Carnegie Mellon University

Instant Messaging Security and Usage Guideline

Overview

Because many Instant Message (IM) systems are not designed with security features, hackers have found it easy to plant viruses, spyware, phishing scams, spam over IM (spim), and a wide variety of worms.

Applies to

This guideline applies to all campus affiliates who utilize Instant Messaging as a means of electronic communication.

Purpose of the Guideline

The Carnegie Mellon University Computing Policy establishes a general policy for the use of computing, telephone and information resources. The goal of the guidelines set forth in this document is to help minimize the Instant Messaging security incidents at Carnegie Mellon University.

Definition/Clarification

Server Proxy: Messages pass through the IM vendor’s computer and are forwarded to the user.
Server Broker: Messages are passed to the IM vendor only to initiate the communication between users, who then communicate directly with each other.
Trojans: Hidden programs on a system that perform a specific function once users are tricked into running them.
SPIM: Spam over Instant Messaging

Guideline Statement

There are numerous risks associated with the use of IM and, as with any form of electronic communication, one must take certain steps to mitigate those risks. Such risks include:
  • Revealing confidential information over an unsecured delivery channel. Public Instant Messaging transmits unencrypted information, so it should never be used for sensitive or confidential information. The information travels over the Internet and may be accessed by anyone.
  • Spreading viruses and worms. Instant Message (IM) programs are fast becoming a preferred method for launching network viruses and worms. The lack of built-in security, the ability to download files and the built-in "buddy list" of recipients create an environment in which viruses and worms can spread quickly. The threat is growing so fast that IM is quickly catching up to e-mail as a primary point of attack.
  • Exposing the network to backdoor Trojans.
  • Denial of Service attacks.
  • Hijacking sessions. Information received by IM is not authenticated. There is no way to verify that a message really originated from the sender with whom the recipient believes he or she is communicating during the session. Chat sessions can be hijacked and users can be impersonated.
  • Legal liability resulting from downloading copyrighted materials.

User Responsibilities and Procedures

User responsibilities and procedures are as follows:

  • Ensure that your IM account password meets Carnegie Mellon University recommendations for strong passwords. Refer to the Guidelines for Password Management and to the Managing Your Password web pages.
  • Download and install security upgrades from IM companies. This software is frequently updated to address security flaws.
  • Turn on automatic updates for your IM program and install updates as soon as they are available.
  • Investigate encryption for your IM client. The Electronic Frontier Foundation provides IM encryption resources.
  • Don't allow your IM program to "remember" your password or automatically sign in to your account.
  • Don't automatically accept incoming messages from sign-in names that are not on your contact list. If someone wants to begin to communicate with you via IM, they should email you or phone you to exchange IM sign-in names.
  • Don't accept file transfers under any circumstances. File transfers are an easy way for hackers to launch virus attacks and are not scanned for viruses before reaching your computer. In this case, sending an attachment via e-mail would be a better alternative because (1) you expect the communication, and (2) the attachment will be scanned at the mail server in addition to the anti-virus application on your computer.
  • Don't click links sent to you in a message, even if they appear to be from someone you know. Such links often lead to a site hosting malware, or may be malformed in such a way as to exploit another vulnerability.
  • Protect the privacy of sensitive data. DON'T discuss sensitive data via IM, and don't install an IM application on a computer containing sensitive data. Don't assume that your IM conversations are private or secure. Most IM programs are not encrypted; therefore, someone listening on the network can read anything said in your IM conversation.
  • Avoid file-sharing. File-sharing increases the risk that unauthorized parties could gain access to the computer.
  • Implement virus protection that includes network, desktop and laptop solutions to handle both IM methods of delivery (Server Broker and Server Proxy).

Revision History

Status: Date
Published: 07/21/2006
Last Reviewed: 09/12/2023
Last Updated: 09/12/2023