AIM clients - How to put the lockdown on security!

[WhiteMateria]

How to put the lockdown on your online accounts!
Getting started...

1. Strong passwords
Q: How do I know my password is strong enough?
A: Rule of thumb: 'a password nobody can guess'.

Q: But HOW exactly can I make it stronger?

Quote:

1. Never use your name, personal information, or ANY PART THEREOF as your password...
2. or a simple word...
3. or your favorite movie, game, etc. for that matter!
4. Use both upper and lowercase letter.
5. Avoid just using letters. (A-Z) (a-z)
6. Add some numbers to it. (0-9)
7. Add some vb characters to it.
8. and perhaps even some html tags in it. <html>,</body>
Wanna get even more secure?
9. Break up the html tag in the password so it’s not grouped together or do parts of a tag or make up your own tag...
10. Jump around from one to the other; Example: tag to numbers to letters to whatever. (Make it random!)
11. Take advantage of the maximum character count a password can have!

Let’s apply this to make up a 16 character password...

Quote:

Adi/war02žŽ38y<>

This password was made "on the fly" just by jumping around from someting to something until it reached the 16 character limit. Notice: It is random, holds NO information about myself, and impossable to guess if you did not know it. Even cracking it with a list and brute force will take a whole building of computers just to long to even try to guess at it.

Q: How safe am I from brute force and password lists?
A: A little article for the math wizards out there...
http://fafalone.hypermart.net/aol.html

Quote:

"The name for that number is 320.88 undecillion. Still cracking at 100 tries per second? 101,751,950,683,220,000,000,000,000 (101.75 septillion) millennia to crack every POSSIBLE AIM PASSWORD WITH 100 TRIES PER SECOND."

Copyright ©2001 Fafalonian Productions.

*WhiteMateria writes - The article was written back in 2001 in which 1.4 GHz was probably common place for desktop computers. A 5 GHz processor won't bring this number down enough to even matter if the password is solid! And very unlikely a person will have access at a mainframe or higher end computers to mess around with something so trivial as cracking a password. It is simple: strong passwords thwart off brute force attempts for today's computers.

2. Registered to free email?
Believe it or not your E-mail can be the weakest link in keeping your AIM account secure. A strong password means little if you have a weak 'lost my password' answer to the 'secret question'. Let me show you one area many people fail to secure with free email clients!

Q1: How many of you actually put your REAL zip code in the registration process of an email for an AIM sn?
Q2: How many of you actually put the REAL answer to "What is your pet's name" or other simple questions to the 'question & answer' password retrieval safety measure?

Most crime victims know their predator... Likewise many account names are taken by people the victim knows!

1: Your best friend or girlfriend/boyfriend, who one day might become your bitter enemy, already knows what zip code you really live in... ERR?
2: Why he/she may even know your dog's name and etc.,... HUH?
3: Chances are they know which email names you use to... AH CRUD!
4. And even if I did not know you in real life consider the following...

With gaim or TestBuddy I can input an E-mail to find the AIM accounts that have not been setup to a "hide everything about me" status. Since many like to post emails on forums it’s not that hard to harvest emails for this task.

Most people share with others online what city they live and their date of birth. When was the last time you announced your birthday and how old you were online? For email security this is a WEAK link in the chain!

How can one use this information:
There are ONLY so many zip codes in a city - A truely determined person could try them all! After successfully guessing your zip code and birthday, provided you did put your real one up, it will ask me the 'secret' question. That answer can be done successfully sometimes with innocent friendly conversation because most people forget this can be sesitive information!

Me: "Hey Susie do you have any pets? I have 2 dogs and a cat!"
Victim: "Yeah I have I kitty and her name is Spots!"
Me: "Awwww that’s a cute name... kitties are so cute!"

::Tries out "spots" as the convo carries on::

If it works I can now change the password to your email and log on. Then its simply a matter of going to the AIM site and doing a password retrieval for all accounts registered to it.

Quote:

1. Use a fake zip code that is easy to remember for free email clients and tell nobody it.
2. Don't include numbers that pertain to any importance to you such as birthday or lucky number.
2. Use a fake answer that somewhat relates to the question but is not entirely real...
- Q: "What is your pets name?"
- A: AIMnekos4sale
3. or you can even use a strong password here!

3. Firewall
Since many programs on your computer makes an outbound connection it’s important to have a firewall that can handle both inbound and outbound packets. This will be your last line of defense should a trojan happen to get on your computer.

Look 'n' Stop [Editors choice]
This is a serious firewall for the power user... Light on resources, no bloatware, inbound/outbound protection, stateful packet inspection, application filtering, custom rules, MD5 checksum verification, .dll thread injection, and very powerful. (passes more firewall tests than any other at time of posting) [02-25-2004]
Users of this firewall are also advised to use Phant0m``s latest ruleset!
http://www.fluxgfx.com/ssc/showthread.php?t=14
As a member of this forum myself please check out
http://www.fluxgfx.com/ssc/index.php?
ZoneAlarm
Works quite well for the beginner... Free, MD5 checksum verfication, application filtering, inbound/outbound protection. (A little bloated)

4. MD5 Checksum File Protection
This is the feature in ZoneAlarm that does file verification. Whenever you update, downdate, or go on a date with AIM ::cough choke cough... dies:: it will notice the change. Of course if you did not do anything to AIM and something changes then it could have been malware or corrupt files.

The INs and OUTs of AIM...

5. MD5 Hash Passwords (AIM 5.2+ and up)
Beginning with AIM 5.2 it does not send your actual password out online to sign on! Instead it sends out an MD5 Hash of your password which will verify if its correct on the server to let you sign in.

QtOI+LHb2X+q99qsh/ESkELSiPix25l/qtfatIfxLpA=

This is what the actual value that goes out to the servers would look like. This could mean something as simple as "blowfish". It is also what your registry holds so friends cannot snoop to find your password. Other unofficial AIM clients may not use MD5 Hashes for passwords and do it in plain text.

More about MD5 Hashes can be found at...
READ ME!

6. AIM Encryption

About Encryption:
http://www.duke.edu/~jrm20/misc/secure.html

AIM security certificate standards:
http://www.zones.com/images/pdf/AIM_ds.pdf
The security certificates used in the standard AIM 5.2+ and above are S/MIME standard signing and encryption on industry-standard X.509v3. The current cypher strength is 128 bits.

128 bit encryption certificates:
http://secure.sylikc.net:8080/self_signed/ (Create your own certificate)
http://ca.cryptgate.com/ (Free AIM certificate but requires personal information)
http://www.aimencrypt.com/ (WARNING: Free PUBLIC AIM certificate)

Quote:

"A little in-depth technical description of why I didn't use AIM Encrypt's certificate:
Certificates are basically a neatly packaged password-protected file that contains a public key and a private key. The encryption algorithm allows someone to encrypt text using the public key portion that can only be decrypted by the matching private key pair. When you want to do secured communication with this particular certificate, the program shares your public key to the other party. The application on that side encrypts the information with that public key and you decrypt it with your private key. This concept is known as "Public Key Cryptography" (just search Google for more technical details if you're interested). Now, imagine this, everyone in the whole wide world has the same public/private keypair as you do (as with AIM Encrypt). How secure is that? It gives you a false sense of security, which is the worse than no security at all. All the encrypted data that you can decrypt with AIM Encrypt's certificate, anyone else in the world (including your boss who may be monitoring your chats) can decrypt it using the same certificate freely available. Hence, I decided to find a way to create my own self-signed certificate."

sylikc.NET ©

SecureIM SOCKS4 localhost proxy:
http://www.vonnieda.org/SecureIM/
I stumbled across this program in my reading about RSA and NSS encryption to share information with you guys. Its a localhost SOCKS 4 proxy that can work even with PyBoticide.

Quote:

"SecureIM uses 2048 bit RSA key exchange and 256 bit BlowFish encryption to make sure that the only people that can read what you are saying are the people you are saying it to."

Copyright © 2003 Jason von Nieda

gaim-encryption and e-gaim plugins for gaim:
http://gaim-e.sourceforge.net/ (Outdated?)
http://gaim-encryption.sourceforge.net/ (I use this)

Quote:

quote:"Gaim-Encryption uses NSS to provide transparent RSA encryption as a Gaim plugin. Supports 512 - 4096 bit keys."

Source = http://gaim-encryption.sourceforge.net/

"Why not PGP/GPG/....? Is this really secure?

The one sentence answer is that this plug-in can be every bit as secure (and every bit as insecure) as PGP. The longer answer involves a few principles that guided the design of this plug-in, which I'll go into below.

One principle is that frequently there must be a balance between better security and the added difficulties imposed on the user by extra security. Security that is difficult to use will be bypassed, and the end result is worse than a "less" secure system. However, whenever possible, the choice between security and ease of use should be left up to the user, not imposed on the user by software. Hopefully, the easy parts are built in, and the hard parts are do-able, if the user wishes. The user can then decide how much security they want, given a flexible software solution.

This plug-in's approach to providing this ease of use / security is very similar to that of SSH. By default, when you first talk to a user (host) that you haven't talked with before, the keys are automatically exchanged (but, like SSH, you can change this). Then, in the future, if the software sees a different key than the one you got that first time, it informs you that something may be wrong. If you want better security, you can verify that the public key that you received is the correct public key, via a channel that you feel is more secure than the original transmission of the key. This isn't too hard to do, as the public keys are stored in a human readable file (.ssh/known_hosts, and .gaim/known_keys). You can call up your friend and ask her to read the number on her screen to you, or ask your buddy to email you his key and sign it with his GPG key, or...

Another reason for not using GPG is that, fundamentally, I think that many people want (and expect) a different level of security for IMs as compared to email. If a stranger IM's you and you "accept" his public key, does that mean that you want to trust email that this same person sends to you in the future? Keeping the keys in separate pools means that you can lean towards convenience in your IM encryption but be stricter about security for your email."

Source = http://gaim-encryption.sourceforge.net/FAQ.html

Screenshots:
Using Ethereal and Proxomitron I logged sample messages sent to myself using these different security programs and certificates. This will give you grasp of how encryption can look like jibberish without a 'private key'.

No encryption
gaim-encryption plugin using 3000+ bit key
Secure-IM
128-bit standard AIM certificate

7. IP Address Issues
Q: How can a user get my IP address from AIM? How can I get an IP address from a user on AIM so that I can mess with him?

A: Direct connection, microphone convo, file send, file get - (If there are others please let me know!)

Quote:

quote:"An example would be that one program made a game request and then would auto cancel itself, but sending the request would form a quick connection that would allow the program to find your IP."

Source = someguy03's security posting

In otherwords if you leave these various connection attempts open for other people it does in fact broadcast your IP address for a split second which may be recorded by various program.

Q: Sometimes on a direct connect I see remote port 4443 connect to 198.162.1.100 - How is this possable?

A: I finally figured out how to do this! This is a feature known as 'IP masquarading' which can be found in higher end routers. Someone I witnessed this to actually told me that. Using Ethereal packet sniffer I was able to determine that AIM actually will ask the computer whose IP is hidden something along the lines of...

"HEY WHO IS [Insert other computer name here] on 198.162.1.100?"
Reply from the connected computer in simple terms is...
"[X Computer name] IS XX.XX.XX.XX.XX MAC ADDRESS!"

The MAC address is your ethernet, modem, or routers' set number just like your IP address is your connection to the network or Internet.

8. IM Bombs, Chat Bombs
Instant messenging bombs occurs when bots/clones just massivly flood you with IMs, invites, microphone requests, game invites, file send requests, direct connection requests, or anything else that can send you a dialogue box. It is not limited to this specific list however...

Chat bombs can occur from clones spamming a room full of text or even broken html to create errors if on AIM.

A truely good bomber will kick you offline if you are on AIM. With official AIM the main reason is SO many graphic windows come on you screen and soak up memory like a sponge! There are ways to prevent or lesson the blow of such attacks.

Quote:

My AIM, Edit Options, Edit Preferences

Note: [some text] will refer to the left side menu option within this screen and {some text} will refer to the right side section you should be looking for.

1. [Privacy] {Who can contact me}
-&gt; Allow only users on my Buddy List
2. [Privacy] {Allow users to see...}
-&gt; Check all that you want...
About the typing indicator: Any user who has an IM open to your sn can tell when you are typing even if you never send them a message. For peace of mind if you have morons who truely bother you and you do not want to show that you are present at the computer right that second uncheck the 3rd option and click apply.
3. [Privacy] {Allow users who know my E-Mail address to find...}
-&gt; Nothing about me - (This is how you hide yourself from AIM's buggy "find-a-buddy by E-mail" feature. While buggy with AIM it works without fail in gaim and TestBuddy if you have not done this yet.)
4. [Sign On/Off] {Show AIM Today window at sign on}
-&gt; uncheck
5. [IM/Chat] {Block all incoming chat invitations}
-&gt; checkeded
6. [AIM/Expressions] {Show AIM expressions from others}
-&gt; unchecked - (For those who don't like people messing with the look of the IM and it also might prevent a virus if they put on in the theme)
7. [Buddy Icons] {For buddy icons set by others}
-&gt; Do not display their icons - (Another very small but paranoid setting)
8. [Away Message] {When away}
-&gt; Insert in personal profile ONLY! - (If your AIM client reponds to people who IM you while away they can warn you every time! After I got warned to 100% and could not sign on for a day I turned off the auto-response.)
9. [Stock Ticker] {Show stock ticker in Buddy List window}
-&gt; unchecked
10. [News Ticker] {Display ticker at sign on}
-&gt; unchecked
11. [File Sharing]
-&gt; Don't Allow for anyone... - (You can also set up group on the buddylist just for this. If someone asks if they can have a file you share simply click, hold down, and drag their name into the specific group. When done you can simply drag it out of the group.
12. [File Transfer] {Recieve File Permission}
-&gt; Reject from all users -
-&gt; Add your firewall and virus scanner settings if you want
13. [Direct IM]
-&gt; Don't allow
14. [Send Buddy List] {When others send buddy list}
-&gt; Don't Allow
15. [Talk] {When others want to talk to you}
-&gt; Don't Allow
16. [Add-Ins] {When others send an Add-In Invitations}
-&gt; Don't allow -

If you use open IMs to everyone here are several other options to try out.

Quote:

1. Tabbed IMs take up way less resources than multiple IM windows
2. PyBoticide can now do IM filters Set up a few trigger rules such as...

HTML Code:

im_url*::
im_text*::[Ww][Ee][Bb][Cc][Aa][Mm] *::no web cam!
im_text*::[Cc][Rr][Ee][Dd][Ii][Tt] *[Cc][Aa][Rr][Dd]::no credit card ads!
im_text::AIM Invader::AIM Invader

3. Future updates of PyBoticide might include a certain word verification users must type to get an IM through if NOT on the allowIM.txt list! Perhaps if I annoy the programmers enough with it...

9. Two names at once
While it may seem like a good thing it can also be an invasion of privacy. Unofficial AIM clients will NOT alert you of 2 or more people signed on your name. In fact AIM may not alert of you of this ethier. If another person is logged on as you they can see to EVERYTHING another person types to you. However they cannot hear what you type back to that person. Think in terms of a Y connection and you will see what I'm talking about.

10. How do disable AIM spyware
http://www.bigblueball.com/forums/to...?TOPIC_ID=9157
Right now this posting is out of date to the next version of AIM. I hold no desire to reinstall AIM version 5.5.crap!

So what else is there?

11. Trojan/Virus Protection: Simply put there is no reason to have no protection from both.

Quote:

1. TDS3 30 day trial version
http://tds.diamondcs.com.au/index.php?page=download
2. Trend Micro Virus Scanner
http://housecall.trendmicro.com/
3. Norton's Online Scanner
Norton Online Scanner

So which AV/Trojan is the best if you are spending money? It really depends on resources but if you want to go for broke and have unlimited resources they are...

1. Kaperskys (Highest detection rate of 'zoo' viruses)
2. NOD32 Forums (Highest detection rate of 'new' viruses in the wild and unknown?)
3. McAffee's (Good standing - Has matched detection rate of Kaperkys a few times)
4. Norton 2004 (Good standing)
5. TDS-3 and TDS-4 (Highest trojan detection rating)
6. Trojan Hunter
7. TDS Worm Guard

- Never click links in profiles, chatrooms, IMs for these can lead you to sites which automatically download a trojan or virus -

- Files people send to you might have viruses or trojans -
- Enable your resident scanner to always on so you can catch viruses in real time -

- Enable the highest scan abilities and heuristics and include ALL file types -

12. HOSTS File Setup
This list is presented as is by
http://webpages.charter.net/modtweaks1/home/readme.html

127.0.0.1 localhost

127.0.0.1 ar.atwola.com
127.0.0.1 empiremovies.com
127.0.0.1 xlonhcld.xlontech.net
127.0.0.1 VTOT.proxy.aol.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.aol.com
127.0.0.1 ads.aim.com
127.0.0.1 ads.doubleclick.net

13. PyBoticide Chat Filter
This program lets you filter out bots and clones and chatrooms. The new Mods update even lets you keep IMs open while adding filters for it for IM bomb attacks!
http://www.bigblueball.com/forums/to...?TOPIC_ID=4615

[panickedthumb]

Dude, incredible post. And it seems there's more to come.

This is valid for people who might not be using aim as well, just anyone making a password for anything.
I've always used ridiculous answers to the questions for password recovery, for example, (this is not what I actually use, I'm not dumb) "What is your mother's maiden name?" Answer: ILikeCookies. Sorry that's lame, but good example.

[WhiteMateria]

Quote:

quote:Originally posted by panickedthumb

Dude, incredible post. And it seems there's more to come.

This is valid for people who might not be using aim as well, just anyone making a password for anything.
I've always used ridiculous answers to the questions for password recovery, for example, (this is not what I actually use, I'm not dumb) "What is your mother's maiden name?" Answer: ILikeCookies. Sorry that's lame, but good example.

I have used AOL/AIM for years now and I just feel ready to strangle people at times when these questions comes from so many different folks. I write these postings so I can learn myself but I hate having to type up stuff alot of times if I can help it to each person that ask. Ever heard it that you don't actually know something till you can put it into concreate words?

[panickedthumb]

Yeah, when you're describing something that you know, you learn a lot FROM describing it. Interesting how it works.

[Someguy03]

I would also like to say that you MUST be careful about files you are recieving. There are many advanced programmers out there who are making trojans do more than just steal passwords and allow a hacker to control your computer. I was infected by one of these once, and lost ability to use task manager, regedit, and almost every windows utility on my computer. I had to go out and find someone who had wrote their own private fix for it.

So I guess what im trying to say is that trojans do more than just allow people to access your computer, and that firewalls cannot completly stop them.

[panickedthumb]

yes, that thing is a mes. I have never personally gotten it but at the ISP I worked for we got a few people with it. We ended up writing our own batch file that would clean it all up.

But yes, be sure to ask people what the program you're getting is, and then check the info in properties to make sure. And DEFINITELY have a firewall (in case it tries to send out info) and a virus scanner (for obvious reasons)

[Busybyeski]

Great, Great post, but I think a few people read it and go, hey thats a good idea, I'll change my exact password to "Ad&lt;i/war&gt;02žŽ38y" and save it to a .txt file on my desktop for easy access. Just clarifying that you shouldn't do that. lol

[panickedthumb]

Haha. Yeah good idea Busy...

You should add NOD 32 to the list of virus scanners, it got the best results for heuristic scanning.

from the website:
NOD32 - Product Awards
NOD32's detection efficiency combined with 2-50 times faster hard disk scanning rate earned the product many international prestigious awards. NOD32 is the world leader of the Virus Bulletin 100% Awards having won more awards (23) than any competing product. Since its first submission for testing in May 1998, NOD32 was the only tested product that has never missed a single In the Wild virus. NOD32 has been selected as the "Antivirus program of 2001" by Australian PC User magazine, "Best Buy, Best Performance, Best Value" by the independent UK Consumer's Association. For selected list of awards, please, click here.

So this is arguably the best in the world... but its all a matter of what your needs are.

[WhiteMateria]

Time and time again its always been Kapersky's but yeah I know that Weilders Security Forum promotes NOD32 like crazy. However Kap. is 90 bucks ordered from Russia but it is the highest detection rate there is.

[colin]

WhiteMateria, you are right, it is unbeleivibly easy to get someones password, and the email is the easiest way to get it. I took someones sn from them, but then I gave it back cause im not a "hacker" and they are my friend, but on there "forgot your password" thing on hotmail, there question was, what was your pet name, so I casually brought up pets, and got there pw.

Note: I do not think hacking is right, I was merely seeing whether it was very hard for someones sn to be takin away. I was just proving a point, so please dont give me the little policy link or anything