Microsoft Messenger Virus Hits Reuters IM 275
steman writes "Reuters had to temporarily shut down its private instant messaging service after being targetted by the W32/Kelvir-Re trojan. Reuters Messaging is implemented with Microsoft messenger technology and has more than 60,000 users. When activated, the Kelvir trojan sends itself to all users contacts via email and IM. Francis deSouza, chief executive of computer security provider IMLogic, said 'It just generated a flood of instant messages, so it suddenly slowed down the network for legitimate traffic. This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand-in-hand with security.'"
Duh! (Score:2, Insightful)
well duh!
AOL,Yahoo & MS (Score:4, Interesting)
Not trying to flame here but there is always this raging debate on whether MS is the brand for those desiring insecure solutions or if its just a matter of size making it a media of exponential viral growth. We have one key data point which is that its' web server technology gets hacked more than say, Apache. It's important since Apache is as big as MS in that, neutralizing partly the size issue (al beit Apache is less homgenous than MS server so it's not perfect)
Now we have an IM data point. This is more interesting since here we do have three homgenous IM sources of large size AOL, MS and Yahoo. So I wonder how often these other brands get hacked. Anyone know?
Re:AOL,Yahoo & MS (Score:3, Insightful)
B.
Re:AOL,Yahoo & MS (Score:2)
Google [google.com]
Another question is does Trillion or other third party IM tools that connect to these networks have similar security breachs?
Re:AOL,Yahoo & MS (Score:2)
Can you point me to the list of security problems that IIS6 has experienced? Or are you just basing your point on outdated information?
Re:AOL,Yahoo & MS (Score:2)
Re:AOL,Yahoo & MS (Score:3, Interesting)
Linux and Apple don't get hacked because nobody uses them, and IIS6 doesn't get hacked because it's secure by default?
But Windows gets hacked because of it's high marketshare, right?
So what's the difference between Apache and Windows?
We haven't had that wake-up call yet? (Score:5, Insightful)
Re:We haven't had that wake-up call yet? (Score:5, Insightful)
Why is IM better than a phone? (Score:2)
Re:Why is IM better than a phone? (Score:5, Insightful)
When you're in a deep hack mode, typing a message is much less distracting than talking to someone.
Re:Why is IM better than a phone? (Score:3, Insightful)
I frequently IM myself as a low-budget cut-and-paste between my computers. It requires 1 screenname for each machine, but it works great.
Most of the people on my team also use IM for the same purpose. We'd explored using jabber-based chat, but AOLs infrastructure is hard to beat.
Since AOL added the ability to have encrypted IM sessions between users, I don't have to worry about getting my sessions intercepted either.
A few years back, there were a rash of problems with users having their IM IDs
Re:Why is IM better than a phone? (Score:3, Insightful)
You can hold multiple conversations at the same time.
It indicates if somebody is in, without disturbing them like a phone call does.
I can deal with them in the order I choose, unlike phone calls.
You're comparing them to the wrong thing. Phone calls and IM's are different enough that they complement, not compete. E-mail, however, is closer to a competitor for IM.
We're trying out Office Communicator, and despite the fact that the UI was done by an absolute moron (can't
Re:Why is IM better than a phone? (Score:2)
You can hold multiple conversations at the same time.
It indicates if somebody is in, without disturbing them like a phone call does.
I can deal with them in the order I choose, unlike phone calls.
Ah, you mean IRC.
Re:Why is IM better than a phone? (Score:2)
You can hold conversations with people who aren't even online with IM? That's even more impressive.
Seriously, that's the purpose of e-mail then, isn't it?
Re:Why is IM better than a phone? (Score:2)
Re:Why is IM better than a phone? (Score:5, Insightful)
2. IM is not really Instant, it's almost-Instant, which means you get a chance to read what you're about to say.
3. Go right ahead and type, you don't need to wait for the other party to finish their utterance
4. you can copy and paste things into IM. That's quite hard over a phone call
5. you get a log of the conversation. So if you need to go back and check a fact, you can. It's possible to record phone calls too but in IM it's automatic and it's much easier to search text than audio.
6. By logging into IM you are announcing your availability for chat. Not so with a phone call, which is a polling system (ring ring)
7. Lying requires less work
8. But really you have to TRY something before you DISMISS it.
9. there's probably more.
Re:Why is IM better than a phone? (Score:3, Insightful)
In some states it's also illegal to record phone conversations without consent, I don't belive that protection extends to IM conversations. It's not something you usually have to worry about, but if you're IM'ing with your manager having a record of exactly what was said could save your bacon.
Re:Why is IM better than a phone? (Score:2)
Re:Why is IM better than a phone? (Score:2)
better make sure your ass is covered before you do something stupid
Ever used IRC? Email? (Score:2, Informative)
IM is just a faster version of email, and pretty much the same thing as IRC (with a dumbed down interface).
Others have stated the merits of asynchronous communication via IM (just like in email/IRC), and the ability to communicate with more than one party at the same time.
IM doesn't make sense for everyone (I don't use it at work, others do). Some people do not need or appreciate the positive aspects of IM.
Re:We haven't had that wake-up call yet? (Score:5, Insightful)
Having IM is kinda like having everyone at your company working in your cubicle. Anyone can just blurt out some kind of crap without thinking it through.
Try turning off IM for a day and see how much real work can get done.
Re:We haven't had that wake-up call yet? (Score:2)
There's plenty of people who would say the same thing about many modern conveniences. The funny thing is, you basically admit that it was your use of IM that was the problem.
This is typical. Person A has a problem where they can't stop using item X. Person A therefore campaigns for the restriction of item X, regardless of the positive results of other
Re:We haven't had that wake-up call yet? (Score:2, Interesting)
Infringing on rights? Having IM at work is not a Constitutional right.
That's great when you have a choice of IM. If IM is allowed at work, the managers are going to require me to sign-in everyday. I really don't have a choice when somebody IM
Re:We haven't had that wake-up call yet? (Score:3, Insightful)
I would like to tell my managers to stop IMing me crap but I would probably get fired. I have 5 managers ala Office Space. When something goes wrong, I have 5 IM windows saying: "Did you not get the memo about the new T.P.S. report?"
Re:We haven't had that wake-up call yet? (Score:2)
An increasing number of companies are rolling out IM in house. Set it up so your staff has access to your own secure thing and it's at least held within the VPN.
In this case, their in-house solution was based off Microsoft stuff that got breached. It sucks, but road warriors (and those clueless people that always download this stuff no matter what) cause this.
The scary thing is that corporations have such large internal
Why isn't filtering more instantaneous? (Score:3, Insightful)
Re:Why isn't filtering more instantaneous? (Score:3, Informative)
I'm using 2003a, so your settings may be different.
Re:Why isn't filtering more instantaneous? (Score:2)
Didn't Microsoft fix this a while back? (Score:2, Funny)
I had to copy a good installation file by file to get the new version.
How inconveniant (Score:2, Insightful)
Ofcourse with access like this someone could have started a rumour that saudi ariabia would decrease/increase oil production, a merger between X and Y was going through/south, public figure x was assasinated, or a group calling itself l337 cr3w had bombed a major oil pipeline. If convincing, the rumour might be spreaded along with a reuters mark of credability acceptable everywhere where oil/stock/currency-prices and foreign policy are decided...
Why is it that whenever a worm hits a high profile system noo
Re:How inconveniant (Score:2)
So how do you write software which is usable by humans, but not usable by worms?
Besides, reference the huge outcry against Microsoft in trying to do just that with the XP TCP/IP stack; things like limiting half-open connections gets them yelled at.
What it comes down to is, however, that if a system is usable, it's abusable. If your car
Re:How inconveniant (Score:2, Informative)
If your OS can execute a program to let you do your finances, it can execute a program to then send that data somewhere.
Why should your os allow access to financial files to a program that it allows it to send anything anywhere but your bank as identified and certified by a trusted third party?
So how do you write software which is usable by humans, but not usable by worms?
Thats what people asked themselfs when working on openvms and multics, its what they wondered about after the morris worm. The peo
Re:How inconveniant (Score:2)
Yahoo! IM (Score:3, Interesting)
Does anyone know why Yahoo! has had a hard time catching on? Is it just a diffusion effect? E.g., if all your friends have AIM, you have to use AIM, too?
Re:Yahoo! IM (Score:2)
Use Gaim (Score:3, Insightful)
It can handle both MSNmsnger and YIM.
"The One IM To Rule then all"
Re:Use Gaim (Score:2)
Why not use Jabber [jabber.org]? Jabber can use gateways to reach other IM protocols. One of the better jabber-providers is jabber.org.uk [jabber.org.uk]. They have msn, aim, yahoo, icq and irc gw. Oh, and it is free software!
Use Gaim with Jabber (and YIM and AIM and MSN) (Score:2)
Jabber is a protocol. Gaim is a multi-protocol client. Gaim works well with Jabber networks (and YIM and AIM and MSN). Miranda IM does too, though it is Win32 only. Both are FOSS. Both are completely ad-free. People should use them, even if they never use Jabber.
It is generally better to use a multi-protocol client than Jabber gateways. The gateways tend to be feature-weak, for example most don't support file transfers or group chat.
By the way, if you do use the Jabber gateways (which is the only option
Re:Yahoo! IM (Score:2)
Don't blame Microsoft for this one. (Score:5, Insightful)
And people still do it!? What will it take before people learn?
Re:Don't blame Microsoft for this one. (Score:2)
MS got blamed when users clicked on Yes to Install with ActiveX (I realize the wording could have been better)
MS got blamed when Admins did not install patches, Code Red, Slammer etc
MS will always get blamed whether it is their fault or not. However there are always thing you can do in software that help the Technically challenged. It just like a security in an company, you need to account for people that do not know what they are doing, and train/create policies/
Re:Don't blame Microsoft for this one. (Score:2, Insightful)
Dialog boxes with pictures help only to confuse the user. There is no better stuf than text to put into them.
The probem you are pointing happens because some systems abuse of dialog box, they appear all the time, so the user don't care about them. The solution is simple, just use dialog boxes to ask the user for directions, never confirmations (unless there is something very dangerous). Dangerous actions should be hard to execute. So, the system should require concentration to execute the attachment, not t
Grrrrrrrrr.... (Score:2, Insightful)
We [explitve deleted] know that!They don't seem to be listening. [microsoft.com] AGAIN.
Re:Grrrrrrrrr.... (Score:2)
http://www.microsoft.com/security/incident/im.msp
Re:Grrrrrrrrr.... (Score:2)
Thanks, though that's beside the point.
Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is.
Re:Grrrrrrrrr.... (Score:2)
Unfortunately, we still can't figure out how to stab people in the face over the internet [bash.org]
Re:Grrrrrrrrr.... (Score:2)
This would imply that neither Linux or Mac OS is designed with security in mind, because they certainly need patches.
Only on the most superficial levels. It's not quite the same thing if the design encourages bad behavior and the patch doesn't deal with that. If the system can't be secured without a patch
stupid virus (Score:4, Informative)
If I'm not mistaken, didn't this vulnerability get fixed a while ago on MS/MSN Messenger?
Re:stupid virus (Score:2)
Re:stupid virus (Score:2)
Re:stupid virus (Score:2)
Re:stupid virus (Score:2)
You have to mangle quite a bit to come to that conclusion.
Jabber anyone? (Score:4, Interesting)
Is there a _serious_ msn-im feature that jabber lacks?
Re:Jabber anyone? (Score:4, Informative)
Re:Jabber anyone? (Score:2, Informative)
Re:Jabber anyone? (Score:2)
Re:Jabber anyone? (whiteboard) (Score:2, Informative)
Re:Jabber anyone? (Score:2)
Re:Jabber anyone? (Score:2)
CTO should be fired (Score:2, Troll)
Trillian vs MSN? (Score:4, Insightful)
Reasons? I would be interested in hearing why. I don't use Gaim much, but I use Trillian everyday.
There is no way I'm going to use MSN Messenger after that. So many more useful functions - default logging of chat...however I'm not sure about the security aspects, and how it compares with Redmonds offering.
R.
Re:Trillian vs MSN? (Score:5, Insightful)
No, of course not. You have a bit of a clue. But that's exactly what happened here. The only way Trillian or GAIM would be 'more secure' than MSN Messenger (in this instance) is if they disallowed clickable links in IM's, and/or had no stored contact list. Both of which would be major reductions in functionality.
GAIM and Trillian DO have major functionality benefits over AIM/MSN/Yahoo (notably, multi protocol) but a clueless user is a clueless user, no matter what client they use.
Correction... (Score:2, Insightful)
"This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand in hand with security.'"
Should have been...
This is certainly a wake-up call, IM is just like any other "Microsoft Program". The Microsoft Program needs security."
There isn't a new yahoo virus flying around, nor is there an AIM virus flying around (sending a url that leads to a virus DOES NOT COUNT, as this is not the program itself spreading the virus but just a text link someone
Re:Correction... (Score:2, Insightful)
I'm not sure why the above post was modded troll. Microsoft has bred a culture of irresponsibility in IT displacing decades of tried and true practices.
Re:Correction... (Score:2)
Re:Correction... (Score:2)
Re:Correction... (Score:2)
Sure, social engineering applies here, not technical vulnerabilities, but your straw-man has absolutely nothing to do with the point: The person I was responding to (you?) WRONGLY claimed that IM is not decades old (feeling foolish perhaps?). In fact I only brought up security because the person I was replying to had already implied that security was the issue ("corporate IM solution was secure", "feeling safe" etc.) Look, you were wrong, just admit it, don't try change the subject.
Re:Correction... (Score:2)
Re:Correction... (Score:2)
Apache is the major player here, but I know which one has the most vulnerabilities and is responsible for most major net outages through malware.
Re:Correction... (Score:4, Insightful)
Having said that, I am of the opinion that as the number of people using Firefox increases, so will the number of exploits, but I can't imagine it ever reaching IE proportions; you pretty much have to design in that level of insecurity ;)
Re:Correction... (Score:2)
It's interesting to look into vulnerabilities within MS products pre and post their 2003 security push. Before 2003 their products were shamefully insecure. In 2003 they stopped all development for a month while the whole company underwent extensive security training, and re-vamped their development process. Since then their software has steadily hardened. I think the company gets a ton of flac now a days particularly for the bad taste it left in our mouthes in the early 2000's, but there's not much rec
Re:Correction... (Score:2)
Re:Correction... (Score:2)
Well duh. Only stupid zealots would claim that popularity has *no* effect. Of course black-hats tend to target more popular software, that's only natural. Firefox has gained a lot of popularity very quickly and is still relatively young. So there's going to be a sudden surge in new vulnerabilities and other bugs. The question is wether this little surge turns out to be a short term
In other news... (Score:4, Funny)
"Reuters Messenging" (Score:5, Interesting)
Stop writing Crap code (Score:2)
Programming 101 (Score:4, Insightful)
When transferring any kind of data from one computer/system/program to another, where the source cannot be guaranteed trustable (hint: always) the data should be assumed to be intentionally malformed, as a result the system should either:
a) limit what the input data can do eg: not be executed as binary or a privileged command, not be capable of overflowing anything (ignore extra long data) not be capable of doing anything that you wouldn't allow any random person to do.
b) warn the user every time new data is to be processed and require acknowledgement to continue.
(b) is the reason why your operating system can't install random software people send it without warning/asking you.
(a) is for documents, emails, messages, pictures, music etc.
This is a pretty fundamental computing rule, its pretty much exactly like the basic gun safety rules: always assume the gun is loaded. always keep it pointed somewhere you don't mind a bullet going. always keep it unloaded. So you really have to wonder about peoples competence..
Re:Programming 101 (Score:2)
None of your comments apply in this case.
Think Different! (Score:3, Funny)
Also included in the traditional post is a gratuitous slam against Windows users: "Windows users are poopieheads for using Windows!"
Finishing up with a "In Soviet Russia..." joke
In Soviet Russia, you infect Reuters!
It has been my pleasure to provide the Slashdot Community with the traditional posting making fun of the Windows OS and WIndows Users, contrasting the Windows OS with the Mac OS, in a snarky, oh, so superior and ultimately uninformative manner, in a comment thread about yet another flaw/fault/sploit in the Windows OS.
Thank you for your kind attention!
P.S. if you use Linux or any of the UNIX variants, please substitute the name of your OS for Mac OS in the above posting, the better to observe the Slashdot traditions we so revere.
Yeah, we'll it *is* about IM's and closed source (Score:2)
Yes, and a good start is to not use closed source solutions where few people can give input to security issues. Yes, a pretty much default comment on Slashdot, but reallly... Using MSN Messen
this is fucking hilarious (Score:3, Insightful)
Re:this is fucking hilarious (Score:3, Funny)
Well, given Microsoft already mastered unsecuring HTML, the next challenge, obviously, is plain text.
Lots of IM warnings (Score:2, Informative)
110 million users (Score:2)
http://bink.nu/Article620.bink [bink.nu]
Re:Microsoft Messenger? (Score:2)
Re:Microsoft Messenger? (Score:4, Informative)
Details here:
http://www.theeldergeek.com/messenger_removal.htm [theeldergeek.com]
However, note (from the above source):
In none of the cases below is Messenger actually 'removed' from the system. You can hide it, prevent it from starting, disguise it, and fool the system into thinking it's not available - but it isn't removed. It's still on the computer and a part of the operating system.
Re:Microsoft Messenger? (Score:2)
Re:Microsoft Messenger? (Score:2)
Re:Old News (Score:5, Funny)
Better yet... (Score:2)
When it's not old news it's dup right?
Re:Old News (Score:5, Insightful)
Correct. This is primarily a news reposting site, in order to generate discussion.
It's a forum, not a newspaper.
KFG
Re:of course its microsofts fault (Score:2)
I agree it's a pain in the ass that it is turned on by default, but it's not exactly rocket science to turn it off.
Re:of course its microsofts fault (Score:3, Informative)
Messenger won't come up automatically.
But again I agree it's a pain.
Why do people give Microsoft their money? (Score:3, Insightful)
Seriously, Microsoft creates architectures with guaranteed downtime, yet people still buy their products? I think their current revenues are holdovers from their monopoly in the 1990s, and the slip in their earnings is indicative of real slowdown for them. As GNOME/KDE desktops mature, people will certainly have few reasons to spend their hard-earned money on Windows and Office. If they want to spend the money, then spend it on Mac OS X and get something better than Microsoft could ever produce.
Re:Why do people give Microsoft their money? (Score:2)
The Linux desktops are good enough to be called competition, now. Mac OS X certainly is good enough.
"And pay 3x more for the hardware to run it on."
It's not hard to get decent Apple hardware for under $1000. Speed isn't that big an issue. My computer at home is years old, and I really don't care too much.
Re:Die IM, Diiiieee (Score:4, Informative)
Re:Die IM, Diiiieee (Score:2)
If you don't want to be messaged about every little thing, then inform your contacts of that fact, and use the features (closed buddy list and such) that keep random people from talking to you.
My rationale is, if its not important, send me an email. If it _is_ important, give me a call.
So you use email for real-time communication when you can't (or don't want to) call someone on the phone? Seems pretty
Re:Die IM, Diiiieee (Score:2)
Why IM (Score:2)