We’ve looked for the past two weeks at some security problems related to Instant Messaging (IM). In this last part of the series we’ll look at how to secure AOL Instant Messenger.
The Big Three IM programs are AOL Instant Messenger (AIM), MSN Messenger (now replaced by Windows Live Messenger) and Yahoo! Messenger, with AIM being the most popular. Other IM alternatives exist, such as Trillian and Pidgin (formerly named Gaim), both of which allow messaging across multiple disparate networks. Most users have only heard of the Big Three. If not properly configured, all IM programs are vulnerable to the same attacks from the Internet bad guys. I can’t explain how to set up all of the different IM programs. However, I offer the following as my personal settings for AIM.
Bear in mind, these are my personal settings. I run a bare-bones IM setup: no plugins, no video, no audio, no file transfers, no smilies and no frilly icons. Yeah, yeah, I’m the crusty curmudgeon of IM. Your needs may differ from mine. Just keep in mind, be suspicious of everything!
AIM SETTINGS. Toolbars: no. Launch on startup: no. Remember me: no. Save password: no. Auto sign in: no. When creating screen name: be sure to use a secure password.
Account security questions: Where were you born: NO! Last 4 digits of SS #: NO! Where did you grow up: NO! Favorite singer, favorite food: Huh? Alternate email address: no. Birth date: fake one, pre-1989. Gender: choose opposite. Country: fake. Zip code: from fake country. Don’t use AIM email
IM settings: Uncheck: keep IM conversation text after IM is closed. Never check: auto-accept IMs from unknown senders. Check: Block incoming Buddy Chat invitations (instead, add Buddies manually). Enhanced IM: don’t check anything here. Don’t auto-accept any invitations, images or files from anyone. File transfer: change the default folder to something else. Don’t save a bunch of junk to your desktop. Offline IM – defaults are OK here. Mobile – don’t register any mobile devices. Mobile device security is terrible and is only going to get worse before it gets better.
IM logging – don’t log anything. Buddy list — Uncheck: Add people I exchange IMs with to my Recent Buddies group. Address book – don’t use it. Don’t import personal information from Outlook, etc. Expressions – oh, whatever. Sounds – whatever. Sign in/Sign out – When I sign in, display the following: None (you don’t need a browser window open to use AIM). Uncheck: Start AIM when Windows starts. Notifications — Uncheck: Display notifications when… new mails arrive (don’t use AIM mail).
Privacy – Who can contact me: Allow only users on my Buddy list. Allow others to see: uncheck everything except “I am idle.” Plugins – do we really need AIM plugins? I don’t. Be suspicious. Style – oh, whatever. I could care less.
And, after all of that, after unchecking “Start AIM when Windows starts,” the intrusive jerks at AOL still insist on hiding AIM in the startup group, just without a startup tray icon. So, even though you thought that you were given the choice to prevent AIM from constantly running in the background, it’s still there churning away and wasting your computer’s resources. Remove it by using msconfig in XP or StartupCPL in Windows 2000.
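To confirm that no startup entry is left behind after the cleanup described above, the standard autostart locations can be listed from a script. This is an added example, not part of the original post; it assumes a Windows version with PowerShell 3.0 or later, and the match pattern is an assumption because the post does not name the entry AOL creates.

```powershell
# Added example: audit the usual autostart locations for a leftover IM client entry.
# ASSUMPTION: the pattern below is a guess at how the entry is named; adjust it
# after looking at the full, unfiltered list on your own machine.
$Pattern = '\baim|\baol'

# Per-user and machine-wide Run keys (standard Windows autostart locations).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }      # key may be absent
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Location = $key
                Name     = $name
                Command  = [string]$item.GetValue($name)
            }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders (the "startup group").
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

$all  = @(Get-RunKeyEntries -Keys $RunKeys) + @(Get-StartupFolderEntries)
$hits = @($all | Where-Object { $_.Name -match $Pattern -or $_.Command -match $Pattern })

if ($hits.Count -eq 0) { 'No autostart entries match the pattern.' }
else { $hits | Format-List Location, Name, Command }
```

The script only reports. Review each match before removing it by hand, whether through msconfig or by deleting the listed registry value or shortcut.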
Last but not least, make sure that your antivirus program offers IM protection. Avast, my favorite free antivirus program, offers protection for many different IM programs. If your AV program doesn’t have similar features, then it’s time to switch to something better.