IM Conversations compromised

revolutn

Member
Dec 13, 2000
Recently a business associate of mine had some of our IM conversations compromised.

Basically he's going through a divorce, his wife 'stole' his PC and even though it was eventually returned by judge's order, she had detailed knowledge of conversations that had only occurred via IM.

Mostly I don't care, but I do feel kind of violated since our conversations were not pertinent to their divorce, but rather about some corporate matters.


Now, normally I consider myself pretty security conscious, but this unnerved me slightly.

The IM conversations took place over Windows Live Messenger.
Conversation logging is turned off on the target PC (both PCs, actually).

So the question is......should I suspect a key logger on his PC?

OR.....


Much like with the case of the INDEX.DAT file...is there some 'secret' cache of IM conversations on a Windows XP system that I need to be schooled about?

Any thoughts appreciated

QuixoticOne

Golden Member
Nov 4, 2005
I'm guessing it just saves the data to some extent. It is not uncommon with IM messengers to be able to scroll back over previous conversation text to an extent, and often you can even do this after you've closed an IM session and then later open a new one with the same partner. Thus proving it is saving some context data to give you some conversational history / context info.

I don't know if MSN does that, but it isn't uncommon in others, especially if logging is enabled, and sometimes even if not.

As for keyloggers, it is always possible that there is one additional to the IM program's possible insecurities.

Anyway if you care about privacy / security, I can't understand why you'd willingly use IM software or VOIP software like Skype or whatever that sends the data over the internet, through 3rd party servers totally unencrypted or encrypted with a key that is NOT strictly private to the two peers and unknown to the service providers.

I'm pretty sure IM clients like Jabber support end-to-end encryption with keys not known except to the PCs at the ends of the link.

I'm pretty sure there are add-on programs that can encrypt text being sent over IM programs just as you'd use PGP for emails so that even though the IMs are sent (by the normal IM software) unprotected and visible to all, all that anyone would see is gibberish text because a utility is encrypting the text before the IM program even gets it.

If we don't demand better security / privacy features in our s/w and networks we'll surely have none whatsoever.

Good luck.

MrColin

Platinum Member
May 21, 2003
You can never assume that IM conversations are truly private. Your associate may have assumed that saving of chat sessions was turned off when it actually wasn't.
Also, I doubt the folks at MSN Live put too much thought into the security of the cached text of an IM session, so you might want to do some experimenting to find where it stores that text on the HD. If her lawyers had access to the PC they may have had some specialized tools run on the HD to look for incriminating evidence to use against your friend. This could include insecurely deleted temp files from chat sessions. There could be an index.dat type of thing as well, I don't know.

Rainsford

Lifer
Apr 25, 2001
Originally posted by: QuixoticOne
...

I'm pretty sure there are add-on programs that can encrypt text being sent over IM programs just as you'd use PGP for emails so that even though the IMs are sent (by the normal IM software) unprotected and visible to all, all that anyone would see is gibberish text because a utility is encrypting the text before the IM program even gets it.

If we don't demand better security / privacy features in our s/w and networks we'll surely have none whatsoever.

Good luck.

A VERY good add-on that works for multiple IM clients and networks is Off-the-Record (OTR) messaging. It supports very strong cryptography including perfect forward security, which many IM encryption protocols don't support. It essentially means that no long-term key is used to encrypt the messages (a long-term signing key is used to prove your identity, however), which means that when the conversation is over, there is NO way to recover the messages unless one side or the other saved them. Used properly, even if someone recorded all the encrypted messages you ever sent and then later obtained your PC, they could NOT read the previously sent messages.

That said, it doesn't sound like this is a solution to the OP's problem...OTR is mostly to avoid eavesdroppers who may get access to your PC at a later date. This case really sounds like someone had logging enabled or there was a cache file stored on the hard drive.
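To illustrate the property Rainsford describes, here is an added example (not code from this thread or from the OTR project): each side signs a fresh X25519 key with its long-term identity key, the session key is derived from the two ephemerals alone, and closing the session drops it, so a later seizure of both PCs and both identity keys cannot rebuild it. Ed25519, X25519 and the SHA-256 key derivation are assumed stand-ins for OTR's actual DSA and Diffie-Hellman construction.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SignedEphemeral is the handshake message: a fresh X25519 public key signed by the
// sender's long-term identity key, which proves who the peer is but never encrypts.
type SignedEphemeral struct{ Pub, Sig []byte }

// Session holds only the per-conversation key; Close drops it.
type Session struct{ Key []byte }

// NewIdentity makes a long-term Ed25519 pair (assumed stand-in for OTR's DSA signing key).
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Offer makes one side's ephemeral half; the private key exists only until Finish.
func Offer(identity ed25519.PrivateKey) (*ecdh.PrivateKey, SignedEphemeral) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub := eph.PublicKey().Bytes()
	return eph, SignedEphemeral{pub, ed25519.Sign(identity, pub)}
}

// Finish verifies the peer's signature and derives the session key from the two
// ephemerals alone, so a later seizure of both identity keys cannot reproduce it.
func Finish(eph *ecdh.PrivateKey, peer ed25519.PublicKey, their SignedEphemeral) (*Session, error) {
	if !ed25519.Verify(peer, their.Pub, their.Sig) {
		return nil, errors.New("ephemeral key not signed by the expected identity")
	}
	theirPub, err := ecdh.X25519().NewPublicKey(their.Pub)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(theirPub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // demo KDF (assumption), not OTR's own derivation
	return &Session{Key: key[:]}, nil
}

// Close drops the key (a real client also zeroes memory); once both peers have done so, only a saved plaintext log remains.
func (s *Session) Close() { s.Key = nil }
```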

QuixoticOne

Golden Member
Nov 4, 2005
Thanks, Rainsford, that sounds like a good utility to have / recommend.
I knew the sort of thing existed, but I don't usually keep up on the best Windows utilities in this category.
As for keylogger protection, a good anti-spyware / anti-virus setup might've caught some of them, but if someone else had extended physical control of the machine, well, all bets are off as to what they could have installed / done.

revolutn

Member
Dec 13, 2000
Yea, well all I can be certain of is that logging in the client itself was NOT enabled.

Still the conversations were apparently 'recovered' in some manner.

It is not clear at this time exactly where the PC went or who had access to it during the time it was removed.
My personal suspicion is/was that a clone of the drive was made and some level of deeper forensic software was run, whether that merely be her attorney or someone/thing else like, say, the FBI. (She was threatening him with turning alleged records of fraud over to the FBI at one point.) But the reality is that there is no fraud, so I'm thinking that she's getting bad advice from someone helping her that just doesn't really understand what they are looking at, so I do not truly believe there ever was any alphabet agency involved...I'm just saying at some level conversations were monitored or recovered.

No evidence of rootkits or keyloggers has been found thus far.

I guess I was just looking for any info about potential hidden caches à la the index.dat file, but it doesn't sound as if anyone knows of such a creature...so....

I guess from this point forward I'll look into OTR.

Thanks,
Rev

QuixoticOne

Golden Member
Nov 4, 2005
The simplest answer might be that if the person you thought you were messaging had their PC or password compromised, someone totally different was actually receiving those messages (maybe just offline messages, or maybe even interactively chatting with you).

Some IM programs let you log in from multiple places, e.g. cell phone + home desktop + work desktop, and in some cases messages going to one place are copied to all of them simultaneously. I have no idea if MSN does that.

Plenty of software like VNC or PC Anywhere lets you copy the whole contents of the screen of the PC to a remote computer.

There seem to be plenty of IM capturing programs like some of the following... It does not surprise me that one could have been unnoticed and active.

I don't really trust common IM / VOIP / webmail systems; a large part of their whole PURPOSE is to enable the server operators to "spy" on your content for their own purposes, e.g. Gmail / Google and its "targeted advertising", and I'd expect that is similar with MSN/AOL/Yahoo/SKYPE/et al. It is noteworthy that NONE of these popular systems make ANY attempt to use even decades-old design methodologies of secure programming, encryption, use of standards-compliant protocols, et al. to allow the USER to have more control / security in their communications activities. In fact they're pretty much designed to take over as much of your PC as possible remotely to serve you ADs, install custom protocol / helper / toolbar extensions in your web browser, track / control your IM / chat partners / topics / forums, store transcripts of your activities on their remote servers, et al. Almost none of them will operate in P2P mode where the connection to chat / IM is made directly between communicating parties, but, rather, forward all traffic in insecure ways through their central servers, often for no (respectable / trustworthy) reason.
They're typically FULL of bugs and expose you to a myriad of the well-known historical and contemporary security vulnerabilities in the OS, video, audio, graphics, rich text, and networking-related code. In short it is garbageware, spyware, a "walled garden" designed to control you and limit your true choices for secure free speech via free, portable, multi-platform software of your choice in a standards-compliant way, and shouldn't be trusted for any purpose whatsoever.

Read the "privacy policy" and "terms of service" to see what level of expectation of security / privacy they tell you you can expect; none.

http://www.softpedia.com/progC...s-Changelog-26826.html
http://wareseeker.com/free-bus...message-monitor-2.5.1/
http://www.simkl.com/
http://www.topshareware.com/IM...ory-download-52847.htm

Rainsford

Lifer
Apr 25, 2001
Originally posted by: QuixoticOne
The simplest answer might be that if the person you thought you were messaging had their PC or password compromised, someone totally different was actually receiving those messages (maybe just offline messages, or maybe even interactively chatting with you).

Some IM programs let you log in from multiple places, e.g. cell phone + home desktop + work desktop, and in some cases messages going to one place are copied to all of them simultaneously. I have no idea if MSN does that.

Plenty of software like VNC or PC Anywhere lets you copy the whole contents of the screen of the PC to a remote computer.

There seem to be plenty of IM capturing programs like some of the following... It does not surprise me that one could have been unnoticed and active.

I don't really trust common IM / VOIP / webmail systems; a large part of their whole PURPOSE is to enable the server operators to "spy" on your content for their own purposes, e.g. Gmail / Google and its "targeted advertising", and I'd expect that is similar with MSN/AOL/Yahoo/SKYPE/et al. It is noteworthy that NONE of these popular systems make ANY attempt to use even decades-old design methodologies of secure programming, encryption, use of standards-compliant protocols, et al. to allow the USER to have more control / security in their communications activities. In fact they're pretty much designed to take over as much of your PC as possible remotely to serve you ADs, install custom protocol / helper / toolbar extensions in your web browser, track / control your IM / chat partners / topics / forums, store transcripts of your activities on their remote servers, et al. Almost none of them will operate in P2P mode where the connection to chat / IM is made directly between communicating parties, but, rather, forward all traffic in insecure ways through their central servers, often for no (respectable / trustworthy) reason.
They're typically FULL of bugs and expose you to a myriad of the well-known historical and contemporary security vulnerabilities in the OS, video, audio, graphics, rich text, and networking-related code. In short it is garbageware, spyware, a "walled garden" designed to control you and limit your true choices for secure free speech via free, portable, multi-platform software of your choice in a standards-compliant way, and shouldn't be trusted for any purpose whatsoever.

Read the "privacy policy" and "terms of service" to see what level of expectation of security / privacy they tell you you can expect; none.

http://www.softpedia.com/progC...s-Changelog-26826.html
http://wareseeker.com/free-bus...message-monitor-2.5.1/
http://www.simkl.com/
http://www.topshareware.com/IM...ory-download-52847.htm

That's why I use Pidgin + OTR. The IM protocol and the server operators are probably still crap, but it's not going to bother me any.