[unisog] Recording IM conversations/mapping users to IM

Micheal Cottingham micheal.cottingham at sv.vccs.edu
Fri Feb 10 15:12:21 GMT 2006


Thanks everybody for the feedback. I did have concerns about wiretap
laws and other applicable laws. It seems this project is on hold at
least for the time being right now anyway. As I told someone off-list,
last thing I want is to be caught with the proverbial pants down. All of
our users are greeted with a banner before logging in to the computer
and then after logging in to the computer as well as having to sign
documents and seeing notices all over the place about not using IM,
chat, etc. without permission. Once again, thanks for the feedback,
it'll give me something to think about should this ever come up again.

Micheal Cottingham
micheal.cottingham at sv.vccs.edu
Southside Virginia Community College
Network Security - Christanna Campus
1 434 949 1078



Harris, Michael C. wrote:
>  
> I don't know if this has been raised on this forum regarding IM content, but think it has for e-mail and VoIP.
>
> Be sure you have full institutional policy, procedure and legal buy in for the recording of IM content.  
>
> Discussions I have had with our Missouri Attorney's General Office indicate It may be considered an improper wire tap, especially if you are not disclosing to users that their IM may be recorded & monitored. (e-mail, VoIP etc. other network traffic too)   
>
> Good policy , sign on banners and signed acceptable use documents protect you as much as they protect users.  Make sure these documents contain detailed language that includes the conditions under which you may be recording traffic such as for diagnostic or archival purposes.  
>
> Mike
>
> --------------------------------------------------------------
> Michael C. Harris
> System Security Analyst & Instructor
> University Of Missouri Health Care
> harrismc at health.missouri.edu      KCXPAH
> -----------------------------------------------------------------
>   
>
>
>
>
>   
>>> Micheal Cottingham wrote:
>>>
>>> I know this has been discussed before, but this is something I want to 
>>> revisit following an incident at my institution. Right now I'm looking 
>>> at IMLogic IM Manager and Akonix products. I want to record 
>>> conversations, map employee names to a central database, be able to 
>>> flag a screen name for further investigation, etc. We have an IPS on 
>>> our boundary, so I'm not as worried about IM worms.
>>>       
>
>   
>> Gary Flynn:
>> Our Juniper IPS has a feature called Profiler that inventories things like 
>> instant message screen names, HTTP user agents and versions, gnutella agents
>> and versions, HTTP server versions, etc.
>>
>> It does not collect content but the screen name to IP address mapping may come
>> in handy in harassment or abuse cases.
>>
>> We have written signatures for the IPS to block instant message traffic with 
>> known malicious links in buddy and away messages though they don't appear to 
>> catch all of them...probably due to a combination of the proliferation of 
>> protocol versions, some clients going to the trouble of enabling encryption, 
>> and my own ignorance of instant message protocols and applications.
>>     
>
>
> --
>
>
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
>
>   



More information about the unisog mailing list