One of eWeek's "Transitions 2006" articles is IM Threats: The Dark Side of Innovation. They are spot-on that 2005 has become the year of the IM exploit, and the question is whether things will get better or worse in 2006. Even though the attacks are getting smarter and more sophisticated, there has not yet been an apocalypse on any of the major IM networks, so the good guys must be doing something right.
Here's a short excerpt:
I'm really surprised we haven't seen a fully automated worm on these IM networks," Nazario said in his interview with Naraine. "To me, it's begging to happen. ... Pretty soon, someone will find a way to package one of these attacks with an unpatched vulnerability to cause some real problems."I still contend that many of the problems in the big IM systems stem from a lack of procedures for authentication. While some people consider it inconvenient or intrusive that registering on BitWise requires a valid email address, it also protects the entire system by requiring people to identify themselves (at least temporarily). We also don't have a way to send messages anonymously through a web site -- you have to log in to the client itself (which requires the password delivered to your valid email address). Simple steps can go a long way sometimes.Indeed, IM systems have become an increasingly favored target for attackers, with nearly 75 new IM viruses reported in August and September, according to the Q3 Threat Report by San Diego-based Akonix Systems Inc., a messaging security developer.
It is my prediction that the pendulum will finally start to swing the other way between convenience and security. People love convenience, but eventually the security cost will be too high and there will be a cry for changes.