by Larry Seltzer - eWEEK
Sometimes writing about security is just too easy. Making predictions
about next year is like this in some ways.
Let's pick some of the low-hanging fruit early. Even though most
spam-tracking companies show that spam already comprises 75 percent or
more of all e-mail, that proportion will go up in 2005. We are
approaching the situation in which, I have always assumed, users will
begin to withdraw from e-mail because it is so unpleasant.
It seems to me that the consensus number at the end of last year was
at or just above 50 percent, so I'll assume it will go up another 50
percent of the legit percentage, up to 87.5 percent. Of course, with an
overall number like that, there will be many days where 95 percent or
more of all e-mail is spam. No matter how good filters are, more and
more is going to get through.
Will authentication, the last great hope to save e-mail, make a
difference? We can hope that by the end of 2005 it will have taken
deep roots, but will we be in a position where domains can really
begin blocking and rejecting mail that isn't authenticated? That's the
ultimate goal, and I think it will take longer.
Perhaps this is some more low-hanging fruit. You might have noticed
that December has so far been a gangbusters month for vulnerability
reports. Microsoft is well-represented, not just on its own
controversial patch day, but with a separate report about the Windows
Firewall and an independent report about Internet Explorer.
But it's not just Microsoft. We've also had reports this month of
vulnerabilities in products from Cisco and Veritas, along with the
Samba file-sharing system.
There were separate reports about the PHP Web programming system and
Mozilla-based Web browsers. And let's not forget the serious holes
Apple reported early this month.
December must have been the most bug-ridden month of 2004, but
researchers tell me that inventories of unpublished vulnerabilities
are running high. I think that months like December will become more
the norm than the exception in 2005.
We'll need some new metric to quantify this, but I think the average
number of vulnerabilities reported per month in 2005 will increase
substantially over 2004.
Firefox Flaws, Phishing:
On a related point, we and others have been reporting that usage
of the Firefox browser has been increasing rapidly. I'm actually
skeptical of the numbers, but let's take them for granted for the sake
of argument.
If they're true, then Firefox and Mozilla are on track to reach the
point of penetration where malware programmers will begin targeting
them specifically.
I don't want to overstate things; Firefox has a long way to go
before its problem list rivals that of Internet Explorer, but it does
have problems, some of them serious. I pointed to a new one recently
and there are other fairly recent ones reported.
It's not hard to imagine attacks on Mozilla and Firefox originating
with spam messages aimed at them. "Subj: Attention Firefox Users --
Sign Up for Update Notification" or something along those lines. What,
you think only IE users are stupid enough to click through?
Speaking of user error, most of us pundits a year ago predicted an
increase in phishing, but boy, was there an increase in phishing! Most
of it is rather unimaginative stuff, simply trolling for PayPal
account information.
I've seen an increase recently in the cleverness of these attacks and
I think the attackers have barely scratched the surface of what is
possible. So, look for another large increase in the volume of
phishing attack e-mails, but look especially for an increase in the
quality of the attack.
Spyware got annoying enough in 2004 for the mainstream security
industry to start ramping up to attack it, either through their own
products or through buying established anti-spyware/-adware companies
(as Computer Associates did with PestPatrol).
Look for the security industry to try to push new anti-spyware
products, especially in the corporate market. In fact, this has
already begun.
I hope, but won't predict, that buyers reject getting shafted on this
anti-spyware scam. This is a function that the anti-virus companies
should have taken on all along as part of what their products do. I'll
dig further into this subject soon.
To quote Peter Coffee quoting Bill Gates, "There is a tendency to
overestimate how much technology will change in the next two years,
and a similar tendency to underestimate how much things will change in
the next 10 years."
Ten years ago, most of us barely had our feet wet in the Internet. Who
would have thought it would be such a hostile place and that so much
of our attention would be spent trying to protect ourselves from
criminals running rampant? I can't predict that it will be a safer
place a year from now, but it will have to be in 10 years; there's a
limit to how much of this security stuff we can all tolerate.
Larry Seltzer (larryseltzer@ziffdavis.com) has
worked in and written about the computer industry since 1983.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Ziff-Davis.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
[TELECOM Digest Editor's Note: I agree with Mr. Seltzer; the net is
going to get a lot worse before it gets better, if it ever does. I can
only speak for my little entry on the net, this Digest and its web
pages; but the spam to legitimate email ratio here almost always runs
in excess of 90 percent spam. Thus far today, for example, I have
dumped 356 items of spam from telecom mail alone. PAT]