Love it or hate it, Instant Messaging (IM) has become an important tool to many Internet users. The ability to instantly send tiny email-like messages to friends and family without any fussy face-to-face or even voice-to-voice personal interaction has become a compelling, must-have ability.
IM has also become an indispensable attack vector to criminal hackers, causing IM to become a real thorn in the side of many major corporate IT departments. Similarly, small office and home IM users are not immune to attack, as spammers and other criminal-types use IM to spew viruses, phishing and spam emails, keyloggers and rootkits across the Internet.
IM security leader Akonix Systems (www.akonix.com) has reported an almost 100% increase in malicious attacks over instant messaging networks during the month of August, 2007, double the number of attacks tracked during July. “The extraordinary increase in malicious code activity we’ve seen this August is proof positive that the IM networks have become hackers’ favorite open door into corporations’ computers,” says Don Montgomery, VP of marketing at Akonix. “This August’s output was nearly double that of July, and brings the 2007 total to a full 50% higher than during the same period last year.”
Lousy default settings invented by ignorant IM programmers and poor behavior by ignorant IM users have contributed significantly to the success of IM attacks around the globe. A willingness to be befriended by anonymous “buddies,” click on links leading to unknown websites and download “cool” screensavers, games and porn has come back to bite many an IM user. Some people like to espouse that these problems are mainly experienced by children and teenagers. Real-world situations have taught me that the adult crowd is by no means smarter about, or more immune to, IM attacks.
The blame for insecure default settings and the failure to educate IM users about security lies squarely at the feet of IM programmers and the greedy manufacturers who allow the release of slipshod, insecure applications. I’ve said similar things about software manufacturers before, to which someone once asked, “Jeez buddy, you are jaded. Is a car manufacturer supposed to teach you how to drive?”
This brings up two very relevant questions: are car manufacturers supposed to teach you how to drive? Are software manufacturers responsible for teaching security?
Regarding car manufacturers, I am inclined to say, “Yes,” since their products will be used in public settings on public roadways and pose a great potential hazard to other innocent drivers and bystanders. Yes, because of those factors, they are responsible for teaching the safe operation of the vehicles that they sell. If automakers can’t tell you how to safely operate their products, are we all expected to figure it out on our own? This is a widely understood and accepted principle. In fact, whether you agree with the concept or not, drivers are required to pass a competency test before they are allowed to legally operate motor vehicles on public roadways.
Next week: how IM manufacturers are security slackers.