Indeed, without sufficient security in place, there will come a day when, for example, a customer service representative's IM client is hijacked to send spim (spam IM) to your top customers. The converse is also likely to come to pass, where the customer service IM presence information posted on a Web site will become a spim target. (Much the same way that the firstname.lastname@example.org in-box is the biggest recipient of spam at any company.)

Companies such as Microsoft envision a world in which presence data exists everywhere. In fact, Outlook 2003 can be configured to show presence data about message senders in the Outlook in-box.

Companies considering IM to communicate externally and internally need to think about security in the context of how badly such an application can be exploited. The most likely way spim and malware will spread via IM is through trusted contacts, but spim could easily take on the source characteristics of spam. For this reason, companies developing IM applications need to be thinking about ways to establish and manage access to presence information, and users have to be thinking about how they want to distribute their IM addresses.

Conceptually, the way IM systems manage presence information is ready-made for attacks. I guarantee there is a product manager out there who thinks the ability to execute scripting code in a business IM client is a good idea and a competitive advantage that must be pursued, despite the well-documented and overwhelming evidence to the contrary. That product is going to come out one of these days, and IT managers have to be prepared to put their collective feet down and say no.

Technical Analyst Michael Caton can be reached at email@example.com. To read more Michael Caton, subscribe to eWEEK magazine. Check out eWEEK.com's Messaging & Collaboration Center at http://messaging.eweek.com for more on IM and other collaboration technologies.
It will not take long for an enterprising hacker to usurp presence data in desktop applications that can arbitrarily execute code to send spim to everyone who makes his or her presence known.