Sometimes writing about security is just too easy. Making predictions about next year is like this in some ways.
Lets pick some of the low-hanging fruit early. Even though most spam-tracking companies show that spam already comprises 75 percent or more of all e-mail, that proportion will go up in 2005. We are approaching the situation in which, I have always assumed, users will begin to withdraw from e-mail because it is so unpleasant.
It seems to me that the consensus number at the end of last year was at or just above 50 percent, so Ill assume it will go up another 50 percent of legit percentage, up to 87.5 percent. Of course, with an overall number like that, there will be many days where 95 percent or more of all e-mail is spam. No matter how good filters are, more and more is going to get through.
Will authentication, the last great hope to save e-mail, make a difference? We can hope that by the end of 2005 it will have taken deep roots, but will we be in a position where domains can really begin blocking and rejecting mail that isnt authenticated? Thats the ultimate goal, and I think it will take longer.
Perhaps this is some more low-hanging fruit. You might have noticed that December has so far been a gangbusters month for vulnerability reports. Microsoft is well-represented, not just on its own controversial December patch day, but with a separate report about the Windows Firewall and an independent report about Internet Explorer.
But its not just Microsoft. Weve also had reports this month of vulnerabilities in products from Cisco and Veritas, along with the Samba file-sharing system.
There were separate reports about the PHP Web programming system and Mozilla-based Web browsers. And lets not forget the 16 serious holes Apple reported early this month.
December must have been the most bug-ridden month of 2004, but researchers tell me that inventories of unpublished vulnerabilities are running high. I think that months like December will become more the norm than the exception in 2005.
Well need some new metric to quantify this, but I think the average number of vulnerabilities reported per month in 2005 will increase substantially over 2004.
Next page: Firefox flaws and the future of phishing.
Firefox Flaws, Phishing
On a related point, we and others have been reporting that usage of the Firefox browser has been increasing rapidly. Im actually skeptical of the numbers, but lets take them for granted for the sake of argument.
If theyre true, then Firefox and Mozilla are on track to reach the point of penetration where malware programmers will begin targeting them specifically.
I dont want to overstate things—Firefox has a long way to go before its problem list rivals that of Internet Explorer, but it does have problems, some of them serious. I pointed to a new one just above, and there are other fairly recent ones here, here, here and here.
Its not hard to imagine attacks on Mozilla and Firefox originating with spam messages aimed at them. “Subj: Attention Firefox Users – Sign Up for Update Notification” or something along those lines. What, you think only IE users are stupid enough to click through?
Speaking of user error, most of us pundits a year ago predicted an increase in phishing, but boy, was there an increase in phishing! Most of it is rather unimaginative stuff, simply trolling for Paypal account information.
Ive seen an increase recently in the cleverness of these attacks and I think the attackers have barely scratched the surface of what is possible. So, look for another large increase in the volume of phishing attack e-mails, but look especially for an increase in the quality of the attack.
Spyware got annoying enough in 2004 for the mainstream security industry to start ramping up to attack it, either through their own products or through buying established anti-spyware/-adware companies (as Computer Associates did with PestPatrol).
Look for the security industry to try to push new anti-spyware products, especially in the corporate market. In fact, this has already begun.
I hope, but wont predict, that buyers reject getting shafted on this anti-spyware scam. This is a function that the anti-virus companies should have taken on all along as part of what their products do. Ill dig further into this subject soon.
To quote Peter Coffee quoting Bill Gates, “There is a tendency to overestimate how much technology will change in the next two years, and a similar tendency to underestimate how much things will change in the next 10 years.”
Ten years ago, most of us barely had our feet wet in the Internet. Who would have thought it would be such a hostile place and that so much of our attention would be spend trying to protect ourselves from criminals running rampant? I cant predict that it will be a safer place a year from now, but it will have to be in 10 years; theres a limit to how much of this security stuff we can all tolerate.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer