[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Norton Confidential nothing to shout about
From: InfoSec News <alerts () infosecnews ! org>
Date: 2006-10-25 5:22:43
Message-ID: Pine.LNX.4.61.0610250022320.16648 () conundrum ! infosecnews ! org
[Download RAW message or body]
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004402
By John Dickinson
October 24, 2006
Computerworld
If you or your users feel unsafe sending financial information through
the pathways of the Internet, youre not alone. According to Symantec, as
many as 71% of all users are uncomfortable engaging in financial
transactions in cyberspace, and the company has launched a program
called Norton 360 to win their confidence back. The program promises to
be a complete set of solutions to fraud and phishing attacks that plague
and intimidate many users by stealing their identities and their money.
Some of that program's foundation technology is embodied in the new
Norton Confidential, just released to manufacturing. Its job is to
protect users Web-based transactions from phishing attacks and malware
incursions. It also stores and protects user password and other logon
information, and prevents its unauthorized use. Confidential also tells
users when theyre logged on to a "safe" transaction-oriented site.
Cheapskates and Firefox users need not apply
It all seems to work well enough, but there are a couple of things you
should know. First, any of you cheapskates that havent upgraded your
Norton programs beyond the 2004 versions can forget about Confidential.
According to Symantec, the $34.95 Confidential will work alongside just
about any competitive security programs, but not with older versions of
the companys own PC security and cleanup packages. "Upgrade or get
phished" is apparently the new motto at Symantec.
So I uninstalled my old Norton Utilities -- I use another package these
days -- and pressed on through Norton Confidentials otherwise
trouble-free installer. And then with great confidence I brought up
Mozilla Firefox but, try as I might, could not see any difference in its
operations. So, just for grins, I tried Microsoft Internet Explorer 6,
and youll no doubt be shocked and surprised to learn that I found myself
looking at a new information bar from Norton Confidential, telling me
that "Fraud monitoring is on."
Further experimentation revealed that the program also doesnt work with
Opera or Netscape browsers. It does work with the Maxthon browser, which
uses much of the same underlying technology as Internet Explorer. A
Symantec spokesman says that it works with Internet Explorer 7, and that
later editions would work with the Mozilla-oriented browsers. (He hadnt
heard of Maxthon.)
Mediocre password storage steps up and down
The program doesnt say much else at that point because there isnt
anything for it to do until it encounters a site that handles
transactions. It does, however, store and encrypt passwords for any site
that has some sort of sign-on, and its secure way of handling them is a
step up from browser-stored passwords, or the password vault used by
Norton Utilities. Norton Confidential asks you each time you get to a
new password-protected site if youd like to store the password, and then
uses it automatically when you return to the site.
One seriously annoying weakness in this part of the program is that if
you get to a different part of the site in your log-on process, Norton
Confidential doesnt recognize the site as having a stored password. For
example, if you get to PayPal by simple navigation, you log on at one
page, but if you come over from eBay you log on at a different one.
Norton Confidential understands that to be an entirely different site.
When you are logged onto a transaction site that is safe to use, a "No
Fraud Detected" message displays and two logos go from gray to green.
One logo indicates that a check of your computer indicates no fraudulent
activity is at work, and the other indicates that the page you are on is
safe. The theory here is that any change in page or any activity on your
part can change either of those two statuses.
The only real problem with all of this is that Norton Confidential
impedes performance. Just filling in the password takes 6 seconds at
Wells Fargo, and 4 seconds at PayPal, and that wait makes it not
especially worthwhile. You also wait to find out if a site is safe (3
seconds for Wells Fargo and 4 seconds for PayPal), and if your computer
remains safe. In the amount of time that takes, I could have given away
the family fortune... twice.
When it comes to checking for phishing attacks and criminal fraud, such
as keylogger or screen scraper installation, there's some excuse for the
time it takes. Like most phishing attack detectors, Norton Confidential
uses blacklists and whitelists to initially determine whether or not a
site is dangerous. But unlike the others it checks the page for what it
contains, and then watches the behavior of the page during your
interaction with it. That inevitably takes time but I have no idea how
much for a fraudulent site as I didnt come across any in links or
programs stored in any of the messages I have hanging around in various
spam/phishing buckets.
I also have to wonder how inclusive a program like Norton Confidential
really is. In my case, for example, while I use online commerce sites
with some frequency, almost all of my banking transactions occur through
Quicken. And many phishing and other fraud attacks now come via instant
messaging programs. While those generally wind up sending a user to a
Web page, that is not necessary, especially for a malware attack.
Is it worth it to you to install a program that takes up all that time?
Only you can tell for yourself, but if youre like me it might be worth
it to install Norton Confidential on the computers used by family
members or colleagues you need to watch out for. Theres just no telling
what they might navigate to or click on.
_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic