[ISN] Security products sold despite freeware

From: InfoSec News (alerts@private)
Date: Sun Sep 17 2006 - 22:28:21 PDT


http://seattlepi.nwsource.com/business/1700AP_Free_Security.html

By ANICK JESDANUN
AP INTERNET WRITER
September 17, 2006

NEW YORK -- Microsoft gives away a security firewall with its latest 
operating system. Many high-speed Internet service providers offer free 
anti-virus protection for subscribers. And several Web sites distribute 
free toolbars to warn of Web scams.

AOL even recently made a package of basic security tools - anti-virus, 
anti-spyware and firewall programs - available for free to anyone, not 
just paying subscribers.

Despite all the free protection, primarily for Windows computers, 
leading security vendors are moving forward with plans to start selling 
their annual slate of security products this fall.

Why bother, when so much is available elsewhere at no cost?

"I absolutely don't argue that the highly tech-savvy consumer will and 
can search the Web for freeware and knock out 90, maybe 95 percent of 
the risk," said Lane Bess, Trend Micro Inc.'s general manager for 
consumer products. "That's not the largest (base of) consumers out 
there."

Most people, he said, would rather install a package - for $50 in Trend 
Micro's case - that does everything.

Free often means cobbling a package together:

* Taking the basic firewall that comes with the Service Pack 2 version 
  of Microsoft Corp.'s Windows XP, or getting a stronger one like Check 
  Point Software Technologies Ltd.'s Zone Alarm to monitor and block 
  outbound traffic as well;

* Adding anti-virus protection from a high-speed Internet provider like 
  Comcast Corp. or Time Warner Inc.'s Road Runner;

* Obtaining one or more free spyware removal tools like Spybot Search & 
  Destroy;

* Installing a toolbar from EarthLink Inc. or elsewhere to block Web 
  sites known to engage in e-mail "phishing" scams.

Even AOL's free all-in-one package, which uses technology from McAfee 
Inc. and others, is incomplete, said Joel Davidson, an AOL executive 
vice president for products and technologies.

Last week, the Time Warner unit announced that subscribers who pay $26 a 
month will get additional protections, such as a stronger firewall and 
alerts when malicious software tries to send out a bank account or 
credit card number. They'll even get more online storage for backup and 
free insurance for identity theft and computer damage.

The free standalone products have even more limits.

Major e-mail providers scan messages for viruses automatically, but they 
won't address threats that come from instant messaging or a rogue Web 
site, or a virus already on the computer.

Trend Micro's free HouseCall virus scanner covers those situations, but 
users must remember to periodically perform a check, and they won't be 
automatically protected in the interim. Same goes for the free scan from 
Microsoft; automated scanning comes with Windows Live OneCare, which 
costs $50 a year for up to three computers and includes computer backup 
and tuneup services.

And while Microsoft plans a more robust firewall in its upcoming Windows 
Vista operating system, it's holding back enough to justify selling 
OneCare separately.

The free Zone Alarm, meanwhile, will generate a pop-up warning when 
newly installed software attempts to connect to the outside world. The 
$40 Zone Alarm Pro will have a continually updated database of programs 
that researchers know as good or bad, so pop-up prompts only come up in 
rare cases.

"I don't think (the free version) reduces protection, but it is 
definitely less convenient," said Laura Yecies, general manager of Check 
Point's Zone Labs consumer division. "The user is essentially then 
putting themselves in the role of making determinations."

The free and subscription versions of Grisoft Inc.'s anti-virus and 
anti-spyware products are nearly identical, but paying customers can get 
technical help from humans, instead of only the software's help files 
and Web site documents.

And free software won't come with the ability for companies to easily 
update all their computers remotely, an issue for larger organizations, 
said Johannes B. Ullrich, chief research officer with the SANS Institute 
security group.

Google Inc., Yahoo Inc. and computer manufacturers distribute free 
security products as well, but they are trial versions often with 
features disabled, said Kraig Lane, Symantec Corp.'s manager for 
consumer security products.

The six-month Symantec software bundled with Google, for instance, will 
block known viruses but won't detect unknown ones, based on behavioral 
patterns, in the hours before a software update can be developed and 
distributed for new threats.

"We want to have a little extra value" for paying customers, Lane said.

Other restrictions are in the free software's license terms.

A standalone version of AOL's anti-virus software, from Kaspersky Lab, 
comes with terms that permit AOL to send e-mail marketing messages, 
while Sophos Inc. gives free software only if a person's employer or 
school is already a paying customer.

Some security is better than no security, said Bruce Schneier, a 
computer security expert with Counterpane Internet Security Inc. "I can 
complain about them (the free products), but going out free to millions 
and millions of users, you have to like that."

Yet it's not entirely clear how many users even know of the free 
offerings.

Bari Abdul, McAfee's vice president for consumer marketing, said 
Internet users often configure their browsers to bypass home pages that 
high-speed service providers use to promote free software.

AOL subscriber Gail Taylor, a teaching assistant at the University of 
Illinois at Urbana-Champaign, said she never knew AOL gave away security 
software.

But even after checking a number of free products at the request of The 
Associated Press, she said she still couldn't decide which of the free 
or fee offerings work best for her. She said she'd need to find time for 
more research, leaving her computer largely unguarded for now.

Consumers who do install free products may be left with a false sense of 
security, added David Luft, a senior vice president for security vendor 
CA Inc.

"Some of those limitations aren't always obvious to the end users until 
they run into a problem they thought might be addressed," he said. "They 
think they have something that's fully protecting them, when in reality 
they don't protect in a way they might need."

-=-

On the Net:

AOL package: http://daol.aol.com/safetycenter 
Grisoft: http://free.grisoft.com 
Spybot: http://www.safer-networking.org


_________________________________
HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: http://conference.hitb.org/hitbsecconf2006kl/



This archive was generated by hypermail 2.1.3 : Sun Sep 17 2006 - 22:38:40 PDT