http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004402 By John Dickinson October 24, 2006 Computerworld If you or your users feel unsafe sending financial information through the pathways of the Internet, youre not alone. According to Symantec, as many as 71% of all users are uncomfortable engaging in financial transactions in cyberspace, and the company has launched a program called Norton 360 to win their confidence back. The program promises to be a complete set of solutions to fraud and phishing attacks that plague and intimidate many users by stealing their identities and their money. Some of that program's foundation technology is embodied in the new Norton Confidential, just released to manufacturing. Its job is to protect users Web-based transactions from phishing attacks and malware incursions. It also stores and protects user password and other logon information, and prevents its unauthorized use. Confidential also tells users when theyre logged on to a "safe" transaction-oriented site. Cheapskates and Firefox users need not apply It all seems to work well enough, but there are a couple of things you should know. First, any of you cheapskates that havent upgraded your Norton programs beyond the 2004 versions can forget about Confidential. According to Symantec, the $34.95 Confidential will work alongside just about any competitive security programs, but not with older versions of the companys own PC security and cleanup packages. "Upgrade or get phished" is apparently the new motto at Symantec. So I uninstalled my old Norton Utilities -- I use another package these days -- and pressed on through Norton Confidentials otherwise trouble-free installer. And then with great confidence I brought up Mozilla Firefox but, try as I might, could not see any difference in its operations. So, just for grins, I tried Microsoft Internet Explorer 6, and youll no doubt be shocked and surprised to learn that I found myself looking at a new information bar from Norton Confidential, telling me that "Fraud monitoring is on." Further experimentation revealed that the program also doesnt work with Opera or Netscape browsers. It does work with the Maxthon browser, which uses much of the same underlying technology as Internet Explorer. A Symantec spokesman says that it works with Internet Explorer 7, and that later editions would work with the Mozilla-oriented browsers. (He hadnt heard of Maxthon.) Mediocre password storage steps up and down The program doesnt say much else at that point because there isnt anything for it to do until it encounters a site that handles transactions. It does, however, store and encrypt passwords for any site that has some sort of sign-on, and its secure way of handling them is a step up from browser-stored passwords, or the password vault used by Norton Utilities. Norton Confidential asks you each time you get to a new password-protected site if youd like to store the password, and then uses it automatically when you return to the site. One seriously annoying weakness in this part of the program is that if you get to a different part of the site in your log-on process, Norton Confidential doesnt recognize the site as having a stored password. For example, if you get to PayPal by simple navigation, you log on at one page, but if you come over from eBay you log on at a different one. Norton Confidential understands that to be an entirely different site. When you are logged onto a transaction site that is safe to use, a "No Fraud Detected" message displays and two logos go from gray to green. One logo indicates that a check of your computer indicates no fraudulent activity is at work, and the other indicates that the page you are on is safe. The theory here is that any change in page or any activity on your part can change either of those two statuses. The only real problem with all of this is that Norton Confidential impedes performance. Just filling in the password takes 6 seconds at Wells Fargo, and 4 seconds at PayPal, and that wait makes it not especially worthwhile. You also wait to find out if a site is safe (3 seconds for Wells Fargo and 4 seconds for PayPal), and if your computer remains safe. In the amount of time that takes, I could have given away the family fortune... twice. When it comes to checking for phishing attacks and criminal fraud, such as keylogger or screen scraper installation, there's some excuse for the time it takes. Like most phishing attack detectors, Norton Confidential uses blacklists and whitelists to initially determine whether or not a site is dangerous. But unlike the others it checks the page for what it contains, and then watches the behavior of the page during your interaction with it. That inevitably takes time but I have no idea how much for a fraudulent site as I didnt come across any in links or programs stored in any of the messages I have hanging around in various spam/phishing buckets. I also have to wonder how inclusive a program like Norton Confidential really is. In my case, for example, while I use online commerce sites with some frequency, almost all of my banking transactions occur through Quicken. And many phishing and other fraud attacks now come via instant messaging programs. While those generally wind up sending a user to a Web page, that is not necessary, especially for a malware attack. Is it worth it to you to install a program that takes up all that time? Only you can tell for yourself, but if youre like me it might be worth it to install Norton Confidential on the computers used by family members or colleagues you need to watch out for. Theres just no telling what they might navigate to or click on. _________________________________ Visit the InfoSec News store! http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Tue Oct 24 2006 - 22:42:49 PDT