[ISN] Norton Confidential nothing to shout about

From: InfoSec News (alerts@private)
Date: Tue Oct 24 2006 - 22:22:43 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9004402

By John Dickinson
October 24, 2006 
Computerworld

If you or your users feel unsafe sending financial information through 
the pathways of the Internet, youre not alone. According to Symantec, as 
many as 71% of all users are uncomfortable engaging in financial 
transactions in cyberspace, and the company has launched a program 
called Norton 360 to win their confidence back. The program promises to 
be a complete set of solutions to fraud and phishing attacks that plague 
and intimidate many users by stealing their identities and their money.

Some of that program's foundation technology is embodied in the new 
Norton Confidential, just released to manufacturing. Its job is to 
protect users Web-based transactions from phishing attacks and malware 
incursions. It also stores and protects user password and other logon 
information, and prevents its unauthorized use. Confidential also tells 
users when theyre logged on to a "safe" transaction-oriented site.

Cheapskates and Firefox users need not apply

It all seems to work well enough, but there are a couple of things you 
should know. First, any of you cheapskates that havent upgraded your 
Norton programs beyond the 2004 versions can forget about Confidential. 
According to Symantec, the $34.95 Confidential will work alongside just 
about any competitive security programs, but not with older versions of 
the companys own PC security and cleanup packages. "Upgrade or get 
phished" is apparently the new motto at Symantec.

So I uninstalled my old Norton Utilities -- I use another package these 
days -- and pressed on through Norton Confidentials otherwise 
trouble-free installer. And then with great confidence I brought up 
Mozilla Firefox but, try as I might, could not see any difference in its 
operations. So, just for grins, I tried Microsoft Internet Explorer 6, 
and youll no doubt be shocked and surprised to learn that I found myself 
looking at a new information bar from Norton Confidential, telling me 
that "Fraud monitoring is on."

Further experimentation revealed that the program also doesnt work with 
Opera or Netscape browsers. It does work with the Maxthon browser, which 
uses much of the same underlying technology as Internet Explorer. A 
Symantec spokesman says that it works with Internet Explorer 7, and that 
later editions would work with the Mozilla-oriented browsers. (He hadnt 
heard of Maxthon.)

Mediocre password storage steps up and down

The program doesnt say much else at that point because there isnt 
anything for it to do until it encounters a site that handles 
transactions. It does, however, store and encrypt passwords for any site 
that has some sort of sign-on, and its secure way of handling them is a 
step up from browser-stored passwords, or the password vault used by 
Norton Utilities. Norton Confidential asks you each time you get to a 
new password-protected site if youd like to store the password, and then 
uses it automatically when you return to the site.

One seriously annoying weakness in this part of the program is that if 
you get to a different part of the site in your log-on process, Norton 
Confidential doesnt recognize the site as having a stored password. For 
example, if you get to PayPal by simple navigation, you log on at one 
page, but if you come over from eBay you log on at a different one. 
Norton Confidential understands that to be an entirely different site.

When you are logged onto a transaction site that is safe to use, a "No 
Fraud Detected" message displays and two logos go from gray to green. 
One logo indicates that a check of your computer indicates no fraudulent 
activity is at work, and the other indicates that the page you are on is 
safe. The theory here is that any change in page or any activity on your 
part can change either of those two statuses.

The only real problem with all of this is that Norton Confidential 
impedes performance. Just filling in the password takes 6 seconds at 
Wells Fargo, and 4 seconds at PayPal, and that wait makes it not 
especially worthwhile. You also wait to find out if a site is safe (3 
seconds for Wells Fargo and 4 seconds for PayPal), and if your computer 
remains safe. In the amount of time that takes, I could have given away 
the family fortune... twice.

When it comes to checking for phishing attacks and criminal fraud, such 
as keylogger or screen scraper installation, there's some excuse for the 
time it takes. Like most phishing attack detectors, Norton Confidential 
uses blacklists and whitelists to initially determine whether or not a 
site is dangerous. But unlike the others it checks the page for what it 
contains, and then watches the behavior of the page during your 
interaction with it. That inevitably takes time but I have no idea how 
much for a fraudulent site as I didnt come across any in links or 
programs stored in any of the messages I have hanging around in various 
spam/phishing buckets.

I also have to wonder how inclusive a program like Norton Confidential 
really is. In my case, for example, while I use online commerce sites 
with some frequency, almost all of my banking transactions occur through 
Quicken. And many phishing and other fraud attacks now come via instant 
messaging programs. While those generally wind up sending a user to a 
Web page, that is not necessary, especially for a malware attack.

Is it worth it to you to install a program that takes up all that time? 
Only you can tell for yourself, but if youre like me it might be worth 
it to install Norton Confidential on the computers used by family 
members or colleagues you need to watch out for. Theres just no telling 
what they might navigate to or click on.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Tue Oct 24 2006 - 22:42:49 PDT