I’ve just returned from the Symantec Threat Response Center in Dublin, Ireland where a select handful of European security software reviewers witnessed the first public demonstration of Norton Confidential: the Symantec response to what it refers to as the CrimeWare explosion.
Symantec acquired anti-phishing specialist WholeSecurity towards the end of last year, and has been working on a transactional security and identity protection product under the codename ‘Symantec Voyager’ ever since. The release product will be called Norton Confidential and has some interesting and worthwhile features, although nothing that is truly unique. What it does is combine functionality such as the identification of potential phishing sites using both heuristic detection and a list of known IPs, confirmation of trustworthy sites by way of high-assurance security certificates for authentication, monitoring for password-capturing Trojans and key-loggers, and alerting the user before transactional data is passed to a suspicious site or in a suspicious manner.
Although I applaud any effort to help secure online transactions against the dangers of identity theft in its many forms, Norton Confidential has a fatal flaw in my opinion. And I made sure to share that opinion with Laura Garcia-Manrique (Senior Director of Product Management), Shane Pereira (Senior Product Developer and Software Architect) and Josh Harriman (Senior Security Quality Assurance Engineer). You see, Symantec will go to great lengths to claim that Norton Confidential is all about making the online user experience as secure as possible, yet it will work only with the most insecure of browsers, Internet Explorer. Sure, one can’t blame Symantec for developing a product aimed at the browser client with the biggest market share. But equally, one can (and will) criticize it loudly for not making the product available to Firefox users at the same time. Sure, one can applaud Symantec for addressing the transactional security crimeware threat, and for taking identity theft seriously. But equally, one would applaud them more loudly if they were to make a stand and say that, for users to be more secure, they should be using a more secure browser client. Good security practice is all about user education; it has to be. So what message is Symantec sending out when it doesn’t support the more secure browser clients but instead continues to shore up the less secure ones?
Other interesting nuggets of information to come out of this ‘technical testing workshop’ in Dublin included confirmation that, with the development of Norton 360 (the Symantec equivalent of Windows Live OneCare), there will be no SystemWorks 2007 release. Symantec did state that the product will, for the time being, be ‘maintained’ for the XP platform though. Expect to see many changes in Norton Internet Security 2007, including a newly designed GUI and the introduction of what Symantec is referring to as the ‘silent firewall.’ In essence, this does away with the need for pop-up dialogues asking the user to allow or disallow a process or connection, and instead makes the decisions itself without user interaction. A kind of ‘Norton knows best’ scenario. Of course, for this to work you have to trust Symantec not to make any mistakes, for there to be no false positives. Sorry Symantec, I don’t, not yet. Nor, to be honest, does Symantec itself, it seems, for in the Norton Confidential product (at least the pre-release version that I saw in action) the dialogue that pops up when you attempt to access a known phishing site includes an option to ‘continue to web page’, which makes a nonsense of the whole concept. Even the silent firewall will have an advanced option enabling the user to override the silence and toggle notifications and enable/disable dialogues.