Monday, October 16, 2006

Symantec Reports Viruses/Worms "Solved"

According to Larry Greenemeier's report in Symantec Says Viruses And Worms Are 'Solved':
"It's official: The problem It's official: The problem of worms and viruses is "solved"--at least according to Symantec chairman and CEO John Thompson. The more relevant security threats today are phishing and fraud, as well as organized crime's interest in stealing and reselling personal information, Thompson says. Not that Symantec will stop cashing checks made out to it for antivirus software. But the company's "Security 2.0" strategy, detailed for the first time last week, tackles broader threats beyond its popular Norton PC security line, including database, E-mail, and identity-theft protection."
Does that mean that Symantec is going to ignore worms and viruses in favor of phishing and fraud? Does Symantec think that their customers are no longer being infected with worms and viruses? I wonder what rock their management has been sleeping under. Based on the logs I see, most infected users have either Norton or McAfee as their antivirus software. Perhaps that lack of ability to detect and/or remove the current prevelant infections is why Symantec -- and, according to the article, apparently McAfee as well -- no longer see worms and viruses as problems.

Now, why does this bother me:
"As part of Security 2.0, Symantec will partner with security services company VeriSign and IT services firm Accenture. Symantec plans to integrate its Norton Accounts software with VeriSign's Identity Protection Authentication Service, which will let Symantec customers use one-time passwords when conducting online transactions."
Here the choir has been preaching for eons to use a different password for each site, particularly for banking, online bill paying and purchases. This is where I need to put up the stop sign and suggest you go back to my blog post from just yesterday entitled, "Closing the Gates on Phishing" where I quoted Bruce Schneier in "The Failure of Two-Factor Authentication":
  • "Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done right, the user will never realize that he isn't at the bank's website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user's banking transactions while making his own transactions at the same time.
Now Symantec is saying only one password for online transactions? What happens when the gullible customer does not recognize the phish and types in that one password, responds to various questions about their account, perhaps even providing information on multiple accounts to what they believe is their trustworthy banking establishment. I need to see this in action before I believe it will work.

No comments: