First look: Norton's 2012 desktop, smartphone security push

Norton today released an updated version of its Norton 360 desktop and mobile security software, while also rolling out a new licensing arrangement for combined PC, Mac and Android use.

Anti-virus software sales expected to show strong growth in 2012

In addition, Norton announced a novel plan for a new kind of customer support called "Norton One" that involves individualized unlimited assistance for customers who are mystified by computers, security and software — if they're willing to pay the annual membership fee.

Symantec's Norton 360 v. 6, available for Windows XP, Vista, and Windows 7, is desktop security combining network intrusion prevention, Norton's "Sonar" behavior-based protection, its "Insight" reputation analysis for malware, an anti-virus engine, and Web-based anti-phishing protection, among other features. The latest version of Norton 360 adds bells and whistles, such as the introduction of a Web portal so customers can access passwords they commonly use anywhere. Its "Download insight" capability, which had been in beta, will give users feedback on how safe it is to download a file.

There are now bandwidth controls to allow the user to monitor and control how mobile broadband, which is often metered by the provider, might be used, among other network services. And in another change, a so-called "self-healing" feature will now be apparent to the user as a green dialog box from Norton, which may appear, when needed, to say it has detected a unique error code in the user's machine and is applying an auto-fix correction to Norton 360 to adjust for it.

"These are probably errors unique to your environment," says Collin Davis, senior director of engineering at Norton. He says "there are a lot of idiosyncrasies that come up" that Norton will tackle with a minor custom build to Norton 360 v. 6 to correct the glitch. Norton has found this is needed because customers use such a wide range of computers and software these days that making use of the new auto-fix will quickly solve issues that distract users, plus minimize call volumes for tech support. This autofix is distinct from any general patch updates that might occur.

Microsoft Windows 8 is not yet out — it's not exactly clear when it will be but a beta is expected soon with year-end general release — but Norton is working closely with Microsoft to make sure that Norton 360 v. 6 will be able to run on Windows 8. "Microsoft has given us internal preview builds," Davis says, adding at this point Norton is highly confident that if someone bought Norton 360 v. 6 now, it would work on Windows 8 when it's available.

Norton 360 v. 6 costs $89 for up to three devices.

Norton 360 Everywhere

For the first time, Norton is coming out later this spring with what it calls Norton 360 Everywhere, which basically is a licensing plan for use of Norton 360 for up to five Windows or Apple Macintosh computers, plus any Android-based smartphones and tablets based on Android 2.1 and up. Subscribers will link to Android Marketplace to get the app for it. Norton 360 Everywhere includes 25GB of online storage. Pricing is yet not announced. Norton says it's the first time it's set up a single licensing of Norton 360 across platforms like this, and it's a testimony to the impact of mobile computing today. (It doesn't include Apple iOS devices, however, mainly because Apple's architecture is said not to lend itself to this use.)

13 security myths you'll hear -- but should you believe?

They're "security myths," oft-repeated and generally accepted notions about IT security that arguably are simply not true -- in order words, it's just a myth. We asked security experts, consultants, vendors and enterprise security managers to share their favorite "security myths" with us. Here are 13 of them:

Security Myth No. 1: "More security is always better."

IN PICTURES: 13 security myths

Bruce Schneier, security expert and author of several books, including his most recent, "Liars and Outliers," explains why this security concept of "you can't get enough" that's often bandied about is off the mark to him. Schneier explains: "More security isn't necessarily better. First security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut. Yes, the donut would be more secure, but it would make more sense to simply risk the donut." He also notes that "additional security is subject to diminishing returns. That is, measures that reduce a particular crime -- say, shoplifting -- by 25% cost some amount of money; but additional measures to reduce it another 25% cost much more. There will always be a point where more security isn't worth it. And as a corollary, absolute security is not achievable." Sometimes security may even become a moral choice and being in compliance might be an immoral decision, as it could pertain to a totalitarian system, for example. "Security enforces compliance, and sometimes complying isn't the right thing to do."

Security Myth No. 2: "The DDoS problem is bandwidth-oriented."

"There are a lot of urban myths you hear over time that aren't backed up by real evidence," says Carl Herberger, vice president of security solutions at Radware, who says there's a widespread belief among IT managers that if only they had enough bandwidth, distributed denial-of-service (DDoS) attacks would go away. The reality, he claims, is that since last year, it's become evident that more than half of DDoS attacks are not characterized by bandwidth at all but are application-oriented, where attackers strike at the application stack, and exploit standards for purposes of service disruption. In these circumstances, having more bandwidth actually helps the attacker. In fact, only about one-quarter of the DDoS attacks seen today are mitigated by adding bandwidth, Herberger contends.

Security Myth No. 3: "Regular expiration (typically every 90 days) strengthens password systems."

"I think this is like the nutritional advice that urges us to drink eight glasses of water a day," says Ari Juels, chief scientist, RSA, the security division of EMC, about his favorite myth, which is that passwords should be expired regularly. No one knows where this came from or if it's good advice at all, he points out. "In fact, recent research suggests that regular password expiration may not be useful," says Juels. Research that RSA Labs has done suggests that if an organization is going to expire passwords, it should do so on a random schedule, not a fixed one.

 

Apple's iPad 3 could face customs ban in China

Apple's much speculated iPad 3 has emerged as the latest target in an ongoing trademark dispute in China, after a little-known Chinese firm said on Wednesday it has filed for a customs ban with local authorities to stop the import and export of the tablet.

Ma Dongxiao, a lawyer for display vendor Proview, said the company has filed the request with the country's custom offices, but declined to offer details. "We feel that Apple is infringing on the iPad trademark," he said, adding that the company's goal was to stop shipments of Apple's next generation iPad.

Both Proview and Apple have been locked in a legal battle to determine which company owns the iPad trademark in mainland China. In December, a Shenzhen court rejected Apple's claims to the trademark, putting the company's iPad at risk of further legal action in the country.

China is not only a major market for Apple, but also home to many of the factories that build the company's products. If a customs ban is allowed, it could stop the import of iPad tablets to the country, but is unlikely to affect exports, said Stan Abrams, an intellectual property lawyer and professor at Beijing's Central University of Finance and Economics.

"Apple can come back and say to the government, 'We have the right to make stuff here,'" he said, noting that Apple owns the iPad trademark in other countries.

More than 30 commercial regulatory offices in China are investigating Apple's sales of the iPad following complaints made from Proview, according to the company's lawyer. One of those offices, located in the Chinese city of Xuzhou, confirmed on Wednesday an investigation was taking place, but declined further comment. Another Chinese city, Shijiazhuang, has reportedly seized iPad tablets from merchants.

Apple did not immediately respond to a request for comment. The company has appealed the December court ruling. Apple claims the company bought the iPad trademark from Proview's subsidiary in Taiwan.

Although its still unclear how authorities will proceed, Abrams said Proview is pressuring Apple to settle and buy the iPad trademark. But Proview, which has filed for bankruptcy, could be asking for a sum Apple believes is too high and unwilling to pay.

"If there isn't a (settlement), this could be a big problem for Apple," he said. "They could have damages to pay for past iPad sales and even future sales. That's a big headache. Proview has all these cases they have filed all over the country."

 

 

Microsoft, Oracle, Adobe send patches for Valentine's Day

The Valentine's Day 2012 edition of Patch Tuesday is upon us, and Microsoft has come forward with details on the nine bulletins it previewed last week.

Although Lumension security and forensic analyst Paul Henry are calling it a "pretty sweet Valentine's Day" for Microsoft, given the relatively light patch load for the month, additional patches from Adobe may spoil the mood for others.

VALENTINE'S DAY PATCH TUESDAY: Microsoft to issue 9 patches, 4 critical

As previously noted, four of Microsoft's nine security bulletins are deemed "critical." The most important, Henry says, are the two bulletins that have been publicly disclosed. One is susceptible to remote code execution in Windows, while the other addresses a similar vulnerability in Silverlight and the .NET Framework.

Beyond that, Henry believes the two patches deemed "important" should receive higher priority because they have also been publicly disclosed. Both are susceptible to remote code execution in Windows, one through the Color Control Panel and the other through Indeo Codec.

However, given the recent spike in browser-based attacks, Qualys CTO Wolfgang Kandek says the patch for four privately discovered vulnerabilities in Internet Explorer -- MS12-110 -- should receive the most attention.

"We have seen how quickly attackers can react to new vulnerabilities when exploits for MS12-004 appeared within 2 weeks of its release on attack sites," Kandek says. "So while none of the vulnerabilities in MS12-010 were publicly known, you should install this fix as quickly as possible."

Although it surpassed the seven bulletins released last month, the nine patches issued today is a low for the month of February since 2009. That's a sign that a focus on security may be paying off for Redmond, Henry says.

However, a happy Valentine's Day for Microsoft doesn't necessarily mean the same for the IT department. Citing Oracle's concurrent release of patches for 14 Java vulnerabilities, which have been targeted particularly frequently of late, Henry says some support teams may have their hands full.

"The light patch load from Microsoft does not mean IT can sit back and relax however," Henry says. "A significant patch update from Oracle came out recently and, as always, threats targeting Java must be addressed, as currently it is the bad guys' most popular attack vector."

Similarly, Adobe released five security bulletins today as well. Four of the patches, specifically those addressing vulnerabilities in Shockwave Player, Flash Media Player Server, Flash Player and Photoshop, were deemed critical, while another targeting vulnerabilities in Robohelp was rated important.