
Kudos14 Stats

Symantec, Please Explain

I would like to hear from Symantec why they chose to remove the local ID Safe.

In Beta testing Tim_Lopez posted this  -

All,

 

The plan at this point is to have the local vault be removed from the product and have the online vault be the only option. 

 

If you would like to voice your concern about this, please do so in this thread and let us know why you disagree with this decision. We value your feedback so please give us detailed feedback as to why you prefer local vaults if this change is undesired on your part. 

Cheers,
Tim Lopez
Norton Forums Administrator
Symantec Corporation

http://community.norton.com/t5/Norton-360-2013-Norton-Internet/What-happened-to-ID-Safe-local-vault/m-p/774634/highlight/true#M2755

We were told that Symantec "valued" our feedback. It was and is obvious that the majority of people are in favour of keeping the local ID Safe. Please return it permanently in the 2013 and above products, or at the very least, please explain why this decision was made.

I would also like to hear Symantec's take on the controversial "Share" button and why we can't disable it.

Eagerly waiting a reply,

Thank you.

Dave
A little bit of knowledge is... well a little bit of knowledge.

Replies

Kudos0

Re: Symantec, Please Explain

If a stealthy malware breaks your system, all bets are off anyway. Once your system is compromised you cannot be certain about anything. A sophisticated malicious program can control your system just as easily as you can - except you might not even be aware that it is there.

You are right. If a sophisticated malware gets into my system, everything is compromised. However, for what reasons do companies like Kaspersky and Bitdefender add features to isolate the browser from your bank? For what reasons do they add a virtual keyboard to enter your password? There must be some important reason for implementing these features.

What do you think about this?

Kudos1 Stats

Re: Symantec, Please Explain


Joao40 wrote:

However, for what reasons do companies like Kaspersky and Bitdefender add features to isolate the browser from your bank? For what reasons do they add a virtual keyboard to enter your password? There must be some important reason for implementing these features.

What do you think about this?


Sandboxing the browser and using a virtual keyboard will no doubt protect your online transactions from some types of malware that may already be present on your system.  But as we like to say around here, nothing is 100% effective against everything.  And note again, that if you are already infected, you really have no idea what sorts of malware may be hiding behind the visible stuff.  Your best defense is to not get infected in the first place.

Security is always a balance between safety and convenience.  Obviously the safest choice is to do your banking at the bank, and forgo online banking entirely.  Short of that, using a Linux Live CD instead of Windows offers a great deal of security, but at a tremendous inconvenience.  But since, if you are not a small business, your bank should cover any losses due to fraudulent transactions anyway, most individuals who take sensible precautions can probably do their online banking in Windows without undue trepidation.

You certainly should not be running two or more real-time security products together, as the performance and security degradation will more than offset any benefit you might get from any particular feature you are trying to add.  If you are really concerned about protecting your online transactions from resident malware, you might look into a product called Trusteer Rapport, which is offered to customers for free by many banks.  It should work alongside your regular security program that you use for real-time protection, although there may or may not be some effect on system performance.  I don't think TR is really necessary in most cases, but if your bank offers it, and it gives you peace of mind, there is no harm in giving it a go.

Kudos0

Re: Symantec, Please Explain

Thanks for your clarification.

I have several computers, but do not use two security suites on a computer.

I have Bitdefender installed on some computers and have Norton installed elsewhere. This allows me to have some idea of the resources of the two suites. I appreciate the Safepay feature in Bitdefender, for the reasons already mentioned.

I have read technical explanations in PC Magazine and on the Bitdefender forum, for some types of malware. In PC Magazine's tests, a keylogger cannot capture the images on the virtual keyboard.

On the Bitdefender forum, there is exhaustive information on the operation of Safepay. Safepay is not a sandbox, but a resource user, with very specific characteristics. I'm not here to talk about it. Users who are concerned with security should do their own research.

The more pertinent question for me is what sort of resources can minimize the risk of information capture in the browser and on my desktop. I think all resources that minimize the risks of infection and capture of information are always welcome.

I liked having some features in Norton, which currently do not exist.

I do not know if you're of the same opinion.

A hug.

Kudos7 Stats

Re: Symantec, Please Explain

Hi Everyone,

As many of you know I pushed and pushed hard with Symantec to retain the LOCAL ID Safe. We have obviously lost that argument and though I am upset about it I move on.

There are a few things I would like to mention. First, out of CHOICE I chose to use the ONLINE ID Safe back when 2012 was first released. At first I did this mainly because I wanted to be able to support users on the forum, but I actually ended up very much liking the feature as it was very convenient to sync up multiple devices/computers. To be sure 2012 also went through some "growing pains" and I was at the lead in helping Symantec get the details needed to resolve these problems. After the first couple of months the ONLINE ID Safe feature was actually very solid and never had a problem with it until 2013 came out.

Unfortunately, concurrently with the 2013 release new problems cropped up which I had not seen in the prior 10 months before that while on 2012. Admittedly this is very disappointing and I am still working with Symantec to try and get these issues resolved.

But the other thing I wanted to mention is this. People have talked a LOT about what happens if the Symantec server is breached and users' online ID Safe data is stolen. I understand this and sympathize with this and again I 100% pushed for keeping the local vault option for users who want it.

However I feel I should point out once again that a hacker getting a hold of your online ID Safe is NOT in and of itself a breach of your account login details! That online ID Safe information (essentially a highly encrypted vault) is nothing but a file which is useless to the hacker without your password. If you have a sufficiently STRONG password (which Norton helps enforce via the program interface) it will take at least THOUSANDS of years for that hacker to brute force their way into your sensitive data.

If anyone wants advice on creating a sufficiently strong password feel free to ask and I'll be happy to provide guidance.

Now I don't offer this as approval of removing the local vault, because I still don't agree with that decision. BUT it does help to keep things in perspective.

And the last thing I wanted to mention for now is that despite this change in 2013 I STILL CHOOSE to keep my ONLINE ID Safe vault EVEN though my desktop computer is still running 2012! I have NOT reverted back to local vault.

Understand I am a software engineer and I understand all too well what the concerns are here but in the end I am actually NOT worried about it because I KNOW that I have a STRONG password and that NO hacker is ever going to be able to access my sensitive data. I do this knowing that the Symantec servers are probably a more ENTICING target because of this change to online vault only in 2013.

Just FWIW. :)

All the best,
Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.6.0.32* Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.6.0.32
Kudos0

Re: Symantec, Please Explain

Allen you could put that info in the tech section of the forum.

Cheers Mo Windows 7 64 bit, NIS2013
Kudos0

Re: Symantec, Please Explain

Hi;

Please see this post.

Either it is fixed by a Norton patch last week... or,  I provided an easy solution....  lol

Norton Community

Kudos0

Re: Symantec, Please Explain

NVM - Had a brain fart moment.       Grrrrr......

Still have to logon online to open vault...

Kudos1 Stats

Re: Symantec, Please Explain


AllenM wrote:

Hi Everyone,

As many of you know I pushed and pushed hard with Symantec to retain the LOCAL ID Safe. We have obviously lost that argument and though I am upset about it I move on.

 [...]


We are far from losing this argument, AllenM. Again, this is an issue that should have been addressed and resolved during the Norton 2013 product beta testing. Given that this issue has spilled out into the released product forums, the Norton management team now needs to stop sitting on their hands and start actively responding to the questions being raised here, just like they would during beta testing.   


AllenM wrote:

Understand I am a software engineer and I understand all too well what the concerns are here but in the end I am actually NOT worried about it because I KNOW that I have a STRONG password and that NO hacker is ever going to be able to access my sensitive data. I do this knowing that the Symantec servers are probably a more ENTICING target because of this change to online vault only in 2013.


But if you accidentally completed one of the interfaces that I provided earlier, then regardless of your STRONG password, I’m now browsing your logins and pondering on what I’m going to do next...

The Symantec servers are never going to be an enticing target; honestly, why waste time brute-forcing a user’s server-side vault when you can easily compromise a user’s vault credentials using the methods I’ve described earlier, or through social engineering?

Kudos0

Re: Symantec, Please Explain


elsewhere wrote:
We are far from losing this argument, AllenM. Again, this is an issue that should have been addressed and resolved during the Norton 2013 product beta testing. Given that this issue has spilled out into the released product forums, the Norton management team now needs to stop sitting on their hands and start actively responding to the questions being raised here, just like they would during beta testing.   

What further response do you want?  The decision to eliminate the local vault was clearly based on considerations other than just the popular vote of beta testers and regular users, and all of that has been explained.  I'm all in favor of efforts to convince Symantec that the product would be more appealing to users if the local vault were retained.  But I don't see why Symantec should be continually responding to the same questions that have already been raised and answered.  Even your point about two-factor authentication has been acknowledged by Symantec.

Kudos3 Stats

Re: Symantec, Please Explain


SendOfJive wrote:
What further response do you want?  The decision to eliminate the local vault was clearly based on considerations other than just the popular vote of beta testers and regular users, and all of that has been explained.  I'm all in favor of efforts to convince Symantec that the product would be more appealing to users if the local vault were retained.  But I don't see why Symantec should be continually responding to the same questions that have already been raised and answered.  Even your point about two-factor authentication has been acknowledged by Symantec.

What everyone wants is for Norton to realize that they need to make their customers happy before they lose them!  They can't continue to make decisions that take their products in directions that are not what the customers want.  They and every other company who sells to the public need to realize there are many choices in the marketplace and they cannot make arbitrary decisions and keep a good relationship with their customers.

Kudos0

Re: Symantec, Please Explain

Hello, Elsewhere. I surely hope that you will win this argument, but please acknowledge my private messages to you. I would like to receive some intellectual messages, as I stated in the last thread I replied to you on.

Remember to follow the moral of my name.

Kudos0

Re: Symantec, Please Explain

This post is not just for Symantec, just remember it is for other users who may come across it and make them aware of an issue that they may not have thought about before.

Keep the relevant facts coming about the vault and online vault.

Cheers Mo Windows 7 64 bit, NIS2013
Kudos4 Stats

Re: Symantec, Please Explain


SendOfJive wrote:

elsewhere wrote:
We are far from losing this argument, AllenM. Again, this is an issue that should have been addressed and resolved during the Norton 2013 product beta testing. Given that this issue has spilled out into the released product forums, the Norton management team now needs to stop sitting on their hands and start actively responding to the questions being raised here, just like they would during beta testing.   

What further response do you want?  The decision to eliminate the local vault was clearly based on considerations other than just the popular vote of beta testers and regular users, and all of that has been explained.  I'm all in favor of efforts to convince Symantec that the product would be more appealing to users if the local vault were retained.  But I don't see why Symantec should be continually responding to the same questions that have already been raised and answered.  Even your point about two-factor authentication has been acknowledged by Symantec.


We’re all still waiting for a response from Symantec with regards to the following statement that I made 3 weeks ago:

"Right now, we're all awaiting Symantec's detailed counter-response to the vulnerability with this feature that I described earlier here."

In the beta testing forums, Symantec employees would have typically responded to this concern within a day or two.

I’m a little unsure as to why there is a perception that a ‘popular vote’ is somehow involved here. Using an excerpt from the current ‘Norton Zone’ beta testing Welcome post as a typical example of Symantec’s public beta testing expectations, Symantec’s mandate to beta testers and regular users who chose to comment reads as follows:

"Please give us your feedback on the Norton Zone product. Post your issues, suggestions, questions, or anything related to the Norton Zone on the Norton Zone Public Beta. We want this product to be the best quality product when we release. Please let us know how we can improve the software."

Symantec understands that the beta product on offer may have some features that will be criticised by beta testers. If a beta tester deems that a particular feature poses an undue risk to end users, then a thread will be raised to block its deployment, pending further discussions with Symantec.

Given that, this post is raised as an equivalent block. Symantec: please respond to the concern raised above.

Kudos0

Re: Symantec, Please Explain

Hi elsewhere,

If I follow you correctly, you are still focusing on the use of two-factor authentication as a protection against phishing.  In fact, that was answered by Symantec here:

http://community.norton.com/t5/Norton-Toolbar-Norton-Identity/Symantec-Please-Explain/m-p/833520/highlight/true#M5015

Phishing will always be with us, and the success of a phishing attack relies on the user's susceptibility to social engineering.  It does not represent a vulnerability in the online vault.  Two-factor authentication will prevent some, but not all, types of phishing from being effective, so yes, it will provide an additional safeguard - but social engineering can still be used to attempt to gain access to any protected data anywhere (not just Norton's), and preys on a user's vulnerability, not a weakness in the data storage system.

I don't quite follow your comments on beta testing and the solicitation of user feedback.  I'm certain that Symantec looks at all user input to see where improvements can be made in a product, but that doesn't mean that all suggestions will be, or should be, adopted. 

Kudos0

Re: Symantec, Please Explain

Hi Alejandrita,

I am anxious to put this to use on the malfunctioning Identity Safe on my Google/Android Nexus-7.  When and where do I download the new Version?  Should I completely uninstall the existing Identity Safe, reboot my Nexus-7, and then reinstall the Identity Safe mobile app that is currently available via Google's Play Now app store?

Thank you in advance for your time,

Be well,

Apocryphal

Kudos1 Stats

Re: Symantec, Please Explain


Apocryphal wrote:

Hi Alejandrita,

I am anxious to put this to use on the malfunctioning Identity Safe on my Google/Android Nexus-7.  When and where do I download the new Version?  Should I completely uninstall the existing Identity Safe, reboot my Nexus-7, and then reinstall the Identity Safe mobile app that is currently available via Google's Play Now app store?

Thank you in advance for your time,

Be well,

Apocryphal


That sounds like what you would do.

I'll ask that your post be moved to the Mobile boards of this forum for better exposure to those using mobile devices.

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: Symantec, Please Explain

Alejandritia,
Thank you for this reply to my post about reinstallation of the Norton Identity Safe Mobile App for the Google/Android OS running on my Asus Nexus-7. I will do this right away and if successful in solving the Online Vault password rejection problem
Kudos0

Re: Symantec, Please Explain

Sorry, accidental early Post transmission...

Alejandritia,
Thank you for this reply to my post about reinstallation of the Norton Identity Safe Mobile App for the Google/Android OS running on my Asus Nexus-7. I will do this right away and regardless of my success or failure in solving the Online Vault password rejection problem, I will post my results in the Mobile boards section of the Norton Community Forum -- rather than here -- for better Community exposure.
Thank you as always for your time and consideration in helping me (and others) solve this problem.
Be well,
Apocryphal
Kudos0

Re: Symantec, Please Explain

To Everyone on the Current Thread,
I am reinserting the posts, below, into this thread because somehow my initial reply to Alejandrita deleted her post and my replies after it, making this part of the thread difficult to read. I hope this restores some sense of continuity to the thread:

12:32 PM
Alejandrita quoted and wrote:

"Hi Alejandrita,
I am anxious to put this to use on the malfunctioning Identity Safe on my Google/Android Nexus-7.  When and where do I download the new Version?  Should I completely uninstall the existing Identity Safe, reboot my Nexus-7, and then reinstall the Identity Safe mobile app that is currently available via Google's Play Now app store?
Thank you in advance for your time,
Be well,
Apocryphal"

That sounds like what you would do.
 
I'll ask that your post be moved to the Mobile boards of this forum for better exposure to those using mobile devices.
 
 
 
Apocryphal (Contributor)
3:05 PM
Alejandritia,
Thank you for this reply to my post about reinstallation of the Norton Identity Safe Mobile App for the Google/Android OS running on my Asus Nexus-7. I will do this right away and if successful in solving the Online Vault password rejection problem
Apocryphal (Contributor)
3:21 PM
Sorry, accidental early Post transmission...

Alejandritia,
Thank you for this reply to my post about reinstallation of the Norton Identity Safe Mobile App for the Google/Android OS running on my Asus Nexus-7. I will do this right away and regardless of my success or failure in solving the Online Vault password rejection problem, I will post my results in the Mobile boards section of the Norton Community Forum -- rather than here -- for better Community exposure.
Thank you as always for your time and consideration in helping me (and others) solve this problem.
Be well,
Apocryphal
Kudos0

Re: Symantec, Please Explain

Hi Alejandrita,
I have done all you recommended regarding uninstalling the Norton IS mobile stand alone app from my Asus Nexus-7 running GoogleAndroid's 4.2 tablet OS. I rebooted, and reinstalled using the newest version of the app available from Google's Play Now app store. I reinstalled, and followed all instructions exactly -- double and triple checking user name and password case and spelling along the way.
No go. It still rejects my online vault password, just as before.
My main post about this is in the Mobile Forum, as you requested.
Any suggestions?
Thank you as always in advance for your time and trouble.
Be well,
Apocryphal
Kudos0

Re: Symantec, Please Explain

Apocryphal,

Why are you posting in this thread?

A little bit of knowledge is... well a little bit of knowledge.
Kudos0

Re: Symantec, Please Explain

Krusry 13,
I was asked by Norton representative Alejandrita to view and respond to the Solution that she put in the middle of this Thread. The Solution, which on the Norton Toolbar/Identity Safe discussion boards has been controversial because of its proposal to eliminate the local Password Vault, on the Mobile Device discussion boards has not been controversial because it was simply a means of getting a defective Identity Safe to work, was something that I replied to -- which is more or less what she asked -- but then I was supposed to Post a new Thread to the Mobile Device discussion boards as to how uninstallation followed by reinstallation of an upgraded Identity Safe app proceeded. Since this was the last place Alejandrita had seen a post from me, I wanted to leave a marker so she would know where to look. I fully expected that after she read my post she would arrange to have it removed from this thread, since it doesn't belong here. I sincerely apologize if I have caused difficulty or given offense -- I am still fairly new to these message boards.
Have a good day and be well,
Apocryphal
Kudos0

Re: Symantec, Please Explain

How can you say that on-line is the best solution when the tool bars don't work in Internet Explorer 9 and Firefox 17?  Even your own tech support confirms the issues we are all having.  But here is the real issue, from an "existing customer" of over 10 years.  You took away the local vault when I reinstalled my OS (Win7).  Since the online vault is broken, I can only get to my passwords via the website, which logs me out after 15 minutes, then when I try to log back in it opens the cards, but then closes in about 5 seconds due to inactivity.  Huh?

At this point, since there is no fix in sight, I just want my passwords back, I keep them in an Excel worksheet, it's much faster and reliable.  And in my opinion safer since Norton knows there is a problem with Identity Safe, but know what it is, does this mean, there are potentially security vulnerabilities that would allow my on-line passwords to be stolen.  Yes my confidence in Norton after 10 years is rapidly declining...

Kudos0

Re: Symantec, Please Explain

Wow, this is the first time I used the Norton Community, after reading that I am so not alone in my frustration with Norton, I am gone.  After 10+ years, gotta find a new tool...

I guess they reached their peak some time ago and I just didn't want to face reality.

I will give Norton one kudo, they send me a warning notice that I was about to auto renew, clearly turned that off...

Kudos0

Re: Symantec, Please Explain

I switched to Kaspersky PURE 2.0 and I am much happier now.

Kudos6 Stats

Re: Symantec, Please Explain


SendOfJive wrote:

Hi elsewhere,

[...]

I don't quite follow your comments on beta testing and the solicitation of user feedback.  I'm certain that Symantec looks at all user input to see where improvements can be made in a product, but that doesn't mean that all suggestions will be, or should be, adopted. 


 

The point I’m making here is that there is a high degree of interaction and mutual respect happening between the Symantec employees who are managing or actively contributing to the Norton product beta release and the product beta testers themselves. If we have suggestions on how to improve the product, then Symantec actually listens. A simple example of this would be the suggestion to change the placement of the update size information for each component listed in a NIS 2013 LiveUpdate session in the Security History in order to make analysis of the information easier (see here). Symantec agreed with this proposal and deployed this change in the latest 2013 product update.

The same process applies when Norton beta testers take a critical view of a new beta product feature. An early implementation of the Site Safety icons shown in a browser’s search results looked like this:

This implementation was rejected by beta testers because the yellow colour of the Norton Secured icon can’t be used in isolation to imply that a site is safe (it breaks both the universally accepted traffic light paradigm and the premise of ‘site safety at-a-glance’). After a lively debate on this issue, Symantec offered the following implementation as an acceptable solution:


SendOfJive wrote:

Hi elsewhere,

If I follow you correctly, you are still focusing on the use of two-factor authentication as a protection against phishing.  In fact, that was answered by Symantec here:

http://community.norton.com/t5/Norton-Toolbar-Norton-Identity/Symantec-Please-Explain/m-p/833520/highlight/true#M5015

Phishing will always be with us, and the success of a phishing attack relies on the user's susceptibility to social engineering.  It does not represent a vulnerability in the online vault.  Two-factor authentication will prevent some, but not all, types of phishing from being effective, so yes, it will provide an additional safeguard - but social engineering can still be used to attempt to gain access to any protected data anywhere (not just Norton's), and preys on a user's vulnerability, not a weakness in the data storage system.

[...]


No, what I’m continually raising as a concern/block here with respect to this feature is that the online vault has been made mandatory with the Norton 2013 product release even though, based on my point of view, it can be easily compromised using the interfaces that I provided earlier in its current form. If this is true, then what everyone needs to understand here, including Symantec, is that the phishing attacks against end-users that I’m posting about will arrive based on a user’s unfamiliarity with the new Norton login interfaces. Introducing new Identity Safe login interfaces in the Norton 2013 products, making the associated Identity Safe Vault data only available online and then making it mandatory is a toxic mix for those Norton users who don’t understand how this feature works. That’s why I need Symantec to respond to this concern.

Let’s not forget what Norton’s Identity Theft primer defines as the potential impact on end users; take note of the potentially sensitive information listed below:

“It can take several months for you to discover if you're a victim of identity theft. During that time, thieves can plunder accounts or run up serious debt in your name.

Regularly check your credit report for unusual activity. If you see anything strange or unexpected, like a new credit line you didn't open, follow up immediately. Meanwhile, monitor activity on all your financial accounts--from banking to investments to credit cards. If the financial companies you do business with offer activity alerts, sign up for them. And if you receive an alert or your financial institution reports unusual account activity, respond as soon as possible.

If someone has stolen your identity, quickly take steps to minimize the damage. Close financial accounts that may be compromised. Cancel your driver's license or IDs you may have lost. Put a fraud alert on your credit report and track your report closely for the next few years."

Based on the information provided above, these are the reasons why Norton needs to continue to make the local-vault-on-install feature available in the Norton 2013 product range.

Symantec: Please address and respond to the concerns raised above

Thanks.

Kudos1 Stats

Re: Symantec, Please Explain


elsewhere wrote:
...making the associated Identity Safe Vault data only available online and then making it mandatory is a toxic mix for those Norton users who don’t understand how this feature works.

You can hardly blame Norton if users do not take the time to learn about the product.  You are still essentially talking about a phishing attack, where, presumably, a user would get an email asking them to go to a fake login page and sign into Identity Safe.  If a user doesn't recognize this as suspicious, or worse, doesn't even recognize when a log-in page appears fundamentally different from the real thing (an extra field to fill in) then it seems the issue is with the user, not the product.  I agree that whatever steps Norton can take to lessen the risk to unsuspecting users would be welcome enhancements.  But ultimately, social engineering will succeed or fail on the acumen of the user, and if users are going to have passwords for any online accounts - stored in a vault or not - the security of those passwords depends upon their actions as much as anything else. 

Kudos1 Stats

Re: Symantec, Please Explain


SendOfJive wrote:

elsewhere wrote:
...making the associated Identity Safe Vault data only available online and then making it mandatory is a toxic mix for those Norton users who don’t understand how this feature works.

You can hardly blame Norton if users do not take the time to learn about the product.  You are still essentially talking about a phishing attack, where, presumably, a user would get an email asking them to go to a fake login page and sign into Identity Safe.  If a user doesn't recognize this as suspicious, or worse, doesn't even recognize when a log-in page appears fundamentally different from the real thing (an extra field to fill in) then it seems the issue is with the user, not the product.  I agree that whatever steps Norton can take to lessen the risk to unsuspecting users would be welcome enhancements.  But ultimately, social engineering will succeed or fail on the acumen of the user, and if users are going to have passwords for any online accounts - stored in a vault or not - the security of those passwords depends upon their actions as much as anything else. 


Well since Norton is using the fact that having 2 options (local and online) was confusing to users as the reason for only having one option it would seem that they should have chosen the one that are an easy and was the most secure when.  However they didn't do this and instead chose the one that potentially could cost more security problems.  They could have chosen the one that users were more familiar with but didn't.

Kudos0

Re: Symantec, Please Explain


Msradell wrote:
Well since Norton is using the fact that having 2 options (local and online) was confusing to users as the reason for only having one option it would seem that they should have chosen the one that are an easy and was the most secure when.  However they didn't do this and instead chose the one that potentially could cost more security problems.  They could have chosen the one that users were more familiar with but didn't.

The idea was to provide a single storage solution that would be accessible from mobile devices - a functionality that is becoming indispensable to many users.  Because the online vault may be unfamiliar, but is otherwise neither inherently difficult to understand, nor fundamentally insecure, it seems reasonable that Symantec would select that as the solution offering the most usability.  The issue is not which vault to retain, but whether they should have kept both, possible user confusion notwithstanding.  Clearly, almost all of us would prefer to have a choice, although I would rate convenience and reliability ahead of security as considerations for retaining the local vault.

Kudos0

Re: Symantec, Please Explain


SendOfJive wrote:

elsewhere wrote:
...making the associated Identity Safe Vault data only available online and then making it mandatory is a toxic mix for those Norton users who don’t understand how this feature works.

You can hardly blame Norton if users do not take the time to learn about the product.  You are still essentially talking about a phishing attack, where, presumably, a user would get an email asking them to go to a fake login page and sign into Identity Safe.  If a user doesn't recognize this as suspicious, or worse, doesn't even recognize when a log-in page appears fundamentally different from the real thing (an extra field to fill in) then it seems the issue is with the user, not the product.  I agree that whatever steps Norton can take to lessen the risk to unsuspecting users would be welcome enhancements.  But ultimately, social engineering will succeed or fail on the acumen of the user, and if users are going to have passwords for any online accounts - stored in a vault or not - the security of those passwords depends upon their actions as much as anything else. 


But who exactly are these users that you mention ‘who do not take the time to learn about the product’?

Aren't they the same users mentioned here in the following Symantec blog?

http://www.symantec.com/connect/blogs/friends-dont-let-friends-misunderstand-clouds

Symantec has a duty of care to protect and keep the users mentioned in the link above informed of any changes, don’t they?

In terms of the phishing attack described earlier, email is one attack vector but one of the most likely and brazen attacks to come will mimic the current Norton Account login process via the Internet Explorer 9 browser, as described below.

To illustrate:

  1. Open the NIS 2012/2013 main interface and click on the ‘Account’ link.
  2. If IE9 is your default browser, then you should now see a new IE9 window that contains a prompt to log in to your Norton Account.
  3. Compare that login prompt in the new IE9 window with the one shown below.

Comparison image:

If you put yourself in the shoes of a user who knows nothing about this Norton product (just like we do in the Beta testing forum), then would you have known that the interface shown above was a fake if it appeared in your IE9 browser?

Please advise. 

Thanks

Kudos0

Re: Symantec, Please Explain


elsewhere wrote:
But who exactly are these users that you mention ‘who do not take the time to learn about the product’?

Aren't they the same users mentioned here in the following Symantec blog?

http://www.symantec.com/connect/blogs/friends-dont-let-friends-misunderstand-clouds

Symantec has a duty of care to protect and keep the users mentioned in the link above informed of any changes, don’t they?

In terms of the phishing attack described earlier, email is one attack vector but one of the most likely and brazen attacks to come will mimic the current Norton Account login process via the Internet Explorer 9 browser, as described below.

The blog post concerns the need to find ways to educate users about ways to stay safer online.  It is not about dumbing down products to cater to some users' unwillingness to learn.  I believe it supports my point that people need to be knowledgeable about such things, and the challenge is to find ways to accomplish this.

As for the fake login page, email would be the most likely attack vector.  Clicking a link in the Norton product and ending up at a counterfeit website would require that the Norton site itself be compromised - the other method, malware installed on individual PCs to redirect users, could only affect a very small number of potential victims.  It's not impossible that the login site could be hacked, but it is certainly extremely unlikely, and not something that I would spend much time worrying about.  The same can be said for the malware approach.  Email would be the most efficient way to reach the greatest number of users.  And people certainly ought to know by now not to click a link in an email and enter your passwords on the page that comes up.

Kudos1 Stats

Re: Symantec, Please Explain


SendOfJive wrote:

elsewhere wrote:
But who exactly are these users that you mention ‘who do not take the time to learn about the product’?

Aren't they the same users mentioned here in the following Symantec blog?

http://www.symantec.com/connect/blogs/friends-dont-let-friends-misunderstand-clouds

Symantec has a duty of care to protect and keep the users mentioned in the link above informed of any changes, don’t they?

In terms of the phishing attack described earlier, email is one attack vector but one of the most likely and brazen attacks to come will mimic the current Norton Account login process via the Internet Explorer 9 browser, as described below.

The blog post concerns the need to find ways to educate users about ways to stay safer online.  It is not about dumbing down products to cater to some users' unwillingness to learn.  I believe it supports my point that people need to be knowledgeable about such things, and the challenge is to find ways to accomplish this.

[...]


The blog post above also clearly profiles the users that I was referring to earlier who typically need such education and protection, doesn’t it? They are the users who need to be protected by default, out-of-the-box, with minimal interaction on their behalf.

I’m not sure where you are coming from with your comment about “dumbing down products to cater to some users' unwillingness to learn”. Can you please clarify this comment as it is not something that I’ve suggested?

Thanks


SendOfJive wrote:

[...]

As for the fake login page, email would be the most likely attack vector.  Clicking a link in the Norton product and ending up at a counterfeit website would require that the Norton site itself be compromised - the other method, malware installed on individual PCs to redirect users, could only affect a very small number of potential victims.  It's not impossible that the login site could be hacked, but it is certainly extremely unlikely, and not something that I would spend much time worrying about.  The same can be said for the malware approach.  Email would be the most efficient way to reach the greatest number of users.  And people certainly ought to know by now not to click a link in an email and enter your passwords on the page that comes up.


Just to clarify, what I suggested previously is that a user may bump into a website that mimics or offers a fraudulent Norton Account login process rather than intercepting a real Norton Account login process. The instructions listed previously were given to highlight to other forum members how the Norton Account login interface demands attention when it gains focus in the IE9 browser (in a manner similar to the way that dialog boxes are presented when the screen darkens when a Windows User Account Control session is invoked).  This behaviour forces the user to make an immediate decision as to whether he or she should complete the displayed ‘Norton Account’ sign-on dialog box displayed in the browser or not. A single wrong choice here, under NIS 2013, will lead to all of that user's Identity Safe data being compromised...

Given that we are now discussing the pros and cons of each attack method, is it fair to say that you have now agreed with me that the current implementation of the Norton 2013 Online Identity Safe feature can be easily compromised using the methods I’ve described earlier?

Kudos0

Re: Symantec, Please Explain

Hi elsewhere,

Again, your example is a basic phishing attack which relies on social engineering.  You are presenting a case where, by definition, user action is required for the attack to be successful.  Educated users are far less likely to be tricked into submitting their credentials - and education, not product design, was the point of the article you referenced.

We have already agreed that two-factor authentication could help prevent some, but not all, phishing attacks from succeeding (assuming less sophisticated users would not abandon it as being too inconvenient).  And Symantec has indicated that something along those lines is anticipated.  But no matter what sorts of out-of-the-box protections are put into place, the fact is that in the sort of attack you envision, the user is now and always will be the weakest link.  Just checking to see that your browser address bar shows that you are at the correct Norton login page and that the connection is encrypted - a basic precaution everyone should know to follow - would be sufficient to prevent this attack from succeeding.
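
The address-bar check described in the post above, written out as explicit tests. This is an added example, not part of the original post and not Norton code; the origin `https://login.vendor.example` is a placeholder assumed for illustration (the thread does not give the real sign-in address), and every sample URL is constructed.

```javascript
// Added example: the "check the address bar" precaution as explicit tests.
// EXPECTED_ORIGIN is a placeholder (assumption), not the real sign-in host.
const EXPECTED_ORIGIN = "https://login.vendor.example";

// Returns { ok, reason } for a page that is asking for the vault password.
function checkLoginUrl(candidate, expectedOrigin = EXPECTED_ORIGIN) {
  let url;
  let expected;
  try {
    url = new URL(candidate);
    expected = new URL(expectedOrigin);
  } catch {
    return { ok: false, reason: "unparseable" };
  }

  // "The connection is encrypted": anything other than https fails outright.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not-https" };
  }

  // In https://trusted-name@other-host/ the text before "@" is userinfo,
  // so the trusted-looking name is not the host that gets contacted.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo-before-host" };
  }

  if (url.hostname !== expected.hostname) {
    // The URL parser rewrites non-ASCII host labels as punycode ("xn--...");
    // such a label in a near-match host indicates a look-alike character.
    const labels = url.hostname.split(".");
    if (labels.some((label) => label.startsWith("xn--"))) {
      return { ok: false, reason: "punycode-label" };
    }
    // The expected name used as a prefix or fragment of a different host.
    if (url.hostname.includes(expected.hostname)) {
      return { ok: false, reason: "lookalike-host" };
    }
    return { ok: false, reason: "wrong-host" };
  }

  // Same host on an unexpected port is still a different origin.
  if (url.port !== expected.port) {
    return { ok: false, reason: "wrong-port" };
  }
  return { ok: true, reason: "match" };
}

// Constructed sample URLs, one per failure mode plus the genuine one.
const SAMPLE_URLS = [
  "https://login.vendor.example/signin",
  "http://login.vendor.example/signin",
  "https://login.vendor.example@198.51.100.7/signin",
  "https://login.vendor.example.account-check.example/signin",
  "https://login.v\u0435ndor.example/signin", // Cyrillic "е" in "vendor"
  "https://login.vendor.example:8443/signin",
  "https://signin.other.example/vendor",
  "login page",
];

// Runs the check over a list of URLs and returns one result row per URL.
function auditUrls(urls = SAMPLE_URLS) {
  return urls.map((u) => ({ url: u, ...checkLoginUrl(u) }));
}

for (const row of auditUrls()) {
  console.log(`${row.ok ? "PASS" : "FAIL"}  ${row.reason.padEnd(22)} ${row.url}`);
}
```

Only the first sample passes; each of the others would show a plausible-looking name somewhere in the address bar while failing one specific test.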

Kudos0

Re: Symantec, Please Explain


SendOfJive wrote:

Hi elsewhere,

Again, your example is a basic phishing attack which relies on social engineering.  You are presenting a case where, by definition, user action is required for the attack to be successful.  Educated users are far less likely to be tricked into submitting their credentials - and education, not product design, was the point of the article you referenced.

[...]


Hi SendOfJive

It’s always been about a phishing attack. In terms of education, how has Norton advised Norton 2013 product users that their Identity Safe feature has now fundamentally changed, and that their data is now being stored online instead of locally?

Based on my previous post, can you please explain your reasoning in terms of how you concluded that I was advocating ‘product design’ over 'education' with regards to your comment above on the point of the article? Thanks.


SendOfJive wrote:

[...]

We have already agreed that two-factor authentication could help prevent some, but not all, phishing attacks from succeeding (assuming less sophisticated users would not abandon it as being too inconvenient).  And Symantec has indicated that something along those lines is anticipated.  But no matter what sorts of out-of-the-box protections are put into place, the fact is that in the sort of attack you envision, the user is now and always will be the weakest link.  Just checking to see that your browser address bar shows that you are at the correct Norton login page and that the connection is encrypted - a basic precaution everyone should know to follow - would be sufficient to prevent this attack from succeeding.


Until such time that two-factor authentication becomes an actual feature of the product, then it’s safe to say that no user is afforded any protection by Symantec’s “best intentions”.

You wrote:

“But no matter what sorts of out-of-the-box protections are put into place, the fact is that in the sort of attack you envision, the user is now and always will be the weakest link.”

I’d suggest that:

“But no matter what sorts of out-of-the-box protections are put into place, the fact is that in the sort of attack you envision, the user is now and always will be the weakest link.”

is probably closer to the truth here. Wouldn’t you agree that the user is almost always the weakest link in any sort of attack?

In terms of out-of-the-box protection, let’s hypothetically see how 10,000,000 of Norton’s “non-tech-savvy” users, who have no need for an online vault, would fare under both the 2012 and 2013 versions of the product. Each user has 10 sensitive logins stored in their Identity Safe vault. The Norton Account/Identity Safe Vault credential harvester interfaces provided earlier are assumed to have resulted in a 50 percent success hit rate.

Results as follows:

| Measure | Under NIS 2012 | Under NIS 2013 |
|---|---|---|
| Users | 10,000,000 | 10,000,000 |
| Default Online Vaults | - | 10,000,000 |
| Default Local Vaults | 10,000,000 | - |
| Number of Identity Safe Vault Logins | 10 | 10 |
| Phishing Hit Rate | 50% | 50% |
| Compromised Users | 5,000,000 | 5,000,000 |
| Compromised Norton Accounts | 5,000,000 | 5,000,000 |
| Compromised Identity Safe Vault Credentials | - | 50,000,000 |

Clearly the Norton 2012 product offers the ‘non-tech savvy’ user the best protection out-of-the-box, doesn’t it?

Kudos2 Stats

Re: Symantec, Please Explain

I have just posted up a question about the non-existence of a local Vault in the NIS 2013 after carrying out an extensive search of the forum regarding the issue, then minutes after posting I stumble on this thread!

I am extremely disappointed to read that Norton are not going to give us the Local Vault back.  I have no intention of entrusting all my personal information to an Online Vault, no matter what assurances I am given, and I am not going to go through the hassle of having to reinstall NIS 2012 then the latest version of NIS every time I get a new computer or do a clean install.  So sorry Symantec/Norton, if you have not re-instated the ability to create a local Vault by the time my subscription is due in a year's time I'll be joining the multitudes that are looking elsewhere for AV/Firewall/Security provision!

Kudos0

Re: Symantec, Please Explain


Treborvfr wrote:

So sorry Symantec/Norton, if you have not re-instated the ability to create a local Vault by the time my subscription is due in a year's time I'll be joining the multitudes that are looking elsewhere for AV/Firewall/Security provision!


All you really need to do is find a new password manager program, and there are several free ones out there.  You can keep the AV/Firewall/Security and use something else in place of Identity Safe.

Kudos0

Re: Symantec, Please Explain

True, just as there are other Security programs, just as good as NIS.  I liked the Vault (as it's now called) but since Norton are now dictating where I should store my personal information, and don't appear to give a hoot to what their users prefer, my gut reaction is to give my money (and loyalty) to someone else.

Kudos0

Re: Symantec, Please Explain


SendOfJive wrote:

Treborvfr wrote:

So sorry Symantec/Norton, if you have not re-instated the ability to create a local Vault by the time my subscription is due in a year's time I'll be joining the multitudes that are looking elsewhere for AV/Firewall/Security provision!


All you really need to do is find a new password manager program, and there are several free ones out there.  You can keep the AV/Firewall/Security and use something else in place of Identity Safe.


Why should we purchase a software package that doesn't do everything we want?  It's stupid to buy something and only use part of it and then purchase something else to do that portion.

Kudos0

Re: Symantec, Please Explain


Msradell wrote:
Why should we purchase a software package that doesn't do everything we want?  It's stupid to buy something and only use part of it and then purchase something else to do that portion.

All programs have strengths and weaknesses.  There is nothing wrong with using a particular program for its strengths, and finding alternative solutions for those secondary features that, for whatever reason, do not meet your needs.  Unless you are suggesting that we should all use nothing but Internet Explorer because it is a part of the operating system we all paid for.....

Kudos0

Re: Symantec, Please Explain

Trebor,

Don't you find it faintly amusing that one objects to storing one's passwords "in  the cloud" when they are used to access equally personal information that is in the cloud ... like our bank and credit card information.

The contents of your vault are highly encrypted and so if you establish a strong password and protect it from becoming known I don't see danger in the use of in the cloud storage.

If the Norton Server should be inaccessible for some reason I gather there is a stored file on your hard drive that can be accessed although I gather this does require an internet connection to your Norton Account details.

If I wanted to use the autologin benefits of the Identity Safe I would look for the best bit of software to do this in the way I want it done, just as I would not choose Norton 360 just because it has a bunch of computing utilities built in but choose Norton Internet Security and the utilities (mostly free) that do what I want done in the way I want it done .... but I don't throw the baby out with the bathwater ... <s>

Hugh
Kudos1 Stats

Re: Symantec, Please Explain


SendOfJive wrote:

Msradell wrote:
Why should we purchase a software package that doesn't do everything we want?  It's stupid to buy something and only use part of it and then purchase something else to do that portion.

All programs have strengths and weaknesses.  There is nothing wrong with using a particular program for its strengths, and finding alternative solutions for those secondary features that, for whatever reason, do not meet your needs.  Unless you are suggesting that we should all use nothing but Internet Explorer because it is a part of the operating system we all paid for.....


"There is nothing wrong with using a particular program for its strengths..."

 

I just wonder why we have to chase a number of different programs since the release of the  2013 versions of Norton products to do what NIS with a local vault did in one program.

 

Dave

A little bit of knowledge is... well a little bit of knowledge.
Kudos0

Re: Symantec, Please Explain

This post removed due to Lithium error causing a double posting...

Kudos0

Re: Symantec, Please Explain


Krusty13 wrote:

"There is nothing wrong with using a particular program for its strengths..."

 

I just wonder why we have to chase a number of different programs since the release of the  2013 versions of Norton products to do what NIS with a local vault did in one program.

 

Dave


And at this point, and in light of the various other issues that continue to be reported ... don't you really feel that the "faults" in the 2013 implementations run "deeper" than just the "faults" with the "vault"?

Kudos0

Re: Symantec, Please Explain

My license is about to expire on my other 2 .  I have NIS 2013 on the one I just purchased and was surprised that it only came with the online NIS vault.  That is not what I wanted and I find it extremely useless.

Why can't we be given the option of choosing online or local NIS vaults?

If this option is not available I will replace NIS with a competitive product.  I will also get rid of the current NIS 2013 at that time, due to the Online vault feature.

This issue will cascade like wildfire through the user community until Symantec changes its design for NIS to get rid of the online vault feature.

Kudos0

Re: Symantec, Please Explain


plumitis wrote:

My license is about to expire on my other 2 .  I have NIS 2013 on the one I just purchased and was surprised that it only came with the online NIS vault.  That is not what I wanted and I find it extremely useless.

Why can't we be given the option of choosing online or local NIS vaults?

If this option is not available I will replace NIS with a competitive product.  I will also get rid of the current NIS 2013 at that time, due to the Online vault feature.

This issue will cascade like wildfire through the user community until Symantec changes its design for NIS to get rid of the online vault feature.


Unfortunately they're not listening!

Kudos0

Re: Symantec, Please Explain


Msradell wrote:

Unfortunately they're not listening!



Oh I'm sure they are listening, just not replying.

They do pay attention to user feedback -- they have accepted to change the Facebook thing on the toolbar so that it is optional; they have agreed that patches for FireFox 18 changes will be issued for 2012 and not just for 2013 .....

And they also know how the program is constructed and how it interacts with Windows better than we do -- and they know more about the effects of Microsoft forcing Windows 8 on us and the demands of tablet and smartphone devices on third party applications.

Couple all that with questions of security and I'm sure that's why they don't say much.

As I've said before I find it ironic that people are complaining so much about lack of security if their log in information is kept in the clouds when the data they access using that login information is actually held in the clouds by the banks and credit card companies who are neither immune from attack or free from down  time

Have a look at http://sitedown.co/reports  And I can vouch for problems in reaching Bank of America and Citibank ....

Hugh
Kudos0

Re: Symantec, Please Explain


huwyngr wrote:

Msradell wrote:

Unfortunately they're not listening!



Oh I'm sure they are listening, just not replying.

They do pay attention to user feedback -- they have accepted to change the Facebook thing on the toolbar so that it is optional; they have agreed that patches for FireFox 18 changes will be issued for 2012 and not just for 2013 .....

[...]


Why do you think they suddenly changed their mind with regards to the Firefox update? Could the lacklustre uptake of the Norton 2013 products have something to do with it? Restoring the ability to create a local vault on install would eliminate one of the roadblocks that’s deterring users from upgrading to the Norton 2013 products.


huwyngr wrote:
[...] 

And they also know how the program is constructed and how it interacts with Windows better than we do -- and they know more about the effects of Microsoft forcing Windows 8 on us and the demands of tablet and smartphone devices on third party applications.

Couple all that with questions of security and I'm sure that's why they don't say much.

[...] 


The security concerns being raised here are valid and Symantec employees need to start addressing these user concerns. With these security concerns in mind, they now need to provide more feedback on why this is mandatory because user confusion and convenience aren't particularly compelling reasons for making the current implementation of the online Identity Safe vault mandatory. Looking at the number of posts on this board relating to issues with the online Identity Safe, I think it’s safe to say that neither user confusion nor convenience has been adequately addressed by the current release.


huwyngr wrote:
[...]

As I've said before I find it ironic that people are complaining so much about lack of security if their log in information is kept in the clouds when the data they access using that login information is actually held in the clouds by the banks and credit card companies who are neither immune from attack or free from down  time

[...]

 

Forum member PhoneMan summed it up earlier here:

http://community.norton.com/t5/Norton-Toolbar-Norton-Identity/Symantec-Please-Explain/m-p/852908/highlight/true#M6021

Kudos0

Re: Symantec, Please Explain

<< Why do you think they suddenly changed their mind with regards to the Firefox update? >>

I told you why -- because users asked for it and they realized that it was right to do this. Now you are objecting to them listening and inventing an alternative reason .... grow up!

<< Forum member PhoneMan summed it up earlier here:

 

http://community.norton.com/t5/Norton-Toolbar-Norton-Identity/Symantec-Please-Explain/m-p/852908/hig... >>

He also said <<  With the Norton online vault ALL my logins can be had with just one breach. >> which is not true.

And ignores what Norton have repeatedly explained and that is that what is held in their servers is held in a high security encrypted format accessible only if someone gets your login information so choose a secure password and safeguard it.

So a hacker would have to both breach Norton Security and breach your safeguarding of your password/login information which Norton do not hold. It is held on your computer and if you fear that will be breached then why do you want your vault to be on your computer where it is absolutely certainly more easily broken into than would be the Norton Servers.

Or do as someone said in that thread -- don't access the bank from your computer.

Hugh
Kudos0

Re: Symantec, Please Explain

As I've said before I find it ironic that people are complaining so much about lack of security if their log in information is kept in the clouds when the data they access using that login information is actually held in the clouds by the banks and credit card companies who are neither immune from attack or free from down  time


You give the impression that all bank data is stored in the cloud when it is not! It is stored on servers in not only bank branches but their HQ's as well. The branch servers are connected to the HQ servers via a highly encrypted VPN. The fact that an internet connection is required to do online banking does not mean it is all done in the cloud. Think about how an ATM works and based on what you are telling people it is using the cloud to conduct business. Considering the fact that ATM's have been around long before the internet should tell you something. Online banking is basically the same principle only now you connect to the bank's HQ servers instead of the local branch in much the same way a remote ATM (7-11, grocery store, shopping mall) does.

The fact is that Symantec made a very bad decision when they moved Identity Safe to their cloud servers. If you visit a hacker IRC chat room, the consensus is that they (Norton) made stealing identity information far easier. The simple fact is there is nothing in a password that can't be found on a computer keyboard. If you know the keystroke combos used for some special characters (Alt+0149 for example) which can all be found by running Character Map and have some basic scripting program skills then hacking a password is just a matter of time.

Main PC: Windows 7 Ultimate (64 bit) - AMD FX-4130 3.8 GHz - 16 GB DDR3 1600 - NIS 2013 (21.1.0.18) - NU 16 - IE11, Firefox, Safari, Chrome 31
Kudos0

Re: Symantec, Please Explain

All =/= Exclusively .....

Nevertheless the bank data is on central servers and while I know from experience that sometimes the local branch can handle some banking tasks locally when their "net" goes down (and woah does it go down -- check sitedown.com ) I also know how often my local ATM goes down ---- and posts an infuriating message with a list of alternative ATMs of which the one you cannot use is at the top as the nearest .....

But the complaint is about security when the data is in the cloud and so far as I know the user data in the cloud has not been hacked, despite anything hackers may say about it being easy.

I regard everything on my computer at risk the moment I go on the internet so why should I be happy that I am more secure because my passwords are stored locally?

<< Online banking is basically the same principle only now you connect to the bank's HQ servers instead of the local branch in much the same way a remote ATM (7-11, grocery store, shopping mall) does.  >>

Precisely my point; thanks for making it.

£ you mean?

Hugh

This thread is closed from further comment. Please visit the forum to start a new thread.