Silicon Shecky

Extra charges for single online pay, 4G outages, the FTC starting to look at their business practices. Verizon, what have you done?

I was going to give a review of the Motorola Droid Razor today, but decided to push that off. See the Razor is available only through Verizon, and I noticed yet the start of another outage of 4G services this morning. Verizon has said these outages are growing pains, and were the 4G network brand new, I would accept that, but it is not. Verizon has had their 4G network up for just over a year, and should know how to handle growth. They were the ones who didn’t have the issues AT&T had with the explosion of smartphones. Of course that was CDMA vs. GSM. Now its LTE vs. LTE, and AT&T might have the advantage.

See both are using the LTE network, which requires the use of a SIM card. AT&T, whose network is still known for poor quality, and lots of drops, at least has a head start in dealing with the issues of a network that requires the SIM cards. I wish I had proof, but it seems that the SIM cards, or at least networks that require them, are not as stable here in the States as a network like CDMA which has no SIM card. (At the time of writing this, the 4G network just came back up after being inaccessible for an hour). It would be interesting to hear from someone on the differences between the two networks and why the ones that need SIM cards seem to be more unreliable.

Now this is on the heels of the FTC announcing it was probing Verizon over the $2 convenience fee it was going to charge and then pulled back on. Verizon’s statement is that even paying online has its costs. And they are right, there is equipment and software costs, maintenance on the systems, and hardening the equipment against hackers and other forms of data breaches. Still the costs are the same, whether for an automated system or if people pay individually. That is, unless they have to use 2 separate systems, or the company that is processing the payments is charging them an extra fee. Either way, there are other options to reduce the cost. If you think about it from a security standpoint though, the single payment, which I use, is a safer bet, not just from people knowing they have the money in their account, but from a security breach standpoint.

Just think about it. If you sign up for Automated payments, Verizon and the third party who processes the payments, both have your bank account or credit card information saved on servers. These servers are supposed to be PCI compliant. Even if they are, PCI compliance is a joke. Think of the banks (all of which have to follow at least PCI compliance) or stores (Which have to be PCI compliant) or anything that does online transactions, and how many breaches we hear of. Now think about how many breaches we don’t hear of, at least not immediately. Now look at single payment options, where you can choose not to save the payment info on their servers. Yes there are still problems that can arise from man in the middle attacks, spoofed SSL certificates, etc.. but once you make that payment, the info is not supposed to be stored anywhere. That means if Verizon, or their third party payment processor, has a security breach, your payment information should not be compromised. In reality it might just me being paranoid, but from a logic standpoint it does seem safer.

Now, Verizon did withdraw the $2 fee idea pretty quick, but expect to see it show back up again and again. The bigger thing Verizon has to worry about right now is the amount of bad press they are receiving. They need to remember that pissing one customer off means that customer is going to tell their friends and family, and eventually it can and will take a toll on business.

We all talk about it. We all know that it is important. We also get frustrated about the lack of it. Security, one of the most important things needed with technology, really is a never ending battle.

The world is a much different place now than in the past. We are all interconnected. Computers, iPhones, Social Media, and much more have taken the world to a place where we live in two worlds simultaneously. We integrate our lives, our status, and our personal information into the digital world. Meanwhile, there are those that look to get a hold of it. Others to shut down the flow, to slow down the information available, or to just plain steal what they can. So what do we do? How do we stay secure?

Any technology company that produces anything, be it software or hardware, does not want their product to be a backdoor for those with malicious intent. Yet, the more simple a device or a piece of software is to use, the more likely there are security holes in it. We all know that, and we all cringe for those who do not patch, or are unwilling to spend the funds to help secure the technology. So if this is all so important, why does it seem that the infosec professionals can’t get through to people about it? The answer is simple, and that is a disconnect.

We as people working the technological side of things are one of the biggest problems. We talk about DDoS, Phishing, Social Engineering, Hacking and still we have to fight the battle on two fronts. One agains the malicious people out there, one against the people we are protecting. You look through the lives of people like Kevin Mitnick and Kevin Poulsen and the books they have written, and wonder how can we stop people from stealing lives, stealing credit cards, using the technology in our hands to do harm to others.

There is the whole patch and write better software approach. You can get the best firewalls, log trackers, and policies if you are lucky to help mitigate it. Make the footprint smaller. So why is it such a struggle for so many businesses and individuals who are not in our line of work to understand that? Its the disconnect.

The disconnect can be likened to a layman reading a law brief or even a EULA. the wording is not in terms or ideas that people normally comprehend. The world of IT is a fantastic world, and communicating with each other on a technical level is fantastic, but that is because we speak the same language. Its just like lawyers can understand all the legalese that they write. Its meant for them, and yet they have to break it down for their clients to an understandable state, at least the ones who care about their clients do.

In the corporate world, larger size businesses seem to have a better understanding. They worry about their products, their secrets and know those have to be protected. The small and medium businesses, not so much. I will recommend hardware, software and policies to help them, and they come back with the same old line, “We are small, no one would want to break into our systems. Most people don’t even know abut us.” That is a disconnect. A disconnect from reality, and a disconnect from what we are trying to tell them. Overall there are a lot more small and medium sized business (and way more individuals) with this thought process than there should be.

Now I’m not a genius, but I can understand that trying to tell one of these clients that it doesn’t matter what size, doesn’t quite fly with them. They need proof. Once one of them is hacked that one all of a sudden will take security more seriously. Not always to the extent that we would like, but it is a start. So how can we get the others to understand. How can we get them to realize security is not an end, but a process?

That is the real job we have to do. Not try to ram technospeak down their throats but find a way to communicate with them in layman’s terms, in a way that they understand. We all know that no matter what nothing technology wise is going to be completely secure. We need them to understand that no matter what nothing is 100% secure, but we can lessen the chances. So here are some terms we use, and think about how you would explain it to a non-tech person. I’d love to hear your responses.

Smaller Attack Vector

Social Engineering

Zombie Machines

Packet Filtering

Just taking some small terms like that, I am sure you can think of other terms that need to have some sort of layman term assigned to them. The more we think like an average person when talking about what is needed to make their technology more secure, the better chance we have of getting it more secure, and the more time we can spend on actually proactively fighting those that wish to be malicious.

Years ago I use to think McAfee was a good Anti-Virus program. Then they got bloated. Now McAfee is becoming chicken little.

You can see the reports regularly. New exploit in this, new trojan here, new zero-day exploit, and on. The world of securing your information and your identity, either individual or corporate, is a complex and never ending battle. Nothing is going to be 100% secure. you know it, I know it and the bad guys know it. Its a matter of mitigation. The smaller area of attack we give the bad guys, the more chance that they will pass us up for an easier target.

It becomes more complex every year. New devices come out, connectivity becomes better, people become more greedy. In fact the more complex things get, the easier it is to break into them with simplicity. You may ask how is that the case. Simply put you just showed how. We tend to gloss over the simple items for the more complex ones, including bugs and holes. That is a discussion to have another time though.

Right now, in the security field, McAfee has been making a lot of headlines lately. From a RAT Report that other companies are calling “shady” to the latest report from them about cars becoming the next hacking target, McAfee keeps getting their name out there. The problems with these reports is their are either obvious or disputed. That McAfee look more like an attention hound than anything else.

This grab for attention comes on the heels of a decade of McAfee putting out worse and worse products. Suites that are so bloated that you machine drags to a crawl during start up. Anti-Malware products that let too much Malware through. Software that is difficult to remove from a system should you prefer to go with one of their competitors. How the mighty have fallen.

Most companies in the consumer security field, especially those that make Anti-Malware software, can run into these same pitfalls as the become more popular. Norton has, although they are slowly turning things around, they still have a long way to go. Kaspersky is doing its best not to fall down that path, but it does seem to be getting more resource intensive. AVG, well they put out a decent product but we are about due for another bad patch that messes machines up. None of them are perfect, but some are better than others, and McAfee has been considered part of the bottom of the heap for a while now.

So McAfee throws up a smokescreen. Instead of improving their product, they try to show that they know more. Sorry but knowledge of what is happening, and the ability to translate that into a decent working product do not have to be equal. In fact, McAfee has shown me that you can have the knowledge without the product. Then again, McAfee lately has been more like Chicken Little. Just remember, the sky isn’t falling, things are just progressing. We as the ones in the field need to keep our wits about us and it will all be fine.