Microsoft takes $6.2b hit on dud online ad buy

Microsoft is absorbing a $US6.2 billion charge to reflect that one of the biggest deals in its 37-year history turned out to be a dud.

The non-cash charge announced Monday could saddle Microsoft Corp. with a loss for its fiscal fourth quarter ended in June. Analysts polled by FactSet had predicted Microsoft would earn about $5.3 billion for the period. The company hasn't suffered a quarterly loss during the past 20 years, according to its website.

Microsoft, which is based in Redmond, Washington state, is scheduled to release its latest quarterly results on July 19.

The world's largest software maker blamed the setback on the disappointing performance of aQuantive. That's an online advertising service that Microsoft bought for $6.3 billion in 2007 to mount a more serious challenge to one of its biggest rivals, internet search leader Google Inc.

The aQuantive deal ranked as the most expensive deal in Microsoft's history until it was eclipsed last year by the company's $8.5 billion purchase of internet video chat service Skype.

Investors can only hope Skype works out better than aQuantive.

Microsoft's $6.2 billion charge represents a sobering acknowledgement that aQuantive didn't bring in as much online advertising revenue as envisioned, forcing management to write off most of the purchase price.

To add to Microsoft's mortification, Google has been milking the acquisition of an aQuantive rival to widen its lead in the steadily growing online ad market. Google bought DoubleClick for $3.2 billion about eight months after Microsoft took control of aQuantive.

Since then, Google's annual profit and advertising sales have more than doubled. Last year, Google earned $9.7 billion and collected $36.5 billion in ad revenue.

Microsoft's online division has sustained losses totaling nearly $9 billion since the company bought aQuantive. The online division generated $2.5 billion in revenue during Microsoft's fiscal 2011, just $54 million more than in fiscal 2007.

Although the online division has been faring slightly better in the past year, "the company's expectations for future growth and profitability are lower than previous estimates," Microsoft said in a Monday statement.

Bing, a search engine that Microsoft unveiled four years ago, has been getting more usage, but most of its gains have come at the expense of a business partner, Yahoo Inc. Microsoft's search technology has been powering searches on Yahoo's website for nearly two years, but that alliance hasn't dented Google's market share.

Google's share of the US search advertising market has risen from 74 per cent in 2010 to 78 per cent this year, according to the research firm eMarketer. Meanwhile, Yahoo's share of US search advertising has fallen from 10 per cent in 2010 to less than 5 per cent this year while Microsoft's cut has remained unchanged at 7 per cent.

BGP Financial Partners analyst Colin Gillis doesn't expect the hefty charge to dampen investors' enthusiasm as the anticipation builds for the upcoming release of Microsoft's latest version of the Windows operating system that remains the company's biggest moneymaker. The revisions in Windows 8, expected to hit the market this fall, are being counted on to help revive personal computer sales and establish Microsoft as a major player in the tablet computer market.

"AQuantive didn't work out, but everyone already pretty much knew that," Gillis said. "Now, they are just mopping up."

Microsoft shares shed 13 cents to $30.43 in Monday's extended trading. At that level, Microsoft's stock price has still posted a 17 per cent gain so far this year.

-AP



Business, Not Government, is Leading the Green Movement

Many people were disappointed with the recent Rio+20 summit, the United Nations Conference on Sustainable Development. The 100 international leaders who attended made little progress and few commitments beyond reaffirming the same environmental goals they set 20 years ago at the 1992 Earth Summit.


But the summit did reveal something important: Even as governments and politicians drag their feet on sustainability, businesses continue to take large steps.

At the summit, dozens of companies unveiled plans for how they intend to lower their environmental footprint. Microsoft committed to being carbon neutral by the end of fiscal year 2013. Kimberly-Clark, parent of Kleenex and Huggies, said it would cut the amount of wood fiber it uses from natural forests by 50% by 2025. And Coca-Cola pledged to recycle the water it uses by 2020 and increase water efficiency by 20% by 2015.

You can rightly argue that these initiatives aren't bold enough to counteract global warming or other large-scale environmental problems. However, it's a good sign that companies are voluntarily taking steps even when they aren't required to by government regulation.

It shows the tide is turning: Businesses are realizing the benefits to being environmental stewards and setting sustainability goals on their own.

What's going on? In the past, businesses found few incentives to invest in earth-friendly practices. But in recent years, consumers have started to factor sustainability more into their purchasing decisions as awareness grows of the health and lifestyle benefits of being green. Governments have provided financial incentives to help companies implement eco-friendlier practices. And as companies embarked on these initiatives, they started to realize many benefits from sustainability.

Here's a look at the benefits big and small businesses alike have reaped by undertaking sustainability initiatives:

-   Good publicity. Touting environmental good practices has shown itself to be an excellent way to draw positive attention and more customer loyalty to a business (as long as it's not “greenwashing”). Check out any corporation's website these days, and you can pretty easily find its page devoted to sustainability initiatives.

-   Bottom-line savings. Sustainable business measures often come with upfront costs (think installing new energy-efficient equipment or hiring a sustainability consultant). But the paybacks on many sustainability measures, whether lower energy bills or lower transportation costs, can save businesses a lot of money over the long run. (Coca-Cola says it saved $90 million in 2010 alone by reducing its packaging waste.)

-   Happier people. Whether or not they choose to do business with you because of sustainability measures, many customers feel good knowing they are supporting businesses doing the right thing by being environmentally friendly. This can also spill over into employee morale. With many younger workers now seeking to work for socially conscious employers, it's in a business's best interest to be one.

Given the many benefits businesses are finding to “going green,” it's likely that more and more businesses will continue to do so, regardless of what government leaders do.

How have environmental sustainability efforts affected your business? Have you discovered any benefits to being green?






DDoS mitigation a key component in network security

Attacker motivations behind distributed denial-of-service attacks (DDoS) have shifted away from solely financial (for example, the extortion of online gambling sites and retailers) toward socially and politically motivated campaigns against government websites, media outlets and even small businesses. Hacktivist collectives such as Anonymous, LulzSec and others have used DDoS attacks to damage a target's reputation or revenue since December 2010 when Anonymous began targeting corporate websites that opposed Wikileaks.

At that time, attacks were conducted using botnets to flood sites' servers with large quantities of TCP or UDP packets, effectively shutting down the sites for hours at a time. Today, botmasters have begun to use more complex strategies that focus on specific areas of the network, such as email servers or Web applications.

Others divert security teams' attention with DDoS flood attacks while live hackers obtain the actual objective, valuable corporate or personal information. This tactic was utilized in the infamous attack against Sony in 2011, according to Carlos Morales, the vice president of global sales engineering and operations at Chelmsford, Mass.-based DDoS mitigation vendor Arbor Networks Inc.

Rapid growth in the sophistication of DDoS attacks combined with the prevalence of attacks across markets makes for a dangerous and fluid attack landscape. Security researchers and providers agree that it's becoming more important for companies to protect themselves from denial-of-service attacks, in addition to implementing other measures of network security.

DDoS attacks can quickly cripple a company financially. A recent survey from managed DNS provider Neustar, for example, said outages could cost a company up to $10,000 per hour.

Neustar's survey, “DDoS Survey Q1 2012: When Businesses Go Dark” (.pdf), reported 75% of respondents (North American telecommunication, travel, finance, IT and retail companies who had undergone a DDoS attack) used firewalls, routers, switches or an intrusion detection system to combat DDoS attacks. Their researchers say equipment is more often part of the problem than the solution.

“They quickly become bottlenecks, helping achieve an attacker's goal of slowing or shutting you down,” the report stated. “Moreover, firewalls won't repel attacks on the application layer, an increasingly popular DDoS vector.”

For those reasons, experts suggest companies with the financial and human resources incorporate DDoS-specific mitigation technology or services into their security strategy. Service providers such as Arbor Networks, Prolexic and others monitor traffic for signs of attacks and can choke them off before downtime, floods of customer support calls, and damage to brand or reputation occur.

Purchasing DDoS mitigation hardware requires hiring and training of employees with expertise in the area, but experts say that can be even more expensive.

“In general, it's very hard to justify doing self-mitigation,” said Ted Swearingen, the director of the Neustar security operations center. All the additional steps a company has to take to implement their own DDoS mitigation tool, such as widening bandwidth, increasing firewalls, working with ISPs, adding security monitoring and hiring experts to run it all, make it a cost-ineffective strategy in the long term, he said. Three percent of the companies in Neustar's survey reported using that type of protection.

In some cases, smaller DDoS mitigation providers even turn to larger vendors for support when they find themselves facing an attack too large, too complex or too new to handle on their own.

Secure hosting provider VirtualRoad.org is an example. The company provides protection from DDoS attacks for independent media outlets in countries facing political and social upheaval, places where censorship by the government or other sources is rampant, such as Iran, Burma and Zimbabwe. A specific niche like that, in a narrow market with small clients, doesn't usually require extra support, but VirtualRoad.org has utilized its partnership with Prolexic a few times in the last year, according to CTO Tord Lundström.

They have their own infrastructure to deal with attacks, Lundström said, but they also have limits on the volume and complexity that they can handle. When it gets to be too much, they route the traffic to Prolexic.

“It's easy to say, ‘We'll do it when an attack comes,' and then when an attack comes they say, ‘Well, you have to pay us more or we won't protect you,'” Lundström said. Extra fees like that are often the reason why those who need quality DDoS protection, especially small businesses like VirtualRoad.org clients, can't afford it, he said.

The impact can be worse for companies if the DDoS attack is being used as a diversion. According to a recent survey by Arbor Networks, 27% of respondents had been the victims of multi-vector attacks. The “Arbor Special Report: Worldwide Infrastructure Security Report,” which polled 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, stated that not only is the complexity of attacks growing, but the size as well.

In 2008, the largest observed attack was about 40 Gbps. Last year, after an unusual spike to 100 Gbps in 2010, the largest recorded attack was 60 Gbps. This denotes a steady increase in the size of attacks, but Morales of Arbor Networks believes the numbers will eventually begin to plateau because most networks can be brought down with far smaller attacks, around 10 Gbps.

Even if they stop growing, however, DDoS attacks won't stop happening altogether, Morales said. Not even the change to IPv6 will stop the barrage of daily attacks, as some were already recorded in the report.

Because of the steady nature of this attack strategy, experts suggest all companies that function online prepare themselves for this type of attack by doing away with the “it won't happen to me” attitude. Luckily, recent “hacktivist” activities have given DDoS attacks enough press that CSOs and CEOs are starting to pay attention, but that's just the first step, Morales said.

It's important to follow through with getting the protection your business needs if you want to achieve the goal, said VirtualRoad.org's Lundström. “The goal is to keep doing the work,” he said.




Botnet infections in the enterprise have experts advocating less automation

Cybercriminal gangs wielding hoards of malware-infected zombie machines are primarily using them for massive spam campaigns aimed at pushing pharmaceuticals, herbal remedies and porn, but they are also often rented out for more nefarious purposes, say experts who monitor them.

Anything you can imagine that somebody might steal in the virtual world, somebody has a botnet that is probably doing it.

Joe Stewart, director of malware research, Dell SecureWorks

Botnets can be used to conduct distributed denial-of-service attacks (DDoS), leveraging the power of infected systems to disrupt and wipe out websites. Botnets often spread malware, and are the main engine behind phishing campaigns or the fuel behind powerful clickjacking campaigns. What started as an amateur activity on Internet Relay Chat (IRC) networks -- using the power of people connected to IRC to knock victims offline -- quickly became a for-profit venture associated with cybercriminal fraud activities, said Joe Stewart, director of malware research at Dell SecureWorks. “Now we see you've got governments and hacktivists getting into the game for reasons that aren't really just money related,” Stewart said.

Stewart and other security experts say many enterprises have zombie machines running on their networks without even realizing it. Rather than being aimed to disrupt systems, the malware is being remotely controlled to seek an enterprise's most prized possession: intellectual property.

“They're highly focused on companies and governments,” Stewart said. “Anything you can imagine that somebody might steal in the virtual world, somebody has a botnet that is probably doing it.”

Stewart and other security experts say many businesses are far too reliant on automated systems: big security appliances such as intrusion prevention and detection systems designed to monitor network traffic. They're calling for enterprises to instead hire skilled IT security pros to proactively monitor those systems and investigate issues. The approach, they say, improves the security systems already deployed in most enterprises by addressing and isolating issues before they become a serious problem.

The good news is some of the malware associated with widely known botnets can be detected using most traditional security appliances and endpoint security software, including antivirus. But a much more serious threat is targeted attacks, particularly those hurled at enterprise employees, that use malware combined with techniques designed to evade detection. Once an endpoint machine is infected by stealthy malware, a Trojan embeds itself and then attempts to reach out to cybercriminals for orders. Enterprise network monitoring tools can detect the nefarious traffic and block some of it, but over the years, cybercriminals have become savvy at tunneling communications using strong encryption algorithms, timing communication drops for odd hours when systems aren't being fully monitored, or sending out tiny communication packets that blend in with normal network traffic.

“You can hope your corporate antivirus [detects botnet infections] at the gateway or on the desktop, but we know from testing that those capabilities don't have the highest rates of detection,” Stewart said. “If you move into the network realm you can pick up a lot of this activity because it doesn't change its network fingerprint very often.”

Botnet size doesn't matter
Stewart said the most powerful botnets are not necessarily the largest. The Flame malware toolkit for example, contained a botnet of less than 200 infected machines in Iran, yet it wielded a powerful arsenal for those behind it. The limited scope of the attack, believed to be a nation-state driven cyberespionage operation, enabled the botnet operators to stealthily eavesdrop on their victims, steal data and capture video for years.

By contrast, Stewart said larger botnets give cybercriminals the advantage of leveraging the computing power of infected computers to spread malware and other malicious activities. They can be used to amplify a denial-of-service attack to take down a website or quickly spread malware and steal account credentials.

The Zeus and SpyEye malware families make up massive botnets that have, for years, wreaked havoc on the financial industry. The botnets spread quickly due to the business model put in place by the cybercriminals behind the malware. Using automated attack toolkits, the cybercriminals set up an affiliate network, rewarding other cybercriminals for infecting machines. Zeus gained notoriety in 2006. The malware can be coded to spoof websites, steal account credentials and drain bank accounts. Security firms have tried to knock out portions of the botnets by disrupting the command-and-control servers associated with them, but despite those efforts, cybercriminals have built-in mechanisms to bring them back online. The most recent effort came from Microsoft, which used legal action to wipe out Zeus botnet servers in the United States.

Detection: The human factor
There is no technology better than a skilled IT pro assigned to look for anomalies on the corporate network, said Johannes Ullrich, chief research officer at the SANS Institute. Skilled system administrators should be inspecting network traffic and system logs, applying creative thought in the process of flagging potential problems for further investigation, Ullrich said. Packet analyzers and other filtering tools can help network security pros determine if suspicious traffic is malicious in nature.
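The check-in behaviour described earlier (clockwork timing, off-hours activity, tiny packets that blend in) and the log inspection Ullrich recommends, as an added example that is not from the article or any vendor named in it. The log format, the sample connection records, the off-hours window and the scoring thresholds are all constructed assumptions; the point is that a bot's network fingerprint is a statistic an analyst can compute from connection logs:

```python
"""Score outbound connection pairs for bot-like check-in behaviour.

Added illustration: groups connection-log records by (source host,
destination), then measures interval regularity, the share of activity
in an assumed off-hours window, and the average payload size.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): timestamp,src,dst,bytes_out.
# 10.0.0.17 checks in every ~10 minutes at 02:00 with ~210-byte requests;
# 10.0.0.5 is an ordinary daytime user fetching files of varying size.
SAMPLE_LOG = """\
2012-07-03 02:00:04,10.0.0.17,203.0.113.9,212
2012-07-03 02:10:02,10.0.0.17,203.0.113.9,208
2012-07-03 02:20:05,10.0.0.17,203.0.113.9,215
2012-07-03 02:30:03,10.0.0.17,203.0.113.9,210
2012-07-03 02:40:04,10.0.0.17,203.0.113.9,209
2012-07-03 02:50:02,10.0.0.17,203.0.113.9,213
2012-07-03 09:12:41,10.0.0.5,198.51.100.20,48211
2012-07-03 09:31:07,10.0.0.5,198.51.100.20,1520
2012-07-03 10:58:33,10.0.0.5,198.51.100.20,92044
2012-07-03 13:02:19,10.0.0.5,198.51.100.20,7310
2012-07-03 16:45:50,10.0.0.5,198.51.100.20,30120
2012-07-03 17:20:11,10.0.0.5,198.51.100.20,2019
"""

OFF_HOURS = range(0, 6)  # assumed: 00:00-05:59 local time is unstaffed


def parse_log(text):
    """Parse the constructed CSV-like format into (datetime, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        src, dst, int(nbytes)))
    return records


def score_pairs(records, min_conns=5):
    """Compute per-(src, dst) timing and size statistics.

    interval_cv is the coefficient of variation of the gaps between
    connections: near 0 means clockwork-regular beaconing, whereas human
    browsing produces widely varying gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_conns:
            continue  # too few samples to judge regularity
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        off_hours = sum(1 for ts, _ in conns if ts.hour in OFF_HOURS) / len(conns)
        findings.append({
            "src": src, "dst": dst, "connections": len(conns),
            "interval_s": round(avg_gap), "interval_cv": round(cv, 3),
            "off_hours_share": round(off_hours, 2),
            "avg_bytes": round(mean(n for _, n in conns)),
        })
    return findings


def suspicious(findings, max_cv=0.1, min_off_hours=0.8, max_bytes=1024):
    """Flag pairs that are regular, mostly off-hours and small (assumed thresholds)."""
    return [f for f in findings
            if f["interval_cv"] <= max_cv
            and f["off_hours_share"] >= min_off_hours
            and f["avg_bytes"] <= max_bytes]


if __name__ == "__main__":
    for hit in suspicious(score_pairs(parse_log(SAMPLE_LOG))):
        print("possible check-in traffic:", hit)
```

Real deployments would feed this from flow or proxy logs and tune the thresholds per site; the value is in handing an analyst a short ranked list to investigate rather than a verdict.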

“A lot of enterprises still rely on old, signature-based antivirus,” Ullrich said. “Particularly with [targeted] attacks and these kinds of botnets it depends on individuals at this point.”

The trend at many enterprises has been to outsource network monitoring activities, but Ullrich said that in his experience, outsourced security monitoring usually fails at detecting the targeted attacks and botnet infections that matter the most. Outsourced services follow a checklist and process a specific number of requests per hour, Ullrich said, adding that outsourced services would be better if they played a role in assisting a system administrator to “find the next new thing versus yesterday's bot.”

“They don't really understand the business and that's why some enterprises are going through the expensive process of bringing it back in-house,” he said.

Endpoint security combined with network-based security such as host intrusion prevention (HIPS) technology and other reputation and filtering systems can help mitigate malware infections, said Mike Rothman, analyst and president of Phoenix, Ariz.-based security research firm Securosis LLC. The firm recently concluded its malware detection series, which focused on why detection is so challenging. Network security appliances can provide context on application and user behavior, but they require adjusting and tuning to avoid a serious impact on end users, Rothman said in a blog post describing the firm's research series. The same goes for Web filtering and reputation-based systems. “Find a balance that is sufficiently secure but not too disruptive, navigating the constraints of device ownership and control, and workable across device locations and network connectivity scenarios,” Rothman wrote.




What's A Business Without A Website?

Well? What was the first thing you thought of? Bankrupt? Stupid? Behind the times? Surely this must be a trick question. It’s 2012. Every business has a website. Right?

OK, it was a trick question. While more than half of small businesses do have an actual website - temporarily ignoring the fact that that means there are still about half of small businesses that don't have a website - the majority of them aren't doing enough to proactively make sure

From Small Business Trends



Is Your Wi-Fi Hotspot Secure?

We've all read about the dangers of using public wi-fi hotspots. In short, wi-fi hotspots usually offer no security at all. Wi-fi providers become so intent on offering customers the ability to connect that security is an afterthought. With hotspots becoming more common, and users hopping on with smartphones and tablets in addition to laptops, those consumers need to know the dangers of having electronic devices so open to infiltration.

“Hot spots are great for the coffee shops, but people conducting business have to understand it's their responsibility to protect themselves,” Marc Noble, director of consumer affairs for (ISC)2, told ComputerWorld. “They might as well be putting it on a billboard and run down the street.”

The internet is littered with articles on how to protect yourself while using a wi-fi hotspot, but several technology tools can be invaluable if you're regularly conducting business in public venues. Here are a few tips that can help protect your data from the guy sitting in the parking lot, hacking into machines:

  • Laptop VPN: A VPN provides an encrypted tunnel for reaching your data remotely. Hotspot Shield offers a free VPN service, along with malware protection, and is highly reviewed on CNET. The free version will include an annoying toolbar, but that's typical of freeware.
  • Smartphone VPN: Many cell phones include secure VPN access as part of their operating systems. Look in your phone's network settings to see if you have the ability to secure your wi-fi. Tablets operate on the same principle. If you can't find pre-loaded VPN software, there are apps to help.
  • VPN Apps: An app from Boingo Wireless not only automatically connects you to the nearest wi-fi hotspot on command, it connects to a nearby data center's VPN service to lock down your wi-fi connection against intruders. The service is free to Boingo customers.

“We connect to hot spots without thinking but are we secure?” SmallBizTechnology's Ramon Ray asks, pointing out that smartphones and tablets are just as easily compromised as laptops. If compromised, Ray points out, hackers can not only access the user's data but can also affect any network connections tied into the phone.

Experts also recommend turning off wi-fi on devices when not on a trusted network. With many carriers now capping data plans, smartphone users are setting up wi-fi to activate automatically whenever a hotspot is available. This leaves smartphone owners vulnerable without their even realizing it.

Another suggestion from experts is to choose wi-fi hotspots that require passwords. While this is no guarantee, it will reduce the chance of someone accessing your data from a nearby location. Paid wi-fi hotspots also provide an additional security feature, as the charge limits the number of people using them.

For additional security, consider only checking bank accounts and important private data while on a trusted wi-fi. This still isn't a guarantee, since data can be compromised even when you aren't using it. Consider a company-wide VPN solution that will secure all of your devices. The small expense will provide peace of mind and keep your customers' information safe from prying eyes.



Dell set to acquire Quest

Dell has announced that it has entered into a definitive agreement to acquire Quest Software.

The IT management software company is set to be acquired for approximately $2.4 billion (£1.5 billion), to include Quest's 1,500 software sales experts and 1,300 software developers.

Quest would sit within Dell's recently-formed Software Group, with its Quest One Identity and Access Management tool an addition to the SonicWALL and Secureworks security assets. It also said that the Quest Performance Monitoring solutions for applications, networks and databases would address customer needs, specifically the Quest Foglight application performance monitoring solution.

John Swainson, president of the Dell Software Group, said: “The addition of Quest will enable Dell to deliver more competitive server, storage, networking and end user computing solutions and services to customers.

“Quest's suite of industry-leading software products, highly-talented team members and unique intellectual property will position us well in the largest and fastest growing areas of the software industry. We intend to build upon the strong momentum Quest brings to Dell.”

Vinny Smith, chairman and chief executive officer of Quest Software, said: “Clearly, Dell's distribution, reach and brand are well recognised in the industry. Combine that with Quest's software expertise and award-winning systems management products and you have a very powerful combination for our customers and partners.

“With this transaction, Quest's products and employees become the foundation for Dell's critical software business.”





Establishments Are Less Likely To Fail Than Firms

Since the mid-1980s, the number of U.S. business establishments has grown faster than the number of employer businesses, Census data shows. But this growth comes from higher odds of survival, not from higher rates of formation.

The Census Bureau defines a business as an:

“Organization consisting of one or more domestic establishments that were specified under common ownership or control.”

An establishment is “a single physical location where business is conducted or where services or industrial operations are performed.” As Census explains, “the firm and the establishment are the same for single-establishment firms”, but they differ for multi-establishment businesses.

The figure below shows the number of establishments and firms as a percentage of their 1977 level. As you can see, the gap between establishments and firms has widened since the mid-1980s, including during the recent downturn and weak recovery when the number of both has slipped.

In 2010, there were 33 percent more establishments than employer businesses. Back in 1977, there were only 22 percent more.

[Figure: establishments and firms as a percentage of their 1977 level. Source: Created from data from the Census Bureau's Business Dynamics Statistics]

This gap comes from a lower rate of failure for establishments than employer businesses. The difference in start-up rates has actually shrunk over time. In 1977 the ratio of new establishment starts to new employer business starts was 1.1 to 1. But by 2010, the amounts were virtually the same, with only 1.7 percent more establishments than companies being formed.

The Twitter-length message for entrepreneurs here is that, over the past 25 years, individual outlets of multi-unit chains have become less vulnerable to failure than independent businesses.




Businesses report losses and long replacement times for hard authentication tokens

Replacing lost physical authentication tokens can cost IT departments months.

A survey of 300 IT managers found that 12 per cent of respondents waste months recovering and replacing lost physical authentication tokens. A further ten per cent said that they waste weeks, 13 per cent lose days, while 16 per cent were able to contain this to a matter of hours.

Andy Kemshall, CTO and co-founder of SecurEnvoy, which conducted the survey, said: “Organisations invest huge sums of money in out-dated technology that has stood still while the world has moved on.

“We advocate the use of mobile phones, which can be turned into an authentication device eliminating many of the management costs associated with 2FA systems. Our mantra is simple: authenticate anyone, anywhere, any phone, simply and securely.”

In terms of lost tokens, the research found that in a typical 12-month period, seven per cent of respondents were losing between half and three-quarters of their tokens, 14 per cent lost between a quarter and a half, while 13 per cent lost between 11 per cent and 25 per cent. A third (32 per cent) of companies recorded losing ten per cent of their tokens.

Dave Abraham, CEO of two-factor authentication (2FA) managed service provider Signify, recently told SC Magazine that the use of tablets, smartphones and applications is driving a demand for soft token technology.

He said: “We are seeing a big uptake of password-on-demand (via SMS), [it] makes up to ten per cent of our businesses, but soft tokens are better as it doesn't matter if you have no coverage and we have seen these taking off a lot over the last few years. Since the start of the millennium, soft tokens have been the same but smartphones have got smarter and faster.”

Abraham said soft tokens account for 50 per cent of new deployments and, for existing customers, soft tokens account for 15 per cent of new business. However, users opt for a combination of technologies in order to offer remote working capabilities for key workers.



Website vulnerabilities fall and cross-site scripting still dominates as the prominent flaw

While SQL injection remains a prevalent website vulnerability, it only affects 11 per cent of websites and flaws are fixed in an average of 53 days.

According to research by White Hat Security, five per cent of all websites had at least one SQL injection vulnerability that was exploitable without first needing to login to the website.

For its website security statistics report for June 2012, more than 7,000 websites at more than 500 organisations across 12 industries were evaluated. The sector with the most vulnerabilities was retail, with 404 and a 328-day window of exposure; next was financial services, with 266 flaws and a 184-day window of exposure; and third worst was telecommunications, with 215 vulnerabilities and a 260-day window of exposure.

The industries that fixed their serious vulnerabilities the fastest were energy (four days), manufacturing (17 days) and retail (27 days). The research found that retail websites improved dramatically over the last year, yet remain the industry possessing the most security issues, with an average of 121 serious vulnerabilities identified per website.

However, 20 per cent of the vulnerabilities identified by White Hat Sentinel have been reopened at some point in time, often several times.

Of the vulnerabilities identified, cross-site scripting (XSS), information leakage and content spoofing were the most prominent, at 50 per cent, 14 per cent and nine per cent respectively. Just under half (48 per cent) of XSS vulnerabilities were fixed, and doing so took an average of 65 days.

It said that information leakage is a term that describes a vulnerability in which a website reveals sensitive data, such as technical details of the web application, environment or user-specific data.

The number of serious vulnerabilities found per website per year by White Hat Security has dropped from 230 identified in 2010 to 79 in 2011. “While this vulnerability reduction trend is welcome news, there are several possible explanations that must be taken into consideration as the ‘real’ numbers may not be as rosy,” it said.

The company said that this could be due to organisations often choosing a less comprehensive form of vulnerability assessment, such as a standard or baseline product over a premium edition, or its sampling of websites.

To avoid these issues, it recommended finding all of your websites and prioritising fixes based upon business criticality, data sensitivity, revenue generation, traffic volume, number of users or other criteria the organisation deems important.

White Hat Security also recommended measuring your current security posture from an attacker perspective. It said that this step is not just about identifying vulnerabilities, it is about understanding what classes of adversaries need to be defended against and your exposure to them.

Finally, it recommended trending and tracking the lifecycle of vulnerabilities: is the development lifecycle behind the website producing too many vulnerabilities? Is the time required to fix issues lagging, are simply not enough of them being fixed, or is it some combination? The answers to these questions will serve as a guide for which new and/or improved SDL-related activities are likely to make the most impact and drive toward organisational goals.
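The lifecycle metrics the report leans on (remediation rate, average time-to-fix, reopened findings and per-site window of exposure) are simple to compute from a finding log. The Python below is an added example, not White Hat Security's code or data; the findings are constructed and the field names are assumptions.

```python
from datetime import date, timedelta

# Constructed sample of serious findings (not real scan data). fixed=None means
# the finding is still open; "reopened" counts later scans that found it again.
FINDINGS = [
    {"site": "shop.example", "cls": "XSS", "found": date(2011, 1, 10), "fixed": date(2011, 3, 15), "reopened": 1},
    {"site": "shop.example", "cls": "SQLi", "found": date(2011, 2, 1), "fixed": date(2011, 3, 1), "reopened": 0},
    {"site": "shop.example", "cls": "XSS", "found": date(2011, 6, 1), "fixed": None, "reopened": 0},
    {"site": "bank.example", "cls": "XSS", "found": date(2011, 4, 1), "fixed": date(2011, 4, 21), "reopened": 0},
    {"site": "bank.example", "cls": "InfoLeak", "found": date(2011, 5, 5), "fixed": date(2011, 5, 9), "reopened": 2},
]

def remediation_rate(findings, cls=None):
    """Fraction of findings (optionally of one class) that were ever fixed."""
    sel = [f for f in findings if cls is None or f["cls"] == cls]
    return sum(f["fixed"] is not None for f in sel) / len(sel) if sel else 0.0

def avg_time_to_fix(findings, cls=None):
    """Mean days from discovery to fix, over fixed findings only (None if no fixes)."""
    days = [(f["fixed"] - f["found"]).days for f in findings
            if f["fixed"] is not None and (cls is None or f["cls"] == cls)]
    return sum(days) / len(days) if days else None

def reopened_rate(findings):
    """Fraction of findings that came back after being marked fixed."""
    return sum(f["reopened"] > 0 for f in findings) / len(findings) if findings else 0.0

def window_of_exposure(findings, site, start, end):
    """Days in [start, end] on which the site had at least one open serious finding.
    Overlapping findings count once, so the result never exceeds the period length."""
    exposed = set()
    for f in findings:
        if f["site"] != site:
            continue
        lo = max(f["found"], start)
        hi = min(f["fixed"] or end, end)  # still open: exposed until period end
        d = lo
        while d <= hi:                    # empty loop if fixed before the period
            exposed.add(d)
            d += timedelta(days=1)
    return len(exposed)

if __name__ == "__main__":
    yr = (date(2011, 1, 1), date(2011, 12, 31))
    print("fix rate", remediation_rate(FINDINGS), "XSS fix rate", remediation_rate(FINDINGS, "XSS"))
    print("avg days to fix", avg_time_to_fix(FINDINGS), "reopened", reopened_rate(FINDINGS))
    for site in ("shop.example", "bank.example"):
        print(site, "window of exposure", window_of_exposure(FINDINGS, site, *yr), "days")
```

Window of exposure is reported per site because a single long-lived finding can expose a site for most of the year even when the raw vulnerability count looks low.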



Twenty-five days until the Olympics - don't let your mobile become a public hotspot

An expectation to be able to connect to the internet at all times could leave London tourists facing a hurdle.

Speaking to SC Magazine, Carla Fitzgerald, vice president of marketing for wireless and mobility at Smith Micro, said that smartphone users expect to be able to connect seamlessly and securely, regardless of device or network.

She said that to get around this problem, users may use their phones and devices as WiFi hotspots, potentially exposing themselves to other issues.

Fitzgerald said: “We found that 71 per cent of people could change their password on a hotspot, yet they did not know how many people are connected to their personal hotspot either. More than 50 per cent could not lock it down.

“Our experience of connecting devices as a hotspot is all you have to do is be protected and educate users on how to lock their devices down. Until people get their bill, they never know what happened.

“The phone has not been developed for the IT administrator, it will allow access to a limit (for time or data) but if you do not know, then anyone can connect. There is no warning on roaming.”

The survey found that using an HTC smartphone, within two minutes only four per cent were able to check how many people were connected to it, yet 71 per cent could change the password required to connect to the mobile hotspot.

In terms of disconnecting the device from the network so nobody else is able to log on to the device, only 21 per cent were able to do this.

Using a MiFi 2200 mobile hotspot, all of the people surveyed were able to see how many people were connected, 88 per cent could change the password and 79 per cent could disconnect the device from the network so nobody else was able to log on to the device.

As discussed by Chris Russell, VP of technology at Swivel, recently, the London Olympics could be a social media-fest ‘on an industrial scale’, and it was appropriate for those responsible for corporate security to remind their users of the risks posed whenever they are accessing their business applications.

He said: “With most evidence pointing to the fact that given the choice, people are prone to using the same password for all their online activity, for both business and personal, the security ramifications for companies and individuals cannot be overestimated.

AdaptiveMobile previously told SC Magazine about the dangers of downloading data, saying that when users download updates via 3G dongles they could face huge bills. They said that even 50MB of data transferred could account for £25-30.



Contests & Awards: Big Breaks, Influencers and Opportunities to Pitch Your Biz – July 2, 2012

Welcome to a fresh list of awards, contests and competitions for growing companies and entrepreneurs.

There are some great contests and awards in this week's roundup.

If you've entered and won a contest or award listed here, let me know so we can share your news.

This list is brought to you every other week by Small Business Trends and Smallbiztechnology.com.

*****

Win Expert Advice for your Small Business

DYMO Endicia has partnered with ecommerce and business experts Marsha Collier and John Lawson to bring small business owners the chance of a lifetime:

Two lucky business owners will win a 1-hour phone consultation with either Marsha or John. Ask your burning business questions, get expert advice, and discuss your management strategies with online sales and marketing gurus.

Dell $100M Innovators Credit Fund

Dell has launched a $100 million Innovators Credit Fund, with the purpose of helping entrepreneurs “maximize potential for innovation, speed to market and job creation.” The credit fund will offer both funding and technology resources with IT support, depending on what each start-up needs.

To be eligible, you must have already received some angel funding or venture capital before you can apply. Start-ups can get up to 10% of their current funding or up to $150,000 with limited credit terms. See website for details and application.

Big Break for Small Business
Enter by July 13, 2012

Five small business owners will receive house calls from American Express OPEN and Facebook branding experts who conduct in-depth marketing makeovers. Winners will also receive $25,000 in cash to implement the social strategies they learn from the makeovers.

The local communities of the winning businesses will also benefit. Winning businesses can invite other local entrepreneurs to meet a panel of social media and marketing experts to teach them how to use social channels for their business. See website for details and to enter.

Crain's 2012 Best Places to Work in NYC
Enter by July 13, 2012

This survey and recognition program is dedicated to identifying and recognizing New York City's best employers. Publicly or privately held businesses with at least 25 full or part time employees are eligible to enter.

SMB Influencer Awards 2012
Enter by July 15, 2012

The 2012 Small Business Influencer Awards are now open for nominations! The Influencer Awards honor companies, organizations, apps and people who have made a meaningful and lasting impact on the North American small business market. Impact may mean (i) providing products widely used by significant numbers of small businesses, or (ii) influencing significant numbers of small businesses by being a thought leader, or (iii) providing information or services of note to significant numbers of small businesses. Nominate here.

Rock Your Biz Blogging Contest
Enter by July 30, 2012

Join BizSugar.com for the Rock Your Biz Blogging Competition June 28 through July 30, 2012, to learn some great tips on how to take your business to the next level with online networking, blogging, or social media. Gain exposure for your company and a chance to win some cool prizes including an iPad3 and more.

To enter, simply write and publish a blog post on your blog, sharing tips or advice on how to use online networking, blogging, or social media in a small business.

DailyCandy Start Small, Go Big Contest
Enter by August 3, 2012

The 2012 “Start Small, Go Big” contest, sponsored for the third year in a row by Ink(SM) from Chase, includes mentors from some of the biggest names in fashion, home, beauty and food including Rebecca Minkoff, Jonathan Adler, Lauren Moffatt, Christiane Lemieux of DwellStudio, Lev Glazman & Alina Roytberg of Fresh, Alison Pincus and Susan Feldman of One Kings Lane, and more. Categories for entry include Fashion, Home, Food & Drink, Health & Beauty, and Digital & Tech. See website for entry details.

Accelerate Michigan Innovation Competition
Enter by August 8, 2012

The Accelerate Michigan Innovation Competition is an annual international business plan competition in Michigan. The event is the world's largest business plan competition with more than $1 million in prizes. The goals of the competition are to promote Michigan as a venue for innovation and opportunity and stimulate job creation.

The New York Times Make Your Pitch Contest
Enter by August 29, 2012

Submit your pitch on video, telling about your product or service, your marketing plans and your customer base. Tell what makes your business different: why is it one to watch? Do you need capital? If so, how much and what for? Most important, how are you going to make money?

All video pitches that meet the submission guidelines will be featured on The New York Times small-business Facebook page and selected pitches will be featured on the New York Times You're the Boss Blog.

PITCH NYC 2012
Enter by August 31, 2012

After hosting the successful 5th Annual PITCH 2012 in the Silicon Valley, Women 2.0 is excited to launch the inaugural PITCH NYC Conference & Competition 2012 (PITCH NYC 2012).

Open to early-stage high-growth ventures around the world, PITCH NYC 2012 invites companies with at least one female in the founding team to apply. Applying companies must be in beta stage and have received less than a million in funding. They are looking for the most disruptive web/mobile ventures, connected device companies, double and triple bottom line ventures, etc. Prizes include $25k cash, services and more.

See website for entry rules (you have to send in your business plan on a napkin!)

If you are putting on a small business contest, award or competition, and want to get the word out to the community, please submit it through our Events & Contests Submission Form. (We do not charge a fee to be included in this listing.) Only events of interest to small business people, freelancers and entrepreneurs will be considered and included.

Please note: The descriptions provided here are for convenience only and are NOT the official rules. ALWAYS read official rules carefully at the site holding the competition, contest or award.




MobileMe Vanishes, Community Broadband Questioned, and What All This Means to You

Mobile and broadband technology may be as important to entrepreneurship as the Internet itself, but the future of both seems in a state of flux. Here are some of the major news items and issues shaping both of these technologies and how your business may be affected.

The Times, They Are a Changin'

Vanishing in an iCloud of smoke. As of Sunday evening, MobileMe, a cloud storage and syncing service debuted by Apple in 2008, was no more. If you haven't heard yet, the service has been replaced by iCloud, but for those seeking a stable way to store important data and share between devices while on the go, it may be time to consider your options. MacWorld

Walmart won't stand still on mobile. The retail giant is introducing a new pre-paid MiFi service starting at $10 for 100 MB with no expiration. Though the new service, called Internet on the Go, is promoted as being for “casual users,” it can provide a WiFi experience using multiple devices and offer automatic online refills. Engadget

Mobile Tech

Gadgets to go. From mobile power to smartwatches and other wristband tech, mobile gear is exploding with many possible applications. As business moves out of the office, increasing your productivity and flexibility, these devices can go along with you to improve your effectiveness in transit. The Next Web

Mobile and Privacy

Location, location, location. Besides access on the go, mobile companies also offer a wealth of potential marketing information. These companies collect and hold onto location data about customers sometimes for years, and provide it to outside companies, whether privacy advocates like it or not. ProPublica

Privacy as product. As an aside to the discussion about the amount of personal data now collected by mobile and other tech companies, one entrepreneur suggests some small businesses might consider using protection of customer information as a unique selling proposition. Solo Small Business

A More Accessible Web

Broadband opportunities not so broad. South Carolina has become the latest state in the US to pass legislation making it difficult, if not impossible, to create publicly owned Internet providers. While some insist providing cheaper, more accessible public Internet isn't the role of government, others say it would benefit many including small businesses. Ars Technica

Access equals growth. From California to Australia, communities are seeing the connection between adequate broadband and economic growth. Riverside, CA received the 2012 Intelligent Community award for establishing a municipal broadband system, while Australia's Minister for Broadband, Communications, and the Digital Economy was named the Intelligent Community Forum's Visionary of the Year. ComputerWorld

Business Access Equals Success

Slow and expensive. In an effort to advance broadband and the economic prosperity it can bring here in the US, the White House recently announced “US Ignite,” but critics say the plan falls short of addressing the real problem: slow and expensive connectivity in the “last mile” that connects the Internet to homes and some small businesses. PC Mag

Leveling the field. On a recent visit to South Africa, Stephen Carter, executive vice president of global telecommunications giant Alcatel-Lucent, suggested a broadband policy is second only to a nation's economic policy in terms of the prosperity it can bring. Carter suggests good access evens the playing field for all. Think about how your business benefits from such access. BusinessTech

Call To Action

Mission possible. Take a look at the story of Pagosa Springs, CO. The town council has recently embarked on a mission to provide municipal broadband to the rural community. The town's experience is an important example of how these communities are working to improve access for their citizens and businesses, creating better economic opportunities in the process. Pagosa Sun