Targeted Cyber Attacks Against Small Biz: Chat Recap

Last week on July 19th we held a Twitter chat - and achieved a “personal best” for the Small Business Trends community.  Our #SMBchat made it as the top trending topic on Twitter.  And we've got the screenshot to prove it!  Thanks to all who participated and made it a huge success.

#SMBchat a Top Twitter Trending Topic

The topic was “Targeted Cyber Attacks, No Longer a Big Biz Problem” and we were fortunate to have two world-class security experts from Symantec join us:

Many thanks to Symantec for making the experts available and for sponsoring this chat!

As usual, we bring you a sampling of some of the interesting and insightful tweets.  Yours truly, Anita Campbell (@Smallbiztrends) was asking the questions of our expert guests and the community:

Q1: How likely is it that a small business will face a malicious cyber attack?

  • 36% of all cyber attacks target small businesses. Poll by @Symantec PDF here: http://t.co/hAhGY1xg  - @TJMcCue
  • 50% of SMBs think they're not a target for cyber attackers, but 73% have been victims of cyber attacks: http://t.co/Vr5Ym3uU  - @SymantecSMB
  • Can it be 100% likely? Isn't it already happening?  - @DIYMarketers
  • Extremely likely. Just looking at WordPress-based sites, 78% sites old versions. All things insecure out of the box insecure.  - @dynamicnet
  • I've had to alert 3 clients that their Websites were hacked. They didn't know because it's not their homepage!  - @PeggyDuncan
  • Symantec blocked more than 5.5 billion attacks in 2011, an increase of 81 percent over the previous year  - @SymantecSMB

Q2: What are the most common types of malicious cyber attacks that small businesses face?

  • Interesting things happening with targeted attacks. They're becoming everyone's problem, not just govs. & enterprises  - @SymantecSMB
  • My email account was hacked and I might need to stop using it because I can't get it fixed….  - @BasicBlogTips
  • Malware comes attached in spam. But Web-based attacks, drive-by downloads: http:/bit.ly/LwyWTV are very prevalent.  - @KPHaley
  • Increased data usage means everyone is challenged to apply secure processes. Threats to bigbiz = threats to smallbiz  - @ZimanaAnalytics
  • Once you get hacked, spammers use your site as the staging ground for their spam efforts.  - @robert_brady

Q3: If small businesses use Macs, instead of PCs, do they need to worry about cyber attacks and malware? Why or why not?

  • SMBs using Macs must take steps to protect info: http:/bit.ly/Q2MyIc  - @KPHaley
  • I have Mac and I am not very worried after I checked if I had the Flashback malware. But I will look out for a good protection.  - @Lyceum
  • Mac users as well as PC users are both targets. Just this year alone, Mac has been heavily targeted by malware and virus  - @dynamicnet
  • Virtualization software for running Windows on a Mac can be just as vulnerable as a PC  - @ZimanaAnalytics
  • From a security standpoint treat your Mac like a PC, protect it.  - @KPHaley
  • Shortened links make it tough to know where you're going to land. Malware authors love that too. - @KPHaley

Q4: What are the top steps SMBs can take to stay safe from Internet-based threats?

  • Deploy reliable security solution on both Windows and Mac endpoints. Keep security software & OS updated with latest patches.  - @SymantecSMB
  • I like 7 Tips for Protecting SMB's Information: http:/bit.ly/Q2MyIc Nice overview.  - @KPHaley
  • Keep site applications up to date. Use secure, unique per application passwords - http://t.co/NzZYDJpv might help.  - @dynamicnet
  • Make sure you back up your website AND your computer network - to more than one device or service.  - @HowardLewinter
  • Educate employees about Internet safety, train to be wary of email attachments, links from unknown sources  - @SymantecSMB
  • Bad guys [are] like roaches, they run when light shined on them. Lists get out of date quickly.  - @KPHaley

Q5: What is a “Comprehensive Security Plan” and how does a small biz create one?

  • SMBs first need to know what they need to protect. It's important to understand your risk and assess your security gaps  - @KPHaley
  • Your security plan should include password policies, endpoint protection, secure email and Web assets, encryption and backup.  - @KPHaley
  • Plan should include how when (since nothing is hacker proof) hacks, malware, etc. get in, then what (time, money)?  - @dynamicnet
  • If the bad person knows you use just one centralized system.. you now made their life so much easier. Layers matter.  - @dynamicnet
  • #SMBChat is happening right now on SMB security, worth following the conversation.  - @Bislr

Q6: What if despite prevention efforts, your business gets hit with a malware attack. What steps should you take to recover?

  • Encourage employees to come forward immediately if they spot a virus or malware, rather than try to resolve it themselves.  - @SymantecSMB
  • Hopefully you have been maintaining a proper backup. Then you can roll back to previous.  - @robert_brady
  • Assess the damage. Determine reporting requirements. Report as applicable. Recover, Debrief for what needs to improve.  - @dynamicnet
  • @robert_brady Great point about backup! If infected roll back to last known good backup.  - @SymantecSMB
  • 61 percent don't even have a written plan, according to @Symantec - so, do that first to have a security process.  - @TJMcCue
  • In the same thought, 1 in 10 SMBS have suffered from a data hack http://www.darkreading.com/smb-security/167901073/security/news/240003962/one-in-10-smes-have-suffered-from-a-data-hack.html  - @port80software

Q7: Passwords are a problem, especially as cloud apps grow all requiring passwords. What are some best practices?

  • Strong passwords have 8 characters or more and use combination of letters, numbers & symbols.  - @KPHaley
  • People like to use the same password to access personal & business resources. Do NOT re-use passwords. - @KPHaley
  • Passwords should be unique per application. http://t.co/NzZYDJpv might help for how to create passwords. - @dynamicnet
  • Bad guys love re-used passwords. - @KPHaley
  • We require auto password changes every 90 days. Employees cannot share password info  - @BasicBlogTips
  • At BARE minimum, have strong email & banking passwords different from each other & social media passwords  - @CathyWebSavvyPR

Q8: If you don't have internal IT or have limited staff, how do you get help for your biz?

  • Cloud-managed security is a great option for SMBs with limited IT staff. Learn about Symantec's SMB: http://bit.ly/NfVHN9  - @SymantecSMB
  • Most infections can be prevented by adhering to organizational policy and exercising caution, so employee training is critical.  - @SymantecSMB
  • Small biz with no IT can often get help from chamber of commerce, fellow small biz, why even twitter. However, confirm facts.  - @dynamicnet
  • Cloud-managed security is great option 4 SMBs w limited IT staff.  - @DIYMarketers
  • Make sure you're working with an expert BEFORE you have a problem - not just cyber issues but anything that's important 2 biz.  - @HowardLewinter

Wrap up:

  • Great to see #SMBChat trending  - @michaelsharkey
  • Thanks for the #SMBchat security discussion - @NoahJS
  • We enjoyed reading all the commentary during the #SMBChat It's great to see people connecting and discussing  - @BusinessDotCom
  • Tip: If you liked what someone said on a chat, follow them, connect later this week; cld be yr next client or biz partner!  - @CathyWebSavvyPR

See also the recap on the Symantec blog.

Note:  to make the recap easier to read, tweets above have been edited to remove redundant information, such as hashtags and answer numbers, and fix obvious misspellings.  The above represents only a small portion of the tweets - it is intended to cover key highlights for reader convenience.




Speak My Language: Getting Customers to Listen

How do you get and keep the attention of people who do not have to listen to you? I mean, life and marketing is not like grade school and your audience doesn't have to be in the room so to speak. From tutoring teenagers in voluntary summer programs to building a following online or a loyal client base, the process of communication is fascinating to me.


How do you captivate an audience enough to get them to listen to you and buy from you?

Kristen Zhivago at RevenueJournal has a simple take on it. In ‘Why Do They Love You,” she suggests that you “have someone you trust to interview your customers.” Isn't it funny how simple solutions keep rising to the surface.

So What Is The Right Way To Say It?

How many times have you run around in circles with your marketing copy, new product development ideas, and other processes inside your small business, trying to find the “right” way to do things? Who wants to put energy into things that your staff won't use and that you clients won't buy?

What if you could speak their language? What if you knew the magic words? What if you knew how to talk to potential clients?

According to Zhivago, author of Roadmap to Revenue, you learn how to talk to future clients by interviewing and listening to your current ones. The goal is to learn from successful relationships and then repeat that behavior. There is nothing like a well-placed conversation and honest feedback.

It's Hard To Serve People You Don't Understand 

It's even harder to understand people that you don't listen to.  Feedback gets you beyond guessing and assuming, it gets you to a place of knowing.  The more you know, the better decisions you can make.

Personally, when it comes to public speaking and training, I learned that it's not my clever acronyms, credentials or catch phrases (though they do help start a conversation) that gets and keeps my audiences' attention. In their own words it's the personal stories, authentic enthusiasm and simple and clear way of breaking things down that keeps them listening.

Before I talked to them, I assumed it was something else.

What assumptions have you made about your customers and what actions are you taking to verify your hunch?





Google's Penguin Update: What You Need To Know To Ensure Your Website Can Be Found

As a small business, you need to define your budget precisely and make sure that every dollar invested is at least doubled. When creating a website and web content for your company, make sure the site is built to the latest industry standards and that the content is good enough to get you listed on the first SERP (search engine results page).

As the biggest and most popular search engine, Google often releases updates to its search algorithms. The purpose of these updates is to keep up with the many black-hat SEO (search engine optimization) methods, such as stuffing a site with keywords just to rank first for those keywords. However, these updates are often quite unfair to small businesses that can't invest money in special SEO techniques (good ones or bad).

Recently, Google released Penguin, its latest update to the search algorithm. Penguin specifically targets over-optimized websites, forcing small businesses to make changes to their sites. Considering that most small business sites run on WordPress (or another template-based CMS), you'll probably notice that almost every one of them has the same footer, including a link to the site itself. This is just one of the things Google's Penguin update might penalize you for. Unfortunately, you, as a small business, now have to either make this change (and a number of others) yourself or hire a professional to do it.

Todd Bailey, SEO expert at WebiMax claims that “Google search is now releasing over 50 updates each month to their search engine, disrupting any consistency of guidelines and punishing small businesses that lack the resources to respond.”

You've probably already seen the effects of the Penguin update: the search results have changed dramatically since April 24th, and petitions are circulating across the web for the retraction of the update. There are also concerns about Google's honesty in all of this; some people say Google did this on purpose to “remove” small businesses from the search results, pushing them to rely more on AdWords campaigns.

As a small business with a limited web budget, there is only one thing that will keep you visible: content. Create a blog on your website and write about your business and your niche regularly. Don't focus too much on the length of the text but on its quality, because that is the only thing that will drive organic traffic to you, regardless of the changes Google or any other search engine introduces.

Take some time during the week(end) and write up 2-3 blog posts for the following week and make blogging your habit. You won't see the change right away, but as with your business, you should write your blog for the long term effect and results.



Black Hat 2012: SSL handling weakness leads to remote wipe hack

LAS VEGAS -- The best-laid plans, and the seeds for a sweet hack, are sometimes sown over a few drinks.

Peter Hannay, a researcher based at Edith Cowan University in Perth, Australia, recalled a conversation over a few cold ones with a client who was curious what an attacker could do should they pwn an Exchange Server. Patiently, Hannay explained bad things could happen; a lot of things could get broken. An attacker would be able to push policy updates and a lot more.

"How about pushing a remote wipe command to every mobile device connected to Exchange?" the client asked.

At that moment, the wheels began to turn for Hannay. Surely an attacker who was to gain direct access to Exchange could issue any command via policy change they desired. But since Exchange is a network service, Hannay wondered, perhaps there would be a way to duplicate the service and issue commands.

With help from some willing students and faculty, Hannay learned the answer is "yes" to all of the above. Thursday at the 2012 Black Hat Briefings, Hannay described the technique he and his cohorts developed to issue remote wipe commands against Apple iOS and Android devices, taking advantage of an SSL handling weakness in both platforms. Ironically, Windows-based phones were immune to his attack.

"This could ruin a lot of days," Hannay said.

Hannay had believed SSL would intervene, and the attack would never work.

"At the very least, we're not going to get a trusted certificate for any random connection to our server. And surely, SSL on the device would also prevent us from receiving a connection," Hannay said. "I also figured some Exchange security, or shared secrets between Exchange and the device would step in."

Nope.

Hannay's attack does not exploit a vulnerability in Exchange. Instead, it takes advantage of a weakness in the way Android and iOS devices handle SSL certificates. Hannay was able to run a man-in-the-middle attack using the popular Wi-Fi Pineapple tool and a self-signed SSL certificate, which both devices accepted with only slight interference on iOS. Windows phones would not connect to the phony server. Once the user checked email from the device, a short Python script written by Hannay would execute, sending a remote wipe command to the phone, and the phone would revert itself to factory settings.

Hannay said that to mitigate the flaws, Apple and Google must implement fixes to their respective platforms. Both companies have been notified.
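The weakness Hannay describes comes down to what the mail client does with a server certificate that no trusted authority signed. The following Go program is an added example, not code from Hannay's research or from this article: it stands up a self-signed TLS server on loopback (the host name mail.example.test is a constructed assumption) and shows that a client which skips verification accepts the impostor, while a client using the system trust store, or one that explicitly pins the organisation's own certificate, refuses it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Constructed host name for the organisation's ActiveSync endpoint (an
// assumption for this example, not a value from the article).
const exchangeHost = "mail.example.test"
// newSelfSignedCert builds an in-memory self-signed certificate for host: the
// kind the impostor server presents, chaining to no trusted authority.
func newSelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serveTLS answers handshakes on loopback with cert in the background, playing
// the duplicate Exchange server; the caller closes the listener when done.
func serveTLS(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// accepted dials addr expecting exchangeHost and reports whether the client's
// verification policy in cfg let the handshake complete.
func accepted(addr string, cfg *tls.Config) bool {
	cfg.ServerName = exchangeHost
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false // e.g. "x509: certificate signed by unknown authority"
	}
	conn.Close()
	return true
}

// runScenarios tests three client policies against the same self-signed server:
// lax skips verification (the behaviour that lets the attack work), strict trusts
// only the system store, pinned trusts exactly the organisation's own certificate.
func runScenarios() (lax, strict, pinned bool, err error) {
	cert, err := newSelfSignedCert(exchangeHost)
	if err != nil {
		return
	}
	ln, err := serveTLS(cert)
	if err != nil {
		return
	}
	defer ln.Close()
	addr := ln.Addr().String()
	lax = accepted(addr, &tls.Config{InsecureSkipVerify: true})
	strict = accepted(addr, &tls.Config{})
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // explicit trust in a known cert, not blanket skipping
	pinned = accepted(addr, &tls.Config{RootCAs: pool})
	return
}
```

The pinned case is the defensible way to use a privately issued Exchange certificate: the device trusts that one certificate, rather than switching verification off for every server it meets.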

It's been a bad 12 months for digital certificates. A breach at Dutch certificate authority (CA) DigiNotar last fall was the most egregious misstep. More than two dozen CA servers were breached and hundreds of forged certificates were signed against 20 different domains. Microsoft, Google and Mozilla quickly announced they'd deemed DigiNotar certificates untrustworthy and blocked them. The CA eventually filed for bankruptcy protection.

Hannay, meanwhile, plans to explore where he can apply his hack next, hinting it could be used to steal data or penetrate remote backup or sync features.

"I think it should be possible," he said.




Your Employees Are Your Best Asset For Social Media Success

As your company grows, you may find that you want to tighten up and control what your company publishes online, especially through social media. One of the ways to “let a thousand flowers bloom” instead is to open up your social media and enable employees to freely participate in corporate social engagement.

Of course, this can only be done properly with training. Here's a video interview I did in Feb 2011 with Dell's head of social media. Dell has a campaign to train its employees in the proper use of social media, which lets more employees communicate with customers through social networks.

In a recent press release McKinsey Global Institute writes:

Two-thirds of this potential value lies in improving collaboration and communication within and across enterprises. The average interaction worker spends an estimated 28 percent of the workweek managing e-mail and nearly 20 percent looking for internal information or tracking down colleagues who can help with specific tasks. But when companies use social media internally, messages become content; a searchable record of knowledge can reduce, by as much as 35 percent, the time employees spend searching for company information. Additional value can be realized through faster, more efficient, more effective collaboration, both within and between enterprises.

The amount of value individual companies can capture from social technologies varies widely by industry, as do the sources of value. Companies that have a high proportion of interaction workers can realize tremendous productivity improvements through faster internal communication and smoother collaboration. Companies that depend very heavily on influencing consumers can derive considerable value by interacting with them in social media and by monitoring the conversations to gain a richer perspective on product requirements or brand image, for much less than what traditional research methods would cost.

To reap the full benefit of social technologies, organizations must transform their structures, processes, and cultures: they will need to become more open and nonhierarchical and to create a culture of trust. Ultimately, the power of social technologies hinges on the full and enthusiastic participation of employees who are not afraid to share their thoughts and trust that their contributions will be respected. Creating these conditions will be far more challenging than implementing the technologies themselves.

I encourage you to read and download the full report.



Xero Makes Changes to Improve Cloud-Based Accounting Software

Online accounting software company Xero has made some changes in the past few months to better help business owners manage their finances. These changes aim to improve the company's online accounting services so that small business owners can spend less time managing their finances and more time growing their business.


Earlier this month, Xero integrated with ADP's online payroll platform, allowing the more than 150,000 small business owners who use RUN Powered by ADP to easily and securely transfer financial data between ADP's payroll solution and Xero's cloud-based software.

RUN Powered by ADP is a popular tool that offers improved compliance tools for payroll, tax administration and employee management. This change aims to allow both business owners and accounting professionals to manage payroll and other HR tasks more efficiently.

Xero also recently acquired WorkflowMax, a full-practice management suite that has allowed Xero to strengthen its cloud-based offerings. Since many businesses and accountants have begun switching over to online financial management systems, Xero wanted to make it easier for accounting professionals to not only manage their clients and finances, but also to deal with all of their other business functions within the same software.

WorkflowMax helps those businesses with important management functions such as tracking time, filtering job leads, generating reports, and creating invoices. With all of the added functions offered by WorkflowMax, accounting professionals can cut back on using different services for each management task, and just use one cloud-based service to run their business while easily collaborating with clients and colleagues.

Founded in 2006, Xero aims to help both business owners who want direct, real-time access to their finances, as well as accounting professionals who serve business clients. With software for everything from invoicing to online accounting, plus a wide range of available add-ons, Xero claims to be the world's easiest accounting software, and also to have everything business owners need to run a business.

Pricing for monthly plans ranges from $19 to $39 with different features for small businesses with different accounting needs.

To learn more about Xero, visit Xero.




Seven Mistakes Harming Your Business's Mobile Strategy

Lextech Global Services has developed mobile apps and strategies for businesses throughout the world, including several Fortune 500 businesses. Through his work with mobile technology, CEO and founder Alex Bratton has identified key areas where businesses can improve on current mobile strategies. Today, Bratton says, businesses are feeling so much pressure to develop apps, they may be destroying their own effectiveness. Bratton advises against simply creating a mobile version of your existing CRM or website.

“This hurried and incomplete approach leads to detrimental development mistakes, leaving businesses with a mobile presence that can hamper revenue growth, ROI and customer experience,” Bratton says. “This type of app wastes valuable IT resources and sets businesses up for failure.”

Bratton names seven specific mistakes businesses make when developing a mobile strategy.

  • Creating a “Me Too” App. If the only reason your business is developing an app is to keep up with the competition, Bratton says you may be going into it for all the wrong reasons. “Just because you're afraid to fall behind in the market doesn't mean it's time to go mobile.” Determine whether or not there's a real business benefit to developing an app.
  • Lack of a Good Business Plan. Bratton has found many businesses leave specifics out of their business plan or, even worse, fail to develop a business plan at all. Careful planning can give your app direction, increasing your chance of having an ROA (return on app investment).
  • Transferring Your Entire Website into Mobile. Bratton recommends the five percent rule: transfer only five percent of your web system's typical content into your web app.
  • Serving All Users with One App. Consider making a suite of apps, each tailored to a specific need of your end users. Bratton also recommends approaching app development on a task-level basis.
  • Overlooking Offline Use. Your end users won't be able to connect from everywhere. Consider creating an app that your end users can still access if they are unable to access wi-fi or cell phone towers.
  • Only Testing In-House. If your technical team is the only one testing the app, you may be missing feedback from those who matter most. Have end users test your app for the most valuable feedback.
  • Trying Too Hard. Avoid excessive gimmicks to get users to download your app. “Instead, focus on the app's professionalism, ease-of-use and value-added,” Bratton says.

Lextech focuses on creating apps that have professional, easy-to-use interfaces and integrate with a variety of platforms. Lextech's apps have won the Bronze Edison award for Best New Technology Product of the Year, Coolest App and Most Monetized App from iOSDevCamp, and a Chicago Innovation Award. In addition to providing mobile web development and mobile planning, Lextech also focuses on customer support once an app has been deployed. Most recently, Sonic Automotive announced a partnership with Lextech to help take its online car-buying experience to the mobile format.



MSSP and mobile support added by BeyondTrust

BeyondTrust has announced the launch of multi-tenant support for MSSPs and a context-aware management solution for mobile devices.

BeyondTrust said that Retina CS 3.5 includes enhanced protection agent deployment and policy management for multi-tenant support for mobile connectors and Retina Insight.

According to the company, Retina CS is a vulnerability management solution that integrates private cloud security into existing vulnerability management practices, providing organisations complete visibility and management of all vulnerabilities.

The new version, Retina CS 3.5, allows users to visualise the before and after effects of remediation recommendations, as well as the ability to view resources within the organisation, such as mail and database servers, domain controllers, new assets and critical mobile vulnerabilities.

Brad Hibbert, executive vice president of product engineering at BeyondTrust, said: “A recent Gartner report advises that organisations looking to invest in cloud infrastructure by leveraging an MSSP should have the provider also support the security for the cloud offering.

“MSSPs can offer a new level of security and comfort to their client base with Retina CS 3.5 by providing security risk discovery, prioritisation, remediation and reporting across their dynamic IT infrastructure, helping to close critical security gaps.”

Retina CS 3.5 also includes a connector to BeyondTrust's PowerBroker mobile solution. According to the company, PowerBroker Mobile is the first product to integrate Retina CS technology since the successful acquisition of eEye Digital Security and integrates context-aware management with vulnerability and patch information.

PowerBroker Mobile offers coverage for Android, Apple iOS, BlackBerry and ActiveSync devices, and is a mobile device provisioning and configuration platform, with policy management for virtual private networks (VPNs), email, passwords, device encryption, remote locking, GPS tracking and remote wipe, according to BeyondTrust.

Hibbert said: “With PowerBroker Mobile we're bridging policy management and mobile health by taking vulnerability assessment information as part consideration. Our goal is to provide organisations with a solution that easily integrates management functionality with security information, for any user that brings their own devices to work.

“Managing the health and risks associated with mobile devices shouldn't be so costly and complex and that's why we're introducing PowerBroker Mobile to the market.”



When You're In Trouble, Just Consult an Expert!

Experts are hard to come by. That is, unless you have an Internet connection! The Internet gives us an almost infinite resource for knowledge, but also provides us with the ability to consult with experts in different industries who often answer people's questions in their own free time.

If you're wondering about the best way to troubleshoot a problem on your servers, or even one way to fix a leaky fridge, you can simply ask a question on any experts network. Some companies provide you with general consultation services where you are paired up with someone who has expertise in your industry.

You probably have already felt that your competitors know something you don't, and you can't just ask your neighbors for that information. Competition won't tell you what they're doing right, of course.

Despite all this, you can actually employ the services of a consultant from a website that offers these services at a “pay for what you need” basis. Here are a few of those:

  • Maven - The definition of “maven” is “an expert or connoisseur.” Maven lives up to this definition by providing you with consultation services from individuals who are experts in any particular field. If you want to know the latest trends in your business, you can ask Maven to conduct a survey of its members working in your field. Within a short time, you'll get results of what's going on in your industry.
  • Experts Exchange - This kind of service allows you to get answers to your technology questions.  Experts sign up here to work with a point-based system and you can sign up to ask any amount of questions you want for $12.95 a month. You can get answers here that you wouldn't have gotten in free places like Yahoo Answers. This platform makes sure you get the top expert for the particular question you're asking.

If you've got a small business, chances are you won't find it convenient to have to hire a panel of experts to get what you're looking for. The Internet makes it possible for you to have experts work on your case without having to ever leave the office.



IDS described as being 13 years out of date and not good enough

Intrusion detection systems (IDS) have been labelled as not being good enough now or for the last 13 years.

Speaking at a recent Websense event, Martin Jordan, director of the information protection team at KPMG, said that "13 years ago IDS did not work and it still does not give much back" and the security industry needs to improve defences against modern malware and botnets.

He said: “There is some advanced IDS and there is threat management, but the state of IDS is still not enough.”

Asked if he felt that IDS was out of date, Jordan said: “I don't think it addresses the threat. IT departments shouldn't see it as a magic button, as it is all technology and it is all fallible, you can only solve a problem by dealing with the threat appropriately, by gauging what it is.

“I have to help by securing our own network and we are protecting 40,000 people worldwide, and quite often the first thing I look at is the Websense folders, as they are a very rich source of intelligence. So IDS will never solve it but a move towards better solutions will be better for you.”

Speaking to SC Magazine, Metadigm CTO Steven Malone said that it was interesting that Jordan had referenced IDS and not IPS (intrusion prevention systems).

He said: “Around five years ago, IDS vendors suddenly decided they were intrusion prevention/protection rather than just intrusion detection and IDS morphed into IPS.

“However, with the complexity of APTs on the increase and UTM technology maturing, it's easy to see how blended threats now require blended security rather than standalone products. UTM vendors with a solid offering such as Check Point and Fortinet are in a prime position to service this demand.”

Didier Guibal, executive vice president of worldwide sales at Websense, said: “You cannot do without traditional defences and you need to take a separate look at things.

“You cannot spend 80 per cent of your resources on solutions that only address 30-40 per cent of the threats, so you have to take another look at how you are spending the budget and then beyond that, have a top down strategy so you have a constant additional layer that is consistent with the technology.”



Qualys opens Android app analysis framework

Qualys has launched an open-source framework to allow users to find out what their Android apps are doing.

Named the Android Security Evaluation Framework (ASEF), the company said that it allows researchers to harvest behavioural data from hundreds of installed applications on a device, analyse their run patterns and assess whether they are doing more than they are supposed to and whether personal information is exposed.

In a blog post, Parth Patel, vulnerability signature engineer at Qualys, said he created ASEF to perform Android app analysis while alerting the user to other possible problems.

“[You should] use it to become aware of unusual activities of your apps, expose vulnerable components and help narrow down suspicious apps for further manual research,” he said.

He said that ASEF takes a set of apps, either pre-installed on a device or as individual APK files, and migrates them to the test suite that runs through test cycles on a pre-configured Android Virtual Device (AVD).

This simulates the entire lifecycle of an Android app on an Android device, triggering its behavioural aspects and collecting data using ADB (the Android Debug Bridge utility, which ships as part of the Android SDK) and network traffic using tcpdump.

Patel said: “During such a simple yet thorough approach of performing a behavioural analysis for various apps, interesting results were found about apps leaking sensitive information such as IMEI, IMSI, SIM card or a phone number of a device.

“Some malicious apps might just send this data in clear text over the internet, and are much easier to catch by analysing collected behavioural data. However some malicious apps can be sophisticated enough to detect the default settings of a virtual Android device and might behave differently in such settings.”
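The clear-text case described above, as an added example that is not part of ASEF or Qualys's code: it takes the test device's identifiers (which ASEF would read from the AVD over ADB) and HTTP requests reassembled from the tcpdump capture, and reports which request to which host carries an identifier, whether plain, URL-encoded, hex, base64 or MD5-hashed. The identifiers, hosts and requests are constructed for the example.

```python
# Added example, not part of ASEF: flag a test device's identifiers (as ASEF
# would read them over ADB) appearing in HTTP requests reassembled from the
# tcpdump capture, whether plain, URL-encoded, hex, base64 or MD5-hashed.
import base64
import hashlib
from urllib.parse import unquote

# Constructed identifiers for a hypothetical test device (not real values).
DEVICE_IDS = {"IMEI": "490154203237518", "IMSI": "310260000000000",
              "phone": "+15555215554"}


def encodings(value: str) -> dict:
    """Forms in which an app might transmit an identifier, keyed by form name."""
    raw = value.encode()
    return {"plain": value, "hex": raw.hex(),
            "base64": base64.b64encode(raw).decode(),
            "md5": hashlib.md5(raw).hexdigest()}


def find_leaks(requests):
    """Return (host, identifier, form) for each identifier found in each request."""
    findings = []
    for req in requests:
        headers = req.split("\r\n\r\n", 1)[0].split("\r\n")
        host = next((h.split(":", 1)[1].strip() for h in headers
                     if h.lower().startswith("host:")), "?")
        haystack = unquote(req).lower()  # fold %2B -> '+', ignore case
        for name, value in DEVICE_IDS.items():
            for form, needle in encodings(value).items():
                if needle.lower() in haystack:
                    findings.append((host, name, form))
    return findings


# Constructed sample requests: one benign, one leaking the IMEI and a
# URL-encoded phone number in a form body, one sending the IMSI base64-wrapped
# in a custom header (an emulator's default IDs would be just as easy to spot).
SAMPLE_REQUESTS = [
    "GET /ads?v=2 HTTP/1.1\r\nHost: ads.example.net\r\n\r\n",
    "POST /collect HTTP/1.1\r\nHost: track.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "imei=490154203237518&msisdn=%2B15555215554",
    "GET /ping HTTP/1.1\r\nHost: cdn.example.org\r\n"
    "X-Device: MzEwMjYwMDAwMDAwMDAw\r\n\r\n",
]

if __name__ == "__main__":
    for host, name, form in find_leaks(SAMPLE_REQUESTS):
        print(f"{host}: {name} sent as {form}")
```

Matching on substrings of the captured traffic is exactly what the second caveat undermines: an app that recognises the emulator can simply withhold the identifiers, so an empty result is not proof of a clean app.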

Patel also said that ASEF is available as open source, so users can gain insight into the security aspects of Android apps by using the tool with its default settings.

“ASEF will provide automated application testing and facilitate a plug and play kind of environment to keep up with the dynamic field of Android security,” he said.



MSSP and mobile support added by BeyondTrust

BeyondTrust has announced the launch of multi-tenant support for MSSPs and a context-aware management solution for mobile devices.

BeyondTrust said that Retina CS 3.5 includes enhanced protection agent deployment and policy management for multi-tenant support for mobile connectors and Retina Insight.

According to the company, Retina CS is a vulnerability management solution that integrates private cloud security into existing vulnerability management practices, providing organisations complete visibility and management of all vulnerabilities.

The new version, Retina CS 3.5, allows users to visualise the before and after effects of remediation recommendations, as well as the ability to view resources within the organisation, such as mail and database servers, domain controllers, new assets and critical mobile vulnerabilities.

Brad Hibbert, executive vice president of product engineering at BeyondTrust, said: “A recent Gartner report advises that organisations looking to invest in cloud infrastructure by leveraging an MSSP should have the provider also support the security for the cloud offering.

“MSSPs can offer a new level of security and comfort to their client base with Retina CS 3.5 by providing security risk discovery, prioritisation, remediation and reporting across their dynamic IT infrastructure, helping to close critical security gaps.”

Retina CS 3.5 also includes a connector to BeyondTrust's PowerBroker mobile solution. According to the company, PowerBroker Mobile is the first product to integrate Retina CS technology since the successful acquisition of eEye Digital Security and integrates context-aware management with vulnerability and patch information.

PowerBroker Mobile offers coverage for Android, Apple iOS, BlackBerry and ActiveSync devices, and is a mobile device provisioning and configuration platform, with policy management for virtual private networks (VPNs), email, passwords, device encryption, remote locking, GPS tracking and remote wipe, according to BeyondTrust.

Hibbert said: “With PowerBroker Mobile we're bridging policy management and mobile health by taking vulnerability assessment information as part consideration. Our goal is to provide organisations with a solution that easily integrates management functionality with security information, for any user that brings their own devices to work.

“Managing the health and risks associated with mobile devices shouldn't be so costly and complex and that's why we're introducing PowerBroker Mobile to the market.”



Chick-Fil-A Comments Put Brand in Jeopardy

Chick-Fil-A president Dan Cathy has discovered what some business owners already know, that what you say and do may have an impact on your brand not only in positive but also in negative ways. Cathy's recent comments on gay marriage have landed his business in the middle of a contentious debate. The situation can be a cautionary tale for other business owners contemplating stands on controversial issues:

A Poor Choice of Words

Playing chicken with public opinion. Cathy's comments about supporting the “biblical definition of the family unit” have angered gay rights activists, some customers, some political leaders and, yes, even the Muppets. Of course, business owners, like everyone else, have the right to free speech, but exercising this freedom may affect your business. CBS News

Having your waffle fries and eating them too. After Cathy's remarks to a religious news site and over the radio angered customers and political leaders, some of whom are now threatening to block the company's expansion plans, Chick-Fil-A is trying to disengage from the debate. But the question is whether or not it's too late. The Los Angeles Times

The Seeds of Discontent

Brand runs afoul of customers too. Lest anyone think activists, political leaders, and business partners were the only ones offended by Cathy's remarks, a marketing research company says the Chick-Fil-A brand has taken a hit with American consumers too, since Cathy's remarks became public. YouGov

Trouble in the hen house. What's worse, the Chick-Fil-A controversy has even encouraged a bit of brand co-opting. Witness YouTube chef and comedian Hilah Johnson's creation, the Chick-Fil-Gay, a do-it-yourself home version of the chicken franchise's popular sandwich, made for home consumption to show opposition against the company's stand. The Stir

The Eye of the Storm

Chick-Fil-A appreciation day. Meanwhile, not everyone is on Cathy's back, and some leaders are even urging support for the values he espoused during two controversial interviews that have angered some and energized others to defend the company. Former US Presidential candidate Mike Huckabee is advocating support for Cathy's remarks and his business in a nationwide show of solidarity Wednesday. Facebook

Don't mix business with religion. Of course, franchise expert Joel Libava points out in a recent post that the Chick-Fil-A president's real mistake was not simply espousing a politically incorrect opinion. It's also that he made the mistake of mixing business with religion. Some say it's unwise to discuss politics or religion with others. Maybe business owners should take the hint, too. The Franchise King

Amazon chief wades into debate. While controversy over Chick-Fil-A's stand on gay marriage still rages, another business leader, Jeff Bezos, CEO at Amazon, has donated $2.5 million in support of a same-sex marriage referendum in Washington state. Some will question whether his stand also invites criticism from those on the other side of the debate. The Washington Post



Small Business Ain't Employing Like it Used to

It's paradoxical.

While everyone from politicians to the media extol the value of small business to job creation, its share of U.S. employment has been on a long-term decline.

The majority of the private sector labor force now works in big companies, with that fraction at 51 percent in 2009, up from 43 percent in 1946. The share in medium-sized businesses is down slightly from 34 to 31 percent, while the fraction in the smallest businesses, those with fewer than 20 employees, has declined from 23 percent to 18 percent.

These employment changes result from a subtle, but long-term trend toward more big businesses. While big companies have never been a large fraction of U.S. businesses, and almost certainly never will, they make up a bigger fraction of companies than they did back at the end of World War II. Data from the Census Bureau and the Bureau of Economic Analysis reveals that in 2009, companies with more than 500 employees accounted for 0.3 percent of U.S. companies. Back in 1946, that fraction stood at 0.2 percent.

The growth in big businesses comes at the expense of small companies. Businesses with fewer than 20 workers made up 94.4 percent of U.S. firms back in 1946. In 2009, that share was down to 89.7 percent.

Small business won't disappear as a major source of employment for Americans. Small scale operations are effective in too many industries for that to ever happen. But, at the same time, I doubt we will ever return to the days when small business accounted for a clear majority of private sector employment.