Security researcher wins Microsoft Blue Hat prize for kBouncer

Microsoft has rewarded a researcher for his creation of a technique that can help defend against memory-based return oriented programming attacks.

We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too.

Katie Moussouris,
senior security strategist, Microsoft

Vasilis Pappas won the grand prize in Microsoft's Blue Hat contest, designed to get researchers to design memory-based defenses. Pappas earned $200,000 for kBouncer, a fully transparent return-oriented programming (ROP) mitigation technique. It's based on runtime detection of abnormal control transfers using hardware features found on Intel processors, according to Microsoft.

Pappas' method uses Intel processors' Last Branch Recording, or LBR, feature to detect ROP when system calls are made. It tracks the destination address of API return control transfers. The method is considered to be a practical and functional short-term mitigation technique that would work against most ROP attacks today, Microsoft said.
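To make the check concrete, here is a small Python model of the kind of policy described above, written as an added example rather than code from kBouncer or from Pappas: at a system call it walks a snapshot of recent branch records and flags any return whose destination is not immediately preceded by a call instruction. The branch records, the byte-level code image and the three recognised call encodings are all constructed assumptions for this illustration.

```python
"""Simplified model of a call-preceded return check over an LBR-style snapshot.

Assumptions (constructed for this example, not kBouncer's real implementation):
  - `lbr` is a list of (src, dst) address pairs, oldest first, standing in for
    the Last Branch Record entries read when a system call is made.
  - `code` is a dict mapping address -> byte, built from tiny hand-written
    x86 fragments below.
  - A branch is treated as a return if its source byte is C3 (ret) or C2 (ret imm16).
  - Only three call encodings are recognised when deciding whether a
    destination is "call-preceded":
      E8 rel32       5 bytes   call rel32
      FF 15 disp32   6 bytes   call [disp32] / call [rip+disp32]
      FF D0..D7      2 bytes   call reg
  Looking backwards a fixed number of bytes is a heuristic, not a disassembly.
"""

CALL_LENGTHS = (2, 5, 6)


def is_return(code, src):
    """True if the branch at `src` is a return instruction (C3 or C2)."""
    return code.get(src) in (0xC3, 0xC2)


def is_call_preceded(code, target):
    """True if one of the recognised call encodings ends exactly at `target`."""
    for length in CALL_LENGTHS:
        start = target - length
        opcode = code.get(start)
        if opcode is None:
            continue
        if length == 5 and opcode == 0xE8:
            return True
        if length == 6 and opcode == 0xFF and code.get(start + 1) == 0x15:
            return True
        if length == 2 and opcode == 0xFF and 0xD0 <= code.get(start + 1, -1) <= 0xD7:
            return True
    return False


def check_lbr(code, lbr):
    """Apply the policy at system-call time.

    Returns the list of (src, dst) return records whose destination is not
    call-preceded; an empty list means the system call would be allowed.
    """
    return [(src, dst) for (src, dst) in lbr
            if is_return(code, src) and not is_call_preceded(code, dst)]


def load(code, base, data):
    """Place a constructed byte fragment into the code image at `base`."""
    for offset, byte in enumerate(data):
        code[base + offset] = byte


# Constructed code image.
CODE = {}
load(CODE, 0x1000, [0xE8, 0x10, 0x00, 0x00, 0x00])   # call rel32 -> 0x1015
load(CODE, 0x1005, [0x90])                            # nop: legitimate return site
load(CODE, 0x1015, [0xC3])                            # callee: ret
load(CODE, 0x2000, [0x58, 0xC3])                      # pop rax; ret (gadget)
load(CODE, 0x2010, [0x5F, 0xC3])                      # pop rdi; ret (gadget)
load(CODE, 0x3000, [0xFF, 0x15, 0, 0, 0, 0])          # call [disp32]
load(CODE, 0x3006, [0x90])                            # nop: also a valid return site

# A normal call/return pair: the ret lands right after its call.
BENIGN_LBR = [(0x1000, 0x1015), (0x1015, 0x1005)]

# A constructed chain of returns: the ret at 0x2001 jumps into a gadget at
# 0x2010 that no call precedes and is flagged.  The ret at 0x2011 lands at
# 0x3006, which sits right after a call, so it passes the check; that is the
# limitation discussed later on this page (gadgets at valid return sites).
ATTACK_LBR = [(0x1015, 0x1005), (0x2001, 0x2010), (0x2011, 0x3006)]


if __name__ == "__main__":
    print("benign violations:", check_lbr(CODE, BENIGN_LBR))
    print("attack violations:", [(hex(s), hex(d)) for s, d in check_lbr(CODE, ATTACK_LBR)])
```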

Two other winners received cash prizes for their research entries. Second-place winner Ivan Fratric received $50,000 for the creation of ROPGuard, a system that can detect and prevent the currently used forms of ROP attacks at runtime. Jared DeMott took the third-place, $10,000 prize for his entry, /ROP, a system that lowers the effect of address space disclosures and mitigates known ROP exploits.

The Blue Hat contest winners were announced at the Black Hat 2012 Briefings in Las Vegas. Microsoft announced its Blue Hat contest last year as a way to get security researchers to focus on defensive techniques to thwart memory-based attacks. The software giant does support a bug bounty program to reward researchers who discover vulnerabilities in Microsoft products.

The Blue Hat contest has helped connect Microsoft with talented researchers and create defensive techniques that have an immediate impact on the security industry, said Katie Moussouris, senior security strategist at the Microsoft Security Response Center. Features from Fratric's ROPGuard submission have been integrated into the technical preview of the Enhanced Mitigation Experience Toolkit (EMET) 3.5. It's possible that other elements of the contest submissions will be incorporated into EMET or other products.

"One of the goals we set out to accomplish with this contest was to create both an incentive and an opportunity for fame and fortune in the area of security defensive research that never existed at this scale before," Moussouris wrote. "We identified security defense talent that we may never have encountered otherwise, and helped the world get to know them too."

Microsoft admits that techniques can be bypassed

Microsoft has acknowledged the difficulty of developing and implementing defensive security technologies. It shouldn't take long for cybercriminals to design an attack that would bypass Pappas' mitigation technique, said Matt Miller at Microsoft's Security Engineering Center.

"It is believed that attackers would be able to accomplish this in most cases with a low to moderate development cost," Miller wrote in the Security Research and Defense blog. "Specifically, imposing these checks on specific APIs (as in the prototype) may be prone to bypasses, and imposing checks only on returns does not mitigate all methods of chaining gadgets."

In fact, all three winning Blue Hat contest entries rely on techniques that are likely to be bypassed by cybercriminals, Miller said. The entries will have a short-term impact, but over time, cybercriminals will focus their resources on evading detection.

Miller called Fratric's research "novel," but said an attacker can adapt to the checks it employs at relatively low cost. ROPGuard limits checks to certain critical functions, but an attacker could bypass those functions by attempting to call a lower-level API, he said.

DeMott's technique could be "bypassed by leveraging gadgets that are in the set of valid return sites, or by using a gadget chaining method that does not involve a return instruction," Miller wrote. "The fact that this solution does not fully address all forms of code reuse limits the expected long-term impact of the design as described."




Black Hat 2012: Pepper Flash sandbox bolsters Google Chrome security

Google Chrome could be getting a security boost when it more formally adopts Pepper Flash sandbox technology, according to two researchers who say Pepper offers the best protection against attacks.

Attackers now need an additional sandbox escape vulnerability to fully compromise a system.

Mark Vincent Yason,
security researcher, IBM's X-Force Advanced Research Team

Security researchers Paul Sabanal and Mark Vincent Yason of IBM's X-Force Advanced Research Team told attendees at the 2012 Black Hat Briefings last week that Chrome's Pepper Flash implementation offers a much more restrictive environment when compared to Google's native Flash plug-in for Chrome or Protected Mode Flash for Firefox, which is based on the sandboxing code in Adobe Reader X.

Google announced plans earlier this year to begin phasing out its native Protected Mode Flash for Chrome, a Flash player plug-in it developed with Adobe. Pepper Flash offers an alternative to the plug-in and supports a more secure Pepper Plugin API (PPAPI). The researchers said Pepper Flash will likely be the default player in Chrome 21.

In their paper, Digging Deep into the Flash Sandboxes (.pdf), the two researchers conclude Pepper Flash offers the most security, but needs work on stability issues before it can be fully supported in Chrome.

"It is still not stable enough for day-to-day use," the researchers said in their report. "Fortunately, even the less-restrictive Firefox Flash and Chrome Flash still offer substantial cost of exploitation. In fact, we haven't encountered any public exploits that fully exploit a Flash vulnerability through Firefox and Chrome since these sandbox implementations were released."

At Black Hat, the two researchers gave a detailed description of the way all three sandboxing technologies work. The analysis shows that while sandboxes add another layer of defense to browser components, attackers could find a way to force some data leakage or bypass the restrictions altogether. Adobe credited the researchers in March for discovering two vulnerabilities in Flash Player: memory corruption errors that could allow attackers to cause a denial of service (DoS) and ultimately find a way to escape the sandbox implementation.

"What can malicious code do when it is running in a sandbox? Not much, but enough," Sabanal said.

The researchers said Firefox Flash contains default policy rules that grant the sandbox process write access to certain folders and files. It also allows read access to all files that are accessible from the user's account. An attacker could potentially read the registry, they said. Meanwhile, Chrome Flash allows read access to all files that are accessible from the user's account, and allows read access to the major registry hives, they said.

"Both Firefox Flash and Chrome Flash do not restrict network access," Sabanal said. "This could allow transfer of stolen information to a remote attacker."

The two researchers demonstrated a sandbox escape, exploiting local elevation-of-privilege vulnerabilities in Chrome Flash that were discovered earlier this year. Using two computers, the machine that serves the exploit and the victim's machine, the researchers opened two calculators. The calculators, one with a medium integrity level and one with a low integrity level, were spawned by a mutually exploited sandbox Flash plug-in process, the researchers said.

The researchers said other methods could be used to escape the sandbox implementations. Researchers have used named object squatting attacks and IPC message parser vulnerabilities for targeting weaknesses in a higher privileged application.

"Attackers now need an additional sandbox escape vulnerability to fully compromise a system," Yason said. "It's made it more expensive for the attacker."

Adobe has been working diligently to add a sandbox around its Adobe Reader and Acrobat software, which has been a favorite target of attackers. The new defensive layer makes it difficult for automated toolkits, the most prevalent kind of attack, to successfully exploit the software and then break out and infect a victim's machine. Other browsers and plug-ins use sandboxing to build in similar protections. Chris Rohlf, an independent researcher with Leaf Security Research, presented ways to bypass Google Chrome's Native Client sandboxing technology. Other researchers have demonstrated ways to bypass sandboxing implementations, but most experts agree the additional layer makes it more difficult for cybercriminals to successfully carry out attacks.




Wildfire Joins Google: Serving All Social Media Platforms

Google has just announced its purchase of social media marketing software developer, Wildfire.

Wildfire Joins Google

The acquisition will likely lead to Google providing advanced promotional services for businesses and brands that want to run marketing campaigns on Google+.

However, Wildfire has stated that it will continue to deliver marketing services across all social services including Facebook, Twitter, YouTube, Pinterest, LinkedIn and more, even though these sites make up much of Google+'s competition.

This means that Google will now run a service that actually benefits from the success of its competitors. So as networks such as Facebook and Twitter gain popularity with brands, Google can cash in on that success. But as Google focuses more and more on the promoting Google+, will it decide to change up Wildfire's offerings to mainly benefit its own social network?

Currently, Wildfire offers marketing tools that can help brands manage activity on multiple social networks, measure activities and results, build strategies, monetize social audiences, and more. One feature, however, that isn't run by Wildfire is social media advertising.

Currently, Wildfire only sells ads through its partner, Adaptly. So if Google decides that it wants a full-service social media marketing suite, it would have to also purchase Adaptly or another social ads platform.

But for now, Adaptly and Wildfire will continue their partnership. So Wildfire users won't necessarily see any immediate changes to the service because of this acquisition.

Wildfire was started in 2008 when its founders were looking to host a Facebook contest for their New Zealand based travel company. When they discovered that running the promotion on Facebook would require a separate application, they decided to create their own software, which became the first version of Wildfire.

Today, Wildfire continues to help different brands run similar promotions and a variety of different marketing efforts across Facebook and other platforms. And now that Wildfire has joined up with Google, Wildfire says it will continue to deliver those same services, while it builds and improves new tools for companies wanting to use social media to promote their businesses in new and different ways.




The Current State of Small Business Lending

How did small business lending fare last year? The SBA's Office of Advocacy recently released its annual report on small business lending, Small Business Lending in the United States 2010-2011.


As might be expected, the report found that both small business borrowers and lenders were less active in 2011 than in 2010, with both sides cautious about either taking on debt or extending capital in a still-shaky economy.

This report's data are based on the size of the loan, not the size of the business, so it defines “small business loans” as those under $1 million. Within that number, loans are further broken down into “macro business loans” (between $100,000 and $1 million) and “micro business loans” (under $100,000).

Here's what the SBA found:

  • Larger loans grew while smaller loans fell. Business loans of over $1 million grew by 5.8 percent in 2011 in terms of dollar volume. This is a big change from the 8.9 percent drop such loans saw in 2010.
  • By comparison, outstanding small business loans as of June 2011 were valued at $606.9 billion, a decline of 6.9 percent from the same time the previous year.
  • Borrowing declined for both commercial real estate (CRE) and commercial and industrial (C&I) loans under $1 million. However, CRE loans declined at a slower rate.
  • The value of the smallest C&I business loans (micro loans less than $100,000) declined by 12.7 percent.
  • The largest banks (those with assets of $50 billion or more) accounted for 38 percent of outstanding small business loans and 51 percent of the total decline in small business loans.

While the SBA study reflects what was happening last year, the Thomson Reuters PayNet Small Business Lending Index for June paints a more optimistic picture. That index shows small business borrowing at its highest level of the year, what Thomson Reuters president William Phelan calls in this Reuters video one of the most dramatic jumps since they began tracking the data in 2005. Phelan says:

“Transportation, construction and professional services companies are starting to expand and invest in their businesses again.”

Phelan attributes the surge to small businesses having learned how to do more with less. They've adjusted to new economic reality by becoming more productive and investing in new technology, he says.

As a result, small businesses are in good financial shape and loan delinquencies are down to an all-time low. Phelan explains:

“Small businesses have spent a lot of time strengthening their balance sheets and are well-positioned to start to expand when the economy starts growing again.”

Is your business ready to borrow?





Have You Tested Your Backup Solution Lately? (Infographic)

If you're reading this, you probably have a backup solution stowed away somewhere deep in the jungle of the Internet. You're probably thinking about how simple life is when you have the ability to restore those files straight to your systems. What if you learned that backing up something doesn't necessarily mean you'll get it back at the time you want?

When disaster strikes, you're probably going to get those files, but you might not get them when you really wanted them. Every hour in the delay loses you precious traffic and cash, eventually leaving you in a deep state of panic. What are you going to do now?

According to BUMI, a company that specializes in innovative backup solutions, almost all people using a backup solution consider a "more than a day" recovery unacceptable. But how do you know if your recovery process will take that long?

Here's an infographic released by the company with the results of a survey on companies using backup solutions:

Fortunately, there's a solution that helps you ensure that your recovery will go as smoothly as possible. The solution is possible through a business you already know: Your own. Yes, you can test your own backup solution by recovering your data in a “drill recovery” that will fill up a dummy drive or partition with the information. It's not extraordinarily hard, and you can do this once per quarter.

About a quarter of respondents to the survey never test their backup solutions. This raises concern about their ability to recover from disasters. Do you really want to put your company at that much risk? Testing these things should usually be as easy as flipping on a switch. If your recovery isn't easy, then you probably shouldn't be using it.

Many companies told BUMI that they'd lose hundreds, even thousands, of dollars with one hour of downtime. Some couldn't put a figure on the amount of money they'd lose in an hour. The problem rests not only in money, but the customer relationships that are damaged when they see a website that doesn't load. You lose not only the opportunity to have newer clients, but you also bite your customers slightly by having a downed site for more than a day, especially if they rely on your business a lot.

Don't become a statistic. Put that pointer finger to work and left-click on the “recover” button (or whatever it's called). It will not only give your pointer finger nicer muscle tone in the long run, but will also give you the satisfaction of knowing how your backup solution performs in the face of a crisis when you most need it.



New model iPhone picked for next month

Apple is preparing to introduce the next version of the iPhone on September 12 in what will be a design overhaul of its top-selling product, according to two people with knowledge of the company's plans.

The people asked not to be named because an official announcement hasn't been made.

The new iPhone will have a larger screen and thinner body, and is expected to work with faster long-term evolution wireless networks being introduced by carriers, according to analysts such as Piper Jaffray's Gene Munster.

The design change will be Apple's first for the best-selling smartphone since 2010, when it unveiled the iPhone 4.

Last year's update, the 4S, had the same look as the previous version.

Anticipation for the new model has led to a drop in sales for the current devices, causing Apple to miss analysts' sales and profit targets for the three months that ended in June. The iPhone accounted for 46 per cent of the company's revenue in the quarter.

Apple is battling Samsung Electronics for supremacy in the US$219.1 billion ($270.1 billion) smartphone market.

While Apple's strategy has been to release a single smartphone each year, Samsung has become the world's leading handset maker by putting out several devices a year in a range of sizes and prices.

The planned September debut was reported earlier by iMore, a technology news website. Natalie Harrison, a spokeswoman for Apple, declined to comment.

Signs that Apple is preparing to introduce a new product were evident in its quarterly financial results.

The company increased the prepayments it is making for components by US$1.15 billion - a jump that may indicate a new product is going to be introduced, according to a report from Maynard Um, an analyst at Wells Fargo Securities.

Apple co-founder Steve Jobs had worked closely on the redesigned phone before his death in October, a person familiar with the matter said.

- Bloomberg



Facebook drops 6.2 per cent to record low

Facebook dropped 6.2 per cent to a record low, the third straight day of declines after the world's largest social-networking service reported second-quarter results that showed slowing growth.

Shares slumped to US$21.71 yesterday as of the close in New York, the lowest closing price since Facebook held an initial public offering on May 17.

Facebook disappointed investors last week when it reported sales growth of 32 per cent, down from 45 per cent in the first quarter, and refrained from providing a sales or profit outlook for the year.

The company also posted slower user growth and is grappling with concerns about how well it can boost advertising on mobile devices.

"There were obviously some people who didn't want to sell on the first day in anticipation that you would see some stabilisation and the stock price sort of return a little bit," said Mark Harding, an analyst at JMP Securities who has a market outperform rating on the stock.

"Perhaps they're disappointed by the lack of a recovery, and maybe now they're using the opportunity to perhaps pare back."

Facebook has lost 43 per cent since the IPO.

Carlos Kirjner, an analyst at Sanford C. Bernstein & Co, lowered his Facebook price target by US$2 to US$23 a share even as he upgraded the stock to a market perform from an underperform. Facebook is worth US$19 a share, based on its value as an online-display ad company that's gaining market share, he said.

Growth opportunities, including new advertising markets, add another US$4 to the stock price, Kirjner said.

Facebook shares could fall in the coming months with the expiry of lockup periods, which bar insiders from selling shares for a period after the IPO, Kirjner said. More than 200 million shares will come on the market in August alone, he said.

Facebook on July 26 reported revenue of US$1.18 billion, topping an estimate of US$1.16 billion, according to Bloomberg.

- Bloomberg



Google gobbles up Kiwi's firm for $307m

From humble beginnings on a farm in Manawatu, Kiwi expat Victoria Ransom co-founded a technology company which Google has now purchased for a reported US$250 million ($307 million).

Ransom's company Wildfire - a Silicon Valley-based startup that helps companies promote themselves on social media networks such as Facebook and Twitter - announced on its blog yesterday it had been scooped up by Google.

The terms of the deal were not disclosed but the Wall Street Journal said the purchase price was US$250 million.

Wildfire's services can help clients boost interest on Facebook and other social sites, including Twitter and Google+.

"Wildfire will operate as usual," the company said on its website yesterday.

Ransom started Wildfire with former professional snowboarder Alain Chuard in 2008.

The pair both worked as investment bankers in New York before quitting their jobs in 2001 to start an adventure travel company.

After making software that would allow the company to give away trips on Facebook, Ransom and Chuard soon discovered this service was a viable venture in itself, eventually launching it as the first Wildfire product. They went on to develop a company with nearly 400 employees and 16,000 clients, including 30 of the top 50 global brands.

Ransom - now in her mid-30s - grew up in the small rural settlement of Scotts Ferry near Bulls. She told US website mixergy.com that entrepreneurship was not a career option she had first considered.

"Where I grew up in New Zealand, it was not a career choice you talked about. But as it turns out, my father is a farmer, that's an entrepreneurial career," she said.

After graduating with a degree in psychology in 1999, Ransom went to work in the media group at investment bank Morgan Stanley.

"I saw a lot of entrepreneurs coming in and pitching to Morgan Stanley. That was eye-opening for me," she said in another online interview.

Ransom later went to study at Harvard Business School before starting Wildfire.

- Additional reporting agencies

Kiwi expats in Silicon Valley

While Kiwi entrepreneurs may once have been few and far between in Silicon Valley, there is now a growing network of New Zealand expats working in the San Francisco Bay Area.

John Holt, a director at the Kiwi Landing Pad in California, said there was now a strong community of New Zealanders in the technology scene in San Francisco.

Kiwi Landing Pad is an organisation helping New Zealand tech companies establish and grow their business in the US. Holt said getting traction overseas was essential for internet start-ups.

"For anything, particularly around the internet, you need scale, and you run out of that pretty quickly with four million people [in New Zealand], so you've got to go regardless."

Over the past 18 months, Holt said, a number of Kiwi companies had been bought by US firms, including his own firm Sonar6, acquired in April this year.

Another company, Litmos, was sold for a multimillion-dollar sum to Silicon Valley's Callidus Software in 2011.

These sales had flow-on effects for the New Zealand economy, Holt said.

"Sonar6 still has 30 people earning salaries and pretty much all of its shareholders having return from that sale [are] in New Zealand."

By Hamish Fletcher

Eliminate To Innovate

Several years back, while talking on the phone with a friend from college, I was also going though my pile of things-to-fix-up-and-reuse.  When she asked what I was doing, I told her and her reply was certain and final enough to get my full attention:

“Don't keep broken things around you.”


She went on with what she was talking about, but her statement stuck with me.

In “The Upside-Down Approach To Innovation,” Anita Campbell asks a core question:

“What if we approached innovation from the opposite direction, by getting rid of what isn't working before we try to come up with something that works.”

What if we cleaned house first, addressed the mess and made room for innovation? What if we let go of the junk now and let it become somebody else's treasure?

It's time to quit wasting our energy on hackneyed systems and broken equipment. It's like Spring cleaning, getting the house ready for the new year, except doing it now.

A Good Reason To Get Rid of The Mess

Christmas is coming! If you get rid of the things that don't work, maybe Santa will bring you something that does. Ok, I'm kidding (a little). Besides I don't know if Santa makes office calls, but the Holiday season does bring sales and that includes sales in the business community.

However, you can't know what deals to take advantage of if you don't know what you need. You can't get intimate with what you need until you let go of what you don't need.  Eliminate first.  That process alone will make you feel lighter and smarter. Then you can innovate with more focus and precision.

Don't let the junk get in the way of your next steps.





Hit The 'Send' Button With Confidence – How To Ensure Your Correspondence is Secure

Although today it is common for storage and data to be encrypted, email has remained a weak link in digital security. Although email encryption suites have been on the market for years, the majority of implementations have been limited to special needs and high end clients who could afford the premiums involved with implementing the systems. Encryption has always been a must for legal, accounting, and medical firms but with recent regulations making companies liable for data breaches it is crucial for all companies, no matter the industry, to ensure that their security measures are at or above industry standards.

Before continuing, it is important to have a basic understanding of why encrypting email is important. Typically when you send an email, your message travels through the web, bouncing across dozens of servers, in plain text for anyone to see. Even when using your email for business matters, chances are that every email you sent has been sent in plain text, meaning anyone with access to the servers carrying your email could view the contents without any barriers. In the best case, if you are working in an enterprise you might have secure email between your colleagues and other employees, but any email sent to non-corporate accounts likely falls back to plain text.

Without going into the fine details of email encryption, one of the biggest obstacles users face when enabling encryption on their servers is that the sender and recipient of any encrypted message must have the right software installed on their system to open the data. The process varies by vendor, which is why email encryption is difficult to use. While software for desktops and laptops is common,  encryption for mobile devices has only recently begun to take off.

For users seeking a simple-to-use platform, Voltage Security has recently released an update to their SecureMail system which provides a simple "send secure" button for users to secure their communications. Unlike many competing solutions, which require complex server configurations or have users worry about certificates and other parts of the encryption setup, Voltage offers a "cloud" option, which simply means that they handle most of the heavy lifting. The Voltage SecureMail system works on desktops, mobile devices, and even in browsers (for those times you're on a shared computer), and the encryption automatically kicks in as long as you are sending emails to another Voltage user (since the software handles all the encryption and decryption of the emails).

While using Voltage does not mean you will be able to encrypt all your online communications in one shot, the platform does make simplifying the majority of your corporate communications a breeze. At a price of only $65/user per year, Voltage is a very affordable option for even the smallest businesses that need extra security for their communications.



Dropbox admits that accounts were hacked and plans new security measures

Dropbox has admitted that its accounts were recently hacked, leading to spam being sent from/to user accounts.

In a statement on its website, Aditya Agarwal, Dropbox's vice president of engineering, said that an investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.

Agarwal said: “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again.

“Keeping Dropbox secure is at the heart of what we do, and we're taking steps to improve the safety of your Dropbox even if your password is stolen.”

Agarwal said that Dropbox was introducing two-factor authentication in a few weeks, automated mechanisms to help identify suspicious activity and a new page to allow users to examine all active logins to their account.

“At the same time, we strongly recommend you improve your online safety by setting a unique password for each website you use. Though it's easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk,” said Agarwal.

The story began two weeks ago when Dropbox admitted that it had drafted in third party security investigators after more than a hundred users said that they were receiving spam into their dormant Dropbox email accounts.

Dropbox engineer Joe Gross said that while it had not had any reports of unauthorised activity on Dropbox accounts, it took a number of precautionary steps.

Security blogger Brian Krebs said: “A Dropbox spokeswoman said the company is not ready to disclose just how many user account credentials may have been compromised by this password oops, noting that the investigation is still ongoing.”

CertiVox CEO Brian Spector told SC Magazine that authentication on the internet is a "train wreck": people rely on a username and password for every application, users have too many credentials, and there is no good way to secure login data.

Cloudmark said that its insight into the spam campaign showed that "unsophisticated" messages were sent, as they were "hitting a handful of spammy fingerprints at once".

Neil Cook, CTO of Cloudmark, said: “If this were an exam, the spammer would receive an 'ungraded' mark for lack of message complexity or originality.

“Recent data from our Global Threat Network showed 364 different domains in use by this spammer. Some of the domains point to an IP address shared with domains that have been seen by our system in prior spam campaigns as far back as 2008. So this is a long way from a new campaign.”



Former NSA technical director says it secretly collects details on American citizens

The National Security Agency (NSA) has been accused of collecting and indexing emails, tweets, internet searches and other data belonging to American citizens.

According to Wired, former NSA technical director William Binney said during a panel discussion that NSA director general Keith Alexander was playing a "word game", after the latter said that the agency does not collect files on American citizens.

Binney accused Alexander of deception during a speech, saying that the NSA began building its data collection system to spy on American citizens prior to the 9/11 attacks, and then used the terrorist attacks that occurred that year as the excuse to launch the data collection project.

He said: “It started in February 2001 when they started asking telecoms for data. That to me tells me that the real plan was to spy on Americans from the beginning.”

He claimed that the spying was the reason he left the NSA in 2001.

Alexander previously said that the NSA "absolutely" does not maintain files on American citizens, and said that "anybody who would tell you that we're keeping files or dossiers on the American people knows that's not true".

Alexander said that the NSA's job was foreign intelligence, not domestic, and that the agency is constantly monitored in everything it does. He said if the NSA 'incidentally' picked up the data of Americans in the process, the agency was required to 'minimise' the data so that no one can see it unless there's a crime that's been committed.

American Civil Liberties Union (ACLU) staff attorney Alex Abdo said in a panel discussion that a gaping loophole in the laws governing the NSA allows the agency to do dragnet surveillance of non-Americans and in the process, sweep up the data of Americans they may be communicating with and hold onto that data, even though the Americans are not the target.

US-based security blogger Jeffrey Carr told SC Magazine that he did not see any way around democratic governments engaging in these types of activities and in his opinion, law enforcement and intelligence agencies would not be properly doing their job if they ignored or were restricted from accessing internet-based communications for their investigations.

He said: “We all enjoy how the internet has made the world a smaller place. Part of the price for that is that it's also easier for bad actors to cause disruption and chaos across borders without leaving their homeland. That enhanced capability can only be combated by granting governments legal access to communications data (email, VoIP, IRC, etc.) stored at the ISP level.”



IBM launches next-generation intrusion prevention appliance

IBM has announced the launch of a next-generation intrusion prevention appliance that helps control social media and web browsing risks.

According to the company, the IBM Security Network Protection XGS 5000 helps clients address advanced attacks targeting their organisation by providing visibility into exactly which applications are being used on the network and where users are going on the web, and by monitoring and controlling this activity.

Built on the features found in IBM Security Network Intrusion Prevention System, it incorporates global threat intelligence from X-Force and includes protection for zero-day exploits by adding new levels of visibility and control over the network, applications, data and users, IBM said.

Brendan Hannigan, general manager of the IBM security systems division, said: “The escalation of targeted attacks and rapid adoption of mobility, cloud and social media requires companies to take a new approach to securing the enterprise.

"IBM is uniquely positioned to help our customers address these challenges with our new Advanced Threat Protection platform that combines total security intelligence from within the enterprise, exhaustive external threat intelligence and the new XGS appliance that delivers fine-grained activity detection and control.”



Make Blog Reading Part Of Your Day

We're constantly being told how important it is to read blogs related to our industry and keep up with the news of the day. Taking on this practice keeps us in the loop, alerts us to conversations happening off our site, and gives us fodder for our own blogging and/or social media updates.


But…with everything else you have to do, how are you supposed to find the time to read those blogs in the first place? How can you move blog reading from a “should do” to an “already done?”

As someone who has always had to make time for blog reading (and writing), this is one issue I'm particularly sensitive to. Because, as a business owner, you can't afford to miss important industry updates or not know what's going on. You have to be alert so that you can take advantage of what's happening around you.

Reading blogs is your job.

Below are five ways to make blog reading part of your day:

1. Justify the Investment

First off, understand why it's so important that you (and the people on your team) take the time out of your day (or even your week) to stay up-to-date on blogs in your industry. As with most things, once you break down the value it brings to your business, you're more likely to dedicate resources to it.

As a business owner, reading blogs:

  • Ignites your passion on a topic
  • Increases your subject-related knowledge
  • Introduces you to new thought leaders and future partners
  • Highlights communities you should be aware of
  • Opens the door for guest posting opportunities
  • Ensures you stay abreast of important industry issues, search engine changes, or other areas
  • Gives you something to say/link to in your blog
  • Provides fodder for Facebook, Twitter and other social media updates

And that's just the tip of the iceberg. Being serious about your business means being serious about your industry and taking part in it. One big way to do that is to read blogs and become part of those conversations that may (and usually do) lead to bigger opportunities.

2. Find Blogs Worth Reading

It goes without saying that not every blog is going to be worth your time. As with anything, there are high quality blogs that will bring a lot of value to you as a business owner and then there are blogs made up of just filler. To get the most out of your investment, you want to find the blogs that are worth reading.

How do you do that?

  • Use blog aggregators like AllTop or TechMeme to help you find the most respected blogs on a subject.
  • See where your favorite blogs link out to or who is in their blogrolls. If you like what they're sharing, you may like who inspired them.
  • Perform keyword-related searches on Twitter and see what content is being passed around and who the author is.
  • Search Google News for terms related to your topic. Many of Google's top news sources are actually blogs.
  • Use social media to ask for blog recommendations. Everyone has a favorite or a handful of blogs that always seem to steer them in the right direction.
  • Have a couple of commenters who always leave valuable insights on your blog? See where they're writing.

That should help you get your initial list down. From there, you'll need to manage it…

3. Use a Feed Reader At Home & On The Go

You're probably already using a feed reader to help you manage your blogs while at your desk, but what about when you're on your smart phone or seated in front of your iPad? If you're currently using Google Reader, you can take advantage of its mobile app or upgrade to a service like Feedly, which will give your Google Reader subscriptions a more magazine-style layout to make them easier to read on a smaller screen.

Other apps, like Feeddler, Reeder or NewsRack, give your feeds a simple and intuitive interface; PulseNews makes your blogs more interactive; and a service like InstaPaper lets you save blog posts or pages you want to read later.

Regardless of which app you use, a feed reader lets you take your blogs with you. You can read them on the train into work, while you're eating lunch, or during commercial breaks when you're sitting on your couch. With all the reading options available, SMBs will find it hard to use the “I don't have time” excuse.

4. Schedule the Time

Hey, sometimes that's the only way things will get done. Make blog reading part of your day by making it part of your day. Set aside 20 minutes to catch up on what's happening in your industry. The 20 minutes could come at the start of your day over coffee, it could happen after lunch, or it could be at 11pm before you hit the sack. It doesn't matter when you find that time, just that you do, consistently, and that you make it part of your ritual.

5. Do Something With What You've Read

I don't know about you, but the best way to make me accountable for a task is to tie an action item to it. Maybe your blog reading will result in a weekly post for your blog or maybe it will be your job to share three interesting stories a week with your team. Whatever it is, look for ways to use what you're reading about. After all, that's the point of doing the reading in the first place, right?

While many of us can certainly sympathize that it's difficult to dedicate time to reading blogs, it doesn't make it any less important. The tactics above help me to stay up to date on my blog reading. What works for you?




How Technology is Helping Doctors Stave Off Bankruptcy

These are uncertain times for doctors' offices. Many are finding that the drop in Medicare reimbursements, coupled with the rise in the cost of doing business, spells trouble for their practices' bottom line. Dan Rodrigues, CEO of medical billing software company Kareo, sees a need for these medical offices to evolve in order to survive.

“To survive in today's business environment, doctors need to leverage all available tools,” Rodrigues says. “Doctors routinely use diagnostic tools and differential diagnosis logic to determine treatment plans and assess how well their patients are doing. To thrive in the business, doctors need to take the same approach to how they run their offices. Technology now gives tools to track the health of their business, giving diagnostics, if you will, about how successful they are at getting paid the money they are owed.”

Cloud-based technology tools also give ways doctors can get paid faster and with less effort than ever before. And, automated patient outreach mechanisms allow them to provide better communication before, during, and after visits than has ever been possible. According to Rodrigues, these tools are the secret weapons for doctors to sustain and even grow their businesses during tough times.

By utilizing technology, medical practices can begin to arm themselves to compete in the modern-day marketplace. Rodrigues notes these three things doctors' offices are doing to stay competitive:

  1. Eliminating paperwork. This includes electronic medical records, which are a great way to empty out offices of space-consuming file cabinets while saving money on printer toner and paper. Electronic medical records allow for convenient storage and easy retrieval. A study published in Health Econ Policy Law in 2006 revealed that adoption of EMRs increases an office's productivity by six percent each year. Another process that can be automated is billing, which can save money on postage, printing, delayed payments, and more. Kareo's Cloud-based medical billing software has integrated electronic claims processing, streamlined collections processing, and patient scheduling.
  2. Shared office space. Another benefit to eliminating paper files is more available office space. Because of this, some doctors are able to team up with other medical practices to share office space. This allows all doctors to share the same front office staff, pooling resources to pay for these workers. The ability to have one central check-in desk also saves on office space.
  3. Using social media to get referrals. Today's marketing efforts have gone online, with many medical professionals turning to social media to network. Traditional social media sites like Facebook and Twitter are important, as always, but a social media site targeted specifically to healthcare professionals, Doximity, may be more useful. Doximity allows medical professionals to interact with each other, getting in touch with former classmates and colleagues. The site says that more than 80% of American physicians have a message waiting for them at registration. Doximity provides a great way for doctors to get referrals from colleagues, as well as provide referrals.

Automating your business's processes not only eases the strain on your practice's budget, but it also establishes your practice as a professional, successful operation. Patients are increasingly seeing traditional appointment books and large shelves of files as outdated and unprofessional. By keeping electronic calendars, using modern technology in billing practices, and creating an active online presence, you'll continue to draw in new customers and retain existing customers, ensuring your practice's long-term success.



Facebook Stock Continues to Slump

Facebook stock continues its downward slide, but it may be too early to panic. There are signs the company's revenue base is continuing to expand and, of course, Facebook continues to lead a social media revolution that has been vital to businesses of every type and size. Here's more about where things stand, with thoughts from some leading business bloggers.

Too Hard to Face

Going down. Facebook's stock slides another 6.2 percent, reaching another record low for the third day of trading Tuesday. The company has lost 40 percent of its value since it went public May 18. Doubts swirl about the company's ability to retain its valuation among rumors of an increase in automated accounts on the site and a planned sell-off of employee stock next month. Yahoo! News

Help Wanted: A new CEO. Some people are placing blame for Facebook's poor stock performance squarely on the shoulders of the company's fearless leader, CEO Mark Zuckerberg. Columnist John C. Abell insists the real problem with Facebook is that Zuckerberg is no longer playing to his strengths. He should be back in his hoodie, creating awesome tools that improve user experience, not working to soothe stockholder worries. Reuters

Socially Awkward

Play the game. Facebook's dependence on revenue from social gaming company Zynga, maker of games like Farmville, dropped while overall Facebook earnings increased, showing the company is diversifying its revenue stream. One growing source of revenue is Facebook advertising. Forbes

Browsing for business. Gradually people are moving away from using Facebook as a form of leisure toward using it as a tool for business. Growth in the social network, while perhaps not impressing Wall Street, is possibly a result of this trend. No matter how Facebook performs in the stock market, businesses and individuals who use its services will continue to see its value. U.S. News & World Report

We're Engaged

The great Exodus. Controversial reports suggest that there is an increasing number of “likes” by automated or fake Facebook accounts. Critics say manipulation by bots instead of real people on the networking site makes engagement worthless and devalues Facebook's advertising. Startup Junkies

Interested in Pinterest. Marketing professional Mark Riemer says Facebook's new “want” feature reminds him of a Pinterest function. Here are the positives and negatives Riemer sees in the new tool and what he thinks it will mean to the social network's users. Adam Riemer Marketing LLC

Putting the work into networking. If you don't use social networking for your business, you can't reap its benefits. Here are some of the things you're missing out on if you're one of those people who just doesn't get social media sites like Facebook or what they can do for your business. Firefly Coaching



Samsung copied iPhone, Apple designer tells jury

An attorney for Apple told a jury that bitter rival Samsung faced two options to compete in the booming cellphone market after Steve Jobs introduced the iPhone to critical acclaim in 2007: Innovate or copy.

Samsung chose to copy, making its smartphones and computer tablets illegal knockoffs of Apple's popular products, attorney Harold McElhinny claimed.

Samsung "has copied the entire design and user experience" of Apple's iPhone and iPad, McElhinny told a jury during his opening statement at the patent trial involving the world's two largest makers of cellphones.

In his opening statement, Samsung attorney Charles Verhoeven countered that the South Korean company employs thousands of designers and spends billions of dollars on research and development to create new products.

"Samsung is not some copyist, some Johnny-come-lately doing knockoffs," he said.

Verhoeven asserted that Apple is like many other companies that use similar technology and designs to satisfy consumer demands for phones and other devices that play music and movies and take photographs.

For example, he said several other companies and inventors have filed patent applications for the rounded, rectangular shape associated with Apple products.

"Everyone is out there with that basic form factor," Verhoeven said. "There is nothing wrong with looking at what your competitors do and being inspired by them."

A verdict in Apple's favor could lead to banishment of Samsung's Galaxy products from the US market, said Mark A. Lemley, a professor and director of the Stanford Program in Law, Science, and Technology.

A verdict in Samsung's favor, especially if it prevails on its demands that Apple pay its asking price for certain transmission technology, could lead to higher-priced Apple products.

The witness lists of both sides are long on experts, engineers and designers and short on familiar names. Apple CEO Tim Cook is not scheduled to testify.

On Tuesday afternoon (California time) Apple designer Christopher Stringer wrapped up the first day of testimony discussing his role in helping create the company's iPhone and iPod during his 17 years at the company.

Dressed in a tan suit, the bearded and long-haired designer said that because of Apple's desire to create original products, he and his co-workers surmounted numerous engineering problems, such as working with the products' glass faces, in producing both products over a number of years. Stringer said he was upset when he saw Samsung's Galaxy products enter the market.

"We've been ripped off, it's plain to see," Stringer said. "It's offensive."

The trial resumes Friday with the testimony of Apple senior vice president for marketing Philip Schiller.

Cupertino, California-based Apple Inc. filed its lawsuit against Samsung last year and is demanding $2.5 billion in damages, an award that would dwarf the largest patent-related verdict to date.

The case marks the latest skirmish between the two companies over product designs. A similar trial began last week, and the two companies have been fighting in other courts in the United Kingdom and Germany.

In the patent case, US District Judge Lucy Koh last month ordered Samsung to pull its Galaxy 10.1 computer tablet from the US market pending the outcome of the patent trial. However, she barred Apple attorneys from telling jurors about the ban.

Apple lawyers argue there is almost no difference between Samsung products and its own, and that the South Korean company's internal documents show it copied Apple's iconic designs and its interface.

Samsung counter-claims that Apple copied its iPhone from Sony. In addition, Samsung alleges Apple is using some of Samsung's own inventions without payment, such as a computer chip at the heart of the iPhone.

Samsung lawyers also stressed the company has been developing mobile phones since 1991, long before Apple jumped into the market in 2007.

Also at issue at the trial are some of the most basic functions of today's smartphones and computer tablets, including scrolling with one finger and zooming with a finger tap.

Tuesday morning's proceedings began with a bit of drama.

First, a juror pleaded with the judge to be released from the trial, saying she suffered a panic attack and spent a sleepless night after belatedly discovering that her employer would not pay her salary while she served. A sympathetic judge granted her request and left the jury with nine members.

Then the judge rebuked John Quinn, one of Samsung's attorneys, for refusing to stop a line of legal argument the judge said she had ruled on numerous times.

"Mr. Quinn, don't make me sanction you," the judge said as the lawyer continued his argument. "Please. Please. Please, take a seat."

Quinn relented and sat down, but his tenacity underscored the high stakes of the trial that is costing both sides millions of dollars in legal fees and expenses. Battalions of lawyers from prestigious law firms are working overtime to file myriad court documents.

The most senior lawyers on each side charge upward of $500 an hour for their representation.

Legal experts said that most patent disputes are resolved long before trials that can bring unpredictable and ruinous verdicts.

"A patent case of this magnitude has the possibility of impacting phone technology for years to come," said Manotti Jenkins, a patent attorney with no stake in the trial. "Given the substantial revenue that is generated by smartphone technology, companies are likely to prompt more litigation of this type and continue to use the courts as an attempt to protect and expand market share."