Dropbox Rolls Out Two-Factor Authentication Login Method to Increase Security

After the recent security breach experienced by some users of cloud storage service Dropbox, the company has announced that it is beginning to introduce two-factor authentication in an effort to improve cloud security. This means that users will have one extra step in the login process, but Dropbox hopes this change will mean keeping data stored in the cloud safe from cyber attacks.


The new system is optional, and fairly similar to Google's two-factor authentication method. Users will have the option to add their mobile devices to a whitelist and authenticate them to access their account. Users can then receive unique access codes via text message or a mobile app that supports the Time-Based One-Time Password (TOTP) standard.

Examples of apps that can be used for two-factor verification include Google Authenticator, which works with iPhone, Android, and Blackberry smartphones; Amazon AWS MFA for Android; and Authenticator for Windows Phone 7. Upon entering their password and the authentication code they received, Dropbox users can then obtain access to their account.

Dropbox is a popular cloud storage service used by millions of individuals and business professionals. Since Dropbox users often store sensitive types of files or data in the app, such as passwords, financial data, and other business or personal information, the company vowed to improve security measures after company officials learned of the attack.

For business users, this security measure might be worth the extra step so as to protect sensitive company data.

Dropbox has also announced a few other security measures since the breach, including automated mechanisms to help identify suspicious activity, a new page that lets users see all active logins on their account, and more vigilant measures regarding passwords and other secure data.

Users with the latest beta version of Dropbox have the option to switch on the two-factor authentication if they so choose. The new feature will become available to all users in the coming weeks.




NYC Event: Use Mobile Apps to Date Your Leads and Marry Your Customers


Using Mobile Apps To Increase Sales and Build A Strong Brand For Your Small Business


When: Wednesday, September 12th - 8:30am - 10:30am

Where: Alley NYC, 500 7th Avenue, 17th Floor (37th Street)

Click here to register for this event or get more information.


Event Summary


Join Jimmy Newson, Mobile Market Apps and Ramon Ray, Infusionsoft, as they help you understand the importance of mobile apps and lifecycle marketing to GROW your business by NURTURING your customers.

Jimmy will talk about developing a mobile strategy for your business. Learn how to increase sales, build a strong brand awareness and strengthen customer loyalty. Learn about creating loyalty programs with QR codes, communicating in real time with users using push notifications, creating mobile commerce to sell everything from food and clothing to tickets and subscriptions. The world is mobile, is your business? 

Ramon will help you understand the importance of lead magnets and other tools that are critical in ensuring that prospects are nurtured and developed. This process is critical for dating your leads and marrying your customers and we at Infusionsoft call this lifecycle marketing!

Session will Include a Light Breakfast and Networking Opportunity.


Jimmy Newson has over 21 years of experience in the entertainment and digital media industries. Presently, Jimmy is founder and C.E.O. of Mobile Market Apps.com and JLN Media. He has worked with organizations such as the National Association of Recording Arts & Science, TV Japan, Gibson Guitar, Muscular Dystrophy Association, Royal Caribbean Cruise Lines, St. Mary's Foundation for Children, Sony Music, and Music Under New York. Jimmy is a current member of the Manhattan Chamber of Commerce and serves on its Marketing Committee. He majored in business at Indiana University-Purdue University of Indianapolis (IUPUI) and later continued his education at the Art Institute of Fort Lauderdale. He is currently developing a mobile app, in conjunction with the Manhattan Chamber of Commerce, for the Shop 2nd Avenue initiative in Manhattan, involving 150 local businesses on the 2nd Avenue strip affected by the construction of the future 2nd Avenue subway line.

Spotlight

Ramon Ray is a technology evangelist, author (3 books), event producer, national speaker, journalist and freelance writer with over 8,000 articles to his name. As a former technology consultant, Ramon has hands-on knowledge of technology and, as a business owner, knows the challenges and joys of growing a business.



Poor Man's Lead Scoring Tricks

Lead scoring. It's the kind of term that sends shudders down the non-technical, non-business school types. Algorithms, graphs, and money (lots of money spent) may start to run through your head. And, in order to get peace once more, you convince yourself, “I know who my leads are.” False.

Unless you possess some mind-reading elixir (if so, please email me about this), you can't magically know who your leads are.  But, don't be discouraged!  You don't have to be an MBA nerd like me to do some basic lead scoring.


Today, I'd like to cover some poor man's lead scoring tricks that I've learned along the way.  These tips and tricks can apply to just about any business, and won't cost you a dime.

Tracking Traffic

First things first.  In order to score leads, you have to know who they are.  I recommend using Google Analytics, by far the most comprehensive and thorough analytics program that is completely free.  (However, there are free versions of some other top-notch services out there.)

Google Analytics can tell you everything.  Who's coming to your website, their location, what pages they're landing on, how long they spend there, the paths they take through your website, etc.  There's very little you can't find out from Google Analytics.  If you aren't running this (or some other paid analytics program), insert the code now.

Developing Your System

While big business lead scoring can get super detailed, the truth is, you can come up with a lead scoring system of your own that does the trick.  Figure out a points system that works for your team.

Maybe all of your website visitors get five points.  For each minute or set of thirty seconds they spend on the landing page, maybe they get five more points.  Then, perhaps they get ten points for looking at two product pages.

You get the idea.  I don't know your business, so I can't come up with the scoring system for you.  But, the point is to just start.  Your lead scoring approach won't be perfect when you first start out, and that's okay.  However, once you get the ball rolling, you'll soon begin to figure out what elements of your scoring system help you accurately consider your leads, and what parts are not working.

Look for Trends

Once you have a system going, it's time to start looking for trends.  Do you have an anomalous amount of traffic from southern Illinois?  If so, create PPC ads that target that region.  Maybe one landing page on your site accounts for 80% of your site's traffic.  If so, put in the work to make that page really shine.

Perhaps there's a sharp tail-off in on-site time when customers get to your fourth product page.  Maybe you need some kind of pop up offer on that page.

Looking for these trends can be fun and exciting, but you have to start monitoring your traffic first.  However, once you get this part down pat, you'll be ready to start scoring and nurturing your leads!

What are some free or cheap lead scoring tactics you are using?





My Business Was Sabotaged! Lessons Learned and How to Protect Yourself

In the case of sabotage, a business gets attacked from within its own safe walls, eventually putting it in a deep slumber it might never recover from. This kind of thing happens often in even the largest enterprises; it's not just something rare that occurs once to some random company out in the outer edges of the Internet. Just because airplanes are more likely to crash than you are likely to be sabotaged doesn't mean you shouldn't prepare for it, either.

Such is the story of Peter Justen, a serial entrepreneur who founded Mybizhomepage, a product that provided businesses with financial metrics data. This piece of software would analyze a company's QuickBooks data and present it very plainly, so that the people in charge had a precise idea of which direction the company was going in. The software would also send alerts when certain metrics, such as accounts receivable, passed a threshold.

At one point, Justen declined an offer to buy the company, justifying it with the fact that he hadn't yet tapped the full potential of the product with a global audience, having only some thousand customers at the time. His Chief Technology Officer (CTO) didn't like Justen's decision, so he gathered up a few other folks and started mustering the resources to start a competing company. Justen didn't like that, either. When he learned about it, he fired the CTO and asked his own lawyer to send a cease-and-desist letter, effectively halting any effort to create a new company.

Shortly after this whole debacle, Justen's software started crashing on and off. Not only that, but the personal emails and Facebook accounts of executives and board members were compromised, sending details about their business practices to contacts on their lists, which alleged that the company was defrauding its investors.

But here's the interesting part: when Justen called the authorities to explain what had happened, he learned that the CTO didn't even have a verifiable identity. They found no real license plate, no real name, no credit cards, and no tax returns to tie to him. The CTO was as difficult to trace as a homeless person with lots of cash.

In this situation, he had two choices: either give up and start over, or declare bankruptcy and leave his investors with nothing, completely soiling his reputation and confirming the allegations against him.

If you don't want to be faced with a similar situation, consider these practices:

  • Adopt a role-based access control solution that would allow different people to have different levels of access within a firm.
  • If this happens to you, be honest, and try not to declare bankruptcy. In Justen's case, he could admit to his investors that he didn't really look into his CTO's identity and didn't have the security measures necessary implemented to ensure the prevention of catastrophic failure.
  • Implement a protocol for people who leave the company that involves shutting off their access properly for all company resources. Security should be tightened especially on high-profile individuals. If you run a software company, showing employees the door should also include ensuring that you immediately have a backup of your business' software somewhere very safe, somewhere only you can access and no one (not even your dentist) knows about.
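The first and third practices above, role-based access plus a leaver protocol, as an added Python sketch that is not from the article or from Mybizhomepage: resource names, roles and the account fields are hypothetical. It shows why "remove the person's roles" is not the same as offboarding: a standing ad-hoc grant and a live session survive the role removal and only the full protocol, followed by an audit of residual access, leaves nothing behind.

```python
from dataclasses import dataclass, field

# Constructed sample: the resources a small software firm depends on and the
# actions each role may take on them (hypothetical names).
PERMISSIONS = {
    "cto":       {"source-repo": {"read", "write", "admin"},
                  "prod-servers": {"read", "write", "admin"},
                  "customer-db": {"read", "write"}},
    "developer": {"source-repo": {"read", "write"},
                  "prod-servers": {"read"}},
    "finance":   {"customer-db": {"read"}},
    "founder":   {"source-repo": {"read"},
                  "prod-servers": {"read"},
                  "customer-db": {"read"},
                  "offsite-backup": {"read", "write", "admin"}},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True
    sessions: set = field(default_factory=set)            # live session/API tokens
    standing_grants: dict = field(default_factory=dict)   # ad-hoc grants outside any role


class AccessControl:
    def __init__(self):
        self.accounts = {}

    def add(self, name, *roles):
        self.accounts[name] = Account(name, set(roles))
        return self.accounts[name]

    def allowed(self, name, resource, action):
        """Role-based check: a disabled account gets nothing; otherwise the
        union of its role permissions plus any standing per-resource grant."""
        acct = self.accounts.get(name)
        if acct is None or not acct.active:
            return False
        for role in acct.roles:
            if action in PERMISSIONS.get(role, {}).get(resource, set()):
                return True
        return action in acct.standing_grants.get(resource, set())

    def session_valid(self, name, token):
        """A presented token is only good while the account is active."""
        acct = self.accounts.get(name)
        return acct is not None and acct.active and token in acct.sessions

    def revoke_roles(self, name):
        """The common but incomplete leaver step: drop role membership only.
        Standing grants and live sessions are untouched."""
        self.accounts[name].roles.clear()

    def offboard(self, name):
        """Full leaver protocol: disable the account, drop every role, kill live
        sessions and ad-hoc grants, then return the audit of what remains
        (expected: an empty list)."""
        acct = self.accounts[name]
        acct.active = False
        acct.roles.clear()
        acct.sessions.clear()
        acct.standing_grants.clear()
        return self.residual_access(name)

    def residual_access(self, name):
        """Audit: every (resource, action) the account can still perform, checked
        against all known role permissions and the account's own grants."""
        acct = self.accounts[name]
        pairs = set()
        for role_perms in PERMISSIONS.values():
            for resource, actions in role_perms.items():
                pairs.update((resource, a) for a in actions)
        for resource, actions in acct.standing_grants.items():
            pairs.update((resource, a) for a in actions)
        return sorted(p for p in pairs if self.allowed(name, *p))


if __name__ == "__main__":
    ac = AccessControl()
    cto = ac.add("cto", "cto")
    cto.standing_grants["customer-db"] = {"admin"}   # granted once "to fix an outage"
    cto.sessions.add("token-1")
    ac.revoke_roles("cto")
    print("after role removal:", ac.residual_access("cto"))   # grant still live
    print("after offboarding:", ac.offboard("cto"))           # []
```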

These kinds of practices aren't magically effective, but they definitely do a good job in prevention and/or eventual damage control. Access control is, perhaps, the most important of the three; and the third practice goes hand-in-hand with it. Access control solutions should always give you a way to cut off access from people who leave the company. Ensuring you're well protected is no joke. Sabotage happens a lot, usually in tiny ways, but sometimes in a way that could completely devastate your hopes, your dreams, and your future.



Pro Assange movement sees attacks on Swedish and British government websites

Anonymous has launched attacks on Swedish and British government targets.

With attacks in support of WikiLeaks founder Julian Assange, the websites of the Swedish government, Armed Forces and the Swedish Institute were among those experiencing problems.

Speaking to the Associated Press, Niklas Englund, head of digital media at the Swedish Armed Forces, said it was unclear who was behind the so-called denial-of-service attacks, in which websites are overwhelmed with bogus traffic. However, he noted that an unidentified group urging Sweden to take its ‘hands off Assange' claimed responsibility on Twitter.

WikiLeaks also confirmed in a tweet that the UK's Ministry of Defence had been taken down, allegedly by pro-Assange protesters. Tweets also claimed that both the MI5 and MI6 websites were down for around an hour this morning, as Anonymous UK claimed that these were in protest at the treatment of Assange.

An Anonymous spokesperson told TechWeekEurope that the online protests were simply there to supplement the action outside the embassy, where Assange's supporters have gathered, many in Anonymous masks.

A Cabinet Office spokesperson told the website that the sites had been taken down by a DDoS but denied that the sites were hacked. The spokesperson also confirmed that no personal or sensitive information is held on them as they are public facing sites.

“We treat threats of disruption to government websites very seriously and will continue to monitor the situation closely,” the spokesperson said.





Data supports need for security awareness training despite naysayers

with Sammy Migues

Is information security training a complete waste of money, as some security pundits suggest? Not when it comes to software security. Actual data from the Building Security In Maturity Model (BSIMM) study of 51 firms sheds some light on the latest tempest in a teapot. The fourth version of the BSIMM will be released on Sept. 18 and includes a completely revised set of data about the role training plays in 51 real software security initiatives.

Dave Aitel's Blustery Exaggeration: Training is Worthless

Dave Aitel apparently doesn't think much of training, especially basic security awareness training.  His recent article in CSO magazine, “Why you shouldn't train employees for security awareness,” certainly sparked a (well calculated) firestorm.  Of course Dave lives off of saying outrageous things. Fortunately, he's really smart and can usually either back them up with something tangible or just smile when you catch him spouting nonsense.

Sadly though, Dave's anti-training hypothesis is increasingly common among security people with little or no operational experience.  On one hand, if you are a CSO responsible for a cast of thousands, you know just how much security ignorance needs stamping out (hint: even the most obvious lessons can help).  On the other hand, if you are an uber-elite penetration tester, security ignorance is your best friend.

Ultimately, disproving Dave's hypothesis properly would require proving a negative.  That's because you would need to both train some people and not train the same people, then observe the differences. Short of advances in time travel, this is not something we're going to be able to do. 

That means figuring out what to do about training boils down to thinking about risk management and proper allocation of resources.  Should we completely abandon awareness training?  No.  Should we put all of our eggs in the training basket and stop paying for other technical controls?  No.  Well then, just how many eggs should we put where?  Incidentally, that's the kind of data we're trying to get to in the BSIMM project (see below).

An analogy with commercial antivirus products may help.  Is AV useless (as some experts claim) because some viruses get through?  Um, no.  Epidemiology studies show that prophylaxis in even just 90%-95% in some populations prevents epidemic spread. So it's the dingbats who think you must have 100% AV coverage for it to be effective who really need educating!  (Plus AV is cheap these days and we can save the “monoculture” scenario for another time.)

Let's pick apart Dave's main argument against awareness training, the phishing and social engineering argument, using the same logic we just used to salvage AV. Dave argues that an average click-through rate (employees clicking on malware) of 5-10% “even with these [training] programs” is an awful result and should lead us directly to abandoning our awareness training programs. But 5-10% is a manageable number. Look at it this way: training reduced an intractable problem of every employee doing something stupid to just a handful per hundred. This is a good thing from the perspectives of risk management, due diligence, and every other grown-up way of slicing it. Because of this, training helps with insurance claims, E&O insurance, FTC consent decrees, and piles of other stuff that anyone with operational experience understands.

While we're on this issue, we just have to point out that every social engineering attack will work on someone.  Training simply raises the bar; it's not an impermeable shield. Besides, when phishing stops working, we'll see more kidnappings, blackmail, hostage situations, and other forms of coercion. 

Ultimately, when Dave says, “Instead of spending time, money and human resources on trying to teach employees to be secure, companies should…,” he is correct about everything but the “instead of” part. When Dave says “It's the job of the CSO, CISO, or IT security manager to make sure that threats are stopped before reaching an employee, and if these measures fail, that the network is properly segmented to limit the infection's spread,” he's right. However, reducing secondary measures (such as training) to zero remains a spectacularly bad business decision.

Awareness Training for Developers

This whole debate becomes even more extreme (and the answer even more obvious) when we talk about awareness training for developers and architects.  In our view, awareness training for developers is an essential practice.  That's because developers are busy building the things we're supposed to use, and when they build insecure things we all suffer.  Even a little bit of awareness can go a long way.

So how much effort do organizations put into training their development staff as opposed to the other possible things they could spend on?  Let's find out.

BSIMM4 and Training for Developers

The intriguing thing about the BSIMM Project is that it collects, organizes, and publishes data describing the actual software security activity of 51 firms. Those companies among the 51 who graciously agreed to be identified include: Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Visa, VMware, Wells Fargo, and Zynga.

Training is one of the 12 core practices described in the BSIMM, and the BSIMM has plenty to say about how training is being used when it comes to software security.  We provide a pre-release look here at the completely overhauled Training practice as covered in BSIMM4.

For what it's worth, the Training practice had become increasingly problematic statistically from BSIMM2 to BSIMM3. For BSIMM4, we took the bull by the horns and completely revisited all of the activities and their levels. To accomplish the overhaul, we made six changes to the Training practice, all of which involved moving activities between levels. You see, BSIMM is a data-driven model, and training has undergone some big changes in the last four years (our data set has grown ten times as large as well)! This is the first time in the BSIMM project that we have completely overhauled one of the twelve practices.

Here is a skeleton-level view of the 12 activities taken directly from the BSIMM document.  These 12 activities encompass all of the software security training activity that we observed among the 51 firms.  These are statements of fact, not opinions about what you should do.  In the BSIMM document itself, you can find detailed descriptions of the activities which all include actual examples.  We have included one such description here as an example.

[Figure: the 12 activities of the BSIMM4 Training practice, by level]

T1.1 Provide awareness training. The Software Security Group (SSG) provides awareness training in order to promote a culture of security throughout the organization. Training might be delivered by members of the SSG, by an outside firm, by the internal training organization, or through a computer-based training system. Course content is not necessarily tailored for a specific audience. For example, all programmers, quality assurance engineers, and project managers could attend the same Introduction to Software Security course. This common activity can be enhanced with a tailored approach to an introductory course that addresses a firm's culture explicitly. Generic introductory courses covering basic IT security and high level software security concepts do not generate satisfactory results. Likewise, providing awareness training only to developers and not to other roles is also insufficient.

Note that the breakdown of BSIMM activities into levels is meant only as a guide. The levels provide a natural progression through the activities associated with the practice. However, it is not at all necessary to carry out all activities in a given level before moving on to activities at a higher level in the same practice. That said, the levels that we have identified hold water under statistical scrutiny. Level 1 activities (straightforward and simple) are commonly observed, Level 2 (more difficult and requiring more coordination) slightly less so, and Level 3 (rocket science) are much more rarely observed.

Here are actual data reporting how many times each of the twelve activities in the Training practice were observed among our population of 51 firms.  This gives you some idea of how widely adopted various activities are.

[Figure: number of the 51 firms in which each of the twelve Training activities was observed]

Of particular note to our discussion here (and highlighted), awareness training (of the software security variety) is provided to the development staffs of 38 out of 51 firms (74.5%).

The training practice as a whole encompasses only 12 of the 111 activities described in the BSIMM.  Remember, these activities are not opinions about what you should do in your software security initiative, they are facts about what 51 firms are doing today in theirs. 

As we said above, training is only one of 12 core practices.  Here is a look at how level of effort stacks up in each of the 12 practices including training.

[Figure: level of effort per practice for the 12 BSIMM practices, by vertical]

The practices each have three bars representing three distinct verticals in our study of 51 firms.  The bars all equate level of effort in a given practice to raw activity count per possible activity count (a percentage) for the practice.  The blue bars represent Financial Services firms (19 firms), the red bars represent Independent Software Vendors (19 firms), and the green bars Technology firms (13 firms).

If you're looking for answers regarding how much effort to allocate to training there are some interesting data here.  Training shows the least amount of activity among the twelve practices when averaged across all three verticals (28.31%)!  But it isn't zero.

Is there Trouble in Training-land?

There are several training challenges we have observed over the years as we have collected data for the BSIMM. Many of them relate to the “how” of training, not the “what” and “why.”

Number one is that many firms started with training alone years ago, then “checked the box” and promptly stopped thinking about it.  Meanwhile their developer churn has been huge and software security has been galloping ahead as a discipline. So the “we did that” green box on the CISO's dashboard now applies to developers who work elsewhere. The time has come for firms who find themselves in this situation to take another look at who was trained when and what they may or may not remember.

Number two is pushback in some firms from the internal developer community who claim (vociferously) that they “get” security (since many have now grown up with the theme through school and internships) and that much of secure development is “simply knowing what procedure or class or function or whatever to call when.” This has depressed demand for software security awareness training that establishes foundational knowledge in favor of “just tell me how to write this line of code right now to do this specific thing.” Sadly, developers seem to know less than they need to know about software security writ large. Getting them to understand this knowledge gap is the key. We hate to say it, but sometimes a penetration test can break the “we already know all that” logjam.

Number three is simply the quality of training available in the market. Developers are rightfully wary of yet another time-suck in their already busy schedule. Training that isn't tailored to their needs, necessary for a problem they have now, and accessible on their schedule likely won't be successfully deployed.

Ultimately, we believe awareness training is something that all smart CSOs will continue to invest in, whether it is for the entire staff to understand the hostile environment around them or for developers to understand more than “security problem X = use function call Y.”

About the author: 
Gary McGraw, Ph.D., is CTO of Cigital Inc. a software security consulting firm. He is a globally recognized authority on software security and the author of eight best selling books on this topic. Send feedback on this column to editor@searchsecurity.com




Words That Make a Big Difference

I love words and language; I have been writing and reading since I was 10 years old. Poetry, lyrics, essays, reports, articles, presentations, a book, an eBook, blogging: you get the idea. Words have always had great power to change things for the good, and their meaning can impact others greatly.


Words describe our personality, spirit, soul, personal brand and what we stand for. How we present ourselves, treat others and how others describe us is crucial to happiness and success.

Here are 5 descriptive words that can make a big difference not only in our lives, but in the lives of others:

Amiable

By definition: having or showing pleasant, good-natured personal qualities, friendly, agreeable, willing to accept the wishes, decisions, or suggestions of another or others.

This quality lends itself so well to networking, cooperation, team spirit and collaboration. It is one of the four drivers of customer personality styles.

Plucky

By definition: having or showing courage and determination in the face of difficulties or challenge.

There are so many examples of public and private people showing “pluck”, courage and determination through challenge. Here are 10 revolutionary acts of courage by ordinary people, who stepped up in an extraordinary way.

Ineffable

By definition: incapable of being expressed or described in words.

This is how we serve people. Random acts of kindness can and do change people's lives and have such impact that they are indescribable in words. Imagine doing something that elicits this emotion. It happens every day, and RAK is now a worldwide trend that was documented by TrendWatching.

Serendipity

By definition: an aptitude for making desirable discoveries by accident, good fortune.

The more good energy and intentions we all put into the universe the more it comes back to us. The real key is that we are paying attention to all the things that are put in our path. That random conversation in line, returning that lost wallet or meeting someone at an event we weren't going to go to all can be serendipitous. These encounters happen daily and are meant to happen.

Magnanimity

By definition: generous in forgiving an insult or injury, free from petty resentfulness or vindictiveness.

We seem to collect and harbor these emotions and they become more of a burden than anything else. The ability to let go, release and move on frees us to greater opportunities for doing, accepting and noticing good.

The prolific Ralph Waldo Emerson said it best:

“The magnanimous know very well that they who give time, or money, or shelter, to the stranger, so it be done for love, and not for ostentation, do, as it were, put God under obligation to them, so perfect are the compensations of the universe.”

What words change things for you?





Mobile Apps: Are They a Must for Retailers?

Just how prevalent, and important, are mobile applications for commerce today?

According to Mobithinking.com, there are over 225,000 applications and counting. Apple counts about 5 billion app downloads, with each application being downloaded at least 22,222 times where every app generates about US $4,444.44 revenue.  An average iPhone user has 37 apps on an iPhone and the total application downloads off just the Apple App Store comes close to 12 million downloads.

That's how big the application development scene is, and this is just the United States, let alone the rest of the world.

In a survey conducted by Harris Interactive on behalf of Apigee, a leading provider of API technology, at least 54% of mobile app users said that it could cost them a wasted trip to a retail store simply because retailers don't have a mobile application that could tell customers about prices, product availability and other such information that customers could easily get if there were an application.

At least 50% of mobile users browse for information on stores, deals available, and price comparisons. Over 19% of these users think that retailers are old-fashioned if they don't have an app developed while 25% fear that they could lose out on deals just because information wasn't made available to them.

Are applications really that critical?

While the usefulness of an app is determined by the actual value it delivers to a user, for retailers it's a no-brainer to have an app for their store. Apart from the only trouble with apps (they have to be downloaded), an app really does a lot for a retailer. It could help provide store information, product reviews and product updates, digitize loyalty programs, and take customer engagement to a whole new level.

“For a business, a mobile app can and should serve as a catch all for all your online and offline marketing endeavors. Ways of doing this can include use of all online social media, QR codes programs and direct messaging using push notifications”, says Jimmy CL Newson of mobilemarketingapps.com, who is also the co-organizer of the Infusion CRM and Mobile Marketing Apps NYC Event along with Smallbiztechnology.com editor Ramon Ray, when asked how businesses, especially retailers, can use apps.

Mobile Application Vs Mobile Website: What goes?

A mobile version of the website is a responsive, rendered-for-mobile version of a retailer's site. Technically, it does everything the desktop/laptop version of the retailer's e-commerce site should do: provide information, allow product sales, and much more.

So should retailers have mobile versions of their websites or build an app? Given the popularity of apps, we'd say both. A website, mobile or not, still has to be visited; its utility starts with customers taking the initiative to visit the site. An application is far easier to open and get information from than a mobile version of a website. From a business point of view, though, either option (or preferably both) won't hurt. In fact, it bodes well for retailers.

According to Jimmy again, “Unlike a traditional website, a mobile app provides direct communication to engage your customers, a unique experience with optimized media rich content and better overall customer service for your customers to communicate with you. With a mobile app, you are connected to your customer 24/7.”

With mobile apps, retailers have a new way to engage, connect with, and serve customers. Developing mobile applications is not too hard for retailers today, irrespective of the size of the retail company.

This begs the question: If “there's an app for that”, why should retailers be left in the lurch?



FireEye warns of steady increase in advanced malware

Security firm FireEye has documented a significant increase in what it calls advanced malware designed to evade detection by antivirus and other signature-based security technologies.


Milpitas, Calif.-based FireEye Inc. said that on average, organizations are experiencing more than 600 Web-based "malicious events" each week. The bulk of the attacks are from malicious email attachments or embedded links in emails. Compared to the second half of 2011, the number of infections per company rose by 225% in the first half of 2012, the firm said.

The company's report, issued last week, is based on data collected by its Web and email system customers. The firm analyzed several million incident submissions drawn from mainly large and medium-sized businesses.

"For organizations that rely solely on firewalls, IPS, AV and other signature-, reputation-, and basic behavioral-based technologies, it is abundantly clear that compromises and infections will continue to grow," FireEye said in its report.

FireEye said attacks targeting the healthcare industry almost doubled in the first half of 2012. The financial services sector also saw a massive increase. In May of 2012, the financial services sector saw more events than the entire second half of 2011, according to FireEye.

Spearphishing using malicious file attachments or embedded links that lead to malicious websites appears to be a continued favorite attack vector, according to the FireEye analysis. The firm, which sells software designed to detect web and email threats, said it saw a 56% increase in email-based attacks.

Cybercriminals have long been developing techniques to outsmart antivirus and other signature-based antimalware technologies. Some malware is designed to disable antivirus, while other variants evade detection altogether. Experts point out that automated attack toolkits have been increasing in sophistication. Black Hole, Zeus, SpyEye and other exploit toolkits have advanced features designed to let cybercriminals ramp up attacks quickly, collect and analyze infection data, and target specific industry sectors or regions with a particular attack. FireEye said it documented cybercriminals changing their malware more quickly, using automated tools to morph it into a different variant and so making signatures ineffective.

To get targeted spear phishing email messages past domain reputation analysis and URL blacklists, attackers use "throw-away" domains, each of which appears in only a limited number (10 or fewer) of attacks; FireEye said it is tracking the use of such domains in targeted attacks.

"Through social engineering, cybercriminals are personalizing emails and then using throw-away domains to bypass signature- and reputation-based mechanisms that organizations rely on to filter out malicious emails," FireEye said. "The overall volume of spear phishing emails is increasing and our domain analysis also shows the ratio of emails that use limited-use domains is also on the rise."
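To show how the limited-use domain signal FireEye describes can be computed from a mail gateway log, here is an added Python example; it is not FireEye's code or data, and the log format, domain names and message counts are constructed for illustration.

```python
"""Limited-use ("throw-away") link-domain detection over mail gateway log lines."""
import re
from collections import Counter
from urllib.parse import urlparse

LIMITED_USE_MAX = 10  # FireEye's threshold: a domain seen in 10 or fewer messages

# Constructed sample log (hypothetical format: date sender recipient link-url).
# 12 bulk newsletter messages per month from one well-known domain, plus a few
# personalised messages whose links point at domains seen only once or twice.
_BULK = [
    "2012-%02d-%02d news@bigvendor.example user%d@corp.example http://www.bigvendor.example/sale"
    % (m, d + 1, d)
    for m in (1, 2) for d in range(12)
]
_TARGETED = [
    "2012-01-17 hr@corp-benefits-update.example alice@corp.example http://corp-benefits-update.example/form.doc",
    "2012-02-03 ceo@corp-exec-memo.example bob@corp.example http://corp-exec-memo.example/memo.pdf",
    "2012-02-09 it@corp-exec-memo.example carol@corp.example http://corp-exec-memo.example/reset",
    "2012-02-21 ap@invoice-portal-2012.example dave@corp.example https://invoice-portal-2012.example/inv",
]
LOG_LINES = _BULK + _TARGETED

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<sender>\S+)\s+(?P<rcpt>\S+)\s+(?P<url>\S+)$"
)


def link_domain(url):
    """Host of a link, lower-cased with a leading 'www.' dropped, so www/non-www count as one."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def parse_log(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the job."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["domain"] = link_domain(rec["url"])
        rec["month"] = rec["date"][:7]
        records.append(rec)
    return records


def domain_counts(records):
    """Number of messages that carried a link to each domain."""
    return Counter(r["domain"] for r in records)


def limited_use_domains(records, max_uses=LIMITED_USE_MAX):
    """Domains seen in max_uses messages or fewer: the throw-away domain candidates."""
    return {d for d, n in domain_counts(records).items() if n <= max_uses}


def limited_use_ratio_by_month(records, max_uses=LIMITED_USE_MAX):
    """Share of each month's messages linking to a limited-use domain (the rising ratio FireEye reports)."""
    limited = limited_use_domains(records, max_uses)
    total, hits = Counter(), Counter()
    for r in records:
        total[r["month"]] += 1
        if r["domain"] in limited:
            hits[r["month"]] += 1
    return {m: hits[m] / total[m] for m in sorted(total)}


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("limited-use domains:", sorted(limited_use_domains(recs)))
    print("ratio by month:", limited_use_ratio_by_month(recs))
```

Reputation lists never see these domains often enough to score them, which is exactly why counting how rarely a domain appears is itself the useful signal.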




The 25 Questions Your Site Must Answer

How long will a user stay on your site before leaving?  Unless you can prove, quickly, that your site is trustworthy and relevant to their needs, we're talking seconds. Maybe.

When a customer lands on your site for the first time, they're coming to you with questions. Questions that they may not even realize they're on the hunt to answer, but they are. As consumers we're all looking for subconscious clues that the site we're on is going to meet our needs, that we'll have a good experience, and that we can trust them with our credit card information.

What is a first-time visitor asking themselves when they land on your site?

  1. Where is your search box? How usable is the navigation?
  2. Are you a real company? Do you have a store? Where is it located? What are the hours? Phone number? I need a map.
  3. Are you on Twitter? Facebook? Instagram? How do I learn more about your social side to scope you out?
  4. Is there an About page? Are your employees visible? Do you give them a voice?
  5. What is the culture like? Are you a “good” company?
  6. Are there company testimonials? What other people or companies have worked with you? Were they happy with the experience?
  7. What about product or service reviews? What's everyone else saying? Am I making a good decision if I commit to this?
  8. If I'm not ready to buy yet, how can I stay in touch? Is there a blog? A newsletter? Some other way to stay up to date with you?
  9. How do I know if this is the “right” product for me? Is there a sizing guide? A product FAQ? Comparison charts?
  10. What's your return policy like? Will I be stuck with this if I don't like it?
  11. Do you ship to where I live? Where are you shipping from? How long will it take me to get my goods?
  12. What are your payment options? Can I pay with Paypal?
  13. Is your Web site secure? Are there icons that tell me that?
  14. How will you protect my personal information? If I give you my email address, are you going to respect it or sell it?
  15. Do your prices make sense? Are you high? Low?
  16. What's weird about you? How are you different from someone else? Do I want to align myself with your brand?
  17. Have any of my friends purchased from this site before? Are they connected with you on Facebook? Do you show that off?
  18. Are you fun? Serious? Quirky? Stuffy?
  19. Should I trust you? Are you part of any organizations?
  20. Do other people seek you out? Do you speak anywhere? Teach a class? Been featured anywhere cool?
  21. What do you believe in? How do you make that part of your experience?
  22. What's your story? Who are you in the market?
  23. Why you over someone else? What's your point of difference?
  24. What does your process look like?
  25. How is this product different from that other one on your Web site? Which is better for me?

And the list goes on.

Is your heart racing a bit more rapidly having read through all that? I know. It's a lot. But whether or not you (or they) realize it, these are the questions running through a potential customer's mind when they land on your site for the first time and begin investigating. They're also the questions your site must answer, through site content, trust cues, or specific features, before someone feels confident doing business with you.

So, using the questions above as a trustworthiness checklist, does your own site pass?





MobileIron announces DLP addition to access tool

MobileIron has added mobile-based data loss prevention (DLP) for email attachments and the ability to deploy its technology to 100,000 devices on a single system.

Launching version five of its technology, it said that its Docs@Work technology, which it launched in June, is now able to prevent corporate email attachments from being uploaded to consumer services such as Dropbox and to prevent unauthorised distribution of documents.

This also extends to controlling cut, copy and paste actions, as well as offering selective wiping of documents. On iOS devices, the technology can also protect email attachments.

Improvements to its scalability also allow its App Delivery Network to deliver gigabyte-sized apps without latency, manage hundreds of certificates and configure hundreds of devices at the same time.

Ojas Rege, vice president of strategy at MobileIron, said: “Our customers are going big with mobile, but they worry about corporate documents ending up in the cloud. MobileIron Docs@Work gives our customers the mobile DLP controls they need without sacrificing the native Apple email experience their end users know and love.”



Sophos appoints Kris Hagerman as new CEO

Sophos has appointed former Veritas and Symantec senior manager Kris Hagerman as its new CEO.

Replacing Steve Munford, who will become non-executive chairman of the board and will be returning to his native Canada, Hagerman was previously group president, data centre management at Symantec and executive vice president, storage and server management at Veritas. Most recently he was CEO of Corel Corporation.

Hagerman said: “I am thrilled to join Sophos. Sophos has a winning strategy, a highly talented team and world-class products that provide an exciting opportunity to expand our share of the growing IT security industry. I look forward to working with the Sophos team to deliver compelling value to our customers and partners and to continue the company's momentum and success.”

Munford said: “I am proud of our team's accomplishments over the last seven years as we have transformed Sophos from an anti-virus vendor to a strategic provider of complete security.

“I am excited to welcome Kris as our new CEO to lead Sophos into the future. I look forward to working closely with Kris and the board as we continue to build on Sophos' global success.”

Peter Gyenes, the current chairman, will continue as a member of the Sophos board as its lead independent director.



IT audit reveals major device loss at Glasgow City Council

Glasgow City Council has lost 750 devices over the last five years according to an IT audit.

According to the Herald, 256 unencrypted laptops and 487 desktop PCs, also thought to be unencrypted, are unaccounted for. These were also lost from an office in the City Chambers which contained about 17,000 bank details. A reported theft in May, which the Information Commissioner is aware of, led to the audit of all the council's IT hardware and revealed that almost 750 devices are unaccounted for.

The report says that ‘a further nine incidents of theft involving 37 pieces of equipment have been reported by departments from various council premises throughout the city’ and these include 28 laptops, only one of which was encrypted, three BlackBerrys, two desktop PCs, three memory sticks and a SIM card. According to the report, ‘where appropriate, these losses were reported to Strathclyde Police’.

The report, by the council's chief inspector, said: “These losses referred to indicate that theft has occurred on a significant scale over a number of years from a ‘secure area', and it would also appear to show that these thefts have been well-organised and systematic.”

A council spokesman said: “What this report shows is that for a number of years the council family has been poor at keeping accurate records of its IT equipment.”

Chris McIntosh, CEO of ViaSat UK, said: “The ludicrous fact that two unencrypted laptops were returned and then lost the same day seems to show a lack of care from the council and its contractors, especially following on from the announcement that the bank details of 16,451 constituents stored on an unencrypted laptop were lost earlier in the year.

“The controversial case where Glasgow City Council's mistakes led to the details of listed sex offenders entering the public arena via an unencrypted USB stick further demonstrates the damage that can be caused by a lax data protection policy.

“Organisations should act as responsible custodians of sensitive information they are charged with and ensure that any contractors or external organisations they work with are held to the same level of accountability. Furthermore, data should be secured and wherever possible encrypted to ensure audits like these no longer throw up such dour surprises in future.”



Unapproved applications haunt networks

A third of IT professionals have reported a network infection as a result of an unauthorised application being downloaded on their network.

A survey of 1,500 IT professionals by Avecto found that 39 per cent had reported malware on their network due to the use of unapproved applications. The survey also found that 76 per cent of respondents said that they didn't know how many unauthorised applications have been downloaded on their networks.

Paul Kenyon, co-founder and chief operating officer at Avecto, said that the problem lies with staff who have administrator rights who can download applications that contain malware, and cause significant problems if entered into the corporate network.

“The answer is simple - don't give admin rights out to everyone, only to the few key IT administrators who really need them. You will see an immediate decrease in security risk and associated downtime as well as an increase in productivity from IT,” he said.

Writing on the Fortinet blog, Stefanie Hoffman said that following the bring your own device (BYOD) trend, users are now pushing the trend to its limits by introducing their own applications into the workplace to meet their needs, with an emerging trend of bring your own application (BYOA).

She quoted a recent Fortinet survey, which said that 69 per cent of respondents indicated that they are interested in BYOA, in which they could create and use their custom applications at work. However, when asked whether companies have policies that ban the use of non-approved applications, 30 per cent admitted they have or would ignore those policies.

“In actuality, the BYOA trend is not entirely new. Organisations have been dealing with users who have either brought or built their own applications into work to enhance productivity for as long as computers have been used in the workplace,” Hoffman said.

“However, the consumerisation of IT and the explosion of mobile devices now used for business related tasks has truly cultivated an environment that sets BYOA on a course for exponential growth.

“But with BYOA, the trend doesn't end with bringing your own app. Thanks to out-of-the-box app kits and templates, the trend also includes building your own app. With the relative simplicity of building applications these days, (almost) everyone can bear the title of ‘developer’ and you can be sure that more users are going to be exercising their right to create their own unique, custom apps in order to get the job done.

“That means contractors and employees with almost no security experience will be creating applications that will inevitably impact sensitive data housed on the organisation's network.”

The Avecto survey also found that respondents pinpointed 20-35 year old male employees as the main reason for internal use of unapproved applications, with 80 per cent saying that they were the most likely to demand and have elevated rights.

Kenyon said: “Gen Y [is] a technically savvy generation that has grown up in an online and freedom-of-access world. They often come into the enterprise with the same expectations of access and availability and, in many instances, have the skills and experience to be able to work around basic security protocols to get what they want.

“On top of this, many IT departments elevate users to admin rights as a means to quickly solve IT problems. Considering these factors, it's more important than ever for organisations to have a solution in place that enables the quick and secure removal of administrator rights from users, and the ability to deploy policies that elevate all of the legitimate business applications that require privileged access using privilege management technology.”



Antisec releases over a million Apple #UDID after Java-enabled FBI breach

Over a million Apple Unique Device Identifiers (UDIDs) have been posted online after hackers claimed to have obtained them from an FBI breach. 

In a lengthy statement, the AntiSec hacking group said it had 1,000,001 Apple device UDIDs linked to their users and their push notification service tokens. It said: “The original file contained around 12,000,000 devices. We decided a million would be enough to release. We trimmed out other personal data [such] as, full names, cell numbers, addresses, zipcodes, etc. Not all devices have the same amount of personal data linked.

“Some devices contained lot of info. Others [had] no more than zipcodes or almost anything. We left those main columns we consider enough to help a significant amount of users to look if their devices are listed there or not. The DevTokens are included for those mobile hackers who could figure out some use from the dataset.”

It then went on to say that it ‘never liked the concept of UDIDs since the beginning’ and said it was a ‘really bad decision from Apple’.

As for why it was exposing this personal data, the profanity-ridden release said that it took issue with the FBI ‘using your device info for a tracking people project’ and wanted people to be aware of the FBI using people's device details and information.

It said: “Looking at the massive number of devices concerned, someone should care about it. Also we think it's the right moment to release this knowing that Apple is looking for alternatives for those UDID currently and since a while blocked axx to it, but well, in this case it's too late for those concerned owners on the list. We always thought it was a really bad idea. That hardware coded IDs for devices concept should be eradicated from any device on the market in the future.”

It said that it came by the data after a Dell Vostro notebook, used by an FBI supervisor special agent, was breached using the ‘Atomic Reference Array’ vulnerability in Java.

The statement said that during the shell session, some files were downloaded from the user's desktop folder and one had the name ‘NCFTA_iOS_devices_intel.csv’, which was a list of 12,367,232 Apple iOS devices that included UDIDs and personal details.



Facebook Tackles Fake Like Issue

Business owners work hard for likes on their Facebook pages, a great form of social validation. It's a sign that companies are building an army of followers and increasing engagement from people who actually want to interact with their brands. The trouble is that recent data indicates some of these likes may not be from potential customers or even real people, but from bots using fake accounts for nefarious ends. The degree to which these fake accounts are skewing actual social interaction is a cause for concern, especially among those using Facebook for marketing or advertising. Here's a closer look at the issue.

Cracking Down

Tales from the dark side. There is a shady economy operating on Facebook, one in which vendors have sold fake likes, advertisers have paid for clicks, and businesses try to make their Facebook pages appear more popular than they really are. And the social media giant is now moving to correct the issue. Wired

Too little, too late. Some Facebook users aren't impressed with the social network's efforts, claiming company executives have either willfully ignored the problem for too long, cheapening the value of marketing for brands, or are now overreacting and penalizing some innocent users unfairly. For obvious reasons, Facebook hasn't revealed how it is going after fake accounts, but this lack of transparency leaves many questions. PC World

A matter of integrity. In a post about its intentions to aggressively purge the network of questionable accounts, Facebook's staff acknowledges that a like coming from someone with no interest in connecting to a brand benefits no one. Many business owners work hard to generate likes for their pages, but may not be getting what they expect. Facebook Security

Cause and Effect

Sizing up the competition. Business owners should use social media like Facebook and Twitter not just for gathering customer demographics as people visit their pages, but also to learn about their competitors to find out which customers they are targeting and how. The realization that many likes may not be from real customers at all could spell trouble for both of these approaches. Small Business Trends

Following the golden rule. Cendrine Marrouat shares some golden rules about social media strategy, among them the importance of listening, being human, and building relationships. Again, readers may wish to check out the concerns about fake accounts on Facebook and consider how much more difficult this makes things when planning your social media approach. Creative Ramblings

Social media magic. No matter what the controversy, business owners will still want their Facebook pages to be liked, and will still work to build the best networks they can. Building that network as quickly as possible is important too, even if Facebook and other social media sites keep changing the rules of the game. Brad Smith demonstrates some shortcuts. Social Media Today

Taking the road less traveled. Facebook, of course, isn't the only social media network out there, and as digital marketing blogger Andy Williams points out, alternatives like Google+ are worth checking out, even if they still don't have anywhere near the audience Facebook has. The fact is that Facebook has too many users to be ignored. But don't close the door on other options. Koozai