Little being done to prevent Web application threats, analysts say

SQL injection and cross-site scripting remain among the most targeted Web application vulnerabilities; however, security experts say new technologies like HTML 5 come with their own set of dangerous vulnerabilities.


According to a report by FireHost Inc., a Richardson, Texas-based secure cloud hosting firm, SQL injection (SQLi) attacks rose 69% between the first two quarters of 2012. SQL injection occurs when an attacker enters malicious code into a Web form input box to gain access to resources or make changes to data.

"SQL injection is by far the biggest [issue], for instances and data lost," said Jeremiah Grossman, founder and chief technical officer at WhiteHat Security, based in Santa Clara, Calif.

In the WhiteHat Security Website Statistics Report for summer 2012, SQL injection had an 11% likelihood of appearing in a website at least once. This number put SQL injection in 8th place for vulnerability prevalence.

Claiming the top spot for prevalence was cross-site scripting (XSS), with a 55% likelihood of at least one security vulnerability on a website. XSS occurs when an attacker inserts malicious coding into a link that appears to be from a trustworthy source. By clicking the link, the user unleashes the embedded programming, which is submitted as part of the client's Web request and can execute on the user's computer, often allowing the attacker to steal information.

Security experts said other vulnerabilities, although less prevalent and less dangerous than the top issues, still pose a threat. Joe Basirico, vice president of application security services at Wilmington, Mass.-based Security Innovation, Inc., said authorization issues -- when users can access information above their authorization level -- are a growing concern. Grossman pointed to business logic flaws, when two security steps clash and end up creating a vulnerability, as a problem.

HTML 5 a growing target

The newest version of the standard programming language of webpages, HTML 5, seeks to make Web applications and documents behave the same on every type of browser. But the emerging technology poses new dangers.

Ed Moyle, senior security strategist at Town and Country, Mo.-based Savvis Inc., said the emphasis HTML 5 has on the client side continues to make attacking from the user perspective easy for cybercriminals. New technology like HTML 5 is dangerous because threats are harder to find and harder for developers to fix, he said.

"When you shake things up and start to introduce technologies like cloud, HTML 5 ... you introduce new complexities," Moyle said.

Moyle added that in terms of actual attacks, HTML 5 is lagging because cybercriminals are sticking to the older, more widely deployed programming languages, such as Java.

Newness may explain the lack of protection for HTML 5, but that is not an excuse for SQL injection and XSS attacks, which have been around for more than a decade. Security experts said security is not a top priority when creating a Web application. Instead, the emphasis is on speed, functionality and overall experience, said Diana Kelley, founder of consulting and research firm SecurityCurve in Amherst, N.H.

"We hear a lot about [security]. It gets a lot of press and ink," Kelley said. But, she added, security falls apart in practice when application creators realize they have to spend more time and money on the product before it can be released.

Moyle said that when an enterprise IT security team addresses security for Web apps, the money and focus is often at the network level. The company will spend money on applications, but not specifically on the security of those applications.

Lack of security-aware programmers

Some experts have found a general lack of security people in the industry.

"There's no one around to do the job," Grossman said. He added that many SQL injection and XSS attacks target legacy code, because old code has weaknesses that have been eliminated in newer versions.

"There's 15 years' worth of insecure Web code we need to clean up," Grossman said. Still, he said that while flaws in new code can be avoided, the steps needed to avoid them are sometimes skipped when an application is created.

Grossman and other security analysts named parameterized SQL statements as one of the best ways to mitigate SQL injection attacks. With parameterized statements, Grossman said, only specific entries would be accepted in a Web form input box, based on the restrictions put in place by developers. As an example, he said a good entry would be "My name is Jeremiah," while "My name is Jeremiah;" would be rejected. Because punctuation is not accepted, this prevents attackers from entering code into an input box.

For XSS, Grossman named context-aware output encoding as a good defense. Input validation is another step that can be used in securing Web applications against both XSS and SQLi.
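The two defenses named above (parameterized SQL statements and input validation for SQLi, context-aware output encoding for XSS) side by side with the vulnerable concatenation pattern, as an added example that is not from the article or from any of the firms it quotes. The users table, the e-mail addresses and the name allowlist are constructed for the demonstration; the allowlist follows Grossman's example, in which "Jeremiah" passes and "Jeremiah;" is rejected.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the article): a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Jeremiah", "jeremiah@example.test"), ("Diana", "diana@example.test")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the form value is spliced into the SQL text, so any
    quote or semicolon in the input becomes part of the statement itself."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized statement: the SQL text is fixed and the value is bound
    separately, so the database never parses the input as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare_lookups(conn, name):
    """Run both lookups on one form value. A concatenation failure (the input
    changed the query's structure) is reported as the string 'error'."""
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "error"
    return concat, lookup_param(conn, name)


# Input validation: a constructed allowlist of letters, spaces and hyphens,
# so "Jeremiah" passes but "Jeremiah;" is rejected (punctuation not accepted).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")


def valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def render_greeting(name):
    """Context-aware output encoding for the HTML body context: <, >, & and
    quotes are escaped so a stored value cannot be interpreted as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    for value in ("Jeremiah", "O'Brien", "Jeremiah;"):
        print(repr(value), "valid:", valid_name(value),
              "lookups:", compare_lookups(db, value))
    print(render_greeting("<b>Jeremiah</b>"))
```

A legitimate name containing an apostrophe already breaks the concatenated query, which is the same structural weakness an attacker abuses; the bound parameter handles it as plain data.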

When creating a Web application, Grossman said it is important to have security in every step of the process. He identified three roles that need to be filled to address security throughout the life of a Web application. Builders begin the process by creating secure code, breakers then come in to test and find security threats, and defenders are operationally focused, watching for attacks once a Web application has been launched.

Experts agreed that security specifics need to come from company executives. Taking time to write code properly, check it, and write extra code for security measures like input validation, will only happen if it is mandated by executives, said SecurityCurve's Kelley. Software developers are hired to do a job, she said, and if those who employ them emphasize expediency and the experience of writing a Web application, then the final product will reflect that. Instead, Kelley said executives should give clear instructions on what security measures they want implemented.

When security is considered throughout the Web application creation process, it can ultimately save time and money, although it may not seem that way at the outset, Kelley said. There have been instances at the end of the development process when an auditor has said that the Web application does not meet certain requirements. The auditor stops production, making the development team go back and fix problems. Under these circumstances, Kelley said, production could be delayed up to a week, whereas if the proper security steps had been taken initially, it would have taken only a day or two.

Ultimately, Kelley said executives need to decide what is important to the final product. If security is important, then an enterprise needs to take every step to protect its Web application.




Firms failing at mobile application development security, study finds

The security of sensitive mobile business applications is failing to gain priority during the software development process. According to a global study, most firms focus instead on speed and performance, hindered by a lack of tools and know-how to test mobile applications in various environments.


The fourth annual World Quality Report, conducted by Paris-based technology consulting firm Capgemini, analyzed the state of software quality in the face of growing use of smartphones and the bring your own device (BYOD) movement. This year's focus was on mobile application security. The global survey was designed by the firm's quality assurance (QA) and testing experts, and reached more than 1,500 CIOs, IT directors and application and testing managers in 25 countries.

The study found that 31% of respondents across the world currently test mobile applications. Of those that do test, 64% of firms focus on efficiency of performance, rather than functionality, usability or security.

"Mobile is a completely new paradigm that presents a lot of new challenges and people haven't really caught up yet," said Charlie Li, vice president of global quality and testing services at Capgemini.

Different mobile platforms, coupled with devices running various firmware versions and a complex entanglement of mobile carriers, create serious testing challenges for many firms, Li said. Those surveyed readily admit to being ill-equipped for mobile testing, with 65% citing a lack of tools to conduct testing, he said. Emulators can be used to test how software runs on different platforms, but they don't test how the application runs on a specific device. Another 52% cited the lack of access to the required devices to conduct testing. Other tools can allow firms to emulate network connections, but Li said most firms want to see the mobile application run on a real network.

In addition, some firms said their QA teams lacked the expertise to test mobile applications against security and functionality requirements. One-third of organizations lack the testing methodologies and processes, and 29% fail to have the specialists necessary to effectively certify mobile applications, according to the Capgemini study.

"The way developers write code is not fundamentally so different," Li said. "A lot of testers we've spoken to are being exposed to mobile testing for the first time, and most of them don't think about some of the things that are important, such as Edge or 3G versus a 4G network. ... There's no formalized training of any kind. Most testers learn on the job."

Li said he engaged a client a few years ago on mobility testing. The firm offshored all of its testing facilities to India and wanted to conduct mobility testing from the country. But the tests needed to be run on mobile devices in different parts of the world. "The roaming charges ended up being more than the actual cost of labor," Li said.

While enterprise IT security teams are addressing security policies and controls to reduce the risks posed by smartphones and other devices in the enterprise, software development and testing teams creating enterprise mobile apps are also addressing security concerns, said Chris Wysopal, CTO of Burlington, Mass.-based application testing services firm Veracode Inc. In a recent interview with SearchSecurity.com, Wysopal said companies often fail to see the weaknesses that can be exploited by attackers.

"It used to be the client system was a Web browser and the back-end system was a Web application and people would test the Web application," Wysopal said. "When you make the front-end a mobile device, a lot of people aren't testing that back-end Web service as they would if it was a Web app. Every time something changes, they think all the risks that were there are gone, but they're not. The risks are still there, but the attackers have to just change their toolset."

If an attacker can create a malicious application and make money through fraudulent SMS charges, it won't be long before a mobile app is built that directly steals intellectual property, he said. A number of firms, including Sunnyvale, Calif.-based Good Technology Inc., enable mobile application developers to create enterprise apps that are contained in a sandbox protecting data stores and data transmission. Even with a sandbox, it's important to test the application, he said. Implementing a sandbox incorrectly enables an attacker to find holes or bypass the sandbox altogether, Wysopal said.

Li advocated a test-driven development model to address mobile, a concept that has been around for years, experts said, but is rarely ever fully implemented. The model emphasizes repeated testing on source code. Companies often aren't ready to make the significant investment needed to change the processes that have been ingrained for years, and some software development and testing teams often push back fearful of the amount of work required. But the process allows clients to start thinking about the quality of the application much earlier than after it is built, Li said.

"We're trying to help clients think about quality, performance and security before a single line of code is written," Li said. "It definitely takes a political change in most places. If done properly, most companies will report that it reduces a significant amount of work down the line."

Mobile fuels interest in cloud-based testing

Cloud-based models for testing have seen slow adoption, but Capgemini and other security firms believe adoption will begin to grow. Testing as a Service (TaaS) is of interest to survey respondents with 78% of them indicating their firm plans to move to TaaS in the next two years, rising to 89% by 2015.

TaaS spares clients the costs associated with building their own mobile testing labs. It encompasses everything from the environment and the tools to the techniques and processes necessary to meet the requirements of the application, Li said.

"As a consumer, you're buying peace of mind that when the app is released, less than 2% of defects will go into production," he said.




Quin named Telecom retail head

Telecom has appointed Chris Quin as chief executive of its retail division.

Quin is currently the head of the information technology arm, Gen-i, and will replace departing retail boss Alan Gourdie in the role from October 1.

Quin was in the running to replace Paul Reynolds as chief executive of the Telecom group but lost out to Simon Moutter who took over in the top job last month.

Quin has worked for Telecom for over 20 years. Prior to his appointment as CEO of Gen-i Australasia, he was the general manager of Gen-i's New Zealand operations. This followed several roles across Telecom that included finance, sales and management.

Before joining the company he was chief financial officer and company accountant for Mitel New Zealand.

By Hamish Fletcher

Rocket Lawyer On Call For Legal Assistance

For individuals and businesses in need of legal assistance, finding an attorney with the right expertise can seem like a daunting task. And likewise, individual attorneys and small law practices can sometimes have trouble finding the right clients to keep their business moving in the right direction.


Attorney network Rocket Lawyer has recently launched a new service called On Call, which aims to help connect attorneys and small law practices with new clients, without all the extra work normally involved in setting up a marketing campaign.

According to a Rocket Lawyer study, many solo attorneys and small law practices feel they need a more efficient way to reach new clients. Focusing on marketing efforts and reaching out to new clients might be easy for large law firms, but for small businesses, that type of work can just take up time that could be used for actually providing legal services and running a business.

Said California-based On Call attorney, Mark Ruiz:

“As a solo practitioner, On Call membership helps minimize my anxiety behind client acquisition as there is always a steady stream of potential clients on the site seeking legal services.”

Once attorneys sign up and are admitted into the program, they will receive access to pre-screened potential clients, Rocket Lawyer's library of legal documents, and their own profile page on the Rocket Lawyer website.

The Rocket Lawyer team actually interviews potential clients up front and provides information to attorneys so they can decide which cases might be the best fit for their practice.

The attorney profile pages on Rocket Lawyer's site can include pertinent information about the practice, such as areas of expertise and pricing, so that potential clients can learn more about the attorneys that can help their case.

Both lawyers and other small businesses needing legal help could benefit from this type of program. Users of the site can choose from a list of practice areas, including business law, intellectual property, and several other types that may be pertinent to small business owners.

Rocket Lawyer offers a basic plan and a professional plan for individuals and businesses seeking legal assistance.




Here's What Your Employees Want: Are You Listening?

When it comes to what your employees want, too many small business owners are in denial. At least, that's the finding of a new study by MetLife, which polled small business owners and employees and found that while employee loyalty has dropped steadily since 2008, employers mistakenly believe it's on the rise.


More than one-third of the work force (36 percent) hopes to find a new job soon, and among younger employees (Gen X and Gen Y), that number hits 42 percent.

If you're looking to replace lost workers, be aware that benefits were also an important factor in attracting younger workers, even more so than in attracting Boomer-age workers.

One reason younger workers are more likely to be influenced by benefits is because they're having a harder time financially, with 50 percent saying they're more reliant on employee benefits for financial security than they were in the past.

However, that's not to say Boomers are carefree. More than half of employees in all age groups are worried about making ends meet, paying for health insurance and paying down debt.

Employers are also in the dark about what benefits contribute most to employee loyalty. Asked what benefits were key drivers of loyalty, more than half (52 percent) of employees named retirement benefits, 44 percent said nonmedical insurance benefits (such as life insurance) and 38 percent want to have a choice of benefits.

While employers in the survey were well aware of the importance of benefits, 65 percent report it has become more difficult to pay for them.

The good news for cost-conscious employers: Two-thirds of younger workers and more than half of Boomers say they'd rather pay for more of the cost of their benefits than lose them altogether.

Ask

The title of the study, Are You Listening? offers a clue. Start by asking your employees what kinds of benefits they care about most. You may find, based on the age group of most of your employees, that the results are not what you expected.

Analyze

Figure out what kinds of benefits you can offer. Is there something that would make you a more desirable employer because none of your competitors offer it? Conversely, is there some type of benefit that's considered “essential” or basic in your industry or your area?

Price

Figure out what you can afford and how much your employees are willing to pay. If something that employees care about deeply is out of your price range, can they contribute part (or all) of the cost?

You might be surprised: MetLife found that more than one-third of employees were interested in having access to disability coverage, life insurance, dental insurance and vision insurance, even if they had to pay 100 percent of the cost.

Communicate

Letting employees know what you offer and how much it costs is key to building loyalty. Be transparent about the cost of policies and how much of the tab you are picking up. Employees often underestimate these costs, and showing them the reality will make the benefits more valuable to them and build loyalty.

Review

Don't “set and forget” your benefits. Do an annual checkup to ask employees what benefits they used, what they care about and what they don't care about. Also talk to your insurance agent(s) each year to assess whether you have adequate coverage, what you can drop (and add) and ways to lower your bill.

Going forward, the trend toward employees contributing more for coverage won't end anytime soon. As the war for talent heats up, having employees chip in for their benefits will make it easier for small business owners to win at least part of the battle.





Join The Tweet Chat 9/26 – #DellCoIT: 'Debunking 4 Myths In Consumerization of IT'

The business environment is changing, with consumer-owned devices in the workplace now being used to perform everyday tasks. IT departments and managers are tasked with ensuring these devices (tablets, smartphones, laptops) are secure and compliant, a trend known as consumerization of IT. To help businesses of all sizes embrace this new business trend, our very own Ramon Ray, editor of Smallbiztechnology.com, will be hosting a tweet chat to discuss common myths associated with it.

On September 26, 2012 at 12PM CDT, join Ramon (@RamonRay), Sean Wisdom from Dell (@DellSMBUS) and Matt Watson from Microsoft (@Microsoft and @MicrosoftSMB) for a tweet chat about “Debunking 4 myths in consumerization of IT.”

What They'll Cover:

They'll be debunking the following 4 myths in the consumerization of IT:

  1. Employees are using personal devices just to get around firewalls and browse social sites
  2. There's no difference in security across platforms: security is just security
  3. IT & executives aren't prepared for the consumerization of IT
  4. Employees are less productive when allowed to use personal devices in the workplace

How You Can Participate:

We recommend using a tool like TweetChat to follow the conversation. Just sign in with your Twitter account, enter the #DellCoIT hashtag, and join the conversation as if you were in a chat room.

Register here for this event and don't forget to come prepared to learn about consumerization of IT with our experts.



Dunedin company buys mining technology stake

Dunedin-based industrial automation firm Scott Technology has taken a stake in a Western Australian developer of a patented conveyor belt technology for use in the mining, bulk handling and automated processes markets.

For an initial commitment of less than A$500,000 ($631,000), the company has purchased assets belonging to Integrated Conveyor Systems ahead of a due diligence process that will take until next June.

"ICSL's conveyor technology is a logical extension for Scott with our progress in the mining automation market, where the technology is aimed at improving speed, occupational safety and health and labour costs, particularly in remote areas or over difficult terrain," said chief executive Chris Hopkins and chairman Stuart McLauchlan in a statement to the NZX.

Its application for the mining sector is still in the development phase and has attracted inspection by Bathurst Resources, which is planning a conveyor system to bring coal off the Denniston Plateau for export from Westport, said Hopkins.

Scott shares were up 2.9 per cent yesterday to $1.80, and have risen 24 per cent in the last year.



Kiwis at home in heart of high-tech

Silicon Valley has become synonymous with the technology scene in the United States and is home to the headquarters of giants such as Google and Facebook.

Sprawling across the Santa Clara Valley, Palo Alto, San Jose and other parts of the San Francisco Bay Area, the technology hotspot earned its name from the silicon-chip makers that set up shop there.

iPhone maker Apple is also based in the valley and is looking to build a four-storey, 260,000sq m R&D hub.

While it's often conflated with the city of San Francisco, the traditional heart of Silicon Valley is closer to San Jose to the south. However, the Wall Street Journal reported earlier this year this was beginning to change, and tech firms were gravitating further north towards San Francisco.

According to a PricewaterhouseCoopers report from 2010, the area makes up around 30 per cent of all venture capital investment in the United States.

As well as being the base of software and hardware giants, the region also hosts offices of social networking firms such as Twitter and LinkedIn.

Up until the 1960s it was known as the Valley of Heart's Delight because of its orchards and was believed to be the largest fruit packing area in the world.

By Hamish Fletcher

Silicon Valley backs Appsecute

Kiwi software entrepreneurs come away from whirlwind trip to US with investment from high-level backers

Two Christchurch software entrepreneurs have caught the eye of US investors after a week-long sojourn to Silicon Valley.

Appsecute's Mark Cox and Tyler Power have spent the past year building tools for an emerging area of cloud computing, known as platform as a service, that they hope will get more traction with big companies.

After dealing with overseas developers on Skype, the pair headed to California last month to see if there was a market for their product. They have returned buzzing about Appsecute's prospects after securing funding and getting support from the industry.

"It was really fast-paced. The people over there, the people in San Francisco, in Silicon Valley, are our sort of people, they get what we're doing. It's tremendous," Cox said.

"We were over there for a week and in five days we'd progressed our business by about three months," he said.

The 40-year-old could not disclose how much the investment was worth, but said it came from a vice-president at a Silicon Valley company.

"The investment will work towards us opening an office in San Francisco, it will get us through to the next stage where we need to raise a substantial amount more money than we have so far and expand," Cox said.

As well as getting financial backing, Cox said a lot of industry players approached them wanting to lend a hand, including from a "very high-profile Silicon Valley executive".

"I don't want to give names ... I was out, he was sitting beside me and he just kind of lent over and said 'I'd like to help you out, I've done this kind of thing before and I think I can help you' ... a lot of that sort of stuff happened," he said.

"We managed to get quite far with not a huge budget. If you look at a company like Xero, they were the first generation of cloud out of New Zealand and they had to spend quite a lot on marketing to become known. But it seems to be possible now through social media and the right introductions to get noticed in Silicon Valley."

Cox formed Appsecute with Power after the pair worked together at Jade Software. Although there was some risk to giving up full-time work, Cox said he felt compelled to move with the venture, particularly once it got some attention: "It's exciting to see people blogging and tweeting about how much [they] love what we're doing and seeing the growing momentum."

By Hamish Fletcher

Social Media Tips for Small Business

You've recently set up the obligatory Facebook, Twitter, LinkedIn, and Google+ profile pages for your small business and you're asking yourself, "Now what?"


If you're new to the game and wondering what to do next, below are 5 social media tips to send you and your small business off in the right direction to achieve social media success:

1) Develop a Strategy

I've seen many companies make the mistake of approaching social media without a strategy. First, decide which social networks make most sense for your company. You may not have a product that will translate to Pinterest or Instagram. It's better to have a limited, strategic presence on social media than to be everywhere without purpose.

Once you have selected the social networks that best suit your company, you can then align your strategy to meet your desired goals. For example, do you have the goal of growing your Facebook community? If so, you should be brainstorming content, promotions, and posts that will attract your target customer.

2) Respond

Assigning an intern to manage the social media channels a few hours per week is simply not enough anymore. Your online community expects to receive responses to inquiries in a timely manner (typical accepted response time is within 24 hours). If you aren't willing to invest the time and money it takes to respond to your online followers, then you probably shouldn't be on social media.

Customers want to know someone is listening. The simple task of responding speaks volumes to your customer service. If you don't have the answer and need some time to find it, let that person know that you have seen their question and you are working to get the answer for them.

3) It's All About the Content

Don't just broadcast anything to make it look like you're active on social media. There are too many companies out there bombarding their followers with the social media equivalent of spam. If you want to build a following, create content that makes you a leader in your industry.

If you don't have enough time to regularly produce original quality content, share the good content that's already out there or approach the experts to create content for you. Your online community will thank you for helping them find the good stuff.

4) Don't Duplicate

Posting the same thing to Facebook, Twitter, LinkedIn and the like is redundant and will cause you to lose followers. Tailor the content for each network and audience. LinkedIn is a professional network so this serves as a great place for thought leadership. Make use of photos and other rich media content to tell a visual story using Facebook Timeline.

People join social networks for different reasons and you best serve your online community when you know who they are and what they want to see. Take the time to do the research and post what is best suited to each medium.

5) Self Promotion is Anti-Social

In real life, when you're trying to make friends, talking about yourself won't get you far. It's the same with social media. Your participation in the space should foster conversation. It's okay to tell your online community about a new product or promotion, as long as that's not all you're doing.

Make it easy for your community, customers, and industry leaders to share content on your social pages. Be an active listener to better understand what your community wants. If they're following you, they already think you're great, you don't need to constantly remind them.

How do you use social media for your small business? Share your social media tips with us.





Apple's iPhone 5 Is Out, But Is It Really Worthy Of All The Buzz?

Apple's iPhone 5 just recently came out and, as always, this subject has generated an enormous amount of buzz. Consumers have been lining up in droves to purchase the phone and we probably won't hear the end of it for a while. The new smartphone introduces a sparkling new operating system loaded with new features. But with other competitors on the market, is it really worth it to get Apple's new contraption?

David McQueen, the principal analyst at Informa Telecoms & Media, believes that the iPhone 5 seriously delivers in some areas:

  • LTE connectivity is finally here! The iPhone 5 will be able to take advantage of the 3GPP/4G LTE broadband networks everyone's been crazy about lately. This is certainly a plus.
  • The new connector for the iPhone 5 is an 8-pin “Lightning” connector with two-sided connectivity for an easy fit. You no longer have to look at the plug to see if it will fit in its slot.
  • The screen is slightly bigger than its predecessor's and the material on the back side is metallic. The aspect ratio is slightly trending more towards 16:9, but the width hasn't changed for the sake of maintaining compatibility with apps that worked on its predecessor.
  • The Apple iPhone 5 uses the A6 chip, which allegedly runs twice as fast as the previous A5 seen in older models.

As David McQueen also mentioned in his statement, Apple's hardware might not stack up against competitors. Here are a few reasons why I see the iPhone 5 not matching up with other phones:

  • Apple implemented a nice new cable for the new iPhone. That's very cute, until you realize that the cable is proprietary, meaning that the company can charge anything it wants for the cable. You'd be willing to pay the price, in the end, if you want your smartphone to remain functional.
  • The iPhone 5 is kind of late in the game when it comes to LTE. Samsung's Galaxy S III has long supported this new connectivity. Nokia's Lumia 920 will also support it when it comes out around November this year.
  • The optics on Apple's new smartphone aren't top-notch. If you want good optics and camera capabilities, go for the Lumia 920.
  • Most of the new smartphone's features are already reflected in other brands' models (i.e. 1 GB RAM, 32 GB storage, etc.).
  • The iPhone 5 doesn't have support for microSD cards, a feature that has long since been revered in the smartphone world. Granted, many phones don't have this, but this would have made the iPhone stand out among the others significantly.

In conclusion, you should only get the iPhone 5 if you feel like you need a more powerful phone that can still run all the iOS apps you currently depend on and don't feel inclined to find apps that can perform the same functions on another smartphone. Depending on Apple seems like it will soon be a thing of the past unless it changes its game soon. Other smartphones have already proven themselves superior to Apple's new phone.



German government advises surfers not to use Internet Explorer

The German government's Federal Office for Information Security (BSI) has instructed citizens not to use Internet Explorer following the discovery of a zero-day bug in the browser.

The bug, which was discovered by security researcher Eric Romang, impacts versions 9, 8 and 7 of the Internet Explorer browser and led Microsoft to release Security Advisory 2757760 to address the issue. According to Reuters, hackers are using the bug to launch attacks, specifically against defence contractors, and until Microsoft issues a patch it has encouraged users to use other browsers.

The BSI said it was aware of targeted attacks and advised all users of Internet Explorer to use an alternative browser until the manufacturer has released a security update. "A fast spreading of the code has to be feared," the German government said in its statement.

Officials with Microsoft did not respond to a request to comment on the move by the German government, although the company downplayed the impact of the flaw in a written statement. Yunsun Wee, director of the Microsoft Trustworthy Computing Group, said: “There have been an extremely limited number of attacks. The vast majority of Internet Explorer users have not been impacted.”

Microsoft also said that it planned to release a patch in the next few days. However, some security experts have said it would be too cumbersome for many PC users to implement the measures suggested by Microsoft and instead advised Windows users to temporarily switch from Internet Explorer to rival browsers such as Google Chrome, Mozilla Firefox or Opera.

AlienVault researcher Jaime Blasco confirmed that the zero-day was being used to target specific sectors, including defence and industrial. He said: “Following our investigations on the servers found serving the Internet Explorer zero-day and using OSINT, we were able to use the WHOIS mail address and the IP addresses used by the attackers to find fake domains registered by them.

“They contain specific names of companies related with: a US Aircraft and weapons delivery systems company; a US Defence decoy countermeasures company; a US Aerospace and defence technology company; a US Supplier for repairs of tactical fighters; a laboratory for energetic systems and materials; and a UK defence contractor. We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants.

“We were able to check that the official website of the company has been compromised as well and it is serving the Internet Explorer zero-day to the visitors. They've included an iframe to the exploit in the entry page. Apart from that, it seems the exploit code has evolved and they are now able to infect not only Windows XP but also 32-bit Windows 7 running Java 6.”



Good Technology offers BYOD implementation and consultancy service

Good Technology has launched two new bring your own device (BYOD) services to help the CIO and organisation quickly and easily transition to their own program.

Named the BYOD Policy Construction and Transition Services, the company said that these are geared towards users that want to harness the productivity and cost benefits of BYOD, but are concerned with the business, legal, financial and HR dilemmas of a rollout.

Included in the BYOD Policy Construction approach is a structured framework that offers industry and peer data, as well as best practices, to inform policy decisions; enable decision-making; and balance the security interests of the employer with the employees' concerns around privacy. It also allows a business to tailor a standalone BYOD policy to the organisation's unique culture, workforce and risk management profile.

Good's Transition Services provide customers with a dedicated consultant who works with them to define their success criteria, forecast the number of BYOD devices that need to be provisioned, launch demand-generation programs and map out the steps necessary for an efficient rollout. The consultant will also oversee the implementation, track the progress of support and perform a final readiness review to ensure the company is prepared to execute the Transition Plan.

Allen Spence, vice president of worldwide professional services at Good Technology, said: “We talk with a lot of customers who have been thinking about implementing a BYOD program, but don't know where to start, or how to finish and roll out. Others had been planning for a three-year transition, but are now challenged to potentially implement a BYOD program and migrate all mobile employees in just six months.

“Our BYOD services provide our existing and new customers with expertise and the frameworks to roll out successful BYOD programs.”



GCHQ develops Cyber Security Challenge contest

The Cyber Security Challenge UK has announced a new competition designed by GCHQ that will test competitors' skills to protect against attacks to a simulated government IT system.

Named 'Balancing the Defence', it will require competitors to analyse a mocked-up network representing that typically found across government departments. They will be asked to look for vulnerabilities that an attacker could exploit, prioritise the threats and, whilst working to a tight budget, suggest a range of defensive controls, both technical and policy based, to reduce the risk to the network.

The competition will take place over seven days from Monday 1st to 8th October 2012, during which time the candidates will be fully briefed on the scenario and will be asked to submit a report with their proposed security solution.

The GCHQ architect behind this competition, 'Karl', said that he hoped that this competition would help uncover those who have the vital mix of technical ability and business awareness to make tough decisions in the best interest of an organisation.

“Cyber Security Challenge UK has proved itself a very accomplished mechanism for finding new talent. At GCHQ we are committed to finding and developing the new cyber security skills in the UK and these are the skills sets employers including ourselves are most interested in,” he said.

Stephanie Daman, CEO of Cyber Security Challenge UK, said: “Balancing the Defence is part of our new Risk Analysis and Policy Stream which puts our candidates in the shoes of the professionals and makes them answer some difficult questions: Where do the biggest threats come from? Are there some risks I have to accept? What impact will my changes have on the organisation?

“These are questions which cyber security professionals grapple with every day and answering them requires an aptitude that isn't easy to identify from traditional CVs and job interviews. We need a new approach if we are to find people with these skills in the numbers that the industry desperately needs. No organisation is better placed than GCHQ to help us deliver this.”

The winners from this virtual competition will be invited to a face-to-face competition for 30 candidates drawn from the GCHQ competition and a second virtual competition, Dtex Systems' Insider Threat game. Winners selected at this event will then be invited to attend the Challenge's Masterclass and Awards weekend on the 9th and 10th March 2013.



Gartner Security Summit: Be agile to challenges to survive and thrive

Creating effective roadmaps and being adaptable to change were the key themes of the opening of the Gartner security summit.

Speaking at the opening keynote of the Gartner Security and Risk Management summit in London, Andrew Walls, research vice president in Gartner Research, began by talking about change, saying that 'change is inevitable but can be good as it drives improvement and refinement'.

Referring to changes in the financial markets, politics and climate, Walls said that the species that thrive are those able to adapt to change, and drew the same comparison for security and risk managers: those able to change are the ones that enable a business to survive.

Walls said: “People are adapting to change in IT for personal objectives, this is a society based on change.”

He said that IT and security managers need to enable transformation and effectively manage uncertainty in a constantly changing world. Gartner also launched its 'Nexus of forces', which combines social, mobile, cloud and information, and which Walls said 'redefines forces and changes our role as risk and security leaders'.

“By 2014, 80 per cent of risk leaders will need to report on risk compliance and security postures to the board of directors, not just the CEO. In order to stay relevant, security and risk leaders need to develop new abilities in the face of a drive in change,” he said.

“Security and risk managers face an exciting future: users and enterprises are racing ahead to mandate changes for success. To meet these challenges we need to redefine roles and deliver appropriate levels of security anywhere at any time. We must be there first to protect, detect and remediate and drive better business performance in the face of uncertainty.”

Also speaking was Paul Proctor, Gartner research vice president, who likened the reactive nature of security to the addition of safety features to cars, saying that it was a 'requirement in response to government regulation'.

He said: “Information security and risk management have a history of being reactive. We quarantine, block or 'just say no', so how can you say that is in line with the business? The Nexus changes the role of security and risk management; it has to be integrated and promote desired business outcomes. You cannot align with the business, you need to be the business.

“Risk management is the explicit recognition that you cannot protect yourself against everything. Make decisions about what you are going to do to protect yourself and what you are not going to do.”

Finally, Carsten Casper, a vice president with Gartner Research, echoed recent Gartner predictions that spending on security services will reach $49 billion by 2015, and also called on businesses to adapt to changes and promote business growth. He called the Nexus a 'strategic roadmap to secure the enterprise and reduce risk'.



12 Blogs Every Small Business Should Be Reading

Last month I encouraged everyone to make blog reading part of their day. While it's easy to ignore your daily reading list or think it's not a productive use of your time, the truth is staying up to date on blogs is a great way to stay in tune with what's happening in your industry, educate yourself on new trends, and even to keep your own creative juices flowing for material. As mentioned yesterday, by becoming part of your local ecosystem, it also makes you a more attractive link/traffic target.

I thought today I would share a short list of blogs I think every small business owner would benefit from reading, regardless of your industry. Below are some of my personal recommendations.

Business Leadership/Entrepreneur Blogs

QuickSprout

QuickSprout is a blog penned by serial entrepreneur Neil Patel and covers a wide variety of tips from leadership, to social media, to search engine optimization, and everything in between. While it would arguably fit in any of the categories on this list, Neil's posts on business best practices are some of his most valuable. But as an SMB, you'd be wise to listen to anything Neil talks about.

Harvard Business Review

The Harvard Business Review is a great place to head for general business advice, leadership tips, crisis management information, and a host of other topics. Articles are written by expert authors and I always leave with a few new takeaways and things I want to start implementing in my own work.

Killer Startups

As the name would suggest, you can find some ‘killer’ information here on everything you need to know to run a successful company. There's information on the best tools, apps, how to build a great team, product reviews, etc. This blog has been in my feed reader for a long time, and with good reason.

Mixergy

I really enjoy checking out Mixergy to hear from other entrepreneurs who have created successful businesses, how they did it, and to get a sense of their personal stories. I think that's something Mixergy does really well: it lets you hear directly from the people holding the sweat equity. Right now there are more than 750 interviews on the site to benefit from.

Search Engine Optimization Advice

Mike Blumenthal Blog

Mike is a familiar face here at SmallBizTrends.com, as we often reference some of the great finds he comes across. If you're a small business owner trying to understand all the changes associated with Google Places, local search, and what bugs are getting fixed when, Mike's blog is among the best in the industry to follow and a huge resource. I think he may have a secret line to Google because he seems to know things before anyone else.

David Mihm

Known to many for his annual Local Search Rankings Survey, David Mihm is a constant source of expert local search information. He's also known for his GetListed.org events, which bring noted local search experts to various towns across the country to help small business owners learn more about SEO, social media, and how to increase their Web presence.

Search Engine Land's Local Search Category

Search Engine Land is a huge SEO resource for marketers of all levels. However, small business owners will want to pay special attention to the Local Search section, which is designed with them specifically in mind. There are great tips and best practices on how to craft an effective listing, how to use social media, and other small business issues. If you're interested in further social media reading or other topics, you'll also be able to find that information in other SEL categories.

Content Marketing

Blueglass

The folks at Blueglass cover a lot of great topics on their blog, but their content marketing topics may be of most interest to small business owners. Here you'll find tips, tools, and personal experiences that anyone can learn from and implement in their own business. One of the most strategic, forward-thinking outlets on content marketing topics.

Andy Sernovitz

Andy Sernovitz's blog is where he shares great examples of word of mouth marketing, oftentimes centered around the content we're using or how we're talking to customers. There are great case studies, as well as examples from big and small brands.

Copyblogger

The goal of Copyblogger is to help you get traffic, attract links, increase subscribers and grow revenue through content. The site offers strategic advice on how to become better with content and is a must read for anyone looking to build a business on the Web.

Convince and Convert

Jay Baer's blog is a great resource for marketers looking to use social media and content to better connect with customers. What I love about Jay's blog is it's chock full of data that marketers can use to make informed decisions. It's less theory and more hard-hitting evidence of success.

And of Course….

Google Small Business

Google has an official blog for small business owners to keep them up to date on new releases, using Google tools, and other news. Some of it can be a little overly-promotional at times, but it's worth following. This is a Google world, after all.

Above are some of my favorite blogs to help me in my daily business life. What blogs do you currently rely on?





Countdown to Small Business Saturday: Time to Start Preparing

Each year, SmallBizTechnology does its best to help you prepare for one of the biggest small business events of the year: Small Business Saturday. Sponsored by American Express, Small Business Saturday is held each year on the Saturday that falls between Black Friday and Cyber Monday. This year that Saturday is November 24th. While it may seem like you have plenty of time left, it's important to start preparing your website for the big day.

Each year, American Express seeks to help small businesses by encouraging patronage of small businesses. Customers who register their American Express cards to shop at small businesses on November 24 will be given a $25 credit for each registered cardholder. Customers need only register their cards ahead of time to qualify for the refund.

“I think slowly the message is starting to seep in that it's vital to shop at small businesses,” Josie Leavitt, Publishers Weekly blogger, wrote after last year's success. Leavitt is a bookseller in Vermont. “It was heartening to see so many new faces. People actually thought about what small businesses to go to and were happy to let us know they'd chosen us.”

Here are some dates to use as a checklist as you prepare for the biggest shopping weekend of the year.

Today

  • ‘Like' the official Small Business Saturday Facebook page. This will not only sign you up for ongoing updates and reminders about Small Business Saturday, it will also provide information about participating in special contests hosted for small businesses.
  • Sign up for ShopSmall to receive ongoing communications about Small Business Saturday, including advice on how your small business can participate.
  • Evaluate your small business's online presence, taking into account local customers who might be searching for you for the first time through sites like Yelp and Angie's List. Make sure it's easy for those customers to find you.

October

  • Utilize the many ad tools available in the Small Business Saturday Toolkit. These include signs and tutorials on small business marketing activities like creating a Facebook presence and uploading a YouTube video.
  • Work with your web designer to make sure your website is ready for the influx of traffic. Decide which specials you'd like to offer and create banners and signage. The toolkit can help with this.
  • Promote the $25 American Express credit and let customers know you are participating in Small Business Saturday. You'll be amazed how many customers hold American Express cards and will be willing to shop if they know they're getting a $25 credit.
  • Create a way to capture customer information to a database. As you receive a larger-than-usual influx of customers on Small Business Saturday, take advantage of the opportunity to get information on those customers that you can use for future mailings.

November

  • Finalize website testing and optimization.
  • Hang Small Business Saturday signage prominently in your store's window and/or near the cash register.
  • Promote your Small Business Saturday special offers on your company's social media sites.
  • Don't forget your current customers. Contact them to let them know about the special offers you'll have for Small Business Saturday.

When it comes to promotion, it's never too early to start preparing. Thanksgiving weekend will be here before we know it and with so much competition for attention, small businesses are more challenged than ever to make an impact on Small Business Saturday.



Twitter reinvents iPad App

Social media is here to stay with tools introduced regularly to enhance the experience. Large and small businesses use these tools to build branding, get their messages out inexpensively, connect with customers, and drive traffic. Here's the latest from Twitter and beyond.

Twitter Turnaround

Tweeting in tablet form. Here is a look at the new Twitter experience for iPad. The new app features a “Discover” tab uncovering top Twitter trends and a feature that helps you easily find who's retweeted or mentioned you. For more on features, read the full review. Wired

The bigger they come. Another major innovation changing the Twitter experience is a redesigned profile page complete with larger Facebook-esque headshot and other information designed to help your followers get more up close and personal with you, writes blogger Cendrine Marrouat. Examiner.com

Getting to know you. On a blog post about the redesign, product manager Sachin Agarwal says the new profile page is about empowering users. “New profiles also help you get to know people better through their pictures,” Agarwal explains. “Photo streams now appear below anyone's most recent Tweets on iPhone, Android, and iPad.” Twitter Blog

Socially Awkward

The road to ruin. Simply deciding to use social media for your business or brand does not mean you are doing it right. In fact, there are some big mistakes even pros make when trying to create great social media engagement. Here are some things that won't work. Communicatto

The missing link. Pierre Debois uses a bicycle chain metaphor to explain why buying Twitter followers or Facebook fans is the worst idea for growing your business with social media. If the strength of your network is determined by the strength of these connections, a network with fake connections will be weak indeed. Zimana

The Real Deal

The shadow of a doubt. If you doubt the importance of social media to your business, look no further than some of your competitors. A recent survey indicates a third of businesses may be spending at least $845 a month on technology to manage their social media, while another third are spending more than $1,000 a month. Business Insider

What the traffic will bear. If you want to know where a full half of your small business traffic is coming from, surprise, surprise, the answer is social media again. See how the numbers break down in our post. Small Business Trends