How Startups Can Ruin Their Customer Relationships


Many startups go through growing pains, but customer relationships shouldn’t suffer from a company’s internal stress and adjustments. Establishing a loyal client base and solid brand reputation should be the highest priority for a startup, since those customers will sustain it as it moves into various levels of growth.

A firm can avoid a number of common pitfalls by taking precautions, watching analytics, and improving its operational systems.

1. Miscommunication

Both internal and front-of-house miscommunications can break customer relationships. Leadership should be transparent with their teams, and impart accurate product and service information so employees can represent the brand effectively. Inaccurate retail information can lead to a negative purchasing experience.

In order to combat issues like these, make sure all website and social media communications are clear and candid. Include a Frequently Asked Questions page to provide answers for clients who need additional assistance. Your company may also wish to hire trainers and HR professionals to craft training programs, guidelines, and workflows for employees.

2. Inaccurate Records

There’s nothing more embarrassing than calling an important client and learning that your company has the wrong phone number on file. This can lead to unacceptable delays in communication, which will have a negative impact on your company’s pipeline.

Customer records should include precise information and relevant notes, such as purchasing trends, product preferences, and marketing campaigns.

Even if you believe a customer’s records are accurate, take the time to update them. You may learn that a customer has recently changed his or her address, which is crucial information if you are shipping a product to that person or firm. You can take a few moments during each phone call, email interaction, and in-person meeting to verify records and customer information.

3. Lack of Planning

A startup cannot adjust to its opportunities and success if the company is not measuring efforts and results. Analytics can provide invaluable metrics with regard to web, staff, and product performance. Marketing professionals, project managers, and leadership teams can get ready for upcoming product launches, industry conventions, and other substantive events by using business analytic software.

4. Delayed Responses

Startups can lose revenue if they do not dedicate enough staff to customer service needs. Clients who encounter a busy dial signal on the phone, automated email response, or closed door may decide to take their business elsewhere.

If your company is struggling to respond promptly to inbound queries, consider hiring an IT helpdesk and customer service specialists. If clients email, call, or drop in with a question, do your best to connect them with the resource that best fits their needs.

5. Disorganization

Once a startup gains enough of a following, it will need to purchase CRM software to manage contacts, develop pipeline, and close sales. Companies that neglect to invest in these solutions will soon run into organizational problems as data needs overwhelm them.

Excel spreadsheets can do only so much before they become bogged down with convoluted and unnecessary information. A CRM solution empowers teams to collaborate on client accounts, build invoices, and establish sales.

Another way for companies to avoid disorder is to go paperless. Explore servers, cloud solutions, and offsite backups to keep documents safe and secure. Protect CRM databases and other sensitive information by backing data up regularly. IT departments may add another level of security by performing routine technology maintenance, rotating passwords, and repairing technology.

Startups rely on word-of-mouth, online reviews, and client perception to grow their business. These relationships may be placed in jeopardy if your organization suffers from miscommunication, disorganization, or poor planning.

Avoid these stressful situations by investing in staff resources and technologies that fulfill startup needs.





Security researcher finds vulnerabilities in emergency alert system

Application servers used as part of the nation's emergency alerting system (EAS) suffer from a remotely exploitable vulnerability, according to Mike Davis, principal research scientist at Seattle-based IOActive Inc.

Davis says the servers "are currently shipped with their root-privileged SSH key as part of the firmware update package. This key allows an attacker to remotely log on over the Internet and manipulate any system function. For example, they could disrupt a station's ability to transmit, and could disseminate false emergency information. For any of these issues to be resolved, we believe that re-engineering needs to be done on the digital alerting system side and firmware updates to be pushed to all appliances."

A recent vulnerability note from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute stated: "Digital Alert Systems DASDEC and Monroe Electronics One-Net E189 Emergency Alert System devices exposed a shared private-root SSH key in publicly available firmware images. An attacker with SSH access to a device could use the key to log in with root privileges."
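The checks a firmware reviewer would run for this class of bug, as an added example that is not IOActive's or CERT/CC's code: scan an unpacked image for PEM private-key blocks, fingerprint them so the same key can be spotted across products and releases, and list any non-comment entries in root's authorized_keys. The image trees and key bodies below are constructed placeholders, not material from the affected products.

```python
import hashlib
import re
from collections import defaultdict

# PEM private-key blocks in the forms OpenSSH and OpenSSL write:
# "RSA", "DSA", "EC", "OPENSSH", "ENCRYPTED" or bare "PRIVATE KEY".
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=kind)-----"
)

# Constructed stand-ins for three unpacked firmware trees (path -> file bytes).
# The PEM bodies are placeholders, not real key material. Images A and B ship the
# same host key and the same root authorized_keys entry; image C ships its own key.
_SHARED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
               b"MIIEpAIBAAKCAQEAplaceholderSharedKeyBody\n"
               b"AAAAsharedkeycontinues==\n"
               b"-----END RSA PRIVATE KEY-----\n")
_UNIQUE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
               b"b3BlbnNzaC1rZXktdjEAAAAAdifferentkeybody\n"
               b"-----END OPENSSH PRIVATE KEY-----\n")
_ROOT_AUTH = b"# vendor support access\nssh-rsa AAAAB3placeholderpubkey vendor@build\n"
SAMPLE_IMAGES = {
    "image_A": {"etc/ssh/ssh_host_rsa_key": _SHARED_KEY,
                "root/.ssh/authorized_keys": _ROOT_AUTH},
    "image_B": {"etc/ssh/ssh_host_rsa_key": _SHARED_KEY,
                "root/.ssh/authorized_keys": _ROOT_AUTH},
    "image_C": {"etc/ssh/ssh_host_ed25519_key": _UNIQUE_KEY},
}


def find_private_keys(blob):
    """Return [(kind, digest)] for every PEM private key in blob. The digest is
    SHA-256 of the base64 body with whitespace removed, so the same key is
    recognised even if two files wrap their lines differently."""
    found = []
    for m in PEM_KEY_RE.finditer(blob):
        body = b"".join(m.group("body").split())
        found.append((m.group("kind").decode(), hashlib.sha256(body).hexdigest()[:16]))
    return found


def scan_image(files):
    """Walk one unpacked image: collect private keys anywhere in the tree and
    any non-comment entries that grant SSH login as root."""
    keys = [(path, kind, digest)
            for path, blob in files.items()
            for kind, digest in find_private_keys(blob)]
    auth = files.get("root/.ssh/authorized_keys", b"").decode(errors="replace")
    root_logins = [ln.strip() for ln in auth.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")]
    return {"keys": keys, "root_authorized_keys": root_logins}


def shared_keys(images):
    """digest -> sorted image names, for keys present in more than one image.
    A key that every unit ships with is the EAS failure mode: whoever has one
    firmware download can log in to all of them."""
    seen = defaultdict(set)
    for name, files in images.items():
        for _path, _kind, digest in scan_image(files)["keys"]:
            seen[digest].add(name)
    return {d: sorted(n) for d, n in seen.items() if len(n) > 1}


def report(images):
    """Human-readable findings, one per line."""
    lines = []
    for name, files in images.items():
        result = scan_image(files)
        for path, kind, digest in result["keys"]:
            lines.append(f"{name}: {path}: {kind} sha256:{digest}")
        for entry in result["root_authorized_keys"]:
            lines.append(f"{name}: root login authorized for '{entry.split()[-1]}'")
    for digest, names in shared_keys(images).items():
        lines.append(f"SHARED KEY sha256:{digest} in {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_IMAGES)))
```

Run against real images, point `SAMPLE_IMAGES` at the output of your unpacker (binwalk, unsquashfs or similar); any key that the scanner reports as shared, or any host key present in the image at all, means the device is not generating its own key on first boot, which is the root cause the vendors had to re-engineer.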

Actual takeovers of isolated parts of the alert system are not unknown. "Earlier this year, we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse," Davis said. During the "alert," viewers of CBS affiliate KRTV heard the grating short-tone bursts that usually signal that "this is a test of the Emergency Broadcast System." In this case, however, the audience was subsequently warned that "the bodies of the dead are rising from their graves and attacking the living."

According to IOActive, it is not known whether the flaw that Davis found was the same flaw used in the Montana zombie incident.

The two makers of equipment affected by the root-privilege flaw have issued firmware updates that correct the problem, according to CERT. Because the private key itself is now public, an update only closes the hole if it also replaces the exposed key; operators should verify that the old public key no longer appears in root's authorized_keys on their units and that each device carries a key of its own.




Damballa: Security vendor partnerships of growing importance

NATIONAL HARBOR, Md. - Atlanta-based startup Damballa Inc. is among the many vendors seeking to position itself at the forefront of advanced attack detection and prevention. Not only is it endeavoring to do this with copious research and an ongoing public relations effort, but also by hiring big names. Most recently the company added Sameer Bhalotra, former White House senior director of cybersecurity under President Barack H. Obama, to its board of advisors.

At the recent 2013 Gartner Security and Risk Management Summit, SearchSecurity spoke with Bhalotra and Damballa CEO David Scholtz about the benefits of best-of-breed information security products, emerging malware and the future of threat detection.

What are your thoughts on partnerships among best-of-breed product vendors? Symantec CEO Steve Bennett outlined his strategy for packaging Symantec's products with those from other vendors, and Damballa already has partnerships in place with companies like F-Secure, Nominum and Blue Coat. Why is that beneficial for enterprises?

David Scholtz: We're in the midst of an evolution involving the traditional layers of security. Look at a lot of the innovations taking place at companies like Damballa, Invincea, Bromium or Co3. There are a lot of companies out there bringing a lot of innovation and intellectual capacity to this landscape, which is creating a new layered fabric of security. Over the last couple of decades, you have either had "security in depth" or "layered defense" or whatever terms you want for traditional endpoint and network security, and all the different products in that stack. Now all that is being reinvented in real time to address the new threat paradigm. There is going to be a whole new set of companies that collaborate and work together. We vendors may all appear competitive, but the reality is, we're doing different things.

Sameer Bhalotra: To me, cooperation is a must; it's mandatory. We have no chance to defend ourselves if we don't. I think that products that seem the same or competitive usually have different strengths. For example, there are companies that focus on the prevention of advanced threats. Technology like Damballa's is [a] very useful complement to them even though they might seem competitive when you're looking at them from far away. A combination of those technologies might provide the best defense, so I think it's a must.

Your company's mission, according to your website, is to discover the threats that bypass other layers of security. What are those threats, and what makes your approach unique?

Scholtz: If you think about the kill chain, with Damballa, we really pick it up from the point of communication; we're not a prevention play at all. Another theme you'll hear is that prevention will not scale, especially when you think about the amount of resources being deployed to respond and remediate. To get in front is to understand what the mindset is and the techniques are of the threat actors themselves. So what we're working to do is shorten the time from infection to detection, and then from detection to response and then ultimately provide more value in ongoing remediation.

The way we do that is the various profilers we have, which we refer to as communication profilers. As I mentioned, we started with DNS, now we have domain flux and a DGA [domain generation algorithm] profiler. We recently announced a peer-to-peer profiler. So those are all based upon the types of techniques we see the threat operators using, in this case around communication. So between the analysis of behavior and the intelligence we have about the threat operators themselves, and the bad domains out there and the infrastructure being used and the content analysis, and as we have our algorithms determine whether or not an asset is infected in real-time based upon communications, we also package up that core bit of forensic evidence that we used to determine that an asset was under threat operator control, and we pass that along to assist in the acceleration of the response.

What are some of the most prevalent malware evasion techniques that you're currently seeing?

Scholtz: A lot of the techniques are not all that sophisticated. And the bad news is right now they don't have to be. For example, some of the malware variants we've seen recently, like PushDo, have been based on malware that's been around awhile, so in some cases it's just being repurposed. The infrastructure being used by threat operators fosters a whole series of events. It's going from not only the reconnaissance and weaponization, but also getting into the points of dropping files, having command and control back to actually download a separate payload, removing the traces of what was there before.

Domain fluxing is a technique increasingly being used more often. Domain fluxing is the notion that on any given day there will be one domain that can actually be rationalized and the malware, in its communication, will work through a whole series of algorithms, talking and trying to connect with thousands of what we refer to as NXDOMAINs, or domains [that] are not resolved, and then they'll find the one that is current for that specified time period, and that's what will establish the communications. And then that one is no longer valid, and then each day it just moves on to the next.
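A detector for the NXDOMAIN pattern Scholtz describes, as an added example rather than Damballa's profiler: a toy date-seeded generator stands in for a real family's DGA (the name list is illustrative only), the resolver-log format `<timestamp> <client> <qname> <rcode>` is assumed, the thresholds are assumptions, and the log lines are constructed. A host that burns through many NXDOMAINs for high-entropy labels and then gets one answer is flagged, and the first name that resolved after the burst is reported as the day's rendezvous domain.

```python
import hashlib
import math
from collections import defaultdict
from datetime import date


def toy_dga(day, count, tld="com"):
    """Deterministic list of `count` 16-letter names for a given day.
    Illustrative stand-in for a real family's algorithm: both sides only need
    to agree on the seed (the date) to derive the same list."""
    names, state = [], day.isoformat().encode()
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        label = "".join(chr(ord("a") + b % 26) for b in state[:16])
        names.append(f"{label}.{tld}")
    return names


def label_entropy(label):
    """Shannon entropy (bits/char) of a DNS label; generated labels score high,
    dictionary-style hostnames (www, mail, intranet) score low."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Assumed resolver log format: '<timestamp> <client_ip> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode


def score_hosts(lines, nx_threshold=20, entropy_threshold=2.8):
    """Return {client: details} for clients that produced at least nx_threshold
    NXDOMAIN answers whose labels look generated. Also records the first name
    that resolved after the burst: the day's live rendezvous domain."""
    events = defaultdict(list)
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        events[client].append((qname, rcode))
    suspects = {}
    for client, evs in events.items():
        nx_count = sum(1 for _, r in evs if r == "NXDOMAIN")
        if nx_count < nx_threshold:
            continue
        nx_names = {q for q, r in evs if r == "NXDOMAIN"}
        mean_h = sum(label_entropy(q.split(".")[0]) for q in nx_names) / len(nx_names)
        if mean_h < entropy_threshold:
            continue
        rendezvous, seen_nx = None, 0
        for q, r in evs:
            if r == "NXDOMAIN":
                seen_nx += 1
            elif seen_nx >= nx_threshold:
                rendezvous = q
                break
        suspects[client] = {"nxdomain": nx_count, "distinct_names": len(nx_names),
                            "mean_entropy": round(mean_h, 2), "rendezvous": rendezvous}
    return suspects


def sample_log(day=date(2013, 7, 9)):
    """Constructed resolver log: host 10.0.0.5 walks 30 generated names (29 fail,
    the 30th resolves); host 10.0.0.7 does ordinary lookups with one typo."""
    lines, names = [], toy_dga(day, 30)
    for i, name in enumerate(names):
        rcode = "NOERROR" if i == len(names) - 1 else "NXDOMAIN"
        lines.append(f"{day}T08:00:{i:02d} 10.0.0.5 {name} {rcode}")
    for name, rcode in [("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"),
                        ("intranet.example.com", "NOERROR"), ("wwww.example.com", "NXDOMAIN")]:
        lines.append(f"{day}T08:01:00 10.0.0.7 {name} {rcode}")
    return lines


if __name__ == "__main__":
    for client, info in score_hosts(sample_log()).items():
        print(client, info)
```

The entropy gate is what keeps a user with a misconfigured search suffix, who also produces a steady trickle of NXDOMAINs, out of the suspect list; the rendezvous name is the piece of evidence worth passing to the responder, since it is the one the infected host actually reached.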

Where is Damballa heading in the next 6 to 12 months and beyond?

Scholtz: We just released our peer-to-peer profiler [which performs flow analysis on egress traffic to discover malicious connections in P2P swarms]. I think additional product offerings will really look at expansions on the profilers we have. Our research teams and threat analysts are looking at the techniques that are being used by attackers and coming up with additional technologies. For us, our mission is to provide the best, most relevant detection capability in the industry.

We're seeing the recognition that amid a noisy world of alerts and massive amounts of information and a lot of effort being spent on prevention, there's value in the actionability and the specificity of the information that we provide to our customers around what their assets are doing. Often that means information not only about whether they are infected, but also that those hosts are actually actively communicating. That's how we highlight business risk.




July 2013 Patch Tuesday: Critical fixes, but in a lazy summer sort of way

Microsoft's July 2013 Patch Tuesday release meant updating a wide variety of products, with the Redmond giant rating six of the seven patches "critical." Three of the patches fix instances in various products of a remote execution vulnerability linked to how Windows parses TrueType fonts.

Across all seven bulletins, an unusually wide variety of Microsoft's products are affected, including all Internet Explorer versions, all versions of the Windows OS, and multiple versions of Microsoft Office. Paul Ducklin, writing on the NakedSecurity blog, said the range of affected systems means that before applying the patches "it would be wise to make sure that you have all your operational ducks in a row."

In a blog entry, Qualys' Chief Technology Officer Wolfgang Kandek recommended organizations "start the patching process with MS13-053, a bulletin for Windows that applies to all versions of the OS." This is important, Kandek said, at least in part because of the font issue, of which he said, "The most likely attack vector is through end users browsing a malicious webpage or opening an infected document, which results in remote code execution that gives control of the affected machine to the attacker."

Adobe also released Tuesday patches: three bulletins for its Flash Player, Shockwave and ColdFusion products.

And, if it feels like July only just arrived and the patch is landing early, that's because it is. The NakedSecurity blog noted that "it's almost as early as it can be, since July started on a Monday."




Malwarebytes: Maneuver around 'FBI ransomware' on Macs

Ransomware isn't limited to PCs anymore; Apple OS X users are being targeted in this scam now, too.

But thanks to a blog post and YouTube video by Jerome Segura, senior security researcher at Malwarebytes, Mac users can easily rid themselves of the annoyance of a "locked computer" without forking over the $300 ransom demanded by the latest "FBI ransomware," which won't get your computer unlocked anyway.

How easily is this "FBI ransomware" turning up? "I went on Bing and did a search for Taylor Swift and clicked some links and eventually found one that led me to a link that totally locked my Mac," Segura said.

Is there a social engineering aspect to this scam? "There's definitely a little link between the type of content you've been browsing that leads to this page, because part of the page warns you about browsing copyrighted material or pornographic content," Segura said. "So it kind of makes sense that if you've been browsing some free movies or looking at porn, if you see this message it's going to be a lot more relevant and you might actually believe it."

How does it work? "It's using a piece of JavaScript that intentionally is made to force a loop so that every time you click the 'close' button it'll tell you that you can't close it because it's been locked," Segura explained. "This is something new, because it prevents you from closing the browser. The piece of JavaScript has been used by other Web developers, but the criminals took the 'Are you sure you want to leave this website' message and customized it to say, 'You're locked,' and increased the counter so you're getting the message 150 times."

Segura looked at the source code to find that the magic number is 150, but many people give up after 10 tries. "There's no exploit, just a little trick," he said. "It takes advantage of the fact that if you force quit the browser, it recovers the last URL and this puts you right back on that locked page. The bad guys aren't reinventing the wheel, they're just using certain features."

Who's running this scam? "It's an IP address that's well known for pornographic and illegal content, located in St. Petersburg, Russia, and is most likely on what we call a bulletproof hosting service," Segura said. "One of the domains had a spike of 50,000 hits in one day. Now that's just one domain, and they're using multiple domains, so if even 2% of people pay the ransom, it would be $300,000 in one day."

Any malware involved? "As far as the Mac users are concerned, no; there's no exploit code and no malware," Segura said. "But for Windows users, it's a different story; there's malware involved in the form of banking Trojans on your computer that can capture your keystrokes if you do any online banking."

The Internet Crime Complaint Center is aware of the situation and posted a note on their website: "Do not follow the ransomware instructions."




Bit9 report blasts Java security vulnerabilities as 'severe'

In a high-level study of Java and its vulnerabilities, endpoint security company Bit9 found that nearly half of all endpoints have more than two versions of Java installed. Java is so pervasive, and organizations are so ineffective at shrinking their attack surface by removing old versions, that endpoints become easy targets for attackers.

Java, known as the "write once, run anywhere" platform, is installed on nearly every computing device. Many websites and web applications require Java to operate properly -- try turning it off in your browser to see just how many.

In 2012, thanks to this popular platform's many vulnerabilities, it became the technology most frequently exploited by attackers. Bit9's just-released "Java Vulnerability Report: Write Once, Pwn Anywhere" provides insight into just how bad the Java problem is.

Java is bad in a special way

Java is frequently slammed, with people claiming you should disable it in your environment, according to Dan Brown, lead security researcher at Bit9.

"But people aren't heeding the advice to remove it because they don't view it as being distinct from other vulnerable software. But Java is different, and there are reasons why it's favored by attackers," Brown said.

There are many different versions of Java and you can try to keep up with patches and updates, but the average organization has "more than 50 different versions of Java on their networks," Brown said. But "fewer than 1% of enterprises are running the latest version."

The most popular version of Java -- version 6, update 20 -- has 96 vulnerabilities that are rated a "perfect 10," according to Bit9's report. That's 96 as-severe-as-you-can-get vulnerabilities.

How quickly are these Java security vulnerabilities showing up? "Fast. Just in a matter of months, between version 7, update 21, and version 7, update 25, software installed everywhere had 38 severe vulnerabilities," Brown said.

While people have been banging on the "Java is bad" drum for quite a while already, Bit9 hopes to shine light on the fact that it isn't just bad; it's bad in a special way. "People don't understand that installing Java doesn't remove older versions. Make sure you upgrade, not install again. That's one of the reasons there are so many versions of Java on endpoints," Brown said.

Why is it bad to have older versions of Java on endpoints? "Java security vulnerabilities come in a couple of flavors," Brown explained. "One is a typical exploit that allows you to break out of the sandbox. The Java virtual machine (VM) running in a browser basically has an isolation sandbox layer around it. Attackers can find and use vulnerabilities to essentially convince Java to behave like a full-blown Java application -- with all the rights and privileges -- rather than being restricted to the in-browser sandbox."

A second class of weakness has to do with the version-selection controls put in place by Oracle and others: the Java plug-in warns the user when an applet asks to be run on an older installed version of Java rather than the newest one.

"An attacker can basically ask to have their code run on older, more vulnerable versions," Brown said. "It's a difficult problem, substantially different than the other types of vulnerabilities that organizations are used to dealing with. If every organization could flip a switch and get rid of Java vulnerabilities in their environment, they'd be substantially safer."

Java is a capable, functional black box

One thing that sets Java apart that tends to get glossed over from a threat perspective is that it's a capable, functional black box. When an attacker gains control of the Java VM, they have lots of capabilities -- including scripting.

If they can get one of the vulnerabilities to simply break out of the sandbox or give them elevated privileges in the VM, whatever code they want to download is executed by the Java VM, and their security controls have next to no visibility into that.

"Java's not like Adobe Acrobat, which is a fixed-function program that doesn't provide an attacker with many capabilities inherent to that software," Brown explained. "With Java, the attacker has all of the capabilities of the Java VM to use at their will, and they can do all of those things in the context of Java."

When people look for malware, they look for bad executables, and what they see is just Java.exe, which we all love and trust, but wait -- it's running code internally. "The code inside is basically causing Java.exe to do all these malicious things," Brown said. "It's providing those capabilities, essentially making that a black box so security controls don't have visibility into it. That's something I don't think people know and it makes Java an easy target."

How can enterprises lower their risk of Java exploits?

Some enterprises can remove Java wholesale from their environments without seeing a real impact to their business. But for others, Java will be embedded in business use cases for a long time.

"Enterprises may not have the resources to revamp old code they've written in Java," Brown said. "But you still need to pay attention to it and deal with it somehow. The first step is to find out how pervasive it is in your enterprise -- how many versions you have and where -- and figure out how many versions you can get rid of."

Another step is to remove exposure to the Web browser if you can. "Removing Java from the browser removes virtually all of the attack surface area," Brown said.

If you have business use cases for Java, especially if it has to run in the context of the browser, Bit9 recommends isolating that environment. "Give it special treatment with a sandbox browser or, better yet, use a VM or some isolation technology to truly isolate the Java on your desktop network," Brown noted.

Bottom line: Bit9 recommends removing Java if you can. If not, reduce exposure as widely across your organization as possible and isolate it if it absolutely has business case uses in your environment that you just can't live without.
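The first step Brown describes, counting how many runtimes each endpoint carries and which ones can go, as an added example rather than Bit9's collector: it parses the `java -version` banners a collection agent would gather from every Java binary on disk and produces the two fleet-level figures the report quotes. The host names, the banners and the value of `LATEST` are constructed assumptions.

```python
import re
from collections import Counter

# First line of `java -version` / `openjdk -version`, legacy 1.x_NN or modern N.N.N.
BANNER_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>\d+(?:\.\d+)*(?:_\d+)?)"')

# Assumption for the example: the newest JRE an endpoint is expected to carry.
LATEST = (1, 7, 0, 25)

# Constructed collector output: host -> banner for every java binary found on
# that host's disk. These are not real hosts.
SAMPLE = {
    "ws-01": ['java version "1.6.0_20"', 'java version "1.7.0_21"', 'java version "1.7.0_25"'],
    "ws-02": ['java version "1.6.0_20"', 'java version "1.6.0_31"'],
    "ws-03": ['java version "1.7.0_25"'],
    "ws-04": ['java version "1.6.0_45"', 'java version "1.6.0_20"', 'java version "1.7.0_05"'],
}


def parse_version(banner):
    """'java version "1.7.0_25"' -> (1, 7, 0, 25). Components are padded so that
    '9.0.1' or '17' compare correctly against the legacy 1.x_NN scheme."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no version banner in {banner!r}")
    base, _, update = m.group("ver").partition("_")
    parts = [int(x) for x in base.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (int(update or 0),)


def human(version):
    return "{}.{}.{}_{}".format(*version)


def summarize(inventory, latest=LATEST):
    """Per-host version list plus the fleet-level figures the report quotes."""
    hosts = {}
    for host, banners in inventory.items():
        versions = sorted({parse_version(b) for b in banners})
        hosts[host] = {
            "versions": [human(v) for v in versions],
            "count": len(versions),
            "has_latest": latest in versions,
            "only_latest": versions == [latest],
            # every runtime except the newest is a leftover that should be uninstalled
            "removable": [human(v) for v in versions if v != latest],
        }
    fleet = Counter(v for h in hosts.values() for v in h["versions"])
    total = len(hosts)
    return {
        "hosts": hosts,
        "distinct_versions_fleetwide": len(fleet),
        "most_common": fleet.most_common(1)[0],
        "pct_more_than_two_versions": round(100 * sum(h["count"] > 2 for h in hosts.values()) / total, 1),
        "pct_only_latest": round(100 * sum(h["only_latest"] for h in hosts.values()) / total, 1),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['pct_more_than_two_versions']}% of hosts carry more than two Java versions")
    print(f"{s['pct_only_latest']}% of hosts run only the latest ({human(LATEST)})")
    for host, h in s["hosts"].items():
        print(host, h["versions"], "remove:", h["removable"])
```

The `removable` list is the actionable output: because installing a new Java does not remove the old one, the inventory has to be the thing that drives uninstalls, and a host with the latest release on it is still exposed until its older runtimes are gone.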




Turkish researcher claims responsibility for Apple dev site hack

A Turkish security researcher, Ibrahim Balic, issued a screencast video on YouTube earlier today -- which was initially public, but was yanked from public viewing this afternoon -- that appeared to show he successfully hacked into Apple's developer program website. The Apple site had gone offline this past Thursday, at first without explanation, and then later with the notice that "an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed; however, we have not been able to rule out the possibility that some developers' names, mailing addresses and/or email addresses may have been accessed."


Screen shot from YouTube video claiming credit for Apple developer site hack. The user's name is shown in the clear in the original.

Balic told Britain's The Guardian that his: "Intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked."

One source of early comments on YouTube following the appearance of the video was the inclusion in the video of actual usernames and email addresses. One commenter, for example, felt that "a real Web security expert would never expose personal info on YouTube!"

In a weekend letter to account holders at the site, Apple said it is "completely overhauling our developer systems, updating our server software, and rebuilding our entire database."




Aveksa acquisition expands RSA's intelligence-driven security strategy

EMC Corp. has acquired Aveksa, a provider of identity and access management (IAM) solutions, saying the purchase will enhance RSA's current offerings in the identity and access management space.

This was a "long-overdue acquisition, and one that RSA needed so it can compete at the highest levels in an identity management market set to undergo dramatic changes during the next two years," said Andy Kellett, principal security analyst at Ovum. "It was vital for RSA to choose a mature IAM partner to enable it to compete with the new generation of cloud-focused identity management providers."

As authentication and identity management become more tightly interwoven and increasingly complex in cloud-based, application-centric environments, the days of each user having a single authentication to an enterprise network are rapidly coming to an end. Now, dozens of authentications to applications and related data are required across multiple user devices and across cloud and on-premises infrastructures.

The task of ensuring that users have appropriate access to enterprise resources has traditionally been IT-driven, and it relies on legacy IAM solutions to enforce policies, processes, procedures and applications. The lack of intelligence and business context in these legacy solutions can lead to an increased risk of data breaches, noncompliance and excessive privilege, according to RSA.

With Aveksa under its wing, RSA claims it will be able to provide enterprises with the ability to automate the complete identity lifecycle of users from a business-driven perspective and turn traditional IAM systems into more intelligent and scalable "situational perimeters."

"It's a combination of what RSA has already been pushing in terms of an intelligence-driven security approach," said Manoj Nair, senior vice president and general manager at RSA. "Aveksa has done pioneering work in identity intelligence and transformed the traditional IAM space by introducing identity intelligence and governance. We're going to take it to the next level now."

They'll get to that next level by "bringing in the most important aspect of user behavior: what privileges users have versus what they need," Nair explained. "When we combine what we can do today from a governance, risk and compliance perspective in a business context, it gives you a 360-degree view of your infrastructure and enterprise."

Down the road, as RSA and Aveksa roll out their authentication platform with risk-based techniques, combined with intelligence in terms of actual user behavior and a user-entitlement view, "you'll see some very interesting potential," Nair said.




Data loss prevention tools: Understanding your options

Today's complex IT environments and business processes have created near-impossible scenarios for successfully monitoring and securing data. Data loss prevention (DLP) tools can ease an organization's data protection pain points, but they are only effective if they are chosen, executed, and managed appropriately.

In this video, information security expert Kevin Beaver offers a primer on DLP best practices based on real-world experiences with the technology. Beaver speaks specifically to the importance of understanding what data is at risk, choosing the most effective data loss prevention tools to fit your needs, avoiding common mistakes and pitfalls with DLP implementation and knowing what areas and data types are most important to focus on once the DLP system is in place.



Cisco spends cool $2.7 billion in Sourcefire acquisition

Cisco has announced that it will purchase IPS and next-generation firewall provider Sourcefire for $2.7 billion, saying it will pay $76 per share in cash for the Columbia, Md.-based company.

This isn't the first time Sourcefire has been courted. In 2005, Check Point offered $225 million and the bid was accepted, but the deal fell through because concerns in the U.S. Congress were likely to hold up or stop the sale. The present Sourcefire acquisition is not only for a much larger sum, but is also the largest security-company purchase since Intel's 2011 purchase of McAfee for $7.68 billion.

A statement from Cisco said the combined security capabilities will enable the company to "provide continuous and pervasive advanced security threat protection across the entire attack continuum and from any device to any cloud." Hilton Romanski, vice president of Cisco's corporate development, said that taken together, the two companies "have a unique opportunity to deliver the most comprehensive approach to security in the market."

Maybe not absolutely comprehensive though. Jim Ricotta, CEO of Verdasys, said he sees the new team as "just one part of the solution." In his view, there is still "a gaping hole in the kill-chain defense against both malicious insider and malware." Still plenty of room for a company like Verdasys, Ricotta believes, since data security is still left out of the equation in the Sourcefire purchase.

Mike Rothman, Securosis analyst and president, said the acquisition is nevertheless "a very big deal." Noting that Cisco has, in the past, sometimes floundered when integrating acquired companies, he said, "If -- and it's a giant 'if' -- Cisco can do a good job of this, you can't beat Cisco's distribution channel in networking."

"If they let [Sourcefire founder] Marty Roesch do his job and they give him the resources to do it," Rothman said, "this could get pretty interesting." Roesch founded the company in 2001 to capitalize on the success of his open source intrusion detection engine Snort.

Rothman said an acquisition of IPS and next-gen firewall technology was necessary if Cisco was going to be a significant player in the security arena. "Cisco had to do something, and this was the best something they could do," he said, noting that some other potential acquisition targets would have been considerably more expensive.




2013 Black Hat conference: Feds welcome!

After Defcon founder Jeff Moss' announcement that Feds should skip Defcon rocked global headlines and triggered blowback from companies like Secure Ideas -- which wasted no time taking to the blogosphere to announce they'd skip it too -- we wondered about Black Hat's stance on the issue. So we quickly asked Trey Ford, general manager of Black Hat, for his take on it, and also asked Greg Young, Gartner research vice president and lead analyst for network security, for his insight about potential long-term impacts for the security industry.

How does Black Hat feel about Feds attending the show this year?

Trey Ford: Feds, from the United States and abroad, are welcome and will be attending. In addition to General Alexander, we're also welcoming the CISO of the FBI as a speaker this year. Black Hat's mission is to cultivate the conversations and relationships between our communities that will in turn help define and defend the future of security.

Do you think 2013 Black Hat conference attendees are uncomfortable about the relationship with Feds?

Ford: The general tone between those groups has probably improved over the years. Snowden's Prism leak didn't give us something new to fear -- we know our spy agencies are spying. What happened is that we got some insight into how they're doing it and how far they've taken it. We all have some kind of feelings about that, but we want to see the Feds at the Black Hat conference. They need to be brought back into the conversation.

What long-term impact will this message to Feds have on the security industry?

Greg Young: It's an interesting development, which I think speaks to more friction between the overlapping communities of vulnerability research and its associated communities because of recent revelations about the NSA.

There's a material interest in selling to the government for many security companies, so that really makes this an uncomfortable issue. I expect the contortions to continue as companies decide how to react to this now that they're being dragged into it. The posture they take is going to stay with them -- yet I suspect any company that's involved in security must have a strategy to deal with this.

The upcoming 2013 Black Hat conference is being held in Las Vegas, Nevada, July 27 to Aug. 1, 2013.




FortiGuard Labs: Advanced persistent threats are escalating

Advanced persistent threats in the form of tricking users into visiting malicious websites, as well as phishing emails and hacking intrusions, escalated during the first half of 2013, according to a report by FortiGuard Labs.

Based on data collected between Dec. 1, 2012 and June 1, 2013 from 121,353 FortiGate devices located around the globe, FortiGuard Labs' statistics indicated that 3.14 billion users were tricked into visiting malicious websites, 142 million unsuccessful hacking attempts were launched and 4.45 million phishing emails were blocked.

In their report, advanced persistent threats (APTs) were defined as "people being specifically targeted by a group -- whether it's an attack by a state-sponsored group or a hacktivist-motivated group -- trying to steal information from your network," explained Richard Henderson, security strategist for FortiGuard Labs at Fortinet.

During the past six months, "We've seen billions of attempts to get people to visit malicious sites that deliver riskware, adware or targeted malware … you name it," he said. "These types of attacks are definitely getting worse."

Nation states are behind most advanced persistent threats

Not surprisingly, the report primarily calls out nation states such as China, Israel, Russia and the United States as the biggest instigators of advanced persistent threats.

Launching APT attacks typically requires a high level of funding, skills and infrastructure, but some cybercriminal groups are also likely involved.

Critical infrastructure devices are parked on the public Internet

One of the most disturbing findings highlighted in the report is that billions of critical infrastructure devices are connected to the public Internet.

"Industrial control system devices, for example, should always be behind a router or gateway that sets up a secure VPN to allow access to those devices solely through an internal network," Henderson said.

The days of "hiding behind obscurity and hoping no one will find these industrial control system devices are over, since technology is evolving at such a rapid pace. Tools exist now specifically to find these devices. Attacks could have and should have happened by now -- but haven't. I hope companies start parking their infrastructure behind routers and gateways, where it requires more skill to get at them," he said.

Enterprises aren't educating users about signs of APT attacks

On the somewhat surprising side: Enterprises are doing an even worse job than expected in terms of educating users about the types of things they should be suspicious of online and the typical signs of spear-phishing attacks.

"Everyone should treat every single email that comes into their inbox with a degree of skepticism, especially ones with attachments or links to external sites," Henderson said. "If you're not expecting an email from a colleague at work and one arrives with an attachment that could contain malware, such as Excel spreadsheets, Word docs and with PDF files in particular, use caution. Years ago, PDF files were seen as safe, but now PDFs can be exploited with a relatively simple skillset."

Enterprises aren't deploying security patches with any sense of urgency

Another surprise, given how quickly cybercriminals exploit known vulnerabilities, is how many enterprises still don't deploy security patches to their systems with any sense of urgency.

"I found boxes all over the public Internet, woefully out of date and ripe for exploit, just sitting there not hidden behind any sort of firewall or gateway. With all of the point-and-click tools available to hackers now, it's not at all difficult to find and detect whether a box is vulnerable to certain exploits," he cautioned. "If enterprises don't deploy security patches within a week or two of availability, it's almost asking for someone to take advantage -- and unless you're extremely lucky, they will."

Henderson believes corporate enterprises in general will likely continue to be victimized because companies tend not to make security changes until some pain point has been reached.

"We're starting to see companies spend more on security, and it's a trend we hope continues," he said. "Cybercriminals are making millions upon millions of dollars each year with malware. The risk vs. reward … it's no surprise they're evolving in a way to monetize exploits as quickly as possible to keep the money rolling in."

The bottom line is that APTs aren't going to go away and everyone should increase their awareness of them.




RSA warns about 'KINS' banking Trojan

RSA, the security division of EMC Corp., is alerting the world to a new banking Trojan, simply dubbed "KINS," which is expected to debut in the wild soon. While RSA hasn't seen an actual copy of KINS yet, details being discussed in underground communities suggest KINS may share architectural similarities with Trojans of the past, such as Zeus or SpyEye.

Fraudsters are certainly talking about KINS as if it's the real deal, and a Russian-speaking online forum has announced its open sale to the cybercrime community. RSA believes KINS doesn't require the same level of tech savvy to deploy as previous Trojans, and thinks it will emerge within the next few weeks.

"Criminals are really looking forward to seeing this on their computers," said Limor Kessem, cybercrime specialist for RSA's FraudAction Research Labs team. "KINS is the first commercial Trojan to look believable since Citadel. It's in an exclusive environment and it's not your everyday fraudster behind it."

Rumor has it KINS is based on Citadel and shares many of its features, even though the developer denies this, according to Kessem.

"Looking at the feature list, we think there's at least some sort of a connection to SpyEye and Citadel," Kessem said. "We won't know for sure until we see the malware in the wild and can sample it and get signatures to see antivirus defenders and flag for this malware."

RSA believes KINS is built around a main malware component with plug-ins delivered as dynamic link libraries (DLLs). "It's very Trojan-like," Kessem said.

The Trojan's author has built in remote desktop protocol (RDP) access, which lets attackers log in to infected computers with the victim's own user-level privileges, a method used to commit fraud while impersonating the genuine user. "And the Neutrino exploit kit, which is one of the most sophisticated exploit packs today, is being recommended by the developer, who claims his bot conversion is very high with Neutrino," Kessem said. "Since the exploit kit is very good and the Trojan is new, bot masters using it right now are reportedly getting good results."

One unusual aspect of KINS is that it'll be the first commercial Trojan sold as a bootkit. "Unlike a rootkit, a bootkit is a different way to infect computers -- on a deeper level - on their master boot record," Kessem said. Bootkits allow the malicious program to execute before the operating system boots.

KINS will affect PCs but not Macs, according to Kessem, because cybercriminals are still targeting the more prevalent platform. "KINS is a PC Trojan and fraudsters are talking about how it's deployable on Windows 8," she added.

Not surprisingly, there's one part of the world KINS won't be infecting: Eastern Bloc countries. KINS, like Citadel, is designed not to infect users in Eastern Bloc countries, a move meant to ensure local law enforcement won't come after its operators. KINS terminates if it detects a Russian- or Ukrainian-language system.

"They can get away with it because it's very difficult to extradite people from Russia. That's why developers there won't target people in and around their own country," Kessem said.

But laws in Russia are really starting to crack down on malware developers, which is why many of them aren't willing to sell commercially anymore. "They're sort of afraid of law enforcement there, so when this Trojan came out, a lot of people said this developer is very brave and commended him for his decision to sell to others," Kessem said.

For more details, check out RSA's blog on KINS.




Feds catch hackers behind worldwide data breaches

In a federal indictment in New Jersey, five men were charged with conspiring in a worldwide hacking and data breach scheme that targeted major corporate networks, stole millions of credit card numbers and caused hundreds of millions of dollars in losses.

This is the largest data breach to be prosecuted in the U.S. to date, and the investigation to catch the hackers was led by the U.S. Secret Service.

Five defendants -- from Russia and Ukraine -- allegedly sought out corporate victims engaged in financial transactions, retailers that received and transmitted financial data, and other institutions with information they could exploit for profit. The list includes: NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

"Those who have the expertise and inclination to break into our computer networks threaten our economic well-being, our privacy and national security," said U.S. Attorney Paul J. Fishman. "This case shows there's a real practical cost because these types of frauds increase the cost of doing business for every American consumer, every day."

The defendants are charged with spearheading a worldwide hacking conspiracy that victimized a wide array of consumers and entities, causing hundreds of millions of dollars in losses.

The attacks

In a press statement, the U.S. Attorney's Office revealed the conspirators "unlawfully acquired more than 160 million card numbers through hacking."

Initial entry was often gained via SQL injection. Structured Query Language (SQL) is the language applications use to query and manage data held in relational databases; where a victim's web application built its SQL queries out of user-supplied input without proper handling, the hackers could craft input that changed the meaning of the query, and they used such vulnerabilities to get inside the corporate networks.
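As an added example, and not code from the case, the indictment or any victim system, the Python script below shows the class of bug described above. It builds an in-memory SQLite database with a constructed 'users' table, then contrasts a login check that splices input straight into the query text with one that passes the same input as bound parameters. The table, its rows and the payload string are all hypothetical.

```python
"""Added example, not from the indictment or any victim system: SQL
injection against a login check, using an in-memory SQLite database with
constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed sample 'users' table (hypothetical data).

    Passwords are kept in clear text only to keep the demonstration short;
    a real system stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "clerk")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The 'before': user input is spliced into the SQL text.

    A quote character in the input ends the string literal early and the
    rest of the input is parsed as SQL, so the attacker controls the WHERE
    clause."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The 'after': placeholders plus a parameter tuple.

    The driver sends the values separately from the statement, so input is
    only ever compared as data and cannot alter the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Classic payload (constructed): close the string literal, add a tautology,
# and comment out the password check. '--' starts a comment in SQLite as
# in most SQL dialects.
PAYLOAD = "alice' OR '1'='1' --"


def demo() -> dict:
    """Run both versions against the payload, plus one legitimate login."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "safe": login_safe(conn, PAYLOAD, "wrong"),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:10s} -> {row}")
```

Running demo() returns the admin row from the vulnerable path even though no valid password was supplied, and None from the parameterized path for the same input; the legitimate credentials still work. Whatever the language or database, the fix comes down to the same rule: untrusted input must never reach the query parser as SQL text.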

Once they infiltrated the networks, the defendants placed malware on the system to create a "back door," providing access to the network. In some cases, the hackers lost access to the network due to security efforts, but were able to regain it through persistent attacks.

Instant messages revealed the hackers often targeted the victim companies for months, waiting patiently as their efforts to bypass security were underway. It turns out they had malware planted in several companies' servers for over a year, which allowed them to install "sniffers" to identify, collect and steal data from the networks over a long period of time.

Unmasking the hackers

The five defendants each served particular roles in the scheme, according to the indictment unsealed in Newark federal court and other court filings: Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia, and Alexandr Kalinin, 26, of St. Petersburg, Russia, each specialized in penetrating network security and gaining access to corporate victims' systems. Roman Kotov, 32, of Moscow, also a hacker, specialized in mining the networks Drinkman and Kalinin compromised to steal valuable data. The hackers hid their activities by using anonymous Web-hosting services provided by Mikhail Rytikov, 26, of Odessa, Ukraine. Dmitriy Smilianets, 29, of Moscow, is charged with selling the information stolen by the other conspirators and distributing the proceeds.

Kalinin and Drinkman were previously charged in New Jersey as "Hacker 1" and "Hacker 2" in a 2009 indictment charging Albert Gonzalez, 32, of Miami, in connection with five corporate data breaches -- including the breach of Heartland Payment Systems Inc., which at the time was the largest known data breach. Gonzalez is currently serving 20 years in federal prison.

The U.S. Attorney's Office for the Southern District of New York announced two more indictments against Kalinin: one in connection with hacking computer servers used by NASDAQ, and a second that charges Kalinin and another Russian hacker, Nikolay Nasenkov, with an international scheme to steal bank account information by hacking U.S.-based financial institutions. Rytikov was previously charged in the Eastern District of Virginia for an unrelated scheme. Kotov and Smilianets haven't previously been charged publicly in the U.S.

Drinkman and Smilianets were arrested at the request of the U.S. while traveling in the Netherlands on June 28, 2012. Smilianets was extradited on Sept. 7, 2012, and remains in federal custody. He'll appear in District of New Jersey federal court to be arraigned on the superseding indictment on a date yet to be determined. Drinkman is in custody in the Netherlands, pending an extradition hearing. Kalinin, Kotov, and Rytikov remain at large. All of the defendants are Russian nationals, except Rytikov, who is a citizen of Ukraine.

Do the crime, do the time?

While all of the defendants are innocent until proven guilty, and the charges and allegations in the indictment are merely accusations at this stage, it's entirely possible they'll do some serious time in prison.

The maximum penalty for conspiracy to gain unauthorized access to computers, and likewise for unauthorized access to computers itself, is five years and a $250,000 fine, or twice the gain or loss from the offense. Conspiracy to commit wire fraud, and wire fraud itself, carry steeper maximums: 30 years and a $1 million fine, or twice the gain or loss from the offense.




5 Ways to Lose Customer Data and Possibly Your Business

Most small businesses don’t employ full-time I.T. staff, choosing instead to outsource technical support to outside firms and Cloud providers. This makes it even more crucial that business owners recognize and watch for leaks that could compromise customer financial information and private health data. Failing to do so could cost you the very business you’ve worked so hard to build.

Unitrends, a leader in backup solutions, recently revealed five common shortcuts I.T. departments take that can create customer data loss. As Unitrends points out, 94 percent of companies who suffer catastrophic data loss close their doors within two years. Forty-three percent never open their doors again. For those small businesses without full-time I.T. staff, it’s imperative that small business owners learn how to protect themselves from business and customer data loss.

“Data protection is one area where you absolutely cannot cut corners,” Unitrends says. “Losing data - the lifeblood of an organization - can mean the death of a business.”

To safeguard customer data, Unitrends recognizes these common pitfalls and provides advice on how to avoid them.

  • Don’t ignore hardware failures. No backup method is foolproof. Unitrends points out that tapes, as well as NAS and SAN storage devices, have high failure rates. Make sure your systems are being backed up to a separate, secondary storage device. Unitrends recommends disk-to-disk (D2D) backup both because of its reliability and because the copy lives on a secondary storage set.
  • Don’t trust your workers to follow policies. All too often, security breaches are caused by employee carelessness, either through disregarding policies or simply making mistakes. Putting policies in place is only the first half of the battle. Unitrends tells businesses to use automation and retention to protect themselves against human error. Automation puts procedures in place to ensure policies are followed through, while retention makes sure data can be retrieved if data loss occurs.
  • Don’t underestimate cybercriminals. Firewalls and antivirus software are only a first step toward preventing surprise attacks. Chances are, everything you have in place, criminals have learned to hack. Unitrends advises using advanced security solutions, such as web monitoring software to ensure your employees are browsing safely, endpoint protection for employee-owned devices on the network, and a sandbox to fight targeted attacks.
  • Don’t play the odds on disasters. Surprisingly, even many large businesses still fail to keep an updated disaster recovery plan in place. Unitrends emphasizes the importance of a DR plan that is customized to your business, taking into account the people, systems, and infrastructure of your organization. A business should take even the most impossible disasters into consideration, as well as those that are more likely to happen.
  • Do test DR plans. Implementing and regularly updating your DR plan is only part of the work. Your small business should regularly test your DR plan to ensure it remains relevant as your business grows. The more frequently a business’s data changes, the more frequently that business’s DR plan should be tested.

As your small business continues to shift operations to the Cloud, it’s important to remember the business is ultimately responsible. By asking the right questions and carefully researching third party providers’ offerings, a small business can protect itself without having an I.T. expert on site.





Employment Verification Systems: A Benefit to Employers and Immigration Reform OR A Violation of Privacy?

With the debate about illegal immigration raging on, people on both sides of the political spectrum are rushing to come up with solutions. While support for most ideas is divided along party lines, one solution that has seen bipartisan support is employment verification. In fact, 2012 presidential candidates Obama and Romney both supported the use of an employment verification system, such as the government’s E-Verify system.

E-Verify is a free government internet program. Employee information is compared to government records, and if there is a discrepancy, the employee must resolve the issue in order to be eligible for the job (or to continue working). E-Verify was originally created in 1997 and the website currently reports that over 409,000 employers have used the system.

Given the demand for employment verification, there has been a flood of other verification systems in recent years. While E-Verify is used solely to verify employment eligibility, these alternative employment verification systems can confirm hire and termination dates, title, detailed income information and more.

Leading the way in this category is Equifax, a company that offers employment verification services to employers through a program called The Work Number. Equifax holds a majority share of the verification industry, but smaller companies are also vying for a piece of the action. Some examples are Verify Job System, Pre Check, and EmpInfo.

EmpInfo is a cloud-based service that went live in May, 2013. Similar to Equifax, it offers services for both verifiers and employers.

  • Employers can sign up for free, allowing EmpInfo to manage their verification requests. This means you don’t have to waste time and money dealing with requests from banks, landlords, and other companies who need to verify employment information and wages for your current and past employees. Once you sign up, these requests are handled by EmpInfo.
  • While Equifax charges a fee for this service, it is free for employers to sign up for EmpInfo. In fact, they have said that in the future they may even consider a revenue-sharing system.
  • If you need to verify employment information for a new hire, you can pay a small fee to access this data on EmpInfo. You must be approved as a verifier first, and state your reason for needing the information. When you’re approved, the data is available instantly, 24/7, even on mobile devices.

EmpInfo is a small business rival of Equifax, seeking to create a large employment verification database to make the verification process simple and fast. However, some argue that the Equifax database and others like it are a violation of privacy.

Critics say that detailed income information should remain private. Verification companies like Equifax have the power to sell your income history to any company that has a ‘valid’ reason. Beyond future employers, landlords and banks who may offer you a loan, this includes a most loathed group - debt collectors.

What do you think? Are employment verification systems a good idea, one that will help with immigration and benefit small businesses? Or are they a threat to, or even a violation of, an individual’s right to privacy?

We’d love to hear what you think. Add your comments below.



President Obama Angers Small Booksellers With Amazon Speech

president obama's amazon speech

President Obama gave a speech at an Amazon.com fulfillment warehouse in Chattanooga, Tennessee yesterday pointing to Amazon as an example of a job creator.

Independent booksellers and small publishers don’t see it that way.  They were angry.  They see the President’s action as supporting a large corporation that they claim has a monopoly, at the expense of small businesses.

In his remarks at the behemoth Amazon warehouse, President Obama said, “I’m calling on our businesses to do more for their workers. Amazon is a great example of what’s possible. What you’re doing here at Amazon with your Career Choice Program pays 95 percent of the tuition for employees who want to earn skills in fields with high demand -- not just, by the way, jobs here at Amazon, but jobs anywhere -- computer-aided design or nursing. I talked to Jeff Bezos yesterday, and he was so proud of the fact that he wants to see every employee at Amazon continually upgrade their skills and improve.”

But the independent players in the book publishing industry weren’t buying it.

Dennis Johnson, co-founder of Melville House, an independent publisher located in Brooklyn, New York, wrote with obvious resentment about what he considers Amazon’s near monopoly status, its ability to undercut competitors, lose money and yet on top of that, still get lauded by the President as a champion of jobs.  In a separate piece yesterday on his company’s blog he called the President’s move an “insult added to injury to those of us in the book business.”

The American Booksellers Association, along with the New England Independent Booksellers Association (NEIBA) and the New Atlantic Independent Booksellers Association (NAIBA), wrote letters to the White House expressing outrage. A Publishers Weekly article quotes excerpts:

NEIBA demanded to know, “What is the thinking behind this decision? . . . [Amazon's] business model is based on fighting those states that have required them to collect and remit sales tax while driving Main Street brick and mortar stores out of business through predatory pricing.”

“We cannot believe this is your vision of job creation and the future of American middle class,” wrote NAIBA. “We would hope your administration would be standing with Main Street, and investigating the monopolistic practices of Amazon, rather than explicitly or tacitly endorsing those practices.”

Just prior to the President’s speech, Amazon announced it is creating 5,000 new jobs at its fulfillment warehouses.  The jobs will pay wages 30% higher than traditional retail jobs, says the Amazon announcement.  According to Geekwire, Amazon’s most recent financials indicate it now has nearly 97,000 employees.  That number is triple what it reported just three years ago.

Amazon plans to release an interview with President Obama as a free Kindle Single today.

Image credit: Whitehouse.gov video still.




Panorama dating website investigation leads ICO to crack down on data handling

The ICO is set to crack down on dating websites which readily sell users' details, and on how they handle personal data.

Following an investigation by the BBC's Panorama, the Information Commissioner's Office (ICO) has said that it has written to eHarmony, match.com, Cupid and Global Personals, as well as the industry trade body, the Association of British Introduction Agencies, over concerns about handling personal data.

Panorama found that dating profiles could be bought online, with a database of 10,000 profiles including names, email addresses and photographs of UK residents readily available. Those profiles had been taken from social networking sites; the people concerned were not aware their data was on sale, and they were not dating website users.

The ICO's own survey of major UK dating websites identified areas where the Data Protection Act was not being followed.

It has asked the companies to respond to allegations on: poor visibility of the terms and conditions that give the website consent to use personal information in certain ways; how those terms and conditions make reference to the dating company having a 'perpetual' or 'irrevocable' licence to use members' data; whether the websites have any responsibility for the loss of or damage to personal information; and whether users are being expected to provide personal details before the terms and conditions are provided.

Simon Entwisle, ICO's director of operations, said: “The evidence we're being presented with by the media suggests quite concerning business practices by some dating websites, and there are particular questions around how people's information is being used that need to be answered.

“It's concerning to see that there appear to be sites which, as a matter of course, are falling far short of the legal standards for ensuring information is accurate and up to date.

“While media reports are painting a disturbing picture, the number of complaints we're getting from the public is not very high. That could be because this is only an issue with a small minority of websites, or it could be because people are reluctant to come forward.

“The work we're doing now will help us to better understand the scale of the issue. As part of that work, we'd urge anyone who believes a dating website has misused their data to get in touch with us.”



Ubuntu forums back online after attack analysis reveals XSS tactic

The compromise of an individual account and configuration settings led to the recent issue with the Ubuntu forums.

According to a blog post, the Linux user forum is back up and running after an attacker accessed a moderator account and used it to post announcements and send private messages to three forum administrators.

The attacker claimed there was a server error on the announcement page and asked the administrators to take a look; an administrator who viewed the page was compromised in turn.

It said: “We believe the attacker added a cross-site scripting attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker. Once the attacker gained administrator access in the forums, they were able to add a hook through the administrator control panel.

“Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user' table to a file on disk which they then downloaded.”

Ubuntu determined that the attacker had full access to the vBulletin environment as an administrator and shell access as the ‘www-data’ user on the Forums application servers. That access was used to download the ‘user’ table, which contained usernames, email addresses and salted MD5 password hashes for 1.82 million users.
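The hook described above turned a query-string argument into a PHP execution channel, so the attacker's exploration and shell-kit uploads would have left PHP source in the web server's access logs. The following is an added example of how to hunt for that pattern; it is not Ubuntu's or vBulletin's code, and the log lines and the parameter name `x` are constructed for illustration. It decodes each parameter twice, because a single round of decoding misses double-encoded payloads.

```python
"""Hunt web-server access logs for PHP source arriving in query-string
arguments, the channel the post describes for the attacker's vBulletin hook.
Added example, not Ubuntu's or vBulletin's code; the log lines and the
parameter name 'x' below are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens a forum query string never needs but PHP smuggled to an eval()-style
# sink usually carries.
PHP_MARKERS = re.compile(
    r"(<\?php|\b(?:eval|system|passthru|shell_exec|exec|assert|base64_decode|"
    r"file_put_contents|file_get_contents)\s*\(|\$_(?:GET|POST|REQUEST)\b)",
    re.IGNORECASE,
)


def suspicious_params(target):
    """Return [(param, decoded value)] for query parameters carrying PHP markers."""
    hits = []
    # parse_qsl performs one round of percent-decoding; a second unquote_plus
    # catches double-encoded payloads (e.g. %2565val -> %65val -> eval).
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if PHP_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def hunt(log_lines):
    """Scan log lines and return one finding per suspicious parameter."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; leave it for other tooling
        for param, code in suspicious_params(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": urlsplit(m.group("target")).path,
                "param": param,
                "code": code,
            })
    return findings


# Constructed sample: one normal request and two abusing a hook that evals
# whatever arrives in 'x'. Only the last is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2013:10:01:22 +0000] "GET /forumdisplay.php?f=12&page=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Jul/2013:10:05:01 +0000] "GET /showthread.php?t=1&x=system%28%27id%27%29%3B HTTP/1.1" 200 311',
    '198.51.100.7 - - [14/Jul/2013:10:06:40 +0000] "GET /showthread.php?t=1&x=%2565val%2528base64_decode%2528%2527aWQ%2527%2529%2529%253B HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['code']!r}")
```

Two caveats a practitioner would add: POST bodies are not in access logs, so a hook fed through a form field needs request-body logging or a web application firewall to catch, and the marker list will produce false positives on forums where users legitimately post code in URLs, so treat hits as leads to confirm against the administrator control panel's hook list rather than as verdicts.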

However, it does not know how the attacker gained access to the moderator account used to start the attack, or exactly what cross-site scripting payload was used, because the announcement the attacker posted was deleted by one of the forum administrators.

In response, it has told users to change their passwords, wiped and rebuilt the servers, and manually imported the data into a fresh database after sanity-checking each table.

It has also switched the forums to Ubuntu single sign-on for user authentication, implemented automated expiry of inactive moderator and administrator accounts, reviewed and further hardened the firewalling around the Forums servers, and now forces HTTPS for the administrator and moderator control panels while making it optionally available everywhere else.
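Forcing HTTPS on the control panels only protects a session cookie that is marked Secure, and the cookie theft described in the post only works against a cookie that script can read. The page does not say which attributes vBulletin set on its cookies, so the following is an added check, not Ubuntu's or vBulletin's code, that audits Set-Cookie headers for the three attributes that matter; the cookie names and values are constructed.

```python
"""Audit Set-Cookie headers for the attributes that bound the damage of the
cookie-stealing XSS described above.  Added example, not Ubuntu's or
vBulletin's code; the cookie names and values are constructed, not taken from
vBulletin."""


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a dict of name, value and the
    three attributes this audit cares about."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "samesite": None}
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower() or None
    return cookie


# Substrings that mark a cookie as carrying a session or login state.
SESSION_HINTS = ("sess", "session", "auth", "token", "login", "admin")


def audit_cookies(set_cookie_headers, https_only=True):
    """Return (cookie name, problem) pairs for session-like cookies.

    HttpOnly keeps a cookie out of document.cookie, so injected script cannot
    read and exfiltrate it; Secure keeps it off plain-HTTP requests, which is
    what makes forcing HTTPS on the admin panel effective; SameSite=Lax or
    Strict stops most cross-site requests from carrying it.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not any(hint in cookie["name"].lower() for hint in SESSION_HINTS):
            continue  # preference cookies are not worth an alert
        if not cookie["httponly"]:
            findings.append((cookie["name"], "missing HttpOnly"))
        if https_only and not cookie["secure"]:
            findings.append((cookie["name"], "missing Secure"))
        if cookie["samesite"] not in ("lax", "strict"):
            findings.append((cookie["name"], "SameSite not Lax or Strict"))
    return findings


# Constructed headers: a weak set as a forum might emit them, then the same
# cookies hardened.
WEAK_HEADERS = [
    "forum_sessionhash=5f1c9e2b; path=/",
    "forum_lastvisit=1373800000; path=/; Max-Age=31536000",
]
HARDENED_HEADERS = [
    "forum_sessionhash=5f1c9e2b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "forum_lastvisit=1373800000; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, problem in audit_cookies(WEAK_HEADERS):
        print(f"{name}: {problem}")
```

HttpOnly removes the exfiltration path but not the attack: script running in an administrator's browser can still drive the control panel with that browser's own session, including adding a hook, without ever reading the cookie. Sanitising the HTML that moderators may post, and treating moderator-supplied content as untrusted, is what closes that path.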

“There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings,” it said.

“We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. Finally, we'd like once again to apologize for the security breach, the data leak and downtime.”

When the outage was first reported, Ubuntu said the forums were down for maintenance; it later confirmed that the attackers had obtained every user's local username, password hash and email address from the Ubuntu Forums database.



Employment Verification Systems: A Benefit to Employers and Immigration Reform OR A Violation of Privacy?

With the debate about illegal immigration raging on, people on both sides of the political spectrum are rushing to come up with solutions. While support for most ideas is divided on party lines, one solution that has seen bipartisan support is employment verification. In fact, 2012 presidential candidates Obama and Romney both support the use of an employment verification system, such as the government’s E-Verify system.

E-Verify is a free government internet program. Employee information is compared to government records, and if there is a discrepancy, the employee must resolve the issue in order to be eligible for the job (or to continue working). E-Verify was originally created in 1997 and the website currently reports that over 409,000 employers have used the system.

Given the demand for employment verification, there has been a flood of other verification systems in recent years. While E-Verify is used solely to verify employment eligibility, these alternative employment verification systems can confirm hire and termination dates, title, detailed income information and more.

Leading the way in this category is Equifax, a company that offers employment verification services to employers through a program called The Work Number. Equifax holds a majority share of the verification industry, but smaller companies are also vying for a piece of the action. Some examples are Verify Job System, Pre Check, and EmpInfo.

EmpInfo is a cloud-based service that went live in May, 2013. Similar to Equifax, it offers services for both verifiers and employers.

  • Employers can sign up for free, allowing EmpInfo to manage their verification requests. This means you don’t have to waste time and money dealing with requests from banks, landlords, and other companies who need to verify employment information and wages for your current and past employees. Once you sign up, these requests are handled by EmpInfo.
  • While Equifax charges a fee for this service, it is free for employers to sign up for EmpInfo. In fact, they have said that in the future they may even consider a revenue-sharing system.
  • If you need to verify employment information for a new hire, you can pay a small fee to access this data on EmpInfo. You must be approved as a verifier first, and state your reason for needing the information. When you’re approved, the data is available instantly, 24x7, even on mobile devices.

EmpInfo is a small business rival of Equifax, seeking to create a large employment verification database to make the verification process simple and fast. However, some argue that the Equifax and similar databases are a violation of privacy.

Critics say that detailed income information should remain private. Verification companies like Equifax have the power to sell your income history to any company that has a ‘valid’ reason. Beyond future employers, landlords and banks who may offer you a loan, this includes a most loathed group - debt collectors.

What do you think? Are employment verification systems a good idea, one that will help with immigration and benefit small businesses? Or are they a threat to, or even a violation of, an individual’s right to privacy?

We’d love to hear what you think. Add your comments below.



Panorama dating website investigation leads ICO to crack down on data handling

The ICO is set to crack down on dating websites which readily sell users' details, and how they handle personal data.

Following an investigation by the BBC's Panorama, the Information Commissioner's Office (ICO) has said that it has written to eHarmony, match.com, Cupid and Global Personals, as well as the industry trade body, the Association of British Introduction Agencies, over concerns about handling personal data.

Panorama found that dating profiles could be bought online, with a database of 10,000 profiles including names, email addresses and photographs of UK residents readily available. Those profiles had been taken from social networking sites; the people concerned were not aware that their data was on sale, and had never been dating website users.

The ICO's own survey of major UK dating websites identified areas where the Data Protection Act was not being followed.

It has asked the companies to respond to allegations on:

  • poor visibility of the terms and conditions that give the website consent to use personal information in certain ways;
  • how those terms and conditions make reference to the dating company having a ‘perpetual’ or ‘irrevocable’ licence to use members' data;
  • whether the websites have any responsibility for the loss of or damage to personal information; and
  • whether users are being expected to provide personal details before the terms and conditions are provided.

Simon Entwisle, ICO's director of operations, said: “The evidence we're being presented with by the media suggests quite concerning business practices by some dating websites, and there are particular questions around how people's information is being used that need to be answered.

“It's concerning to see that there appear to be sites which, as a matter of course, are falling far short of the legal standards for ensuring information is accurate and up to date.

“While media reports are painting a disturbing picture, the number of complaints we're getting from the public is not very high. That could be because this is only an issue with a small minority of websites, or it could be because people are reluctant to come forward.

“The work we're doing now will help us to better understand the scale of the issue. As part of that work, we'd urge anyone who believes a dating website has misused their data to get in touch with us.”



How Do Your Employee Benefits Stack Up?


Are you worried about retaining your key employees as the economy heats up? Or do you need to attract new workers to help with growing demand for your product or service, or to expand your business? In either case, employee benefits are an important factor in whether employees choose to join your company, stay with your business for the long haul or jump ship.

How do you know if your employee benefits measure up?

SHRM’s 2013 Employee Benefits research report can offer some insights. While the majority of companies responding to the survey had over 100 employees, some 22 percent were small businesses. Below is a look at the basic benefits most companies were offering, plus some “extras” that could give you an edge.

So How Do Your Employee Benefits Compare?

Health and wellness

The basics: Health insurance is an important benefit for employees, and it’s offered by almost every business. The most common health benefit was prescription drug coverage, offered by 98 percent of companies. Ninety-six percent provide dental insurance, and 86 percent offer PPO healthcare coverage, while 33 percent provide an HMO plan.

Pump it up: Preventive or wellness programs have been on the rise over the last five years, SHRM notes. These offerings, which can help cut health-care costs, can range from bonuses or incentives for reaching health goals (such as quitting smoking) to wellness coaching or subsidized gym membership. About two-thirds of companies offer some type of wellness program.

Retirement savings and planning

The basics: Retirement is another big issue on employees’ minds as they struggle to recover from the recession. Employer-sponsored retirement plans are shifting toward defined contribution retirement savings plans and 401(k) savings plans. Nearly all (92 percent) of employers offer a defined-contribution retirement savings plan, and 73 percent provide an employer match to employees’ contributions.

Pump it up: More companies are offering investment assistance, from online advice (59 percent) to one-on-one investment advice (53 percent) and specific retirement-preparation advice.

Financial and compensation benefits

The basics: Incentive bonus plans are offered by 55 percent of companies.

Pump it up: Employee referral bonuses, for referring a job candidate who is hired and passes the probationary period, have gained in popularity over the last year and are now offered by 47 percent of companies.

Flexible work

The basics: The majority (53 percent) of companies offer some form of flextime. Fifty-one percent allow flextime during core business hours, while 26 percent offer it outside of core business hours. Even more popular is telecommuting, which 58 percent of companies offer in some form, whether ad-hoc (45 percent), part-time (36 percent) or full-time (20 percent).

Pump it up: Over one-third (35 percent) of companies offer compressed workweeks, where full-time employees can work longer days for part of a week or pay period in exchange for shorter days or a day off during that week or pay period.

Career development

The basics: Nearly all (90 percent) companies provide professional memberships, 85 percent provide off-site professional development opportunities and 78 percent pay for certification fees.

Pump it up: Just 44 percent of companies offer cross-training in skills not directly related to the job, and a mere 20 percent offer mentorship.

Three Steps to Get the Most From Them

Whatever employee benefits you offer, SHRM’s report recommends three steps to getting the most from them as a recruitment and retention tool:

Develop a Workplace Flexibility Policy

Past SHRM research shows flexibility is a very low-cost way to drive increased employee job satisfaction, lower turnover and lower insurance costs.

Communicate

SHRM studies show employees consistently rank benefits among the top contributors to their job satisfaction, but many employees don’t fully understand all of their benefits, their value and their options.

Make sure you communicate, through meetings, workshops and other means, about the worth of what you’re giving employees and how they can maximize their benefits’ value. Toot your own horn.

Get Feedback

Review your benefits at least once a year to make sure they’re still competitive with other businesses, that their costs are in line, and, most of all, that they’re serving employees’ needs.

Getting employee feedback is an important part of this assessment.





BlackBerry reported to FBI over potential privacy and security issues

Researchers say a vulnerability in BlackBerry 10 meant user email credentials were sent in clear text, a claim developer RIM denies.

German researcher Frank Rieger said in a post that email credentials entered into the BlackBerry 10 email Discovery Service would be sent to RIM Canada servers in clear text if forced SSL was not enabled in mail servers.

“BlackBerry thus has not only your email credentials stored in its database, it makes them available to anyone sniffing in between,” Rieger said.

“The client should only connect directly to your mail server and no one else.”

Security firm Risk Based Security reported the flaws to US authorities and criticised RIM for not fixing the purported flaws. “Due to the severity of this issue, and the apparent lack of mainstream press, Risk Based Security has reached out to clients and some contacts, including the FBI, warning them of the potential privacy and security issue,” the company said in a statement.

RIM denied the existence of a “backdoor”, a term slapped on the vulnerability by Risk Based Security, and asserted in a statement to SC Magazine that BlackBerry's Discovery Service does not store email passwords.

It said credentials were used only to simplify the email set-up process, adding that users could go to the advanced configuration to bypass the Discovery Service (and its terms and conditions) and set everything up manually.

Yet Risk Based Security, which sponsored the non-profit data breach repository DataLossDB and the Open Sourced Vulnerability Database, hit back at RIM's claims.

“This appears to be validation from RIM that credentials are sent and dodges the question of the default configuration sending in cleartext,” the company said, adding the problem is amplified by the majority of users who will turn to the Discovery Service to set up email and never be aware of the issue.

Rieger reiterated that the issue is only about entering private IMAP or POP email credentials into the BlackBerry 10 Discovery Service and is not related to PIN messaging, push messaging or any other service where credentials are expected to be sent to RIM.

BlackBerry's end-user software license agreement did not mention information would be sent to RIM, Risk Based Security said.
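Rieger's rule, that the client should connect only to the user's own mail server and send nothing in clear text, is easy to state and easy to lose in a convenience feature. The following is an added example of a client-side guard that encodes it; it is not BlackBerry or RIM code, the host names are constructed, and the network function is included for completeness but needs a real IMAP server to run.

```python
"""Client-side guard for the property Rieger describes: IMAP credentials
leave the device only towards the user's own mail server and only once TLS is
up.  Added example, not BlackBerry/RIM code; host names are constructed and the
network function is shown for completeness but needs a real server."""
import imaplib
import ssl


def login_problems(configured_host, connected_host, tls_active, capabilities):
    """List the reasons it would be unsafe to send LOGIN on this connection.

    configured_host: the mail server the user entered.
    connected_host:  the host the socket actually reaches (a discovery
                     service acting as a broker would show up here).
    capabilities:    the server's CAPABILITY tokens, e.g. {"IMAP4rev1", "STARTTLS"}.
    An empty list means it is safe to proceed.
    """
    problems = []
    if connected_host.lower() != configured_host.lower():
        problems.append(f"credentials would go to {connected_host}, not {configured_host}")
    if not tls_active:
        problems.append("TLS is not active; LOGIN would cross the wire in clear text")
    if "LOGINDISABLED" in capabilities:
        problems.append("server forbids LOGIN on this connection")
    return problems


def transport_plan(tls_active, capabilities):
    """Decide what to do before LOGIN on a freshly opened connection.

    Returns 'ok' when TLS is already up, 'starttls' when the server offers an
    upgrade, and 'abort' when neither holds: a client that falls back to clear
    text here is the failure mode the article describes.
    """
    if tls_active:
        return "ok"
    if "STARTTLS" in capabilities:
        return "starttls"
    return "abort"


def imap_login_direct(host, user, password, port=993):
    """Connect straight to the user's server over implicit TLS and log in."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    caps = {token.decode() for token in conn.capability()[1][0].split()}
    problems = login_problems(host, host, tls_active=True, capabilities=caps)
    if problems:
        conn.logout()
        raise RuntimeError("; ".join(problems))
    conn.login(user, password)
    return conn
```

The point of `transport_plan` returning `abort` rather than a clear-text fallback is that "forced SSL was not enabled on the mail server" must become a visible set-up failure for the user, not a silent downgrade.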



12 Tips for Merchants to Fight Credit Card Fraud at the Point of Sale


It’s well documented that accepting credit cards is good for business, but there is one snag to accepting credit cards that every retailer knows and fears: fraud.

Credit card fraud can come in different forms, but they are avoidable if you know what to look for. These 12 tips will help you fight credit card fraud.

1) Educate Your Employees About Fraud

You need to be aware of fraud to avoid it, but so do your employees. You both make up the first line of defense. Train your employees well to know the signs of potential fraud and remind them periodically to always stay alert.

2) Compare Signatures and Ask for Identification

Very few retailers take the time to glance at the signatures anymore, but it’s simple and quick. Check for misspellings and make sure the name on the card matches the signature. Address the customer using the name on the credit card. If he or she doesn’t respond, ask for a photo ID and compare those signatures.

3) Ask to See the Card

Look for the card’s security features, such as a clear hologram with a moving picture, and check that the four-digit number printed above or below the embossed account number matches the first four digits of that account number. Check the digits themselves for signs of alteration and look for signs of tampering on the signature strip.

4) Be Wary of Customers Who Keep the Credit Card Separate From Their Wallet

Most legitimate customers will keep their credit cards in their wallet along with some form of ID. Fraudsters are more likely to keep the fraudulent credit card separate from their wallet, so they do not have any means of ID with them.

5) Watch Out for Customers Who Are Distracting

They may either be very talkative or very angry. Or they may wait until the last second before closing time to make a big purchase. Either way, they could be a potential fraudster trying to rush the clerk and keep their attention off the card authorization process.

6) Think Twice Before Manually Entering Damaged or Worn Cards

Fraudulent cards are often damaged on purpose so the magnetic stripe cannot be swiped. Instead, the customer may insist the clerk manually key in the card number, which bypasses the anti-fraud data carried on the magnetic stripe and leaves you with a riskier key-entered transaction. Always swipe the card, no matter how damaged. If the card can’t be read, ask for another form of payment.

7) Do Not Accept “Letters of Authorization”

Some fraudsters will present a letter from the cardholder that authorizes the use of their credit card. This should never be accepted as a form of verification. No one is allowed to “borrow” another person’s card, regardless of relationship. Only the cardholder is authorized to use their credit card.

8) Take Note of What the Customer is Purchasing

Have they purchased more than one of the same expensive item? Did they make their selections quickly, without thought to size or color or price? Or maybe they want a costly rush delivery to a different address, or they want to carry their purchase out of the store when it’s something normally delivered (such as large appliances or furniture). All these could be signs of a potential fraudster looking to leave your store quickly with their “hot” card and goods.

9) Use the Address Verification System (AVS)

Address Verification is most common in card-not-present situations (such as online purchases), but it can also be used when the card is present at the POS. In addition to the usual checkout process, the terminal asks for the customer’s billing ZIP code, and the transaction is declined if the ZIP code entered doesn’t match the one the issuer has on file.

10) Know Your POS System and Equipment

Sophisticated criminals can capture the data on a card’s magnetic stripe when it is swiped at checkout. This is called “skimming,” and it requires a physical attachment to, or replacement of, the terminal that reads the card. To combat this, make sure you know what your payment processing equipment looks like and how it should behave. If you see an extra device, a loose or mismatched reader, or malfunctioning software, investigate before continuing to accept cards from customers.

11) Keep Accurate Records of Credit Card Transactions

Some fraud situations result from legitimate cardholders who make authorized purchases, only to fraudulently dispute the charges later. You can fight this kind of fraud if you are armed with the right information. Your acquiring bank can assist you with the process, but at minimum you will need the customer signature and evidence that you swiped the card and received an authorized approval.

12) When in Doubt, Call

If you feel something is not quite right, do not hesitate to call the card issuer for authorization. Keep the card with you and move away from the customer to make the call. You may feel you’re risking a sale by making the customer wait, but even if they are legitimate cardholders, it’s for their protection as much as yours.

Avoiding fraud is critical in ensuring safe transactions at your business. For more information, you can check out Community Merchants USA’s resources on fighting fraud.
