9 Website Must Have’s That Your Website Needs

I work with small and medium-sized companies to help them attract more sales leads. One of the starting points that we look at is a company’s website.

Often times, companies miss adding items to their website that will facilitate attracting sales leads, so I thought I would share 9 Website Must Have’s that every website should have.

Here are 9 Website Must Have’s that you should have on your website:

  1. Social Share Widget Did you know that only

The post 9 Website Must Have’s That Your Website Needs appeared first on Small Business Trends.



10 Skills Your Employees Need to Succeed

What skills will employees need to help their companies succeed in this year and beyond? If your team doesn’t have those skills, how can you help them get there?

CEB’s 2013 Executive Guidance analyzed some 20,000 employees worldwide to pinpoint the challenges facing business teams today.

Here’s the biggest challenge: While employers report they will need to squeeze 20 percent more productivity from employees to meet their business goals, employees say they’re already maxed out. More than two-thirds say their

The post 10 Skills Your Employees Need to Succeed appeared first on Small Business Trends.



Ooma Offers Professional VoIP Service to Small Businesses

Home phone provider Ooma just announced a new product at CES that is aimed specifically at businesses. The Ooma Office communication system includes a lot of the same features as phone systems designed for large companies, but its target is businesses with fewer than 10 employees and it uses cloud technology to keep costs down.

The above photo shows what an Ooma Office product looks like. The main console hooks up to the internet and can also be used for fax machines. Then each extension device connects to employee phones so that they are included in the network. The service works with land line phones and cell phones and supports up to 5 phone extensions and up to 15 virtual extensions to reach remote workers.

The office system includes features like a virtual receptionist, extension dialing, conferencing, hold music, separate modes for business hours and after-business hours, HD Voice technology and more. Many of these features are pretty standard for an office phone system, but the ability to work remotely and on-the-go is becoming increasingly important for many companies.

So for modern small businesses that don’t necessarily have a full staff in the office each day, this is an option for presenting a professional communication system to customers and clients without all the added cost of a phone system designed for larger companies.

“The features in a business phone service are fundamentally important to establishing first impressions among customers - the first call often has a lasting impact,” said Jim Gustke, Ooma’s vice president of marketing.

Ooma Office starts at $19.99 per line and includes a do-it-yourself setup. Gustke said that the product’s price is one of its main draws, allowing businesses with small budgets to still maintain a professional phone system without using funds and resources that would be better allocated for other business functions.

Many small businesses don’t even find it necessary to have office phone systems anymore, with services like Skype and Google offering free or nearly free communication tools that are becoming more accepted by clients and colleagues for day-to-day communication. But for certain types of businesses, having an office phone system with multiple lines, call forwarding, and other traditional features is still important. So for those businesses, Ooma’s offering presents an interesting way to cut costs, since it is much cheaper than competitive services like Vonage.

Ooma was originally founded in 2004 and is based in Palo Alto, California. Ooma’s home phone offering, Ooma Telo, includes free calls within the U.S. The Ooma Office system launches later this month and will be available for $249 at U.S. and Canadian retailers.




Red October malware attacks highlight attribution problems

The Red October malware attacks announced by Kaspersky Labs on Jan. 14 came with their own built-in clues as to the source of the unusually complex botnet. Modules used in Red October appear to have been coded by Russian-speaking developers, whereas the exploits used to target Microsoft Word and Excel vulnerabilities are thought to have been created by Chinese hackers, according to analysis by Kaspersky Labs. However, such speculation highlights the difficulties in attack attribution -- and at least a few forensics experts believe the efforts to find "whodunit" may be wasted.

According to Jesus Oquendo, senior security engineer at E-Fensive Security Strategies, most methodologies aimed at attribution are flawed, regardless of what their adherents may claim. Oquendo has taught offensive security, malware analysis and reverse engineering for the Cyber Security Forum Initiative's (CSFI) Defensive Cyberspace Operations Engineer course.

Oquendo said the elements commonly examined when investigating the source of an attack include analysis of IP addresses, the use of keyword searches, evidence from any code used, and plain-old guess work -- what experts in the field would prefer to call inference. "That's it; nothing more, and nothing less. There are really no other reliable means for establishing attribution," Oquendo said.

The crux of the attribution problem is that those elements can be manipulated by highly skilled attackers in an effort to throw investigators off their trail, and in many instances are orchestrated to implicate an uninvolved third party.

"The problems for the investigator are larger than those of the adversary," said network security expert Scot Terban, who specializes in Computer Forensics and Open Source Intelligence (OSINT) techniques. "Attackers want to distance themselves from the crime as much as possible, and muddy the water for those seeking to determine who did what."

IP address analysis

Most investigators will examine any IP addresses associated with an attack, but skilled attackers are most likely pivoting in and out of third-party networks that they have compromised. "An IP address within a log that attacked your resource may just in fact be a pawn in a larger game, and that IP might just be a compromised machine doing the bidding of another at the behest of yet another," Terban said.

Oquendo agreed, saying that IP analysis can provide insight into the structure of an attack, but does little in the way of attribution. "Most attackers -- especially highly technical ones -- are well-versed at flying under the radar. If an attacker is so skilled as to remain out of sight for five years, such as those behind Red October, what makes anyone think they are really originating from whatever netblocks or IP addresses that investigators discover in logs?" he said.

Compounding the problem, savvy actors will often route attacks through nations with a history of not cooperating with international investigations. "Often times the servers/systems involved as intermediaries are in other countries. It is hard to get warrants, [and even] if investigators get them at all, [it's hard] to look at logs," Terban said.

"It makes sense for an attacker to pick countries that have close to zero judicial interactions with other countries and dislike each other politically. This makes the likelihood of governments working together to investigate these crimes unlikely," Oquendo said.

Keyword searches and lexical analysis

Investigators also conduct lexical analysis and keyword searches for terminology or other linguistic clues to associate attacks with a known individual or entity, looking for items such as the Russian slang found in Red October executable code. But such terminology could have been planted by attackers to mislead investigators.

"For example, if a researcher sees something to the tune of Red Dragon, they are likely going to associate this with China. Never mind the fact that the author of any malware or virus could be a fan of the movie Red Dragon, or simply engaged in obfuscation efforts. Some vendors and those in the media will pounce on this and decide it must be so that China is the culprit," Oquendo said.

Another technique investigators use is the collection of open source intelligence -- available through the monitoring of social media, discussion forums and Internet Relay Communications -- to look for chatter regarding a specific attack. "By monitoring open sources of information as a fly on the wall, one might glean who is attacking whom and why," Terban noted. Of course, these mediums can also be manipulated by attackers to distance themselves from an operation or to implicate a third party.

Inference and intuition

Decision makers do not necessarily require attribution to be conclusive in order to take action, as most of the time intelligence is never 100%, and decisions still have to be made. Often attribution efforts come down to educated guesswork. "More nuanced approaches are starting to be used to determine the attribution of an attack that may not come from solid evidence, but instead from inference and intuition," Terban said.

Is attribution important?

If attribution is so difficult, why is so much emphasis placed on it? Some might say it comes down to creating a case for retaliation, but Oquendo noted that there is a "financial and economic side of vendor antivirus propaganda. From the government side, it is easy to attribute these kinds of actions to an enemy of choice. This is a logical route for governments to take, however, those making these determinations are not technical, so they typically rely on 'experts' who get attribution wrong from the start."

Or as Terban put it: "We are hanging too much on attribution. We need to clean our own house before we even consider trying to go after an adversary that has taken our data."




The Top 5 Mistakes Restaurant Websites Make

A good website is really important for a restaurant. Many people visit restaurant websites before they decide to actually go and eat at a restaurant. A restaurant website should really offer everything a potential customer could need.

Restaurant owners, below are 5 things that I often see wrong with restaurant websites and these 5 things can really hurt your business:

1) A Website That is Not Viewable on Mobile Devices

Anytime we travel, we use various apps to determine where we might eat. They give us restaurant names and then we go to websites to look for a variety of things. Sadly many restaurants are not viewable on mobile devices, so I can’t figure out what kinds of dishes are offered, I can’t see images of the restaurant and I can’t find a phone number - because the site isn’t viewable on mobile.

FYI, mobile also includes tablets.

If website visitors can’t see a restaurant and get the information they want, via mobile, they will choose a different restaurant they can see online. Please check out your restaurant on multiple mobile devices and make sure it works well for all users.

2) Lack of Quality Images

Images are powerful, especially on a restaurant website. It is difficult to take great pictures of food because you need to have the proper lighting, angles and camera. If a restaurant takes pictures of their food and the food doesn’t look very appetizing, the images should NOT be used on the website. The only time a food image should be used is when the food looks amazing.

Food images should make people hungry:  They make people want to go to a restaurant to eat that dish. When taking pictures of food, you want to make sure everything looks beautiful - the plating, the background, the table the food is sitting on, the food should be fresh, etc.

You are trying to sell your restaurant through an image:  Perfection is important. Hire a photographer or research cameras that specialize in food (Best Buy has a couple). Also, read these tips on taking great food pictures, from one of the best, the Pioneer Woman.

3) Missing Menu(s)

You shouldn’t have a restaurant website without your menu on it. In fact, if you have multiple menus they should all be on it. I have one client that has a sushi menu, a takeout menu, a lunch menu and a dinner menu. All are available online, and they are viewable on all mobile devices.

When ordering for takeout, people need to see what their options are:  Make sure your menu(s) is available to website visitors. If you have a takeout menu, offer it in PDF form so businesses can print and share with colleagues easily before ordering. Regular menus often help people determine if they want to try out a new restaurant, so make sure the menu on your site is attractive and the dishes sound outstanding in your descriptions.

Restaurant owners need to keep in mind that busy people need to find things fast and they make food decisions fast because they are hungry. So make sure website visitors can see everything you offer quickly. Make it easy and idiot proof.

4) Missing Phone Number or One That Isn’t Clickable

The phone number is really one of the most important things on a restaurant website. In fact, it may be the most important thing on a website. Some people won’t look at a website at all and just want to call the business for answers. So please make sure the phone number is on every page and close to the top of the page. Make it easy to find.

Make sure that the phone number is clickable on a mobile screen:  Make it easy for mobile users to call you. Often a phone number within an image isn’t clickable and people have to write it down and then call. This isn’t helpful for those that are driving, so make sure contacting you is easy.

Restaurants using mobile versions (especially in WordPress):  Make sure that the mobile version you use does not take out your phone number. I have seen this happen often. When it does, I go to the bottom of the page to look for the “full site” function to hopefully get the number and sometimes that option is not there. So, guess what? I leave and get food elsewhere because often, my family is hungry and we are in a rush. Also keep in mind, many people are not Web savvy and don’t know to look for the “full site” function.

5) Missing Address, Map or Image of Exterior

Restaurant websites should have their address on every page of the website. You never know which page a website visitor will come in to a website on, so you want to make sure that they can easily find an address.

Include a map screenshot on the website:  And not one I have to click on and find via mobile and/or on my computer. If you can let visitors see surrounding streets, you help them find your restaurant easier.

Include a small to medium image of the front of your restaurant:  New customers need to see what the restaurant looks like so when they are driving, and looking, the restaurant is easy to find. This is especially true in strip malls and areas with many businesses around.

If You Are Creating a Restaurant Website 

Please keep these 5 items in mind. Every website on the planet should make things easier for the audience that will be looking at the site. Think about the things you want to see when you are looking for a restaurant online or on mobile and make sure to include everything.

I used the term “idiot proof” above and want to explain why. I use it all the time when planning or working on websites.  Not because I think people are idiots, but because not everyone is as Web savvy as me or my clients. So I make sure things are as “idiot proof” as possible to ensure anyone can use what the website offers to meet their needs.





All Of Your Business Eggs In One Basket Is Risky. Have A Back-Up Plan!

We all know the old cliché, “don’t put all of your eggs in one basket”  for our moms used to say this to us in a myriad of situations…applying to just ONE college, dating just ONE person, interviewing at just ONE company.

And even if we gave our moms grief and provided some push back against her wise words, in our heart of hearts, we got the message.

So, if we were able to get the message then, why is it that now, when the stakes might even be higher and we are all the more experienced and mature, we are still often caught with all of our eggs in one basket?

Give me some examples, you say. Okay, how about these:

  • Your business is running pretty darned smoothly except that almost all of your revenue is generated by just one client. (Uh oh)
  • Your sales rep isn’t very forthcoming and has pretty much left you out of the loop with their accounts. At this point you don’t even know who they are talking to and the status, well, forget it. (Uh oh)
  • You have a Virtual Assistant and they’re incredibly helpful. They have everything under wraps until they suddenly get sick or have a family emergency that puts them totally out of pocket, and with little or no time to plan. (Uh oh)

And there are more, but you get my drift.

What I am stressing here is the absolute need for you to have a back-up plan at the ready if, and when, something goes awry. I mean, you back up your computer, right? (Oh boy don’t even get me started on that!)

Mission-critical aspects of your business cannot be left to chance and all of your eggs can’t be in just one basket.  A smart business person will build in some redundancies and have concrete back-up plans.  Do you?

The best time to start is now, BEFORE there’s a problem.



Twitter Expands List of Certified Products for Businesses

Last year, Twitter launched its Certified Products program to help businesses build customer relationships and analyze social data on the platform with help from a group of third party applications and services.

Now, Twitter has added nine new partners to the program, including Shoutlet, Spredfast, Sprout Social, Adobe Social, Percolate, Rallyverse, Sysomos, Simply Measured, and Visible Technologies. All of these products are built for businesses and can help them manage their social media presences, either by providing insights into social trends, monitoring conversations and interactions, or scheduling and managing important updates.

Certified Products are not the only ones that brands can use to manage their Twitter presence, but a certification simply means that Twitter has acknowledged the product’s usefulness for businesses and that it approves of the product’s integrations and its use of Twitter’s API and features.

To become a Certified Product, partners must provide some kind of service for businesses that Twitter itself does not address. For example, Twitter does not provide analytics services for businesses to learn about their network and their customers. But Adobe Social includes real-time insights that are updated as customers interact with your brand, among other functions.

Many of the Certified Products have overlapping functions, so brands that are interested in using any of the products to improve their Twitter presence can sift through the list and decide which ones best suit their needs based on features, price, and any other relevant factors.

Since Twitter is a pretty simple platform compared to many other social sites, offering businesses a list of third-party products that can help make sense of data and manage more complex activity gives businesses more options, and hopefully more measurable impact, when using the site to reach potential customers.

When Twitter first launched the program in August, it included twelve partners, including HootSuite, SocialFlow and DataSift. The site plans to continue adding to the list, and developers can apply to be added to the list.




Orion to power million patients' records in New Mexico

A million patients across New Mexico will have their health records transferred to an electronic platform developed by New Zealand's Orion Health after the company's technology was chosen to power a new health information exchange in the southwestern US state.

The Auckland-based company, which has developed systems that allow doctors and specialists to store and look up patient records online, has been expanding rapidly in the US in recent years.

Orion Health said the New Mexico Health Information Collaborative, the state's health information exchange, would expand the capabilities it offered to healthcare providers through the use of its technology.

The exchange planned to use the new platform to develop a long-term community health record for each patient, partly aimed at reducing the burden of chronic diseases throughout the state, which is sandwiched between Texas and Arizona and has a population of just over two million.

Orion Health said its technology would empower clinicians within the exchange through providing them with easy, secure access to the most up-to-date patient information.

"With the enhanced features that Orion Health ... offers, users will not only have access to the latest patient information, they'll have the tools needed to drive improvements in care throughout New Mexico," said Craig Hewitt, the exchange's chief information officer.

Paul Viskovich, president of Orion Health North America, said the company was proud to be a strategic partner in such an important project.

Orion Health's technology now provided the "backbone" of health information exchanges across the US, the company said.

The latest Tin100 report on New Zealand's biggest technology companies said Orion Health earned revenue of $100 million last year.

By Christopher Adams

Red October controllers begin shutting down infrastructure

The operators of the Red October espionage campaign have begun shutting down the infrastructure behind it.

According to Kaspersky Lab's Costin Raiu, the attackers have begun shutting down their infrastructure and the hosting providers and registrars involved with some of the command-and-control (C&C) domains are shutting those down too. Speaking to Threatpost, Raiu said that since the discovery last Monday, hosting providers and domain owners have been shutting down servers used to help run the campaign.

He said: “It's clear that the infrastructure is being shut down. This time it's being shut down for good. Not only [are] the registrars killing the domains and the hosting providers killing the C&C servers, but perhaps the attackers [are] shutting down the whole operation.”

Speaking to SC Magazine, Raiu said that the shutdown began on the evening of the 14th January, nine hours after the report was released. He said: “I think this was down to three factors: some of the domains were suspended; some of the hosting providers for the C&Cs began to shut them down; while some other hosting providers shut down the servers themselves.

“We provided lots of the access points in the report to help law enforcement and hosting providers who observed the Red October report and proceeded with the shutdown.

“What is interesting is that Flame had a shutdown process for its C&Cs but it could set up a new one to self-destruct; in Red October there is nothing of the sort, as a few infected users are coming to our sinkholed servers. We find that of the 350 detected infected users, there are 35 still infected.”

Kaspersky Lab's report on the campaign, which was announced last week, said that the attackers used up to 60 C&C servers and at least three different exploits for previously known vulnerabilities to infect users and harvest data from desktops and mobile devices.

Luis Corrons, technical director of PandaLabs, told SC Magazine that this was not something he had seen before, but it would make sense for the controllers to have a ‘panic button’. “I have seen that kind of option in botnet operations, but not for the C&C server itself, but for the bots,” he said.

“It is like a suicide option, or uninstall is another way of seeing it. First time I saw that was in a botnet we were tracking back in 2007. I made a presentation at Virus Bulletin about this botnet. Why does such an option not exist in C&C servers? Well, there is an easy answer to that: when we talk about botnets and C&C servers we always think on complicated stuff, and up to a certain point it is.

“However, to remove it, the only thing that has to be done is to delete the folder containing all files, as simple as that. Once they have a backup of the stolen information, deleting the stuff in the C&C server is as trivial as that in most cases.”



Exclusive: Companies partner to offer enterprise-level DDoS protection

ServerSpace and Black Lotus have combined to offer enterprise-level distributed denial-of-service (DDoS) attack prevention.

According to the companies, the new solution incorporates two levels of behaviour analysis. The first is a ‘human behaviour analysis' that determines whether or not the request originated from a human. The second is a ‘network behaviour analysis' that detects abnormal traffic and decides if it was a result of a DDoS attack.

Managed hosting and cloud services provider ServerSpace MD Tim Pat Dufficy said: “Smaller businesses have been crying out for affordable protection against DDoS attacks and it remains one of the most critical problems that business owners face. How can businesses be expected to grow when they can face a number of cyber attacks each day? Up until now they have been fighting a fire that won't go out.”

Jeffrey Lyon, CEO of Black Lotus, said: “Small and medium-sized businesses in the UK are in dire need of a cost-effective DDoS protection system. Replicating such a system is not an option for these businesses, as it would cost in the region of £500,000.

“If one considers the repercussions of a DDoS attack and the long-term implications it could have on a business, up to £1,000 a month for a reliable protection service seems a very sensible price to pay.”



Three Ways To Protect Your Network From Hackers Who Buy Malware To Attack

In the past, digital threats were confined to email attachments and physical media such as floppy disks and CD-ROMs, but today companies face threats from a whole new set of angles that had never been imagined before. A recent report prepared by the European Network and Information Security Agency (ENISA) outlines the key cyber threats facing individuals and companies today. Although familiar threats such as viruses, worms, trojans, phishing, spyware, and spam still make up a significant portion of the list, malicious individuals now have a whole new arsenal of tools to help them penetrate most corporate security systems.

Of the new threats mentioned, exploit kits are the most notable because they allow virtually anyone to launch a massive cyber attack with only a few clicks and limited technical knowledge. This new industry is known as Malware as a Service (MaaS) and allows individuals to pay licensing fees from as little as $50 a day to $1,000 for an unlimited license to access powerful malware suites for a fraction of what it would cost to develop such systems in-house. Due to this new revenue model, malware has become increasingly prevalent, as technical knowledge is no longer a requirement for a successful cyber attack.

Botnets are another threat that falls under the MaaS model. Botnets are networks of compromised computers (from as few as a hundred all the way to thousands) that are controlled, often without the owners' knowledge, by malware that allows criminals to lease out the networks for malicious purposes. Common uses for botnets range from sending out untraceable spam and providing cover for attacks against corporate networks to, sometimes, launching denial-of-service (DDoS/DoS) attacks. For those unfamiliar with the terminology, a DDoS/DoS attack is when a malicious individual has a network of computers overwhelm a website's servers. Rather than causing a data breach, such attacks simply bring the website down for an extended period of time, causing significant operational losses.

In light of these new trends in the computing industry, it is vital that all companies, regardless of their size, implement programs to protect both their websites and internal networks. Web security is too broad a topic to cover in this article. However, steps such as complying with PCI, SAS 70, and HIPAA and/or SOX regulations, depending on your industry, are minimal precautions for protecting your website.

For internal network security, installing Windows Updates as soon as reasonably possible, along with keeping anti-virus/anti-malware programs installed and updated, is a must, as malware can download automatically when a website loads. This tactic, known as a drive-by exploit, has been around for a while and is not going away any time soon. Aside from adequate protection, a solid backup regimen for all digital files is a must because, ultimately, there is no silver bullet when it comes to preventing cyber attacks.



Oracle to issue Java patch following US Homeland Security warning

Oracle has announced that a security update for the zero-day flaw in Java, which was widely reported last week, will be released soon.

According to a statement, it has released the security alert to fix the Java 7 Security Manager Bypass Vulnerability and another vulnerability affecting Java running in web browsers, which it rates as ‘high'. 

It said: “These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity and confidentiality of the user's system.”

It also acknowledged the public disclosure of technical details and the reported exploitation of CVE-2013-0422 in the wild, and strongly recommended that customers apply the updates provided by the security alert as soon as possible.

For exploitation to succeed, an attacker needs to trick an unsuspecting user into browsing a malicious website; execution of the malicious applet within the user's browser then allows the attacker to execute arbitrary code on the vulnerable system. “These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets,” it said.

However, according to Polish research group Security Explorations, the update will leave several critical security flaws unfixed. The group claimed to have discovered several bugs in the software over the past year, but said that Oracle has not acknowledged the discovery of flaws, or added them to this or other patches.

Wolfgang Kandek, CTO of Qualys, said: “Oracle has made a statement that we can expect a fix for the current Java 7 zero-day vulnerability shortly, but has not given a specific date yet. However, next week on 15th January is Oracle's quarterly Critical Patch Update Tuesday when Oracle updates all of its other software packages with security fixes.”

The announcement came after the US Department of Homeland Security encouraged computer users to disable Java in web browsers, as attackers could trick targets into visiting malicious websites that would infect their PCs with software capable of exploiting the bug in Java.

“Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers,” it said in its advisory.

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. We are currently unaware of a practical solution to this problem.”

Ross Barrett, senior manager of security engineering at Rapid7, said: “Oracle has moved quickly to release a fix for the vulnerability (CVE-2013-0422) which as of last week was publicly known to be ‘weaponised' in widely available black market exploit kits.

“This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately. This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild.”



Entrepreneurs in the Midwest Actively Bootstrapping

The Midwest is often overlooked as a hub of startups, overshadowed by Silicon Valley on one coast and New York City on the other. But it is merely a common misconception, as the companies I will introduce you to here will prove that the Midwest is alive and well as a center of creativity and entrepreneurial activity.

As you read these short vignettes, notice that most of these entrepreneurs have bootstrapped their ventures with very little infusion of outside capital. You don’t hear about them, because they don’t have big funding announcements to make. The entrepreneurship media ignores all these companies that don’t raise big money, but they generate big revenues.

The entrepreneurship media of the world is yet to come to terms with a simple fact that entrepreneurship equals customers, revenues and profits; financing is optional.

WaterFilters.net

Following a childhood filled with small-scale business ventures, including selling rulers to his neighbors, it was always clear to Minnesota entrepreneur Jamin Arvig that he would start a company. After attaining degrees in electrical engineering and law and a short time spent in the patent law practice, he decided to invest additional energy into an old venture, taking it online. Jamin and his wife come from technical backgrounds. They knew of the many opportunities associated with the e-commerce boom, and the benefits of building a business that drew upon the Internet’s global audience.

WaterFilters, started in 2002 while Jamin was still in college, simplifies the process of finding and purchasing water purification and treatment products. Jamin and his wife shared a limited knowledge of the water treatment industry. But they knew that the green industry was a growing trend, and they identified water filters as a key element.

After purchasing around $1,000 of water filters and setting up shop in his Minnesota condo, Jamin leveraged his wife’s existing connections in the industry to forge relationships with distributors, growing business slowly. These relationships allowed Waterfilters.net to list many of their products in an online catalogue. The couple also leveraged SEO and pay-per-click (PPC) advertising to acquire customers. The company reached close to $4 million in revenue by 2008.

2008 marked WaterFilters’ move to a custom-built warehouse that would serve as a distribution center. The business has also picked up a great many business customers, and even supplies retailers as a wholesale vendor. The company has been entirely bootstrapped to the $10 million mark, running on only Jamin and his wife’s savings.

Quantum Retail

Also operating from Minnesota, Vicki Raport worked in retail software for a while, before setting up her own shop to plug gaps she observed in her domain.

Quantum Retail is Vicki’s missing piece: a layer of applications that takes information generated by enterprise apps, point of sale, customer transaction files and radio-frequency identification data, and brings it together in a manner valuable to retailers. This data, collected in a usable and manageable format, is intended to drive quantifiable improvement in retail operations. Quantum’s solutions align a company’s capabilities to buy and sell merchandise in tune with consumer preferences. Vicki described the product as “technology that thinks like a business.”

Vicki and her five co-founders (with a sixth introduced shortly after) draw upon a common background at Retek. They began with retail analytics using small sets of data points. Using open source materials combined with the generous support of a sponsoring customer, the team developed a prototype that they used to garner initial customer validation. The prototype was funded by Guitar Center in 2005.

Quantum Retail now operates on a platform that supports three key retail processes: allocation replenishment, forecasting and order planning, and assortment planning. Customers are given the option to enroll in one, or multiple services concurrently. Direct competition comes mainly from Oracle, JDA and SAP.  The business is fully bootstrapped by Vicki and her co-founders. Quantum Retail grew from six co-founders to over 100 employees and to $13.5 million in revenue by 2010.

Bay.ru

Born and raised in Chicago, Aaron Block never imagined a career in commercial real estate would take him all the way to Moscow, where he was to develop a newly acquired division of Cushman and Wakefield in 2005. His return to Chicago in 2010 also marked his move to Bay.ru, the first cross-border e-commerce business in Russia and the country’s fastest growing shopping site. Just two years later, Aaron is its CEO.

Bay.ru was founded in 2007 by the Russian-born brothers Gene and Anton Herman to help friends and family concerned about the security of items purchased online outside Russia’s borders. While in Russia Bay.ru is designated as a ‘middleman’ operation, in the Internet industry the company is known as a cross-border e-commerce company. Working in the ‘cross-border space’ implies that purchases are made from one country, the shopping is done from another, and goods are delivered directly to the consumer from a third.

As for the business itself, the supply chain is almost entirely U.S. based. Products are shipped to the company’s Chicago warehouse, where they are inspected for quality and checked against the customer’s original order. Additional services for quality assurance, such as photographs and consolidation, are also performed here before orders are shipped to the Soviet Union. By ensuring that the vendor never sees the consumer, Bay.ru has established itself as a single point of trust with its buyers.

Bay.ru has further established its success by integrating popular American catalogues, such as eBay and Amazon, into its online inventory. Perhaps the largest generator of business, however, is the offering of 500,000 separate “touch points” in Russia available to take orders. Because Russia allows pre-payment, Bay.ru has established a strong presence in kiosks, bank branches, post offices, Western Unions, and online payment systems, making it possible for the customer to pay in whatever manner is most comfortable, at any time.

Gene and Anton, with the help of family loans, bootstrapped the business on their own. The company has also raised $2.3 million in angel investments. Bay.ru became profitable in March 2012, and was scheduled to reach the $40 million mark by the end of 2012. Profits are generated in part through product markup above retail price, which can be anywhere between 9-45%. The value-added services performed in the Chicago warehouse add more margin. Additional profits are made by purchasing shipping at wholesale prices, as well as wholesale purchasing of freight, postal and courier services.

So you see, if the Midwestern journalists focused on companies with good, solid revenues, they would have many strong entrepreneurs to write about. As it stands, though, they are more interested in which venture capitalist has funded the company.  What a silly idea!

PerBlue

Shortly following the releases of the iPhone and Google’s Android operating system in 2007, then-University of Wisconsin student Justin Beck became intrigued by the possibilities that these new mobile technologies brought to the world of gaming. He began work on a concept for Parallel Kingdom, a location-based massively multiplayer game that uses the GPS on a player’s mobile device to place them within a virtual world overlapping their reality.

The first version of Parallel Kingdom, “The Age of Exploration,” was released in 2008 as the first game of its kind. The release coincided with the founding of PerBlue, Justin’s Madison, Wisconsin-based mobile and social gaming software company. Beck and his business partner, PerBlue’s CTO Andrew Hanson, both boast double degrees in Computer Science and Computer Engineering. The two bootstrapped the business, providing initial funds on their own and offering early employees stock options in place of a paycheck.

Justin’s concept garnered a great deal of attention, and soon demand was high enough for the release of a second installment of the game in March 2009, “The Age of Gathering,” as well as a third, greatly expanded version in November of the same year entitled “The Age of Emergence.” The most recent release, “The Age of Thrones,” launched in October 2010 and focused on the game’s social features. It joins two other mobile multiplayer RPG’s (role-playing games), Parallel Mafia and Parallel Zombies, to round out PerBlue’s products.

PerBlue eventually raised some financing, but more importantly, the company has crossed $2 million in revenue.  And now, onto some entrepreneurs that are just about starting to get their businesses off the ground.

SimaFore

In 2010, Bala Deshpande and the three coworkers who would become his fellow team members were working in Ann Arbor, Michigan as resellers for a software startup, building an all-purpose analytical tool capable of identifying and managing risk in complex situations. Through his work in sales, Bala came to realize that not only were most companies incapable of extracting value from such complicated analytical tools, oftentimes the purchase of such software did not solve their original problem. With the assistance of these same coworkers, Bala decided to work toward a more tailored solution, avoiding the broad aspirations of general purpose analytics software.

SimaFore is a reliable way to convert data into an informational asset, providing analytics-based solutions to companies that cannot afford expensive software or a staff to extract value. The company develops custom-built apps tailored to solve specific issues based on a business need. Such services may include identifying key performance indicators, optimizing product quotes using cost forecasting, and overhead cost tracking, among others. By leveraging emerging trends in open source technology and cloud computing, the solutions SimaFore offers remain affordable.

The target market for SimaFore is small and medium-sized businesses, with an ideal customer that has between 10-100 employees, possessing at least some resources for collecting and managing their data.  SimaFore hopes to deliver custom apps to at least 25 SMBs in 2013. The solution is set to be priced at $1000 for the first year, with an ongoing maintenance fee of $300-500 per month per customer thereafter. Over time, some of these apps would be productized and sold to larger numbers of customers in specific segments.

LinguistaLogix

As a language specialist for over 20 years, Ohio-based Professor Rex Ferguson often finds he is called upon for his services. While working as a Spanish language medical translator, he observed his work save a child’s life. He realized that hospital personnel were not given the language instruction necessary to successfully do their job while working with ESL patients. In response to this industry deficiency, Rex created LinguistaLogix, an educational software business focused on teaching oral proficiency targeted toward medical professionals.

Of course, there are many more entrepreneurs working throughout the Midwest, often unsung due to the media’s obsession with venture-funded startups. It is every bit our intention to highlight their stories.





MegaCracker tool could reveal Mega passwords

Following the launch of the Mega cloud service at the start of this week, a security researcher has found a cryptographic flaw in it that could reveal user passwords.

Steve Thomas is designing a tool dubbed ‘MegaCracker' that would crack hashes embedded into email confirmation links sent from Mega to users as they register for the service.

He said on Twitter that ‘a hash of your password is in the confirmation code. Cost is 65536 AES/password plus 1 AES/user. Which is very fast'. He also said that he has not yet completed the tool and did not say how dangerous the threat was, as the confirmation emails would need to be intercepted before passwords could be cracked.

Since its launch by Kim Schmitz [AKA Kim Dotcom], the cloud-sharing service has been under the microscope because of its claims of strong security through the use of 128-bit AES encryption and 2048-bit RSA public and private key infrastructure.

Schmitz was keen to avoid a repeat of the police raid on now seized cloud service MegaUpload, made on the grounds of copyright violation, by ensuring user data was encrypted before it hit Mega servers so the company would lack the keys to decrypt user data.

So far, security flaws including cross-site scripting and problems with random number generation have been discovered in the beta service. Security folk have also flagged problems with the fact that Mega uses a web browser to send encryption information, opening avenues for attackers to intercept keys by breaking SSL or by commandeering Mega's servers, some of which are said to be located in the United States.

Cryptocat creator and cryptography specialist Nadim Kobeissi went so far in his criticism of the site's security as to tell Forbes that ‘it felt like I had coded this in 2011 while drunk'.

Yet allegations that Mega's use of deduplication - a function to avoid multiple uploads of a single file - would allow copyright enforcers to determine the names of files uploaded by users were overstated, according to Errata Security founder Robert David Graham.

“They think [deduplication is] impossible without the server knowing how to decrypt the file. It's actually quite possible”, Graham said in a blog.

Mega, he says, trips up because it allows users to check for duplicates using a filename, which is cheap on bandwidth but allows copyright enforcers an easy way to snuff out pirated content.

“This will cause [a flood of] millions of hashes trolling for content, and in the end, probably use more bandwidth than it saves,” he said.

Mega's chief technology officer told Venturebeat some of the reported security concerns were overstated, and added Mega was investigating ways to allow users to change the password used to encrypt the AES key.



Cyber Security Challenge offers new espionage cipher and announces official app

The Cyber Security Challenge is to launch a new cipher and its first mobile application.

Announced at an event in London this week, the PwC-developed cipher will be built around the concept of a highly sensitive piece of data that has been stolen from an executive's machine. Participants will require basic network traffic analysis skills, alongside programming or scripting skills and knowledge of cryptographic algorithms, which add a mathematical element to the puzzle.

According to the Cyber Security Challenge, those who tackle the cipher will be challenged to understand, unravel and piece together the attacker's actions and determine whether the stolen file can be decoded. It also said that it will demonstrate the type of targeted network intrusion and data compromise which affect companies on a daily basis.

Kris McConkey, leader of PwC's cyber threat detection and response practice, said: “Intellectual property, trade secrets, customer databases and corporate and personal communications are a key currency in organised crime and economic espionage.

“By developing a more realistic scenario, this cipher will test a far broader and deeper spectrum of skills than any we have previously run and more accurately reflects the nature of incident response engagements our team here at PwC conducts for clients day in, day out.”

The app, which will contain new competitions and puzzles and archived ciphers, will be available to download for free from the iTunes app store in the coming weeks and will be available on both iOS and Android.

Stephanie Daman, CEO of the Cyber Security Challenge UK, said: “The challenge has already proven that there are many people out there who have the skills, aptitude and characteristics to become a UK cyber defender but who don't realise quite how capable they are. It is up to the challenge to find new ways of reaching these people, helping them acknowledge their talent, and nurturing it. This smartphone app is the latest addition to our armoury.”



Atari U.S. Files for Chapter 11

When a company as iconic as Atari files for Chapter 11, it could be game over, but any business big or small can find itself in legal trouble from time to time. Knowing how to avoid the pitfalls in the first place is the best way to dodge difficulties. We’ll look at the Atari case, then go on to some other tips for keeping your business on the straight and narrow.

Penny Arcade

Two player. Actually, the filing for bankruptcy protection by Atari’s U.S. operations is simply an attempt to extricate itself from a troubled French parent company. The plan is to take the game company private and develop a business based on products for digital and mobile platforms, sources say. Sometimes legal issues arise out of simple business necessity. Make sure you know your options. Los Angeles Times

Be prepared. In fact, Marsha Friedman, who today heads her own Florida-based PR firm but started her career as an entrepreneur by launching a Greenwich Village-style coffee house in Venice Beach, CA 42 years ago, insists that knowing the legal ins and outs of any business you start should be a top consideration. “It doesn’t matter whether the law is a major one or a technicality, violate it and it can kill your business,” Friedman warns. EMSI

The Bigger They Are…

Private property. Whether it’s a patent, trademark, or copyright, legal protection can also be applied to certain inventions, processes, and the intellectual property used in your business. However, according to intellectual property attorney Steve Hansen, entrepreneurs interested in this kind of protection should first make absolutely certain the process or invention is truly original and has commercial applications before pursuing a potentially costly and time intensive application. B4B Connect

Endangered. Small businesses also need legal protection against very real dangers like personal injury claims. These can be damaging to any business, say business bloggers and consultants Harry and Sally Vaishnav. Their post looks at nine tips every small business owner should consider when trying to avoid costly litigation. Read to discover whether your business might be taking any unnecessary risks. Small Biz Viewpoints

Data on the Duchess. Circumstances surrounding a prank phone call to a hospital treating the Duchess of Cambridge that apparently resulted in the tragic suicide of a nurse raise surprising questions about business liability, says commercial lawyer Flor McCarthy, in this guest post about the importance of protecting data in your company. The now infamous prank demonstrates how sharing personal data inappropriately or without permission can lead to trouble for any business. Tweak Your Biz

Make No Mistake

I was a teenage hire. Many people landed their first jobs while still in their teens. In fact, here in the U.S., an estimated 18 million teens will work this year, and most will work for small businesses, reports small business expert Daniel Kehrer. However, there are rules employers need to understand about tapping this valuable labor market. They include minimum wage, overtime, and child labor laws, which are enforced by the U.S. Department of Labor with fines and sanctions levied against violators. BizBest

A good place to start. These six tips will help you take some steps you either should have taken already or will definitely want to take before heading into the new year. They cover everything from preparing for legal liability to the need for contracts and to retain legal counsel. If there are any points here you haven’t really thought about for your business, do yourself a favor and revisit them, suggests business writer Rieva Lesonsky. You’ll have a better 2013 if you do! Grow Smart Biz