Facebook Sued Over Privacy Concerns…and Maybe More

It’s not the first time and it probably won’t be the last. Social media giant Facebook has been named in another class action suit over its oft-criticized treatment of user data.

This part of the story may not be all that surprising. Concerns about online privacy, especially where social media is concerned, are old news.

So the question becomes, why has there been so much buzz over the latest case? Well, ultimately it may be because Facebook is again really being sued over its business model.

After all, there are lots of businesses these days that use customer data…including small ones. And in the end, that’s what the suit filed on behalf of about 160 plaintiffs really boils down to.

Facebook Suit Focuses on Company’s Data Use

Specifically, Facebook is accused of violating California privacy laws and the Electronic Communications Privacy Act. The suit says the company scanned users’ private messages and then sold the information it collected to advertisers and data aggregators, AdWeek and other news sources report.

Though the fact that Facebook and other businesses use customer data isn’t that surprising, the amount of data used and what is disclosed to customers are the real issues here.

In a recent post on LinkedIn, Bernard Marr, an enterprise performance expert from the UK observes:

“In principle, there is nothing wrong with Facebook using our data to make commercial gains. In the end, the service is free and Facebook has to make money somehow. However, my biggest concern is that the data mining activities are not as transparent as they should be.”

In another class action suit filed last year, Facebook was accused of sharing members’ “likes” on sponsored posts without their permission. The company ultimately settled in that case.

Many Companies Use Customer Data

Certainly many companies today large and small use customer data. What’s important is for these businesses to think carefully about how they are using this data, and to be aware of the risks.

For example, Pam Nelson, co-owner of Butter Lane, which operates two specialty bakeries in New York, says her business tracks customers by their credit card number to separate first-time and repeat customers. More recently, the company has begun tracking more detailed data using a new customer loyalty program.

Nelson says that by signing up for the program, customers are allowing the business to track them by name with each credit card transaction.

Customers are then given cash back or other rewards depending upon the amount of money they spend. The program allows Butter Lane to cater to its best customers, reward their patronage and encourage them to spend more.

Consider How You Use Customer Data

Of course, it’s important to seek legal counsel when determining whether your use of customer data fits the rules. But there are some things to consider in the meantime:

  • Consider whether you have customer consent. In the case of Butter Lane, customers are asked to provide their names so that their buying behavior can be tracked and rewarded.
  • Consider whether you’ve been transparent. As Marr points out, the greatest concern in the most recent Facebook case is whether users were made aware that data from their private messages would be shared.
  • Consider whether the data you are collecting is aggregate or personal. Data that follows customer behavior as opposed to data that identifies customers individually is very different, Tom Lefroy, chief executive of the U.K.-based Advertising Association told the Financial Times recently. Are your customers more comfortable with you using one than the other?

Bottom line: The answers to these questions will not guarantee that your company is safe in its use of customer data in the rapidly changing digital economy. But they may get you thinking about the risks you face and how to minimize them in the future.


Top 10 issues in IT security for 2014

From banking hacks and malicious mobile apps to insider leaks and a serious data breach each month, 2014 promises to be a challenging year for CISOs.

From banking hacks and malicious mobile apps to insider leaks, 2014 promises to be an interesting but challenging year for CISOs. Here, SCMagazineUK.com looks at the issues coming into view.

1. Insider threat isn't going away

Former NSA contractor Edward Snowden may be holed up in Russia but his influence over the IT security sector is still tangible, casting a shadow over 2014.

That's especially true in the corporate world, with large organisations fearful that their own employees could readily leak data to unauthorised, outside sources.

"Companies should know who they are giving their data to and how it is being protected," said Tim Ryan, managing director and cyber investigations practice leader at US-based risk mitigation and response firm Kroll.  "This requires technical, procedural and legal reviews."

Ryan suggests that the “insider threat” is still very real and believes that there may be others like Snowden across a range of organisations.

“There's a tremendous amount of data compromised today where the act is never discovered or disclosed.

"People discount the insider threat because it doesn't make the news. The insider threat is insidious and complex. Thwarting it requires collaboration by general counsel, information security, and human resources."

Malcolm Marshall, UK and global leader of the KPMG Information Protection and Business Resilience team, added that the insider threat could, however, boost Internet privacy.

“Snowden's revelations have triggered a privacy debate which will continue to rage in 2014,” Marshall told SCMagazineUK.com. “Expect more disclosures, more calls for greater transparency over government actions, and more efforts by the Internet giants to persuade customers that their data is secure.”

2. Cyber attacks, including government-sponsored, continue; education and standards prioritised

Nation states are stepping up their cyber efforts all over the world, for both offensive and defensive purposes. As one example, North Korea reportedly spent some £470 million on a wave of cyber attacks against South Korea between March and June 2013.

2014 will see a continuation of these kinds of efforts, especially as companies and governments come to understand the full repercussions of a cyber attack. Some governments will reportedly sponsor attacks of their own.

“Within the next couple of years, we will experience an increasing number of cyber attacks resulting in militaristic and economic damage,” said Jarno Limnell, director of cyber security at Stonesoft, when speaking to SCMagazineUK.com. 

“As states compete to become credible world players we can expect to see further announcements by various states regarding their offensive and defensive strategies. Cyber is the new battlefield, and the fifth element of warfare. As such, it's likely that future conflicts will involve cyber battles and because of this, states will be - and already are - pouring a huge range of resources into developing defence and offence capabilities for cyber war.”

Limnell added that cyber security education will come into focus in 2014, while KPMG's Malcolm Marshall believes that the cyber security threat will see the introduction of voluntary compliance.

“As governments worry about the scale of the cyber security threat, we can expect to see more national standards emerge, and greater pressure for “voluntary” compliance,” he said.

“The US NIST cyber security framework and the UK government's ‘kitemark' are just two examples. On the back of emerging standards we will see the cyber insurance market develop and begin to provide market incentives for compliance, whether that is a willingness to insure or reduce premiums. Non-compliance will also lead to a legal debate over liability for incidents.”  

3. Enterprises deploy faster response and recovery solutions

Kroll managing director and Cyber Investigations practice leader Tim Ryan says that companies will look for technology solutions that enable them to react to issues faster than ever before in 2014.

"We've seen a dramatic improvement in response technology over the last year," says Ryan. "Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response." 

"Companies will gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to affected customers," he adds.

4. 'Social' the new frontier for cyber crime

Cyber criminals will increasingly attack social platforms in 2014.

“We predict many of the cyber crime tactics that are successful when targeting social networking users will be applied in new, innovative ways within professional social networks,” reads a forecast report from Websense. Indeed, other studies suggest that cyber attacks will become so frequent that consumers will face “data breach fatigue”, meaning they'll be less likely to protect themselves.

Websense cited one example of a fake LinkedIn user pinpointing users for an upcoming phishing campaign, and said that attackers lure in execs by sending messages with innocuous titles like “Invitation to connect on LinkedIn” and “Dear customer”.

5. DDoS attacks get even bigger but botnets stick around

Distributed denial of service (DDoS) attacks were a big deal in 2013 and could be even more prominent in 2014 - NASDAQ reportedly went down temporarily as a result of an attack in August, while the March attack on anti-spam group Spamhaus, attributed to Dutch web hosting company CyberBunker, was large enough to disrupt internet traffic well beyond its target.

If that wasn't bad enough, one study from Corero reveals that most organisations lack an appropriate DDoS response plan, and security experts now warn that the severity of these attacks could get worse over the next 12 months.

“One thing that I have noticed over the past year is that almost all successful DDoS attacks have had massive traffic volumes associated with them,” Joakim Sundberg, security solution architect at F5 Networks, told SCMagazineUK.com. “However, these attacks have not been very smart and volumetric scrubbing, combined with access control, has, in most cases, solved the problems. Volume, as an attack vector itself, will become less relevant as time goes on.

“Instead, I see two main themes emerging. Firstly, over the next 12 months I believe we will see hackers developing more intelligent tools that are capable of adapting to and using the weaknesses in the protection systems of specific targets.  Secondly, we will start to see underground organisations refining the user credentials stolen from platforms like Facebook, Gmail and Twitter. There is a huge opportunity for hackers to use stolen passwords in their attacks provided they can be put in the right context.”

“These smarter, more targeted DDoS attacks which leverage context and refined user credentials for specific DDoS campaigns will be a lot more commonplace in 2014.”

Sophos global head of security research James Lyne believes that botnets still curry favour with cyber criminals.

“I know we're talking about stealthier APTs but that doesn't eradicate the threat of the old botnet adversary,” he told SCMagazineUK.com, adding that the continued visibility of ZeroAccess and other botnets, whose payloads do everything from mining bitcoins to credit card fraud, is something that needs monitoring.

“In the middle of 2013, there was a dip in ZeroAccess botnets, after a sinkhole traffic effort across the whole industry,” said Lyne. “But after a short period of time the attacks were stronger than before the action was taken.”

Lyne says that hackers are now “squaring up” to businesses, something he puts down to greater skills and more tools.

“They've designed their infrastructure to make [their botnet] immune from sinkhole attacks and moved around the static [security] infrastructure.

“The average cyber criminal has upped their skill level or gained access to new and better tools. In 2014, there will be more players, more competition and more innovation. The quality [of attacks] is going to increase.”

6. Android to see a malware explosion

Google's Android is a constant concern as far as security is concerned, but Lyne thinks that the threats will get worse in 2014.

“In 2013, we've seen a set of cyber trends that are now beginning to take off,” he said. “There are now more malware attacks, and they're actually challenging to deal with,” Lyne told SCMagazineUK.com.

“Now, apps are encrypted to command and control (C&C) as used in the PC world and detection is more difficult. That's actually starting now.”

Lyne urged businesses to put employees on “awareness training”, to use basic device configuration to enforce encryption, and to restrict downloads to trusted app stores only. He added that firms should have a “good hard look” at anti-malware and anti-virus solutions.

7. Internet of Things extends threats to 'dumb' platforms

The Internet of Things is a hot new term describing how devices are interconnected via the internet, but it will be under the microscope as far as security is concerned in 2014.

“You can expect dumb things will get smarter in 2014,” writes Symantec researcher Kevin Haley.

“With millions of devices connected to the Internet - and in many cases running an embedded operating system - in 2014, they will become a magnet for hackers. Security researchers have already demonstrated attacks against smart televisions, medical equipment and security cameras. Already we've seen baby monitors attacked and traffic was shut down on a major tunnel in Israel, reportedly due to hackers accessing computer systems via a security camera system.”

“Major software vendors have figured out how to notify customers and get patches for vulnerabilities to them. The companies building gadgets that connect to the Internet don't even realise they have an oncoming security problem”.

He added that these systems are not just vulnerable to attack, but also offer little means of notifying consumers and businesses when vulnerabilities are discovered.

8. Consumer products penetrate the perimeter, boost demand for security protection

The increasing deluge of smartphones, tablets and other devices into businesses may be improving employee productivity, but they represent a very real - and growing - security risk.

“The security perimeter is a more penetrable boundary and cyber criminals can take advantage of multiple attack vectors to gain access to a company's network,” said Sam Maccherola, VP of sales and general manager for EMEA at Guidance Software, in an interview with SCMagazineUK.com. 

“These points of vulnerability - mobile devices, USB drives and Bluetooth speakers - will multiply through next year, making it difficult for organisations to keep track of all the different entry points. 

“Just as cybercriminals will exploit the increasing consumerisation of IT, as part of the fight back we're likely to see organisations focused on the extension of security protection to non-corporate owned devices to shore up their defences."

“We will see an increased volume of malware targeting hardware with cybercriminals attacking beneath the operating system. The entry route to infect the network could be mobile devices as cybercriminals use smart phones or USB devices to gain access to PCs via Wi-Fi."

Banks continue to be susceptible to advanced persistent threats (APTs), as well as man-in-the-middle attacks, which can render two-step verification inadequate.

9. Regional clouds proliferate

Perhaps unsurprisingly in light of the National Security Agency (NSA) tapping data centres and cloud storage providers in the US, security analysts foresee the rise of regional cloud centres.

Writing for Microsoft's official blog, Trustworthy Computing director Jeff Jones said that this represents an opportunity for vendors.

“In the wake of heightened concerns about unauthorised access to data, we will see the emergence and broad promotion of regional cloud service offerings,” wrote Jones.

“The increased sensitivity to both legal data access and intelligence monitoring will be seen as a market opportunity that will be actioned in two ways - start-ups and existing providers.

“Regional start-ups will see a new opportunity to compete against global providers, while existing providers will develop and offer services delivered from regionally-based data centres in an effort to allay concerns and provide increased customer choice.”

10. Criminals prey on Windows XP vulnerabilities

Microsoft is dropping support for Windows XP in April 2014, and that means no more patches and probably a lot more cyber attacks.

“Once Microsoft halts support of [Windows] XP, companies running the OS will not only be faced with huge custom support costs, but will also expand their attack vector, becoming potential targets for new malware and vulnerabilities targeting unpatched systems,” blogged Avecto's Andrew Avenessian.

“The coming end of support for Windows XP combined with Java 6 (which is already out of support) and the issue of how broadly these legacy platforms are deployed means we are likely looking at the largest number of un-patched and attackable vulnerabilities in history,” wrote Trend Micro's Christopher Budd in a blog post, adding that 20 percent of PCs still run the dated operating system. Just as concerning, most ATMs have yet to transition away from XP.

“If that doesn't describe a perfect storm, I don't know what does,” concludes Budd.



Top 5 most common security development errors

Keeping it simple and ensuring the basics are properly covered is likely to result in the biggest improvement in software security, says Cigital's Paco Hope.

Over the past year, a lot of attention has been focussed on the security failures of software and devices. When these vulnerabilities are presented by clever and talented security experts, it is easy to imagine that protecting software from hackers requires equivalent talent and ingenuity. The reality is quite the opposite.

Most of the prevalent vulnerabilities stem from some fairly common failures in software development. We highlight five of these failures here, but there are many more. The trick to making hackers' lives difficult is to get really good at the basics and pick all the low-hanging fruit during the development process. Avoiding these five errors is not everything, but it's a really good start. Advanced protections in software will not succeed unless the basic requirements are all met.

API validation - The world is evolving into connected “things”. Each “thing” that is networked - a camera, phone, television, printer, electric meter or medical device - has an API for interacting with it. It will accept messages and it will respond to them. For every API, you must know a few things: Who are you talking to? Are they allowed to have what they're asking for? On the web, this is fairly obvious (even if we get it wrong fairly often). Someone asks for a web page, we check who they are and their authorisation, and then return appropriate results. However, these two requirements don't change when coding the navigation system in a car. We must distrust callers until they prove their identity and authority. This is notoriously hard to do from scratch, but there are lots of protocols at lots of layers that we can leverage.
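As an added illustration (example code written for this edit, not from Cigital or the article): a minimal request handler for a hypothetical device API that answers both questions before doing anything. The caller table, shared keys, operation names and request format are all assumptions; it uses HMAC-SHA256 over a canonical encoding of the request as the identity proof, and a separate allow-list as the authority check.

```python
import hashlib
import hmac
import json
import time

# Constructed key table: caller id -> shared secret. In a real deployment the
# secrets are provisioned per device and kept in a secret store, not in source.
KEYS = {
    "dashboard-01": b"dashboard-secret-key-0123",
    "diag-tool": b"diag-secret-key-4567",
}

# Constructed authorisation table: the operations each caller may invoke.
# Anything not listed is denied.
PERMISSIONS = {
    "dashboard-01": {"read_speed", "read_position"},
    "diag-tool": {"read_speed", "read_position", "set_route"},
}

MAX_SKEW_SECONDS = 30          # how stale a request may be
_seen_nonces: set = set()      # replay cache (a real service persists this)


def canonical(caller: str, payload: dict) -> bytes:
    """Deterministic bytes that both sides sign: the caller id is bound in,
    and the JSON is serialised with sorted keys and no optional whitespace."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return caller.encode() + b"\n" + body.encode()


def sign(caller: str, payload: dict) -> str:
    """Client side: HMAC-SHA256 over the canonical request with the caller's key."""
    return hmac.new(KEYS[caller], canonical(caller, payload), hashlib.sha256).hexdigest()


def authenticate(message: dict, now: float) -> str:
    """Answer 'who are you talking to?'. Return the verified caller id or raise.
    Identity is proven only by a valid MAC under a known key, within the
    replay window, with a nonce not seen before."""
    caller = message.get("caller")
    key = KEYS.get(caller)
    if key is None:
        raise PermissionError("unknown caller")
    payload = message.get("payload")
    mac = message.get("mac")
    if not isinstance(payload, dict) or not isinstance(mac, str):
        raise PermissionError("malformed request")
    expected = hmac.new(key, canonical(caller, payload), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a wrong MAC leaks nothing via timing
    if not hmac.compare_digest(expected, mac):
        raise PermissionError("bad signature")
    ts = payload.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
        raise PermissionError("stale or missing timestamp")
    nonce = payload.get("nonce")
    if not isinstance(nonce, str):
        raise PermissionError("missing nonce")
    if (caller, nonce) in _seen_nonces:
        raise PermissionError("replayed request")
    _seen_nonces.add((caller, nonce))
    return caller


def authorize(caller: str, operation) -> None:
    """Answer 'are they allowed to have what they're asking for?'. A valid
    signature proves identity only; authority is a separate check."""
    if operation not in PERMISSIONS.get(caller, set()):
        raise PermissionError(f"{caller} may not {operation}")


def handle(message: dict, now: float) -> str:
    """Server entry point: deny by default, act only after both checks pass."""
    caller = authenticate(message, now)
    operation = message["payload"].get("op")
    authorize(caller, operation)
    return f"{operation} executed for {caller}"


def build_request(caller: str, op: str, nonce: str, ts: float) -> dict:
    """What a legitimate client sends (also used to construct test input)."""
    payload = {"op": op, "nonce": nonce, "ts": ts}
    return {"caller": caller, "payload": payload, "mac": sign(caller, payload)}


if __name__ == "__main__":
    t = time.time()
    print(handle(build_request("dashboard-01", "read_speed", "n1", t), t))
    try:
        handle(build_request("dashboard-01", "set_route", "n2", t), t)
    except PermissionError as e:
        print("denied:", e)
```

Run it directly to see one permitted and one refused call. The two checks are deliberately separate functions: a request can pass `authenticate` and still be refused by `authorize`, which is exactly the case (valid identity, wrong authority) that API code most often gets wrong.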

Information leakage - Modern software leaks information everywhere. We leak it in error messages, parameter names and in the source and object code. To top it off, software and devices often record verbose logs that tell an observer which functions were called, the values of some parameters, the order in which they were called and the results. Anyone who looks to attack software will get a wealth of information from these logs. Developers must be extremely aggressive in minimising the output of any errors, standard headers, progress messages and state indicators. Any code that runs outside your data centre should be obfuscated, whether it's mobile, embedded or just JavaScript in the browser. Security through obscurity is never sufficient, but it is no longer superfluous, either.

Input validation - Like the 17-year cicada, input validation lies dormant for a little while and then suddenly springs to life making a lot of noise and nuisance for everyone. Years ago, a stray hole in a paper tape might crash the whole mainframe. A few decades later, we feared buffer overflows in C++ programs. Cross-site scripting and SQL injection were last decade's big problems, and today we revisit many of the old buffer overflows on new platforms, like Android, iOS, cars and smart TVs. We have to be incredibly pessimistic and pedantic with our input - we can't cut corners and make assumptions about language, character set or encoding. We have to strictly enforce it throughout the data's lifetime. The fact is that a massive number of bugs leading to major vulnerabilities turn out to be input validation failures.
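A worked example of that pessimism, added for this edit (hypothetical record format and field rules, not code from the article): a length-prefixed binary record is parsed without trusting its declared length, and the decoded text is validated with strict UTF-8 decoding, Unicode normalisation before an allow-list check, and a ban on control and bidi-override characters. The sample inputs at the bottom are constructed.

```python
import re
import struct
import unicodedata

MAX_NAME_BYTES = 64
MAX_NAME_CHARS = 32
# Allow-list, applied after normalisation: letters, digits, underscore, dot, hyphen.
NAME_RE = re.compile(r"\A[\w.-]+\Z")
# Unicode categories that are never legitimate in a name: controls, format
# characters (incl. bidi overrides), surrogates, private-use, unassigned,
# line/paragraph separators.
FORBIDDEN_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"}


class InvalidInput(ValueError):
    pass


def parse_record(buf: bytes) -> tuple:
    """Parse one record (2-byte big-endian length + UTF-8 name) from buf and
    return (name, remaining bytes). Every length comes from the attacker, so
    each is checked before it is used to index anything."""
    if len(buf) < 2:
        raise InvalidInput("truncated length prefix")
    (declared,) = struct.unpack(">H", buf[:2])
    if declared == 0 or declared > MAX_NAME_BYTES:
        raise InvalidInput(f"declared length {declared} out of range")
    if len(buf) - 2 < declared:
        # The classic over-read trigger: the prefix claims more than is present.
        raise InvalidInput("declared length exceeds available data")
    raw = buf[2:2 + declared]
    return validate_name(raw), buf[2 + declared:]


def validate_name(raw: bytes) -> str:
    """Decode strictly and enforce the field's rules; never guess the charset."""
    try:
        # errors="strict" rejects invalid bytes, overlong forms and surrogate
        # code points instead of silently substituting them.
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as e:
        raise InvalidInput(f"not valid UTF-8: {e.reason}") from None
    # Normalise first so that visually identical forms compare equal everywhere
    # the value is later used (storage, logs, comparisons).
    text = unicodedata.normalize("NFC", text)
    if not 1 <= len(text) <= MAX_NAME_CHARS:
        raise InvalidInput("name length out of range")
    for ch in text:
        if unicodedata.category(ch) in FORBIDDEN_CATEGORIES:
            raise InvalidInput(f"forbidden character U+{ord(ch):04X}")
    if not NAME_RE.match(text):
        raise InvalidInput("name contains characters outside the allow-list")
    return text


def record(name: str) -> bytes:
    """Build a well-formed record (used to construct sample input)."""
    data = name.encode("utf-8")
    return struct.pack(">H", len(data)) + data


if __name__ == "__main__":
    name, rest = parse_record(record("alice-01") + record("bob"))
    print(name, parse_record(rest)[0])
    for bad in (b"\x00\x05abc",                 # claims 5 bytes, only 3 present
                b"\x00\x02\xc0\xaf",            # overlong encoding of '/'
                record("alice\u202eecila"),     # right-to-left override
                record("../etc/passwd")):       # outside the allow-list
        try:
            parse_record(bad)
        except InvalidInput as e:
            print("rejected:", e)
```

The order matters: decode strictly, then normalise, then check categories and the allow-list on the normalised text. Checking the allow-list before normalisation is how decomposed or compatibility forms slip past a filter and recombine into something else downstream.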

Output encoding - The other side of input validation is making data safe for release to the wild. The two big problems are knowing the storage format of the data and knowing the output context. There are numerous examples of bugs related to double encoding - or lack of encoding - because developers did not know what format the data was in when it was stored. Knowing the output context, however, is extremely complicated. Consider HTML: If the output is going to text, an HTML tag, an HTML attribute, an HTML comment or a JavaScript context, the characters that are special differ. The less-than character - “<” - might be very special in some contexts, and not at all special in others. It is notoriously tricky to encode correctly based on context, but that's exactly what we have to do.
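Added example (written for this edit, not the article's code): four small context-specific encoders and a template helper that refuses to emit a value whose output context was not stated. The placeholder syntax `{{name:context}}`, the function names and the attack string are assumptions; data is stored raw and encoded exactly once, at the point of output, which is what avoids the double-encoding bugs the passage mentions. The same payload comes out differently in each of the four contexts.

```python
import html
import json
import re
import urllib.parse


def encode_html_text(s: str) -> str:
    """Between tags. Only & < > matter here, but quotes are escaped too so the
    same function stays safe if someone later moves the value into an attribute."""
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    """Inside a quoted attribute value. Everything non-alphanumeric becomes a
    numeric entity, which also covers the quote substitutes some browsers
    honour when an attribute is accidentally left unquoted."""
    return "".join(ch if ch.isalnum() else f"&#x{ord(ch):X};" for ch in s)


def encode_js_string(s: str) -> str:
    """Inside a JS string literal in a <script> block. json.dumps yields a
    valid JS literal (ensure_ascii also escapes U+2028/2029); additionally
    escape < > & so the value can never close the <script> element."""
    encoded = json.dumps(s)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_url_param(s: str) -> str:
    """Query-string value: percent-encode everything except unreserved chars."""
    return urllib.parse.quote(s, safe="")


ENCODERS = {
    "text": encode_html_text,
    "attr": encode_html_attr,
    "js": encode_js_string,
    "url": encode_url_param,
}

PLACEHOLDER = re.compile(r"\{\{(\w+)(?::(\w+))?\}\}")


def render(template: str, **values) -> str:
    """Substitute {{name:context}} placeholders. A placeholder with no context,
    or an unknown one, is a bug in the template and is refused rather than
    emitted raw."""
    def sub(m):
        name, ctx = m.group(1), m.group(2)
        if ctx not in ENCODERS:
            raise ValueError(f"unknown or missing output context for {name!r}")
        return ENCODERS[ctx](str(values[name]))
    return PLACEHOLDER.sub(sub, template)


# Constructed page: the same untrusted value lands in four different contexts.
PAGE = (
    '<p>Hello {{name:text}}</p>'
    '<input value="{{name:attr}}">'
    '<script>var n = {{name:js}};</script>'
    '<a href="/u?q={{name:url}}">me</a>'
)

if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'   # constructed attack string
    print(render(PAGE, name=payload))
```

The `<` in the payload becomes `&lt;` in text, `&#x3C;` in the attribute, `\u003c` in the script and `%3C` in the URL: one character, four encodings, chosen by where the data is going rather than by what it contains.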

Testing - A major limitation to successfully developing software is successfully testing it. Too many development organisations relegate “testing” to mere checking that functions execute as expected. Not nearly enough open-ended, exploratory testing is performed with the explicit aim of finding previously unknown defects that arise when the whole system is integrated. In addition to human exploration, fuzz testing is a valuable technique for teasing out strange edge cases and behaviours. Penetration testing, a popular late-lifecycle security technique, rarely has enough scope, domain knowledge or time to cover a significant percentage of code and functions. It can find egregious oversights, but cannot match the level of coverage of functional testing. Functional testers must incorporate basic security testing activities into their regression tests and build regression tests based on penetration test findings to eliminate the recurrence of known vulnerabilities.
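To show what open-ended testing adds over checking expected behaviour, here is an added example (not from the article): a toy parser with one planted defect and a small mutation fuzzer that finds it by treating any exception other than the parser's declared ParseError as a finding. The record format, the defect and the seed inputs are all constructed; the fuzzer is seeded so that a run is reproducible.

```python
import random

# Bytes worth injecting: separators the format cares about plus edge values.
INTERESTING = [0x00, 0x0A, 0x20, 0x3B, 0x3D, 0x7C, 0x7F, 0xFF]


class ParseError(Exception):
    """The only exception the parser is specified to raise."""


def parse_record(data: bytes) -> dict:
    """Toy parser for b'v1|key=ival;key=sval' records, where each value carries
    a one-byte type prefix: 'i' integer, 's' UTF-8 string. It has one planted
    defect: an empty value makes value[0] raise IndexError, an exception the
    caller never expects and that a happy-path functional test would not hit."""
    if not data.startswith(b"v1|"):
        raise ParseError("bad magic")
    out = {}
    for field in data[3:].split(b";"):
        if not field:
            continue
        if b"=" not in field:
            raise ParseError("missing '='")
        key, value = field.split(b"=", 1)
        if not key.isalpha():
            raise ParseError("bad key")
        kind = value[0]                      # planted bug: IndexError when value is empty
        if kind == ord("i"):
            try:
                out[key.decode()] = int(value[1:])
            except ValueError:
                raise ParseError("bad integer") from None
        elif kind == ord("s"):
            try:
                out[key.decode()] = value[1:].decode("utf-8")
            except UnicodeDecodeError:
                raise ParseError("bad string") from None
        else:
            raise ParseError("unknown type")
    return out


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random structural mutation: bit flip, byte delete, byte insert, or
    chunk duplication. Length is capped so inputs cannot grow without bound."""
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]
    if choice == 1 and data:
        i = rng.randrange(len(data))
        return data[:i] + data[i + 1:]
    if choice == 2 and len(data) < 256:
        i = rng.randrange(len(data) + 1)
        return data[:i] + bytes([rng.choice(INTERESTING)]) + data[i:]
    if data and len(data) < 256:
        a = rng.randrange(len(data))
        b = rng.randrange(a, len(data)) + 1
        return data[:b] + data[a:b] + data[b:]
    return data


def fuzz(seeds: list, iterations: int, seed: int = 0) -> dict:
    """Mutation fuzzer. Inputs that raise ParseError are expected and ignored;
    any other exception is a finding. Returns {exception name: reproducer}."""
    rng = random.Random(seed)                # fixed seed => reproducible run
    crashes: dict = {}
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randrange(1, 4)):  # stack one to three mutations
            data = mutate(rng, data)
        try:
            parse_record(data)
        except ParseError:
            continue
        except Exception as exc:              # catching everything is the point here
            crashes.setdefault(type(exc).__name__, data)
    return crashes


SEEDS = [b"v1|a=i1;b=shi", b"v1|a=i7", b"v1|x=s"]   # constructed, all parse cleanly

if __name__ == "__main__":
    for name, reproducer in fuzz(SEEDS, 5000, seed=1).items():
        print(name, reproducer)
```

Every reproducer the fuzzer returns is a candidate regression test: once the defect is fixed so that an empty value raises ParseError, the reproducer goes into the functional suite so the bug cannot come back unnoticed, which is the feedback loop the paragraph above asks for.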

In summary, a grand master of any martial art earns rank by spending countless hours practicing basic moves: stances, punches, kicks, etc. This expert can probably win nearly any fight with just those rudiments. 

Writing secure software is much the same. This list of top five errors is the coding equivalent of basic moves towards secure development mastery. If development teams practice and apply these techniques to software consistently, they will win many more fights with hackers.



Keeping up with the bad guys

Malware writing has undergone many changes over the years - from hobbyists to a criminal business - with mobile and social now the hot targets, Rob Buckley reports.

“Even 10 years ago, malware was mostly about fun,” says Ondřej Vlček, CTO at Avast!, a Prague-based anti-virus company. Virus writers, he says, were after bragging rights. But now it's very professional, organised and very profitable. Malware writing changed with the realisation that people could make a lot of money from it.

Now, rather than trying to grab the headlines with another appeal to a worldwide love of Anna Kournikova, malware developers aim to stay below the radar. “If you're trying to do something nefarious, you don't want publicity, you want it to be quiet,” says Vince Steckler, CEO at Avast! “You want it to be much smaller scale so you can get some money. They don't want to be on the news for the same reason bank robbers don't want to - that's when they failed.”

And that means developing ways not only to avoid detection, but to ‘follow the money', whichever platform that might be on. That has meant the shape-changing polymorphism of the likes of Zeus, designed to evade the signatures of AV software; the targeting of lucrative PC uses, such as online banking; and the migration of malware onto other platforms, such as mobile phones, that offer similar, as well as their own unique, sources of revenue.

For both Vlček and Steckler, the key to catching up with the malware writers is Big Data. “Our mantra is not to go after individual cases, but look at it as a statistical problem,” says Vlček. He argues that by collecting data from all the computers and devices on which AV software is installed and then feeding it all into their systems, AV companies can crunch the numbers to work out the nature of the threat and how to defeat it. The more users and systems each company has, the better the quality of the protection provided.

That's why, for Steckler, free consumer versions of products shouldn't just be adverts for the premium versions. These software offerings are a vital component of AV protection, a ‘sensor net' gathering data that will protect not just them but everyone who pays for the products, whether they're consumers or users of the corporate products. “Without this sensor net, the technology wouldn't be where it is today.”

This Big Data-approach also helps to keep up with the constantly mutating families of malware that criminals are producing, Vlček says. “The polymorphism is still usually machine-generated, so there are ways of detecting it, although it's more difficult."

Part of Vlček's research in the company's virus lab concerns matching these different representations of the same malware family, so that one generic detection covers all of them. "We see many samples coming in and they may not look alike from the first sight or the second sight, but they either have a similar behaviour or they have some similar characteristics that we uncover," he says. They then find a more generic description for the whole family. "I still believe it is extremely important to have as much data as possible for that. The more samples or the more metadata you have - not only of the sample but the URLs they came from - the more you can match them and provide a generic description even for samples you have not seen yet.”

As technologies evolve or gain popularity, the criminals are not far behind. Mobile is looking more and more appealing to the malware writer. “Especially on Android, the KPIs are exploding, because its openness and design make it a logical choice for the attacker, and it has reached a critical mass in terms of penetration and market share,” Vlček says. And, he adds, with the smartphone's ability to send premium SMS and spam SMS messages offering new channels for malware writers to make money, it's only going to get worse.

“On desktops, many of the browsers and the operating systems have become secure, so attackers are searching for new ways to find exploits and vulnerabilities that are not so obvious or directly addressable from the network,” he says. Adobe, for example, was a huge target in the last couple of years. Java became a huge target as well. He believes similar opportunities will only grow with all the other add-ons that come installed on PCs which didn't go through scrutiny by security researchers. “I think the shift to mobile hasn't really happened yet,” he says. “We are going to see that in the next couple of years. There's an obvious appetite for that from the bad guys. It's a new platform, just a couple of years old.” These criminals are not yet so proficient with it, he explains, but that will change. “Commercialisation is clearly set to continue. The more money there is, the better they will get and the harder it will be to keep up.”

With both iOS and Windows Phone likely to open up more of their APIs to developers to provide additional functionality, they will become as viable as Android as targets, Steckler says, so no platform will be safe in the long run. In the meantime, these systems will be as vulnerable as Android because of other malware techniques. “The iOS isn't protected from phishing attacks, which is a favourite of the bad guys anyway.”

The next aspect of security that needs consideration is privacy, Steckler says. Both consumers and corporates are going to need social media protection capabilities, including checking of links for malware, better control of privacy settings, and control over apps. That goes for tracking in browsers as well.

Vlček agrees. “'Do not track in browsers' doesn't really work,” he says. “It's up to the servers whether to adhere to [the HTTP Do Not Track header] or not. Most commercial services don't adhere to it.” However, there are plug-ins that work very differently and filter out the JavaScript snippets that come from the servers. These also remove things like tracking from ad networks, analytics services or Facebook's Like buttons without breaking the service. Vlček suggests this approach is an important piece of the puzzle for privacy protection.



Phishing attack exploits fears over JPMorgan Chase breach

Phishing scam targets data-breach victims at JPMorgan Chase.

A new phishing scam is trying to profit from the fears of 25 million people affected by the data breach revealed last month by global financial services firm JPMorgan Chase.

The scam was highlighted in a 6 January blog post by Sophos senior security advisor Paul Ducklin, who says it shows how “cyber criminals use real security disasters to cause follow-up disasters of their own”.

The fake email targets the 25 million US users of Chase's UCARD debit card. About 465,000 of these people were told by the firm in December that their card data had been stolen, while the rest were left “in a sort of data security limbo”, Ducklin said.

He told SCMagazineUK.com that the new phishing attack exploits that situation. It asks people to provide more information in relation to the data breach and drives them to a credible-looking website.

“People should know about phishing, but this is believable and with the number of people involved they are probably going to hit their target very frequently. Whether by accident or design, this is also perfect timing. This one caught our attention because of the timing and the content.”

Ducklin reminded people of the need to “never log into a website reached by clicking on an email”.

Mike Loginov, chief cyber security strategist for HP ESS, said phishing attacks like the JPMorgan Chase scam are growing increasingly sophisticated in their ability to compromise individuals. He told SCMagazineUK.com: “Cybercriminals are taking phishing attacks to a whole new level by combining pertinent and trusted personal information that makes it even more difficult to spot in a fake email.”

Loginov cited examples of attacks that target high net-worth individuals “initially qualified by the bad guys using compromised credit cards and financial details, and followed with a simple surveillance or research exercise where anecdotal information overheard in a private conversation is utilised as part of the scam”.

The JPMorgan Chase data breach took place last July, but the firm only realised it had happened in September, and then notified people two to three months after that.

Companies use UCARD to pay salaries and US government agencies use it to issue tax refunds and benefits.



Cooperation is key to Africa's security future

It has been a slow process, but the world is finally waking up to the reality of cyber-security in Africa.

The International Cyber Security Protection Alliance (ICSPA) has identified Africa as a problem area in its eight-year evaluation of the modern threats to the world's internet security. The most serious issue is the large gap between the scale of the continent's security capability and the volume of internet-enabled devices now in the hands of ordinary Africans.

Africa is a hotbed of cyber-crime activity

The problem isn't necessarily one of education, however. Both the criminals and the security forces already have a wealth of skills gained from direct experience on their home turf.

The Duqu malware, successor to the infamous Stuxnet, was first reported in Sudan. South Africa is home to the malware Dexter, perpetrating credit card fraud every bit as sophisticated as those you would find in Europe, Brazil and the US, and Nigeria has even provided the name for the “419” scam, after section 419 of its criminal code which the trick violates.

In response, governments across Africa have been setting up computer security incident response teams (CSIRTs) designed to counter the threat. These provide both a practical defence against on-going attacks, and a knowledge-base for the government of each country when passing laws regulating the internet. Some have even grouped together in regional initiatives, such as AfricaCERT, offering advice and expertise across the region.

The major problem, though, is that these promising ventures are by no means the norm across the continent. Just as the problems that each country faces are often very different, so too are the methods used to combat them and the laws that are in place. For example, with a higher proportion of higher wealth individuals, credit card fraud is the hot-button issue in South Africa. In North African Morocco, with greater links to Europe, network security is a priority.

Governments must come together

This inconsistency makes it difficult for Africa as a whole to present a united front against cyber-crime, which can cost the economy millions of dollars. It is estimated that ordinary Kenyans lost £14 million last year as a result of fraud, but the knock-on effects of an ongoing crime problem can have a deeper impact on the economy. It is impossible to calculate the damage to Nigerian businesses, which have been virtually blacklisted by retailers around the world that refuse to ship to a country that has become a byword for online scams in recent years.

In order to provide a lasting defence for the whole continent, much more cooperation is needed between governments, security agencies and IT professionals to align their laws, training and policies and make sure there is nowhere for criminals to hide amongst the patchy legal and security systems.

It is pointless eliminating high tech crime from Egypt if the perpetrators can cross the border to Sudan and carry on undeterred. And improving network security in Senegal is only a partial solution when the vast majority of internet use is on mobile devices.

FIRST is looking to Africa, offering training and networking between agencies, because of the threat that cyber-crime in Africa poses to the rest of the world. If Africa continues to be a weak link, criminals won't need to fear even the most sophisticated European security, because they already have a softer entrance into the global network through Africa.

When we help develop the same terminology, similar approaches, and get innovative CSIRTs to share their technologies and experiences, that's when we can make meaningful change.



Hacker gains access to Downton Abbey series finale script

Will Guccifer's hacking activities cost ITV lost advertising revenue?

Guccifer, a hacker who is seeking to carve out a Kevin Mitnick-style place in the hacker-hall-of-fame stakes, has reportedly hacked into several high profile email accounts, including the BT Internet account of writer - and Peer of the Realm - Baron Julian Fellowes.

By answering BT Internet's 'security questions' Guccifer was apparently able to gain access to the script for the series finale of Downton Abbey, the popular ITV drama series, and has posted snippets on the Internet, much to the horror of ITV executives.

According to veteran security analyst Graham Cluley, Guccifer's victim list also includes comedian Steve Martin, three members of the UK's House of Lords, ex-Nixon aide John Dean, and the director of Romania's intelligence service.

Phil Turtle, the Brighton-based marketing professional and NLP (Neuro Linguistic Programming) practitioner, told SCMagazineUK.com that the hack of the Downton Abbey series finale could hit ITV where it hurts most - on the advertising revenue front.

"A script has been stolen, and you could say 'so what?', but here's what will happen. Some people might think 'why bother to watch it if I can get the script on the Internet?'" he said.

"Whilst the truth is that most viewers will probably still watch the series finale of Downton Abbey, the really important thing is that advertisers will think that fewer people will watch," he added.

Turtle went on to say those same advertisers will likely already be on the phone to ITV demanding a discount.

And he says that the people at ITV will have to cave in, meaning they will lose significant advertising revenues as a result of the Guccifer hack.

"The other aspect should be a wake-up call to IT people in all businesses. The more complex you make 'password' requirements, the more people can't remember them and have to write them down.

"Plus the 'password reminder' questions are nearly always easy to research personal questions given that everyone's life history is now on Facebook," he said, adding that it is time to stop all this complex unmemorable password nonsense and make them easy to remember but difficult to guess.

Cluley, meanwhile, said that if you are a public figure, it's not a great idea to use information which may only be a Wikipedia search away as protection for your account.

Unlike Turtle, however, he questioned whether the 'Downton' hack will cost ITV any money in advertising. All it would have done, he says, is to spoil the plot points for avid fans.

"That's something the tabloids do all the time with soaps," he said, adding that it is an example of how any of us could potentially be a target of a hacker - "whether you are a Lord like Julian Fellowes, a reporter or a regular member of Joe Public," he said.

"Make sure you're using strong, hard-to-crack passwords and that you haven't chosen easy-to-determine answers to your security questions," he added.



Forrester report says firms spend 21% of security budget on networks

Corporates need to invest in the human firewall - Forrester analyst

A study just published by Forrester Research claims to show that businesses on both sides of the Atlantic invested an average of 21 percent of their IT security budget on network defences last year - with 46 percent of businesses planning to increase this budget allocation during 2014.

http://www.forrester.com/Understand+The+State+Of+Network+Security+2013+To+2014/fulltext/-/E-RES112201

The report - Understand The State Of Network Security: 2013 To 2014 - says that businesses are boosting their investments in pro-active control and threat intelligence services, along with better wireless security, next-generation firewalls and increasingly advanced malware detection.

And when it comes to security services, the analysis - which polled 2,000 IT executives and decision-makers across North America and Europe - predicts that firewall management and threat intelligence services will see the most demand as we move forward into 2014.

Recommendations

Recommendations from the report - authored by Heidi Shey, Stephanie Balaouras and Kelley Mak of Forrester Research - include organisations continuing to invest in people and not just technology plus services.

A lack of staff and unavailability of security staff with the right skills is a challenge cited by almost half of organisations today according to the report. As firms continue to compete for skilled staff, Forrester says they should continue to invest in skills and career development for their current security team.

Andrew Rose, Forrester's Principal Analyst for Security & Risk in the UK, told SCMagazineUK.com that the report is the latest in an annual series from the company, all of which have noted a trend of extra investments in network security, even during the height of the recession.

"The problem has been that these investments have not been enough to secure the network resources, with predictable results," he said, adding that, whilst it is good to see budgets for IT security on the up - as this report observes - it is clear that many organisations still have legacy security systems in their architecture that are costing them a lot more to maintain than they should.

There are, he explained, lots of legacy systems, but it is also clear that many organisations would be better off on several fronts by investing in a completely new security architecture, rather than patching and maintaining legacy security systems which do not represent good value for money.

"The bottom line here is that corporates need to look at the actual bang-for-the-buck they are receiving from their IT security systems. They also need to remove the old layers of technology and refresh their security," he said.

"Then they also need to invest in what we call the human firewall - which amounts to better security training for staff. More technology on its own does not make for better security - organisations need to invest in training in order to enhance their security," he added.

The pen tester's view

Peter Wood, CEO of First Base Technologies, the pen-testing specialist, said that the Forrester report illustrates that network perimeter security is now quite mature - but we still find plenty of weaknesses inside organisations when we conduct a penetration test.

“Poor levels of staff awareness still leave organisations open to social engineering and advanced attacks - a growing problem, and inadequately secured internal systems are easily exploited by insiders - still the most significant source of attack according to the report,” he explained.

Wood went on to say that organisations need to engage independent experts to test their defences in a much more holistic fashion - simulating the more sophisticated, multi-stage attacks which are now so prevalent.

“Advanced testing should start with background research and social engineering, moving through end point exploitation, to network attacks and data exfiltration. Since this is what the criminals do, we believe it's critical to simulate these attacks and test defences against real-world threats,” he said.

Focus on weaknesses

“Finally, risk-based testing is critical to optimise the use of limited budgets and to focus on the key weaknesses in each sector and each individual organisation,” he added.

Delving into Forrester's report - which forms part of the firm's Forrsights programme - shows that inadvertent insider breach (36 percent) and malicious insider breach (25 percent) were two of the top five most common ways in which breaches occurred in 2013.

Network firewall monitoring and management/Web application firewalls, meanwhile, were noted as the top two growth categories that organisations would like to have as-a-service in 2014, with 28 percent of organisations stating that they plan on investing in either adoption or expansion in both technologies.

Interestingly, whilst 57 percent of organisations indicated that they prefer to source from one single vendor's portfolio, more than half of firms rated lack of staff as a challenge to achieving security goals, with 48 percent citing unavailability of security employees with the right skills as a major challenge, and lack of security operations skills as the biggest pain point.



Understanding the role of hacktivism

Check Point VP says individual hacking actions are not always criminal

Gabi Reish started life working for IBM back in the early 1990s - and for the last four-and-a-half years has been working with Check Point, the veteran IT security vendor, where he is VP of Product Development.

Reish's time with Check Point has coincided with a shift away from what is perhaps best described as 'conventional security' and a move to software-based boxes, in the shape of the company's Software Blade Technology.

His job, as he often says, involves looking over the horizon at what threats are rising and coming down the technology turnpike, and then helping his team to develop the technology to defend against these threats.

It was against this backdrop that we spoke to Reish just before Christmas for an update on what he sees as the likely threats we - as an industry - will see in 2014.

The key worry that he and his team are currently concerned about, he told SCMagazineUK.com, is malware, which he says infects computers from many different directions today.

The attacks seen over the last 12 months, he explained, have been very sophisticated in nature.

"In addition, where previously these attacks were against individuals, we are now seeing them taking place against entire companies and organisations. Coupled with the fact that 10 or 15 years ago the attacks were mainly mischievous, they are now almost all criminal in nature, this is a serious problem," he said.

Over the last 12 months, these attacks have also been seen using a bot - an automated Internet-based attack - to launch a number of attacks, both simultaneously and at very high velocity, meaning that some security defences can be overwhelmed, he went on to say.

Espionage on the rise

And just to make life even harder, he says, there has been a rising tide of industrial espionage attacks launched against companies by Chinese entities seeking to discover information from the organisations they are attacking.

The idea behind these attacks, he told SCMagazineUK.com, was originally to scan for information, but these scans are now changing into full-blown attacks, where cybercriminals - or groups of cybercriminals - are staging attacks on systems for reasons best known to themselves.

So where, we asked Reish, does hacktivism sit in the attack threat landscape?

He replied that it is important to understand that many politically motivated hacktivists are not criminals, nor do they have any criminal intent.

"The group as a whole, however, has a different intent. And they are classed as a criminal group for this reason," he said, adding that in April of this year, the Associated Press came under attack from a hacktivist group - and a news message claiming that President Obama has been injured was posted, even though the President of the US has clearly not been injured in any way.

"Then there was a hacktivist attack against MasterCard and Visa several years ago," he noted, adding that whilst the actions of individuals within a group may not have been criminal by themselves, the actions of the group as a whole were clearly criminal in nature.

What is interesting about these types of attacks, says Reish, is that the motives of the individual members of the group can be quite different, even though the end result of the group as a whole is quite obvious - and criminal in nature.

One attack trend the Check Point VP of Product Development and his team are concerned about in 2014 is the arrival of complex attacks on portable devices such as smartphones, which by their very nature, he says, are normally less well defended than desktop computer systems.

"This means that there are more vectors of risk [against the smartphone] than we saw previously with a desktop system. Furthermore, you do not know if your organisation will be next on the hacker's list. As a result it is clear that organisations must do a lot more to better defend themselves against what can often be a relatively short-lived attack," he explained.

Another trend that Reish and his team are concerned about is the arrival of hybrid attacks with social engineering used as a means of amplifying the effects of the attack threat.

So what are the solutions that he advises CSOs and CISOs to look at for the New Year?

"That's an interesting question. I would say that we really do need to go back to basics and go for a basic approach to defending elements of a given system that truly need protecting, rather than adopting a complex and multi-layered approach. This involves taking a segment approach to the defence, as well as introducing a pro-active form of defence, dealing with problems as they occur, rather than planning for them," he says.

The key elements within this defence strategy, he advises, include:

a) Defeat signature-seeking malware

b) Tackle zero-day attacks

c) Sandbox attacks to analyse what the attack consists of

d) Use firewalls and IPS technologies more effectively

e) Use threat emulation to plan for an attack



Why security is the next challenge for Bitcoin

As global commerce increases, some say Bitcoin has the potential to play a large role in revolutionising how people pay for their goods.

However, just like any other crypto-currency, there have also been reports of numerous scams, hacks, thefts, defunct “stock exchanges” and lost wallets of huge financial value, which has led to a number of concerns being raised about just how safe this e-currency is. Therefore, in order to take full advantage of the flexibility and cost-saving benefits Bitcoin offers, there are a number of security challenges that need to be addressed.

Firstly, let's look at what Bitcoin is and how it works. Bitcoin is essentially a decentralised digital currency which is based on an open-source, peer-to-peer Internet Protocol. While it isn't linked to real money, it is traded on various electronic exchanges, which establishes its value.

A Bitcoin (BTC) wallet is basically just like a real wallet filled with cash, which means if it is lost or stolen, there are often large sums of money at stake. One of the most notable BTC losses is the Bitomat.pl loss. During a routine maintenance restart, the server that hosted its Bitcoin wallet was unknowingly configured so that it was irretrievably destroyed when shut down. This resulted in the loss of 17,000 BTC (about $14.5 million at today's value).

So far there is no air-tight solution for those wanting to keep their BTC safe and secure. With the unregulated, decentralised BTC market still in its infancy, and each coin worth such a significant amount of money, it creates the perfect opportunity for bad actors to try and exploit it in any way possible. Fortunately for the Bitcoin miners, the Bitcoin protocol is built in such a robust fashion that there haven't been any reported exploits against the Bitcoin protocol itself. This narrows down the threat vectors to scams, hacks, and user negligence.

One notable scam is the Ubitex scam. Ubitex was the first company to be listed on the now-defunct GLBSE “stock exchange”. The firm's business model was simple - provide the service to let anyone buy and sell BTCs for cash by charging a small fee. It sounds like a good idea; until the founder disappeared with the BTCs (the company had raised 1,100 at that point).

So what needs to be done to better secure Bitcoin? First and foremost, secure wallet software needs to be created which automatically keeps your BTCs safe while also making access to your wallet user-friendly. The wallet must also include multi-factor authentication that requires transactions to have a signature from more than one private key in order to spend the BTC. This adds different layers of protection, as something like this would require a thief to compromise not just your wallet, but all of the private keys as well.
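The paragraph above calls it multi-factor authentication; the usual name for a wallet that needs signatures from more than one private key before it will spend is a multi-signature (m-of-n) wallet. The following is an added example, not code from the article or from any Bitcoin client, showing that policy enforced in code. Real Bitcoin multisig verifies ECDSA signatures on secp256k1; this stand-in uses Lamport one-time signatures (hash-based, Python standard library only) so the 2-of-3 rule can be exercised offline. The three key names, the transaction bytes and the destination address string are constructed for the example.

```python
import hashlib
import os

# Added example, not code from the article or from any Bitcoin client. Real
# Bitcoin multisig scripts verify ECDSA signatures on secp256k1; this stand-in
# uses Lamport one-time signatures (hash-based, standard library only) so the
# m-of-n spending policy described above can be exercised offline.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key pair.

    The private key is 256 pairs of random 32-byte secrets; the public key is
    the SHA-256 hash of each secret. A key must sign only ONE message, because
    each signature reveals half of the secrets.
    """
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in secret]
    return secret, public


def message_bits(message: bytes):
    """Bits of SHA-256(message), most significant first."""
    digest = int.from_bytes(sha256(message), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def sign(secret, message: bytes):
    # For bit i of the digest, reveal secret[i][0] or secret[i][1].
    return [secret[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(sha256(signature[i]) == public[i][bit]
               for i, bit in enumerate(message_bits(message)))


class MultisigWallet:
    """m-of-n wallet: a spend is authorised only when at least `threshold`
    DISTINCT keys from the wallet's key set have validly signed the same
    transaction bytes."""

    def __init__(self, threshold: int, public_keys):
        if not 1 <= threshold <= len(public_keys):
            raise ValueError("threshold must be between 1 and the number of keys")
        self.threshold = threshold
        self.keys = list(public_keys)

    def authorise(self, tx: bytes, signatures) -> bool:
        # signatures: iterable of (key_index, signature). Unknown indices,
        # invalid signatures and repeated use of one key do not count.
        signed_by = set()
        for index, sig in signatures:
            if 0 <= index < len(self.keys) and verify(self.keys[index], tx, sig):
                signed_by.add(index)
        return len(signed_by) >= self.threshold


def demo():
    """2-of-3 wallet: laptop key, phone key, offline backup key (constructed)."""
    laptop_sk, laptop_pk = keygen()
    phone_sk, phone_pk = keygen()
    backup_sk, backup_pk = keygen()
    wallet = MultisigWallet(2, [laptop_pk, phone_pk, backup_pk])

    tx = b"spend 5 BTC to 1ExampleDestinationAddressPlaceholder"  # constructed
    s_laptop = sign(laptop_sk, tx)
    s_phone = sign(phone_sk, tx)
    return {
        # a thief holding only the laptop key cannot spend
        "laptop_only": wallet.authorise(tx, [(0, s_laptop)]),
        # the same key presented twice is still one key
        "laptop_twice": wallet.authorise(tx, [(0, s_laptop), (0, s_laptop)]),
        # two distinct keys meet the threshold
        "laptop_and_phone": wallet.authorise(tx, [(0, s_laptop), (1, s_phone)]),
        # signatures made for one transaction do not carry over to another
        "replayed": wallet.authorise(b"spend 50 BTC elsewhere", [(0, s_laptop), (1, s_phone)]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authorised' if ok else 'rejected'}")
```

The point the article makes is visible in `demo()`: compromising the wallet file that holds one key yields nothing, because the second signature has to come from a key stored somewhere else. The distinct-key check in `authorise` matters too; counting raw signatures instead of distinct signers would let one stolen key be presented twice.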

Once a secure method of storing your BTCs is in place, all that is left is the due diligence of the user.

With no standards or regulations in place, cyber criminals are more easily able to avoid law enforcement when using or stealing Bitcoins, therefore doing your homework on the company or services you plan to spend your BTCs on is key. In addition, to better protect your wallet from loss or theft, BTC wallets should not only be backed up and encrypted, but copied and stored in more than one location. And finally, as Bitcoin's value increases, users would be well advised to follow one golden rule - never keep all of your Bitcoins in the same wallet.

Over the past year, the level of hype around Bitcoin has grown, and it's likely this buzz will only continue throughout 2014. With a single Bitcoin recently peaking at $1,240, the long-term promise of this currency is big - and it's only matter of time before cyber criminals find a way to exploit this.



Bank customers left adrift by increasingly draconian security T&Cs

US banking fraud case highlights serious online banking security issue

A Californian business that went bankrupt last year after cybercriminals withdrew £900,000 (US $1.5 million) from its accounts has taken legal action against its former bank to recoup the losses.

The move comes against a backdrop of increasingly draconian terms and conditions relating to online and card security being imposed by UK banks - with security experts observing that the changes in terms and conditions (T&Cs) impose a higher duty of care on businesses - and consumers - to look after their credentials.

According to security researcher Brian Krebs the state-appointed receiver for Efficient Services Escrow has filed a lawsuit against First Foundation Bank, alleging that the bank's security procedures were insufficient, and that "it failed to act in good faith when it processed three fraudulent international wire transfers totalling £946,760 (US$ 1,558,439) between December 2012 and February 2013."

The lawsuit, says the researcher, is the latest in a series of court cases seeking to determine whether banks should be held more accountable for losses stemming from so-called cyberheists.

In the lawsuit, the receiver to the company alleges that a component of the bank's core security protection - the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds - had failed in the days leading up to the fraudulent transfers, which included a £305,000 (US $0.5 million) bank wire to China.

The bank - First Foundation - claims that the fraud was down to insecure actions by a member of the firm's staff, SCMagazineUK.com notes, but closer to home, most UK business and consumer bank customers will have noticed their online banking - and general - T&Cs changing to accommodate the shift towards Internet banking plus online card usage.

Negative Trend

This trend is not at all positive, says Sarb Sembhi, an Analyst and Director of Consulting with Incoming Thought, the security research and analysis house, who says that none of the T&Cs he has seen actually state the specific processes that customers must adhere to in order to secure themselves.

"The problem is that there is no single and agreed standard amongst the UK banks about what steps customers should be taking," he said, adding that the UK banking industry needs to develop a security check list to which businesses - and consumer - customers can adhere.

They need this check list, he says, to meet the requirements of their bank's T&Cs, and so gain protection in the event of their being hit by fraud.

The good news, he went on to say, is that cyber liability insurance can go a long way to filling the gap between the actual losses sustained by an online bank or card fraud, and what the company's bank is prepared to pay out in the event of cyber fraud coming to light.

Sembhi, who is also a leading light in ISACA, the not-for-profit international security association, says that most insurance firms in this field have a track record of paying out on Internet banking fraud claims, especially where the bank denies liability.

"It's also worth bearing in mind that the UK's CNI (Critical National Infrastructure) is predominantly in the hands of smaller companies, many of whom could be put out of business by a banking cyberheist. Since the banks are taking a more draconian attitude to these types of incidents, there is a clear risk of a banking cyberheist putting elements of the UK's CNI out of action," he explained.

Sembhi's concerns were echoed by Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, who said that it is highly ironic that some of the UK banks are now admitting their own security architectures are not up to scratch.

This was witnessed, he told SCMagazineUK.com, by the comments of Ross McEwan, the chief executive of RBS late last year, when he blamed the bank's latest card payment and systems outages on a failure to “properly invest” in technology.

"It's clear the banks have a security problem of their own. One bank I was called in to audit found it had Chinese-connected systems hanging off its network - about which it had no knowledge whatsoever. The reality is that the banks - and their customer accounts - are regarded as low-hanging fruit by cybercriminals, so there is no doubt they are increasingly being hit by cyber frauds," he said.

Outrageous

"For this reason it's outrageous that they should hide behind their T&Cs in trying to escape paying when an account holder is hit by cyber fraud," he added.

Professor Walker - who is also CTO of IT security consultancy Integral Security Xssurance - noted that Mark Carney, the Governor of the Bank of England, has admitted that UK bank security needs bolstering and last October revealed plans to help protect the UK's banking system from the mounting threat of cyber attack.

"The reality is that the UK banks are every bit as vulnerable to cyber fraud as their US counterparts. Hiding behind T&Cs as a means of not paying out to customers for an obvious fraud is made all the more outrageous in the light of Carney's comments," he said.



Gamers' trust tested as hidden Trojan attacks World of Warcraft players

A malicious Trojan is infecting World of Warcraft accounts and testing gamers' trust to the brink.

Blizzard, developer of the popular online video game World of Warcraft which has more than seven million subscribers worldwide, was forced to alert users about a new threat this week.

Announcing the news on a blog post, the firm detailed how the Trojan poses as Curse, a genuine add-on for the game which can be downloaded from a fake Curse website. The Trojan steals both player account data and authenticator passwords when installed.

“We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection,” said the company.

“The Trojan acts in real time to do this by stealing both your account information and Blizzard's authenticator password at the time you enter them.”

The company advises people to solve the problem by deleting the fake Curse Client and running scans with an anti-virus solution. It also recommends changing passwords and downloading software only from official providers.

This latest data breach follows on from the DDoS attack on rival cloud-based games platform Steam earlier in the week, and has led some infosec experts to stress that gaming companies must copy the security tactics of financial institutions in order to maintain user trust.

“In terms of defensive strategies to hinder such attacks going forward, online games companies should consider developing systems similar to financial services to prevent, detect and degrade an aggressor's ability to move any stolen assets around,” Paul Vlissidis, technical director at the NCC Group, told SCMagazineUK.com.

“These strategies could include fraudulent or anomalous transaction detection, and the ability to trace and roll back asset movement between players to disincentivise the movement of stolen items,” he continued, adding that users too must be educated on the risks.

“These two, combined with monitoring of underground exchanges for stolen information and assets, could act as an early warning system that something may be amiss.”
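Vlissidis's three measures above (anomalous transaction detection, tracing asset movement between players, and rolling it back) can be shown on a small in-game asset ledger. The following is an added example, not Blizzard's or NCC Group's code: the ledger, the players (alice, bob, mule1, mule2, fence), the items and the timestamps are constructed for the example, and the drain rule (three or more distinct items given away within five minutes) is an assumed threshold, not one taken from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not Blizzard's or NCC Group's code. It models the defensive
# strategy quoted above on a constructed in-game asset ledger: detect an
# account being drained, trace the stolen items through later hops, and
# roll them back with compensating entries so the audit history survives.


@dataclass(frozen=True)
class Transfer:
    seq: int        # position in the append-only ledger
    item: str
    sender: str
    receiver: str
    ts: int         # seconds since epoch (constructed values)


class AssetLedger:
    def __init__(self):
        self.log = []      # every transfer ever recorded, never deleted
        self.owner = {}    # item -> current holder

    def grant(self, item, player):
        self.owner[item] = player

    def transfer(self, item, sender, receiver, ts):
        if self.owner.get(item) != sender:
            raise ValueError(f"{sender} does not hold {item}")
        entry = Transfer(len(self.log), item, sender, receiver, ts)
        self.log.append(entry)
        self.owner[item] = receiver
        return entry.seq


def detect_drain(ledger, window=300, min_items=3):
    """Anomaly rule (assumed threshold): a player giving away >= min_items
    distinct items within `window` seconds looks like an account being
    emptied. Returns {player: seq of the first transfer in the burst}."""
    outbound = defaultdict(list)
    for t in ledger.log:
        outbound[t.sender].append(t)
    flagged = {}
    for player, transfers in outbound.items():
        transfers.sort(key=lambda t: t.ts)
        for i, start in enumerate(transfers):
            burst = [t for t in transfers[i:] if t.ts - start.ts <= window]
            if len({t.item for t in burst}) >= min_items:
                flagged[player] = start.seq
                break
    return flagged


def trace_item(ledger, item, from_seq):
    """Every hop an item took from ledger position from_seq onwards, as
    (sender, receiver) pairs: the chain that leads to the current holder."""
    return [(t.sender, t.receiver) for t in ledger.log
            if t.item == item and t.seq >= from_seq]


def rollback(ledger, victim, since_seq, ts):
    """Return every item the victim gave away at or after since_seq to the
    victim, wherever it is now. Compensating transfers are appended rather
    than log entries deleted, so the theft stays visible for investigation."""
    first_hops = [t for t in ledger.log if t.sender == victim and t.seq >= since_seq]
    restored = []
    for hop in first_hops:
        holder = ledger.owner[hop.item]
        if holder != victim:
            ledger.transfer(hop.item, holder, victim, ts)
            restored.append(hop.item)
    return restored


def build_scenario():
    """Constructed data: alice trades normally, then her account is drained
    and one stolen item is passed on to a third account."""
    led = AssetLedger()
    for item in ("potion", "sword", "shield", "ring"):
        led.grant(item, "alice")
    led.transfer("potion", "alice", "bob", ts=1000)     # legitimate trade
    led.transfer("sword", "alice", "mule1", ts=5000)    # drain begins
    led.transfer("shield", "alice", "mule1", ts=5010)
    led.transfer("ring", "alice", "mule2", ts=5020)
    led.transfer("sword", "mule1", "fence", ts=5100)    # stolen item moved on
    return led


if __name__ == "__main__":
    led = build_scenario()
    flagged = detect_drain(led)
    print("flagged:", flagged)
    print("sword trail:", trace_item(led, "sword", flagged["alice"]))
    print("restored:", rollback(led, "alice", flagged["alice"], ts=6000))
    print("owners:", led.owner)
```

Two design choices carry the defensive weight. The detection window is keyed to the first transfer of the burst, so the legitimate potion trade hours earlier is left alone and the rollback starts exactly where the drain started. And the rollback never edits history: the sword comes back from `fence` as a new ledger entry, leaving the `alice -> mule1 -> fence` trail intact for the fraud team and for the "monitoring of underground exchanges" Vlissidis mentions.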

Larry Ponemon, founder and analyst at Ponemon Institute, believes that games may be more susceptible because users trust both the online platform and physical consoles to keep them safe.

“The gamers who submit their credit card details online are really susceptible to social engineering and spear phishing attacks,” he told SCMagazineUK.com.

“These people are very computer literate, are aware of the latest and greatest technologies, and employ the highest level of security for email and Facebook. But there's a high level of trust in the gaming community. They believe it's their private place and they're really not anticipating a cyber attack."

Users who have been compromised by the Trojan can find support on the World of Warcraft forums.



Mashable Raises $13 Million, Its First Ever Outside Investment


We’ve all heard of huge investments and acquisitions in the world of tech startups.

Last year alone saw Yahoo’s $1 billion acquisition of publishing platform Tumblr. And there was also news of accounting software company Xero raising $150 million in capital for further expansion.

In fact, we even saw some failed attempts like Facebook’s two unsuccessful attempts to acquire photo sharing app Snapchat. (Perhaps they wouldn’t have been so eager had they known something like this was brewing.)

Anyway, many small business owners online don’t happen to be developing the next great iPhone app. Instead, a blog or other website with unique niche news or other content is more likely to be their product.

And though big investments and acquisitions in the world of independent news brands may be somewhat unsung, it turns out they are no less prevalent.

Business Insider, Huff Po Show News Brand Value

In fact, big investments and acquisitions in the world of independent news brands are kind of old news. Remember when Amazon CEO Jeff Bezos' personal investment firm Bezos Expeditions led a $5 million round of funding for Business Insider last year?

It turns out as recently as late 2013, AOL had offered to pay between $100 and $150 million for the business news site. But talks eventually broke down over price, Fox News reports.

And, of course, most memorable of all might be AOL’s other big news acquisition. In 2011, the online media giant acquired the Huffington Post for what then seemed a hefty $315 million.

Though AOL’s other investments, most notably its group of local news sites known collectively as Patch, have not fared nearly as well.

Lessons to Take From Mashable Success

So it should be no surprise to learn that Mashable has raised $13 million in private equity funding - even if it's the first funding the news site has received in its near decade of existence.

CNN News says investors include Updata Partners, New Markets Venture Partners, Social Starts, Buddy Media Co-Founders Michael and Kass Lazerow, Iglo Group Chief Executive Elio Leoni Sceti, and Havas global CEO David Jones.

There are some simple lessons other independent news brands can take from Mashable’s success:

News Sites Can Wait Longer for Investment

Mashable CEO Pete Cashmore founded the company at age 19 as a blog he ran from his home in Aberdeen, Scotland. From there it has survived and thrived into a news site that now claims to receive 30 million unique visitors per day.

With the digital publishing tools available now, independent news publishers need little more than unique content to start them out. So money for expansion can wait until later.

Growth Comes From Broadening and Deepening Coverage

Mashable started as a blog about technology and matured into a news site dedicated to the social media space. But since then, its coverage has expanded to include business, entertainment and other subjects. While early coverage was largely regurgitation of material already on the Web, the company continues to do more original reporting.

Hiring additional editorial talent like Jim Roberts, a veteran of both The New York Times and Reuters, shows a commitment to more of the same.

Technology is Used to Improve Experience

Certainly most online publishers can start today with very little investment using available tools. But that doesn’t mean independent news sites should ignore investing in new tech solutions.

At a social media summit, Cashmore observed that the greatest challenge faced by online publishers was lack of control over reader experience. (Is your reader coming to your site using an iPad or Kindle tablet? What difference does this make in his or her experience?) To address the issue, Mashable has built products like its Google Glass app. The company also has a special products division aimed at creating technology to help readers consume its content in a variety of ways.

See the video of Cashmore and Mashable CEO, Robyn Peterson, at Internet Week New York 2013:

Bottom line: Mashable shows independent news brands may require a more gradual, long-term growth plan than some other tech businesses, but investments are low to start and rewards can be significant.

Image: Wikipedia



5 Business Structures: Find the Right One for Your Small Business

If you’re getting started in your business ventures, one of the first things you might be thinking about is how to structure your business. Will you be going solo or will you form a partnership?

1. Sole Proprietorship

A sole proprietorship is the most basic - and easiest - type of business to establish. There’s no distinction between the business and you, the owner. You’re entitled to all profits and are responsible for all your business’s debts, losses and liabilities.

You don’t have to take any formal action to form a sole proprietorship, but you do need to obtain any necessary licenses and permits, like all businesses.

2. Partnership

A partnership is a single business where two or more people share ownership. Each partner contributes to all aspects of the business, including money, property, labor or skill. In return, each partner shares in the profits and losses of the business.

Because partnerships involve more than one person in the decision making process, it’s important to discuss a wide variety of issues up front and develop a legal partnership agreement. They’re not legally required, but they’re encouraged so that you know from the beginning how you’ll make future business decisions.

3. Corporation

A corporation (sometimes referred to as a C Corporation) is an independent legal entity owned by shareholders. This means that the corporation itself - not the shareholders who own it - is held legally liable for the actions and debts the business incurs.

Corporations are more complex than other business structures because they tend to have costly administrative fees and complex tax and legal requirements. Because of these issues, corporations are generally suggested for established, larger companies with multiple employees.

4. Limited Liability Company (LLC)

A limited liability company (LLC) is a hybrid type of legal structure that provides the limited liability features of a corporation and the tax efficiencies and operational flexibility of a partnership.

The “owners” of an LLC are referred to as “members.” Depending on the state, the members can be a single individual (one owner), two or more individuals, corporations or other LLCs.

Unlike shareholders in a corporation, LLCs aren’t taxed as a separate business entity. Instead, all profits and losses are passed through the business to each member of the LLC. LLC members report profits and losses on their personal federal tax returns, just like the owners of a partnership would.

5. Cooperative

A cooperative is a business or organization owned by and operated for the benefit of those using its services. They’re common in healthcare, retail, agriculture, art and restaurant industries. Profits and earnings generated by the cooperative are distributed among the members, also known as user-owners.

Typically, an elected board of directors and officers run the cooperative while regular members have voting power to control the direction of the cooperative. Members can become part of the cooperative by purchasing shares, though the amount of shares they hold does not affect the weight of their vote.

So now that you’ve got the basics about business structure, which one is right for your small business?

If you’re looking for some additional guidance, consider reaching out to a mentor who can help you decide what may be best for you.

Business Structures Photo via Shutterstock



Postage Rates Go Up Jan. 26: Stamps, Bulk Mail, Packages

The U.S. Postal Service will be charging higher postage rates effective later this month, starting Jan. 26, 2014. Following is a summary of some of the increases likely to affect small businesses.

Letters and Postcards

  • Regular 1st class letter stamps, such as the Forever stamp, will increase from 46 to 49 cents. A single stamp covers a one-ounce letter (typically 4 to 5 sheets of paper plus an envelope).
  • Additional ounces will cost a penny more, at 21 cents each.
  • Postcard rates also go up a penny, to 34 cents.
  • Bulk mail rates and the cost of mailing periodicals such as magazines, will go up by 6%.

Packages

Packages will see a number of increases:

  • First class package rate (used for domestic mail up to 13 ounces) goes up an average of 5%. For instance, there’s a flat rate for the first 3 ounces, and it goes up 24 cents, to $1.93.
  • Media mail rate (used for books, DVDs and CDs) goes up an average of 6.3%.
  • Most flat rate Priority remains the same. Exceptions are the small flat rate box, which goes up 10 cents, and the large flat rate box, which goes up 50 cents.
  • Priority Express (formerly called Express mail) will increase on average 3%. There will also be a new option for 10:30 am delivery, costing an extra $5, so if it absolutely must get there by the morning, you now have this option as long as you are willing to pay extra.

In a few sizes, Priority Express package rates and Priority Regional box rates may actually go down slightly.  But taken as a whole, the rates are increasing.

The rates for packages are complex.  Stamps.com has a good series of charts showing various increases and decreases.

Back in September the Postal Service requested the rate hikes as “exigent” (emergency) increases needed to make up for losses due to the Great Recession of 2008-2009. The Postal Regulatory Commission, which has oversight, approved the changes in a 2 to 1 split decision, but refused to make them permanent. However, it’s not clear how long “temporary” will be.

The US Postal Service website as of this writing is not yet showing the new postage rates for 2014.  Any mailings up through January 25th will be at the old rates.

What can you do to save money on 2014 postage?

Many small businesses have already moved toward electronic communications.  Electronic invoicing, direct payroll deposit, electronic bill payment, email marketing instead of printed mailers, and other techniques cut down on paper and attendant postage costs.

But electronic is not always feasible. Here are a few other techniques to consider, in order to guard your bottom line. While not always big savings, they may help a bit:

  • Stock up on Forever stamps, if you mostly do onesy-twosy mailings.  The Forever stamp will be good for a 1st class letter, no matter what you paid for it or when you use it.  Example: if you purchased 5,000 Forever stamps before the rate hike kicks in (at a cost of $2,450) you’d save $150.
  • Use a postage meter or online postage.  The changes include a new category, called the “First-Class Meter.”  You get a one-cent discount off the single-piece rate for all First-Class letters, up to 3.5 ounces. That equates to a 2% savings.  But you must use a postage meter, online postage or a commercial mailing permit.
  • Adjust your shipping and handling costs to recoup the rate hikes from end customers, if you are an e-commerce seller.  Make sure shipping calculators take the increases into account, especially on heavier packages where costs really add up.

Image: USPS



How to Manage Offline Versus Online Leads

It almost doesn’t matter what type of industry you are in today - sales leads typically derive from two very important but vastly different sources. I’m referring to offline leads (non-Internet) and online leads (Internet). While both of these types of leads are vital to the success of business, many companies are managing sales leads in a “one size fits all” manner - and that is not always the best practice.

We already know that search marketing is much different than traditional marketing in that traditional marketing is trying to “grab the attention” of a person and convince them that they cannot live without this product and/or service. Whereas those searching are already in a frame of mind to buy, or at least learn more about a product and/or service.

So wouldn’t it be common sense that the behaviors of offline and online sales leads would be different as well?

The folks at Salesforce have created the following sales leads infographic which looks at this in more detail and provides easy-to-follow directions for managing sales leads of each type.

[Infographic: managing sales leads]