8 Tips for Using Video Marketing In Your Business. Content Marketing Must Include Video.

Facebook has launched video advertising, reports the Wall Street Journal.

Big advertisers can place video advertisements in your news feed. Right now it’s about $2 million a day to reach all users. Guess what’s coming next? Video ads for everyone to purchase, very targeted and low cost.

You already knew that video was important; now you have yet another reason to realize how important it is.

You can use video as a lead generation tool to bring traffic to your web site (or other online components).

Here are a few ways to use video in your business. Why should I know about video? Heck, I was one of the first persons to speak with President Obama in a Google Hangout - doesn’t that make me an expert? (just teasing…)

  1. You have a smart phone. Use it to capture short video that’s interesting to you and your customers.
  2. Have a smart phone that can capture good video.
  3. Buy a dedicated video camera like the Kodak Zi8 and use a shotgun microphone to capture better sound.
  4. Keep the videos short and to the point.
  5. Have good audio and good lighting - it is VIDEO.
  6. Upload to YouTube and create your own channel.


Topping the News: Kanye Sues over Coinye, Curved Phones Are Coming

Here’s the top business news this week from our Small Business Trends editorial team.

Entrepreneurship

Kanye West files infringement suit against virtual currency developers. The singer, rapper and songwriter has become an icon. So it should have come as no surprise to a group of developers this week when West filed suit to protect his name.

Animal pillows are the products for this 14-year-old’s startup. Sydney Lowe goes to school in Silicon Valley. So it’s probably no surprise that entrepreneurship is part of her curriculum. But not every teenager launches their own ecommerce business.

Tech

Curved smartphones finally head to the U.S. Learn more about what’s behind this tech trend. Hint: Durability is certainly one thing. The question is whether you need and can justify the cost of one of these.

The world’s first Ultra HD laptops are here. And who knows? One of them could be perfect for your business. Of course, it will have to be a graphic or video intense business to justify the capabilities packed into this hardware.

Web

Web.com and MasterCard have a new product for online businesses. You can add the Take-A-Payment tool to your website and start processing payments from credit cards immediately. And all of it is powered through a MasterCard service called Simplify Commerce.

Vimeo builds faster, more mobile, more social player. One of YouTube’s many competitors is video site Vimeo. Though using Vimeo for business isn’t free, there are some new features that may make it an attractive option.

Yes, 60 percent of your traffic is bots. A report from Incapsula sheds new light on who (or what) is really visiting your website. So what does this mean to you as a website owner?

Yahoo unveils news digest, digital magazines. The Web portal is still trying to reinvent itself. But will these new products resonate with an audience? Online business owners who create branded news content know the challenges involved.

Social Media

The value of a Twitter follower. You’ve got them, of course. And sometimes you may even be a bit competitive when it comes to getting more. We’re talking about Twitter followers. And, in this post Small Business Trends publisher Anita Campbell reviews data showing what they can do for your business.

Vine is still growing. The video app has been overshadowed by Instagram of late. In fact, some say the photo sharing app’s attempt to steal Vine’s thunder by adding a video feature was the beginning of the end. But rumors of Vine’s death have been greatly exaggerated.

Facebook will shut down (some) sponsored stories. Time will tell what a notice published in Facebook’s development section recently will mean for the future of one of the site’s more controversial advertising products. Chances are, if you’ve used sponsored stories you’ll see some big changes in the program soon.

Policy

Obama nominates new Small Business Administration chief. Maria Contreras-Sweet has been tapped to be the next Administrator of the Small Business Administration. Her claim to fame is founding a community bank in California.

Update: New postage rates now available. We told you last week postage rates would go up Jan. 26. The new rates are now posted on the USPS website. We’ve added a link on our original story to let you have a look.




The Value of a Twitter Follower, In an Animated Presentation

Have you ever wondered about the value of a Twitter follower?  Or perhaps you know a colleague or have a manager who still needs to be convinced of the value of Twitter.

If so, take a look at this animated presentation from Twitter.  It’s called “The Value of a Twitter Follower.”

It illustrates how one person who checks out your business via Twitter, eventually may lead to new sales.  One follower can lead to new followers through retweeting and interacting.  And those followers and their word of mouth activity eventually lead to website / store traffic, sign-ups and sales.  The real-world follower progression is described this way:

Follower = word of mouth
Follower = reach
Follower = traffic
Follower = sign-ups
Follower = sales

And start all over again.

One of the best things about this presentation is that it is realistic.

(1) It doesn’t try to give you an exact dollar amount per follower.  That’s almost impossible given the vastly different businesses out there.

(2) While it’s possible that someone may discover your Twitter feed and instantly buy something that first time (yes, it does happen occasionally) - usually it’s not a straight one-shot path. The real-world path to a sale from Twitter tends to be more nuanced. It may involve word of mouth spreading from one person to another. It may involve a series of several activities that eventually lead to a sale.

In the animation, you see the scenario of Joe the surfer who gets a smoothie with friends and discovers a new surf store next door to the smoothie shop. He immediately checks out the surf store’s Twitter feed on his smartphone.  He begins following the surf store’s Twitter account. He then sees great new deals and passes those on to his friends.  He gets help solving a surf board problem, and he also signs up for the company’s newsletter.  Later on he sees a good deal on a surf suit and buys it from the store. It ends with him tweeting a photo wearing his new surfing suit.

By being active on Twitter, the surf-store business picks up new followers, word of mouth, newsletter sign-ups and eventually sales. If you have ever heard of the phrase “the kind of advertising money can’t buy,” then that surely applies here.

You don’t need millions of followers to get more business. The example involves 17 new followers - a realistic number for most small businesses.

The animated presentation is backed up by data from a small business survey conducted for Twitter.  We covered some of the data here: 72% of Twitter followers are more likely to make a future purchase.

The presentation is the brainchild of the official Twitter Small Biz (@TwitterSmallBiz) channel. You can find the animated Twitter presentation here.


Solutions to Dealing with Difficult Clients

When you work in a B2B services industry, you have long client relationships. I have clients I’ve worked with for years and those are the ones I love. Then there are those, well, that require a bit more patience. Dealing with difficult clients is challenging, however, I’m fortunate that I rarely have this type of customer. But when I do, I try to deal with them in the appropriate manner.

Below I’ve identified the most common types of difficult clients and how to deal with each. See which ones sound familiar to you.

Dealing With Difficult Clients

1. The Ultra-Hands-On Client

You know the one: They call the second they send you an email to make sure you got it. They follow up before the deadline on a project to make sure it’s on track.

In the office, they’re known as the Micro-manager. But since you’re a consultant, it’s a bit weird that they try to get so involved. After all, they’re paying you to do what you do best, right?

The Solution

My advice here is to establish boundaries.

I’ve had an ultra-hands-on client call me on the weekend - yes, the weekend. I firmly let them know I’d be available at 8 AM on Monday to discuss the non-urgent marketing emergency they felt they were having. You can also give yourself some breathing room on deadlines so you can meet them before the client has a chance to check up on you.

If you tell them you’ll complete a project on Friday and you know they’ll call on Thursday, finish it on Wednesday to avoid them breathing down your neck. But be subtle about it - or else they’ll start calling you on Tuesday.

2. The Untrusting Client

This is the one who isn’t quite sure you’re able to handle the task or understand their company as well as they do.

They’re right to be a bit territorial. But it’s your job to reassure them that you’re skilled in what you do, and get them to let go of their firm grip on things.

The Solution

A lot of times, it’s about control in this situation. And you can’t fight someone’s will to be in control (just ask my husband).

To that end, include your client in the process. Ask for feedback and get their opinion - unless you start to get the sense that they think you’re doing so because you’re unsure of yourself. In that case, show extreme confidence in what you do. If it’s early in your relationship, point them to other clients that can give you a shining recommendation.

3. The “I Can Do It Better Myself” Client

If your client wasn’t so busy running their business, they’d be writing, designing and/or programming whatever you do.

They took a survey course in that field in college 10 years ago, so they know what they’re doing. (But do they really??) So they try to impart their opinion on everything you do. It’s getting in the way of you actually getting quality work done, and sometimes their opinions…how can we say - aren’t shared by the general public.

The Solution

Make them feel like you’re there to lighten their load. Stress the importance of them focusing on what they do best (run their company) while you do the silly, boring work they hired you to do.

When to Fire a Client

You can try all these strategies to try to make an ornery client easier to deal with, but sometimes it’s not worth the stress. In that case, it might be wiser to fire the client. If any of these situations below are coming up regularly, consider letting the client go:

  • Projects are taking longer than they should due to constant client involvement.
  • You have to revise work frequently and you aren’t getting paid for it.
  • The scope of projects gets bigger but the client is unwilling to pay for more work.
  • You don’t have time to focus properly on your other clients.

The better you get at finding successful ways of dealing with the difficult clients you may have, the more streamlined your work will be. It’s a matter of determining the best strategy to handle each client.




6 Top Phone Systems for Startups and Small Business

What is the best SaaS product for managing phone systems for a fast growing startup company?

The Young Entrepreneur Council (YEC) is an invite-only organization comprised of the world’s most promising young entrepreneurs. In partnership with Citi, YEC recently launched StartupCollective, a free virtual mentorship program that helps millions of entrepreneurs start and grow businesses.

1. Drumbi

Drumbi is the phone system built for SaaS startups. It captures caller info from the Web, which leads to better conversion rates and more satisfied customers.
- Patrick Vlaskovits, The Lean Entrepreneur

2. SaaS 44°

SaaS 44° is a great product that is easily expandable and transportable.
- Andrew Schrage, Money Crashers Personal Finance

3. Phone.com

I signed up for Phone.com because it offered a free trial, unlike others. Its customer support is phenomenal, the VOIP quality is excellent and the software is superb. For around $25 each month per employee, the price is great too. I signed a contract with a competing product and after two months, we had to cancel and get a refund. Phone.com saved us.
- Ryan Buckley, Scripted, Inc.

4. Grasshopper

Grasshopper is the most scalable phone system I have seen for entrepreneurs. All of its plans come with unlimited extensions, so you can add a line for a new employee in less than two minutes. It also offers reasonable pricing and the ability to share minutes across all employees. Many phone systems charge per line. If you are an entrepreneur always on the move, then Grasshopper is for you.
- Lawrence Watkins, Great Black Speakers

5. SendHub

I just love some of the custom functionalities that SendHub facilitates to make incoming phone calls less of a “resource suck.”
- Logan Lenz, Endagon

6. Google Voice

With Google Voice, you can set up a number and have it route to any number of phones. You’ll get transcriptions of the voicemails and can also create different voicemail messages for different phone numbers. If you have international customers, you can call them back cheaply using the Google Voice app on your phone. Best of all, there’s no monthly fee!
- Bhavin Parikh, Magoosh Inc



President Obama's NSA reforms to relax spying on allies

U.S. President Barack Obama has confirmed that the NSA will relax spying on the country's allies as part of the agency review.

Obama delivered a prepared speech when announcing the NSA reforms at the Justice Department on Friday, and said that the agency had helped to “secure our country and our freedoms” by gathering insight on everything from the Soviet Union in the early days of the Cold War to compromising previously unknown Al Qaeda cells.

As part of the reforms, Obama said that the agency will store telephone data at private entities (the president downplayed suggestions that the program holds the contents of phone calls), and added that the agency will only collect data on phone calls ‘two steps removed’ from a phone number associated with a terrorist organisation. The U.S. President also wants intelligence agencies to get a secretive court's permission prior to accessing such data from phone databases.

What's more, and in light of the widely-publicised leaks from former CIA contractor Edward Snowden that the agency was spying on senior world leaders, even from ally countries, Obama said that it will tone-down spying where necessary.

"Given the understandable attention that this issue has received, I have made clear to the intelligence community that - unless there is a compelling national security purpose - we will not monitor the communications of heads of state and government of our close friends and allies."

The U.S. President continued with a strong defence of the agency, by saying that the country's intelligence services would “continue to monitor the intentions of governments around the world", and rejected the opportunity to apologise for the surveillance. “We shouldn't have to apologise just because our capabilities are greater than others,” he said.

Glenn Greenwald, the journalist who broke the news of the NSA surveillance in a series of interviews with Snowden, was quick to react to Obama's speech, which he slammed as “basically a PR gesture”.

“It's really just basically a PR gesture, a way to calm the public and to make them think there's reform when in reality there really won't be," he said to Al Jazeera America.

"And I think that if the public, at this point, has heard enough about what the NSA does and how invasive it is, that they're going to need more than just a pretty speech from President Obama to feel as though their concerns have been addressed.”

Dr Rand Paul, a junior senator in Kentucky, US, also spoke of his disappointment on the announcement, and said that the proposal was for the “same unconstitutional program with a new configuration”.

“While I am encouraged the President is addressing the NSA spying program because of pressure from Congress and the American people, I am disappointed in the details,” he said on his website.

“The Fourth Amendment requires an individualised warrant based on probable cause before the government can search phone records and e-mails. President Obama's announced solution to the NSA spying controversy is the same unconstitutional program with a new configuration.”

"I intend to continue the fight to restore Americans' rights through my Fourth Amendment Restoration Act and my legal challenge against the NSA. The American people should not expect the fox to guard the hen house."



Corporate Android users face flaw affecting billions of devices

Corporate Android mobile phone users are warned that potentially billions of these devices could be hijacked by attackers using a vulnerability first highlighted over two years ago.

FireEye researchers have reported a continuing “widespread security issue” hitting Android users who download apps from stores like Google Play that include standard content from advert libraries.

Many libraries use HTTP, which has weak security, to link with the application, allowing attackers to potentially hijack the app by inserting their own JavaScript code into the HTTP traffic. FireEye has identified a “JavaScript Binding Over HTTP” problem in apps running on Android version 4.1 or earlier, and a related “JavaScript Sidedoor” vulnerability on apps running Android 4.2 and above.

The company estimates that these vulnerabilities are present in billions of apps worldwide. A recent blog post from the firm reveals that nearly half of the top 40 Android ad libraries contain the JS Binding Over HTTP flaw, for example, and that 42 percent of the most popular Google Play apps access one or more of these ad libraries.

With over 12.4 billion downloads of these popular apps, the blog adds: “Our analysis shows that these security issues are widespread, have affected popular apps on Google Play accounting for literally billions of app downloads.”

According to researchers at security consultancy MWR InfoSecurity, which raised the issue in September 2013, the vulnerability dates back years and was first exposed publicly in December 2012.

But Jason Steer, director of technology strategy for FireEye EMEA, told SCMagazineUK.com that the firm is now seeing actual exploitation of such weaknesses in the wild.

“The reason why we've blogged about it now is this is becoming more widely exploited - it's moved from being a theoretical security angle, to being used by attackers currently. We're seeing multiple Android apps having this abuse already in the third-party app stores where a lot of people go to.”

FireEye is advising ad library and Android app developers to adopt better security features and practices. And Steer said they are responding when made aware that the problem is ‘real’.

“Apps developers take the off-the-shelf library and put them into their app without appreciating some of the security risks they may be exposing some of the users of these apps to, and perhaps even the business that these people work on behalf of as well," he said. "But when you see potentially thousands and thousands of people who inadvertently get exposed to it, then there's a responsibility to try and fix it.”

Rob Miller, security consultant with MWR InfoSecurity, told SCMagazineUK.com that corporate security professionals and end-users - as well as developers - need to take action.

“This issue does affect a large number of users. The actual implications will depend on how you use Android devices,” he said.

“So for developers, obviously they need to take this as a warning that they need to go away and check what third-party libraries they're using and what kind of functionality that those libraries might allow over a JavaScript Bridge connection.

“For users it's a matter of - think twice before downloading these applications and check ‘am I happy with the idea of keeping personal data on a device that has potentially these kinds of vulnerabilities?’.

“And finally for companies it's really a matter of making sure if you are implementing BYOD, that you've really locked down the policy; that it's not just a ‘yes you can bring in your own device and it's probably OK’ - that you've actually gone through the security checks, that you've talked through the potential issues and that you then have the policies in place.”

FireEye said that with the JavaScript Binding Over HTTP vulnerability, if an app running on Android 4.1 or below uses the JavaScript binding method ‘addJavascriptInterface’ and loads library content in the WebView over HTTP, then an attacker on the network could hijack the HTTP traffic and thus take control of the host application.

With JavaScript Sidedoor on Android 4.2 onwards, an attacker could inject malicious content into the WebView, to misuse the exposed interfaces through the JS binding annotation.
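To make the two configurations described above concrete, here is an added example (not code from FireEye, MWR or the article) of an Android WebView that loads ad-library content, first in the shape the article warns about and then in a hardened shape; the class `AdBridge`, the `example.invalid` URLs and the method names are assumptions for illustration.

```java
// Added example, not from the article: a WebView that loads ad-library content.
// AdBridge, the URLs and the setup methods are illustrative assumptions.
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class AdWebViewSetup {

    /** Java object exposed to page JavaScript through the JS binding. */
    public static class AdBridge {
        // On Android 4.2+ (API 17), when the app targets API 17 or higher, only
        // methods carrying this annotation are reachable from page JavaScript.
        // Without that enforcement (Android 4.1 and below) every public method
        // of the object, and via reflection other Java classes, is reachable.
        @JavascriptInterface
        public String getAdClientVersion() {
            return "1.0"; // constructed sample value
        }

        // Not annotated: on 4.2+ with enforcement this stays invisible to script.
        public void internalHelper() { }
    }

    /** The shape the article describes: a bound object plus content fetched over plain HTTP. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerableSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge is exposed regardless of OS version, and the content that
        // will script against it arrives over an unauthenticated channel, so
        // whoever controls the network path controls that script.
        webView.addJavascriptInterface(new AdBridge(), "adBridge");
        webView.loadUrl("http://ads.example.invalid/banner.html"); // placeholder URL
    }

    /** Hardened shape: no bridge where the annotation is not enforced, HTTPS only. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccess(false);

        // Mitigation 1: only add the bridge on Android 4.2+ (API 17), where
        // @JavascriptInterface limits what page script can call. On older
        // versions the ad view simply runs without a bridge.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AdBridge(), "adBridge");
        }

        // Mitigation 2: the initial load is HTTPS, and any later navigation or
        // redirect that is not HTTPS is refused (returning true blocks the load).
        // This closes the on-path injection route; Sidedoor-style abuse through a
        // server that returns hostile content is limited by keeping the bridge's
        // annotated surface as small as possible.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !url.startsWith("https://");
            }
        });
        webView.loadUrl("https://ads.example.invalid/banner.html"); // placeholder URL
    }
}
```

A third-party library that performs its own `addJavascriptInterface` and `loadUrl` calls is not covered by the host app's client, which is why the article's advice is to audit what functionality each bundled library exposes over the bridge.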

FireEye said Android 4.1 or below is still running on more than 80 percent of Android devices worldwide.

FireEye has analysed the vulnerability specifically in relation to InMobi apps and says that it has informed both Google and InMobi of its findings. Both companies have been actively working to address the problems.




UK firms urged to patch IGX industrial control systems

Major manufacturers and industrial companies in the UK, US and over 30 other countries are being urged to adopt a rapidly-released fix to their IntegraXor (IGX) industrial control software.

Major manufacturers and industrial companies in the UK, US and over 30 other countries are being urged to adopt a rapidly-released fix to their IntegraXor (IGX) industrial control software, following the discovery of a Zero Day vulnerability that allows attackers to crash the system.

The problem in IGX, a toolset used to create and run a web-based human-machine interface to SCADA industrial control systems, was revealed without warning at the S4 conference on 15 January by Malta-based security researcher Luigi Auriemma.

‘CVE-2014-0753b’ is a buffer overflow vulnerability that allows remote attackers to target the system. Exploits that target the vulnerability are known to be publicly available.

IGX is produced by Malaysia-based software developer Ecava Sdn Bhd, whose customers include BP, ExxonMobil, FMC, Honda, HSBC, Hyundai and Shell.

On the same day Auriemma revealed the flaw, the US Government's ICS-CERT team - who respond to cyber emergencies in the critical infrastructure area - issued an alert on the issue. The following day Ecava published a patch on its website which is available for users to download.

The ICS-CERT's advisory highlighted Auriemma's approach of revealing the flaw without consultation. It said: “Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without co-ordination with NCCIC/ICS-CERT, the vendor, or any other co-ordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability.”

But Auriemma explained his approach in an email to SCMagazineUK.com: “The business model of our company is to not disclose vulnerabilities publicly or to report them to vendors. The uncoordinated disclosing of this issue is interesting moreover because Ecava has a very controversial bug bounty programme in which they pay researchers with points for the licences of the product instead of money.”

“We tested the patch and it fixes the vulnerability.”

The quick reaction to his revelation reflects the critical nature of industrial control products, which is perhaps unsurprising in light of notorious cyber attacks like the Stuxnet worm, which targeted Iran's nuclear facilities.

But Ross Brewer, managing director for international markets at security intelligence specialist LogRhythm, told SCMagazineUK.com that many manufacturing, process control and critical national infrastructure companies are still weak on the area of cyber security.

“These organisations just need to start monitoring activity against all of their systems so they can look for abnormal behaviour which they are not doing today,” he said.

“Attacks on SCADA systems are becoming increasingly regular and the discovery of this latest vulnerability is yet another example of how vigilant users need to be. It really is the stuff of modern-day nightmares and more needs to be done to ensure these types of security gaps are spotted immediately."




14-Year-Old Entrepreneur Founds Pillow Startup, Becomes Chief Cuteness Officer

Fourteen-year-old Sydney Lowe got her brilliant idea for cute pillow designs while taking an entrepreneurial class at her middle school. With the help of her parents, she raised $20,000 on Kickstarter to launch her business. It’s become a family affair. Her mom became the CEO and, as the chief designer of the adorable animal pillows, she took on the title of Chief Cuteness Officer.

That is perhaps not surprising: Lowe attends The Girls’ Middle School in Palo Alto, in the heart of Silicon Valley and its thriving startup scene. In seventh grade, she took a class that required her to work with a team to create a product. Eventually the students were required to pitch the idea to a panel of venture capital investors.

Her group wanted to do an animal theme and one member of the group had some sewing skills. So Lowe suggested pillows designed to look like cute animals.

It didn’t take long for Lowe to realize she had a viable business idea. The pillows, which are marketed under the name “Poketti, Plushies with a Pocket,” have four adorable designs: Sydney the Penguin, Toni the Bunny, Baxter the Puppy and Roxi the Kitty. The pillows are functional, with pockets in the back.

The family also brought in expert Dennis Kupperman of RB Toy Design Inc. to help them navigate the perilous seas of the toy making business.

In a recent article at The Huffington Post, Lowe writes:

“Working with Dennis has been a huge learning experience, not only for me, but for my mom as well. We had no idea how many little details there were to set up a toy business: trademarks, copyrights, websites, barcodes, patterns, fabric selection, regulations, and even safety testing!”

But nothing could deter them. The business now has an online store up and running carrying its adorable merchandise.

The lesson learned? You’re never too young to be an entrepreneur - the key is determination.



Book Review: “Success Under Stress” by Sharon Melnick, Ph.D Will Help Keep You Calm and Confident Under Pressure

For all of you small business owners who need help staying calm and confident when the pressure’s on, I strongly suggest you grab a copy of “Success Under Stress” by Sharon Melnick, Ph.D.

This must-read book outlines powerful tools for staying calm, confident, and productive when the pressure’s on. Melnick shares tips on how to manage your personal life and not get stressed out in your business. It’s all about preserving your well-being and creating a balance between personal life and business.

Check out my full video review here or watch below:



Do You Mind If I Undermine Your Authority?

undermine authority cartoon

Sometimes, you don’t need a clever turn of phrase to make a cartoon. Sometimes, you don’t need to find a connection among seemingly unassociated ideas. Sometimes, you don’t need to set up a pun, or turn something upside down, or draw a really funny exaggerated pose.

Sometimes, all it takes is pointing out something we’ve all experienced - acknowledging it plainly and simply.



Brian Krebs: How Target was targeted

Internal network analysis security would have stopped this attack - Peter Wood, First Base CEO

Independent security researcher Brian Krebs - who specialises in ATM, EFTPOS and other forms of cybercrime - has been analysing the Target payment card leak, in which at least 40 million sets of card credentials were stolen by cybercriminals.

As reported previously, Target - the US equivalent of Sainsbury's here in the UK - was hit by a card data breach when cybercriminals managed to install malware on the EFTPOS terminals in its stores across the United States. The event, which was revealed the week before Christmas, was described by ex-Sophos consultant and security analyst Graham Cluley as one of the biggest for several years.

Krebs - who broke the story last month - now says that the criminals behind the attack and subsequent breach were using a memory scraping malware suite known as BlackPOS, which reportedly sells on the black market for around £1,100 (US$1,800). This type of code actively searches the memory of the infected computers for patterns that look like payment card data - and typically exfiltrates that data to the attacker's servers.
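To show what a RAM scraper of this kind is actually hunting for, here is an added example (it is not part of Krebs' report and is not BlackPOS code) that scans a memory image for magnetic-stripe Track 1 and Track 2 records, following the ISO/IEC 7813 layouts, and keeps only hits whose PAN passes the Luhn check. The same matching, run by a defender over a memory dump taken from a till, is one way to confirm whether card data is sitting unencrypted in process memory. The memory image and the card numbers are constructed (the PANs are the well-known public test numbers), not data from the breach.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Magnetic-stripe layouts (ISO/IEC 7813).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the usual PCI-safe form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Hit:
    offset: int      # byte offset of the record in the image
    track: int       # 1 or 2
    masked_pan: str
    expiry: str      # YYMM as encoded on the stripe


def scan_memory(buf: bytes) -> list[Hit]:
    """Find track-formatted card data in a memory image, Luhn-filtered."""
    hits: list[Hit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue  # random digit runs rarely pass Luhn; cuts false positives
            hits.append(Hit(m.start(), track, mask_pan(pan), m.group("exp").decode("ascii")))
    return sorted(hits, key=lambda h: h.offset)


# Constructed memory image: process noise around two swipes that use public
# test card numbers, plus one digit run that fails Luhn and must be ignored.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POS.EXE log buffer "
    + b";4111111111111111=25121011234567890?"   # Track 2, Luhn-valid
    + b"\x90" * 8
    + b"%B5555555555554444^DOE/JANE^2507101?"   # Track 1, Luhn-valid
    + b" ;4111111111111112=2512101?"            # looks like Track 2, fails Luhn
    + b"\xff" * 4
)


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_DUMP):
        print(f"offset {h.offset:#06x} track {h.track} PAN {h.masked_pan} exp {h.expiry}")
```

Run against a real process dump, the scanner should report nothing at all: a till that is handling card data correctly encrypts it in the reader and never holds clear track data in memory, so any hit is itself a finding.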

The security researcher says his sources tell him that the cybercriminals broke into Target's systems after compromising a company web server, then managed to push the POS malware out to the EFTPOS/PINpad machines in Target's stores.

They even, he claims, managed to establish a control server inside Target's internal network that served as a central repository for data harvested by all of the infected point-of-sale devices.

According to James Forshaw, Head of Vulnerability Research with Context IS, Krebs linked to a US-CERT advisory in his report that offers sound advice on how EFTPOS terminals can be deployed securely.

"Many tills seen in Target's stores appear to be Windows-driven units and Brian says that data from these units was memory scraped," he said, adding that the data was then egressed to the criminal's Command&Control server.

This type of behaviour, he told SCMagazineUK.com, can be countered through the use of inbound and outbound firewalls, as well as by deploying good Ethernet-level or IPsec security measures.

Embedded operating systems - such as those seen in bank ATMs - he says, would also not protect against malware insertions, as even the best embedded systems have no lockdown technologies in place, meaning that a compromised version of the operating system could be installed.

"The most interesting takeout from this story for me is that the Target systems were a networked POS (Point of Sale) system, using a centralised network. Ideally such a network should be fully PCI compliant," he said, adding that it remains to be seen whether this is the case.

Peter Wood, CEO of pen testing specialist First Base Technologies, said he was equally interested to read Krebs' latest report, adding that the criminals appear to have staged a series of attacks on Target's POS terminals.

"In some instances we have seen, thieves have used social engineering techniques to swap out the entire hardware of the PIN and EFTPOS terminals. This, however, is the first time we've seen a software-driven attack," he said.

"We have had a few clients that have been concerned about being hit by a malware attack of this type. Really, the only way to defend against this is to install network analysis technology within the corporate internal network. So often, we've found that external attacks are blocked, yet the company has little or no internal network analysis and security systems in play," he added.
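Forshaw's point about outbound filtering and Wood's point about internal network analysis come down to one check: a till should only ever talk to a short list of servers, and any internal host that suddenly receives connections from many tills is, by Krebs' account, exactly what the attackers' internal collection server looked like. The following is an added example, not code from either company or from the Krebs report, that applies that rule to a few constructed flow records. The segment range, the two permitted servers, the port numbers and the fan-in threshold are all assumptions about a hypothetical store network, not Target's.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed layout: tills live in 10.20.0.0/16 and may reach only the payment
# gateway and the POS management server. Everything else is a policy violation.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.1.5.10"), 443),   # payment gateway (assumed)
    (ipaddress.ip_address("10.1.5.20"), 8443),  # POS management server (assumed)
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAN_IN_THRESHOLD = 3  # distinct tills talking to one unexpected host before it counts as staging


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'timestamp src dst dport bytes' records, one per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), int(nbytes)))
    return flows


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def analyse(flows: list[Flow]) -> dict:
    """Apply the till egress policy, then look for fan-in and onward exfiltration."""
    # 1. Per-flow policy check: a till reaching anything outside the allow-list.
    violations = [f for f in flows
                  if f.src in POS_SEGMENT and (f.dst, f.dport) not in ALLOWED_EGRESS]
    # 2. Fan-in: one unexpected destination collecting from many tills.
    tills_per_dst: dict = defaultdict(set)
    for f in violations:
        tills_per_dst[f.dst].add(f.src)
    staging = {dst for dst, tills in tills_per_dst.items() if len(tills) >= FAN_IN_THRESHOLD}
    # 3. The suspected staging host sending data out of the private ranges.
    exfil = [f for f in flows if f.src in staging and not is_internal(f.dst)]
    return {"violations": violations, "staging": staging, "exfil": exfil}


# Constructed flow records (not real traffic): three tills each contact an
# internal file server on 445, which then uploads to an outside address.
SAMPLE_FLOWS = """\
2013-12-02T03:14:05Z 10.20.11.7 10.1.5.10 443 1820
2013-12-02T03:14:09Z 10.20.11.7 10.1.5.20 8443 420
2013-12-02T03:15:31Z 10.20.11.7 10.1.7.55 445 88130
2013-12-02T03:15:40Z 10.20.12.9 10.1.7.55 445 91002
2013-12-02T03:16:02Z 10.20.13.4 10.1.7.55 445 87540
2013-12-02T03:16:44Z 10.20.13.4 10.1.5.10 443 1930
2013-12-02T03:17:10Z 10.1.7.55 198.51.100.23 21 267000
"""


if __name__ == "__main__":
    report = analyse(parse_flows(SAMPLE_FLOWS))
    for f in report["violations"]:
        print(f"POLICY  {f.ts} till {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
    for host in report["staging"]:
        print(f"STAGING {host} is collecting from {FAN_IN_THRESHOLD}+ tills")
    for f in report["exfil"]:
        print(f"EXFIL   {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
```

The first check is what an outbound firewall on the till segment enforces; the second and third are what only internal flow monitoring can see, since the staging host's traffic to the tills never crosses the perimeter and its upload looks like ordinary outbound traffic from a server that is allowed to reach the internet.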



Ultra-secure Blackphone coming soon

PGP creator links up with Europe's first mass market Android vendor

Silent Circle - the company founded by PGP (Pretty Good Privacy) creator Phil Zimmermann and a number of military specialists - has announced it is teaming up with GeeksPhone, the Spanish smartphone developer and vendor, to develop an ultra-secure Android handset called the Blackphone.

GeeksPhone was founded in early 2009 by Javier Agüera and Rodrigo Silva-Ramos, shipping its first handset, the GeeksPhone One, a year later. The firm built on that model - the first European-developed mass market Android handset - with the Keon, Peak and Peak+ smartphones.

Blackphone - which will use a custom hardened version of Android known as PrivatOS - will feature much of Silent Circle's technology, including secure voice and text messaging facilities, although it remains to be seen whether a secure email function will be released.

The idea behind the handset - which will be formally unveiled this spring - is that it will allow users to make and receive secure voice calls, exchange secure text messages, transfer and store files, and use a secure video chat facility, all free from eavesdropping.

In a video to launch Blackphone - the company of the same name is based in Switzerland - Zimmermann said that he has spent his entire career working towards the launch of secure telephony products, adding that Blackphone provides users with everything they need to ensure privacy and control of their communications - along with all the other high-end smartphone features they have come to expect.

Commenting on the impending launch of the Blackphone, Nigel Stanley, CEO and analyst of Incoming Thought, the information security consultancy, said that it is an interesting move by Zimmermann, especially since it will offer competition for Cellcrypt, the main player in the secure mobile communications industry.

"The idea of creating an Android version of a device that does this is very interesting indeed," he told SCMagazineUK.com, adding that the big question is whether the Android device - and its customised, secured version of the mobile operating system - will be open to inspection by the rest of the industry.

"The price point that Blackphone comes in at is also going to be fascinating, as well as how they are going to sell it," he said, noting that Cellcrypt's approach to date has been to sell through specialist vertical market dealers.

Stanley - who has specialised in smartphone security for several years - went on to say that his observations suggest that people do not usually know their voice communications are being supervised until it is too late.

This means, he said, that the Blackphone will have a ready market amongst those individuals and companies that are concerned about their communications being eavesdropped.

Rob Bamforth, a security analyst with Quocirca, was equally interested. He said that, as Cellcrypt have shown, this area of the mobile market is popular.

"The reality is that, for various reasons, many people do not want their calls monitored or recorded. My main question is that, if the Blackphone turns out to be the secure mobile phone system that users have been seeking, then what sort of black hat monitoring technology will be developed to try and counter it," he said.

The Quocirca analyst went on to say that he was talking to a set of Swiss banking professionals recently, and noted that their approach to security was very physical in nature, rather than electronic.

"Basically they were looking at airgapping systems, rather than using conventional IT security," he said.

“It's clear that we are entering into something of an arms race with secure mobile communications,” he told SCMagazineUK.com.

"I know Samsung have been developing a secure version of Android  for some time, but this could take things to a much higher level," he said.



Android and Java head up weak spots

Unsurprisingly, Cisco's report finds that threats designed to take advantage of users' trust in systems, applications and personal networks have also reached record levels, while a worldwide shortage of nearly a million skilled security professionals is hampering organisations' ability to monitor and secure their networks.

Terry Greer-King, Director of Cyber Security, UK and Ireland at Cisco, commenting to SCMagazineUK.com on the report's findings, noted that, “As the new threats get more complex, it's not enough to deploy solutions and products that purely seek to stop attacks or address only part of the problem.”  Instead, a ‘before, during and after' (BDA) approach was proposed. “It's about looking at the whole continuum of security, understanding attacks before they happen, tracking events with advanced visibility, working out what's happening on the network, where it will go next, fixing it and mopping up afterwards.” 

The report also notes how rapid growth in intelligent mobile device adoption and cloud computing is providing a greater attack surface than ever before, while new classes of devices and new infrastructure architectures offer attackers opportunities to exploit unanticipated weaknesses and inadequately defended assets. These sophisticated infrastructure-scale attacks seek to gain access to strategically positioned web hosting servers, and then proliferate across the individual assets served by those resources.

One-hundred percent of a sample of 30 of the world's largest multinational company networks generated visitor traffic to Web sites that host malware says the report. Ninety-six percent of networks reviewed communicated traffic to hijacked servers. Similarly, 92 percent transmitted traffic to Web pages without content, which typically host malicious activity.

Distributed Denial of Service (DDoS) attacks are seen to have increased in volume and severity, and are often used in conjunction with, and to distract from, other attacks such as phishing. Multipurpose Trojans were the most frequently encountered web-delivered malware, at 27 percent of total encounters in 2013. Malicious scripts, such as exploits and iframes, were second at 23 percent; data theft Trojans such as password stealers and backdoors made up 22 percent, while malware overall was concentrated in fewer hosts and fewer IP addresses.

Commenting on the findings, Darren Anstee, Solutions Architect Team Manager at Arbor Networks, said in a statement to SCMagazineUK.com, “Businesses of every size should be in no doubt: if they are dependent on the Internet in any way for their business continuity, they need to have appropriate security solutions and services in place to protect themselves.  DDoS attacks are now being used as a distraction from fraudulent activities, to disguise data exfiltration or for competitive takeout - DDoS is just one of the tools that cyber-criminals use to achieve their goals.

“As DDoS attack size increases, so does the complexity of the hacker's toolkit, attacks now combine state-exhaustion, volumetric and application-layer methods. These multi-vector attacks cannot be dealt with by using a purely cloud or network-perimeter solution. To ensure protection from these threats, organisations must have multi-layered DDoS protection in place, using both cloud AND network-perimeter components,” says Anstee.

For Greer-King, the key advice for CISOs included identifying the key risks (eg Android rather than Apple phones as a cause for concern, and training of staff as an ongoing requirement) and prioritising resources accordingly in an integrated programme of action.