Dumb Starbucks Mystery Solved: Comic Owner Stands Behind “Parody Law”


Plenty of buzz surrounded a mysterious “Dumb Starbucks Coffee” cafe that opened in southern California over the weekend.

What has happened since should get the attention of every business owner. It reveals the potential power and influence of viral marketing and the importance of protecting a brand’s identity.

The coffee shop, almost a dead ringer for Starbucks, started serving free coffee on Saturday and Sunday at a strip mall in Los Feliz, Calif., a suburb of Los Angeles. The only marketing was a tweet from the coffee shop’s own account:

Based on photos posted online by visitors, the outside and inside of the cafe seemed almost identical to a Starbucks. The only difference was the addition of the word “Dumb” in front of the brand’s iconic name. Products were similarly named: Dumb Venti, Dumb Espresso, Dumb Tea, Dumb Norah Jones “Duets” CDs, etc.

At its busiest, people were lined up outside for more than an hour to get a free cup of coffee. And the coffee wasn’t even that good, according to some customers who talked to inquisitive local reporters.

As it operated throughout the weekend, speculation grew about who might be behind the cafe. Employees said they were hired via Craigslist and didn’t know the owners. There was also the question of whether this was a legitimate business or some kind of prank. How could it be legal to run a business that was essentially a rip-off of such a popular brand?

Starbucks told the press at the time that the company was still investigating its legal options.

In an FAQ sheet prominently displayed inside the store, the unknown owners said they were operating under the protection of “parody law.” At a press conference Monday, the person behind the business/hoax, take-your-pick, was revealed to be Canadian comedian Nathan Fielder, who has his own show on Comedy Central.

Whether Fielder really considers Dumb Starbucks Coffee a prank or a real business remains unclear; he insists he plans to open another location in Brooklyn.

In the end, it wasn’t Starbucks that got Fielder. It was the Los Angeles County Health Department, which shut the coffee shop down on Monday for not having the proper permits.

Image: Video Still



Skin Care Company Lessons in Social Media, Partnerships and Publicity (Wix and Infusionsoft Small Business Breakfast)

At the last Small Business Breakfast by Wix and Infusionsoft attendees learned from Tara Atwood, co-founder of skin care company Amber Blue.

Tara shares how this “mother-daughter” duo is building a powerful brand and profitable business through small business growth best practices in social media, partnerships, publicity and more.

Hosted by Annie Malarkey (Wix) and Ramon Ray (Infusionsoft and Smallbiztechnology.com) you’ll learn from the Small Business Breakfast tips on:

  • Free publicity through media coverage of your business
  • How to have a successful partnership
  • Business Web Site best practices
  • Social media for profit
  • and more.

You’ll enjoy this lively discussion and be well informed. Grab a bag of chips and something to drink….

Watch the video here - http://www.youtube.com/watch?v=fSN2AoddM5I



YouTube Producers: Tough To Build Business on Ad Revenue Alone

With Google ads chief Susan Wojcicki now head of YouTube, sources say the video site wants to start competing with TV for ad share. The trouble is, some YouTube producers, the small business owners who share revenue for ads that appear on their videos, say they’re not making enough money.

YouTube launched its revenue sharing program in 2012. At the time, the site even gave a number of $1 million grants to producers to encourage them to make higher quality videos.

The strategy has worked for YouTube, which generated $5.6 billion in ad revenue last year. But some producers are less happy.

For example, Olga Kay, who runs five channels on YouTube, told The New York Times recently she makes between $100,000 and $130,000 a year from her channels, but must invest a substantial part back into production.

Meanwhile, video producer Jason Calacanis told the paper:

“We were huge fans of YouTube, but we are not creating content anymore because it’s simply not sustainable. YouTube is an awesome place to build a brand, but it is a horrible place to build a business.”

Critics say part of the problem is the slice of revenue YouTube keeps for itself. A Variety report notes that revenue partners get 55 percent of ad revenue and YouTube takes 45 percent.

Others say videos are being uploaded to YouTube so quickly that the site can’t sell ads fast enough, so the available ads are spread too thin.

There’s also the concern YouTube is getting too little for its ads. Recent data suggests the site gets about $7.60 per 1000 views compared with $20 per 1000 on network TV.

This makes ads on YouTube a great buy but perhaps not such a great source of revenue for producers.

YouTube, of course, points out that its parent company Google provides the 12,000-member global sales force that sells the ads on YouTube in the first place. The company also points to its investment in the technology that allows for the upload of high quality video.

But YouTube executives say producers seeking to make money from YouTube only may be going at things the wrong way anyway. The site is also a place to launch programming that might eventually lead to more profitable ventures in other markets.

They use as an example Awesomeness TV which started on YouTube, but now provides content for Nickelodeon on cable, too.

Video Photo via Shutterstock



October 2015: Say Goodbye to Credit Card Swipes and Signatures, Hello to PINs

Starting October 2015, MasterCard and Visa will usher in a major change in the U.S. credit card industry. Credit cards will have microchips in them. Consumers will enter a PIN instead of signing credit card receipts. And consumers will insert the credit card into, or wave it near, the card reader instead of swiping a magnetic stripe.

It’s all part of a major shift that experts say will cut down card-present fraud and limit the damage from credit card data breaches (data captured from a chip transaction cannot be used to produce a working counterfeit card) and bring the United States more in line with the rest of the world.

At Senate hearings last week surrounding the Target stores data breach affecting 70 million people, there was a call to move to “chip and pin” technology for security reasons. Delara Derakhshani, Policy Counsel for Consumers Union, testified:

“Many other countries have shifted or are in the process of shifting to what is known as EMV ‘smart cards’ - or chip and pin technology, which utilizes multiple layers of security…. Total fraud losses dropped by 50 percent and card counterfeiting fell by 78 percent in the first year after EMV smart cards were introduced in France in 1992. The United States has lagged behind because replacing all payment cards, updating ATMs to accept the new cards, and updating the terminals in retail stores all cost money.  We believe it is money well-spent, and it is a penny-wise pound-foolish philosophy to wait any longer, particularly when the burden of guarding against harm following a breach falls most squarely on the shoulders of innocent consumers whose data was compromised.”

In an op-ed at CNBC.com, Chris McWilton, president of North American Markets at MasterCard, pointed out that magnetic stripe technology was new … way back in the 1970s. Fast forward 40 years, and technology has advanced. Yet the United States lags behind Europe and Asia in adopting chip-based cards, which are “widely used” there, he wrote.

Why are they more secure? A magnetic stripe holds static data, so anyone who copies it (with a skimmer, or from a breached point-of-sale system) can produce a working counterfeit card. A chip card, by contrast, computes a unique cryptogram for every transaction using a key that never leaves the chip, so data captured from one transaction cannot be replayed or used to clone the card. That is what makes chip cards so much harder to counterfeit. And requiring a PIN cuts down on use of a lost or stolen card by anyone other than the rightful owner.
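As an added illustration of the replay argument above (example code written for this page, not from MasterCard, Visa or the article): a simplified model in which the magnetic stripe carries static data that any skimmer can replay, while the chip authorizes each transaction with a cryptogram over a transaction counter and a random number chosen by the terminal. The real EMV cryptogram (the ARQC) is a DES/AES-based MAC computed with an issuer-derived session key; HMAC-SHA256 stands in for it here, the track-2 string and PAN are constructed test values, and PIN verification is not modelled.

```python
import hashlib
import hmac
import os


def arqc(key, atc, unpredictable_number, amount):
    """Stand-in for the EMV Application Request Cryptogram: a MAC over the
    transaction counter, the terminal's random number and the amount.
    (Real EMV uses a DES/AES MAC under a session key; HMAC-SHA256 here is
    an assumption made for this example.)"""
    msg = (atc.to_bytes(2, "big")
           + unpredictable_number.to_bytes(4, "big")
           + amount.to_bytes(6, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self):
        self.cards = {}  # PAN -> {"key": chip key, "atc": last accepted counter}

    def issue(self, pan):
        key = os.urandom(16)
        self.cards[pan] = {"key": key, "atc": 0}
        return key

    def stripe_data(self, pan):
        # Constructed track-2 style string (PAN, expiry, service code). Static.
        return pan + "=2512101"

    def authorize_magstripe(self, pan, track2):
        # Whatever presents a correct copy of the static data is accepted.
        return track2 == self.stripe_data(pan)

    def authorize_chip(self, pan, atc, unpredictable_number, amount, cryptogram):
        rec = self.cards[pan]
        if atc <= rec["atc"]:          # counter reuse: a replay or reordering
            return False
        expected = arqc(rec["key"], atc, unpredictable_number, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        rec["atc"] = atc
        return True


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, unpredictable_number, amount):
        self.atc += 1                  # Application Transaction Counter
        return self.atc, arqc(self.key, self.atc, unpredictable_number, amount)


def chip_transaction(card, issuer, amount):
    """Terminal side: pick an unpredictable number, obtain the cryptogram,
    send it to the issuer. Returns (approved, data a skimmer could capture)."""
    un = int.from_bytes(os.urandom(4), "big")
    atc, cryptogram = card.generate_ac(un, amount)
    approved = issuer.authorize_chip(card.pan, atc, un, amount, cryptogram)
    return approved, (atc, un, amount, cryptogram)


def demo():
    issuer = Issuer()
    pan = "4111111111111111"          # constructed test PAN
    card = ChipCard(pan, issuer.issue(pan))

    # Magstripe: skimmed track data replays as a working counterfeit.
    skimmed = issuer.stripe_data(pan)
    stripe_replay_ok = issuer.authorize_magstripe(pan, skimmed)

    # Chip: the genuine transaction is approved ...
    genuine_ok, captured = chip_transaction(card, issuer, 4200)
    atc, un, amount, cryptogram = captured

    # ... but replaying exactly what was captured is refused (ATC reused),
    replay_ok = issuer.authorize_chip(pan, atc, un, amount, cryptogram)
    # and a forged transaction with a fresh counter fails too, because the
    # cryptogram is bound to the old ATC and unpredictable number.
    forged_ok = issuer.authorize_chip(pan, atc + 1, (un + 1) & 0xFFFFFFFF,
                                      amount, cryptogram)
    return stripe_replay_ok, genuine_ok, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The two refusals are the whole point of the liability shift: the stripe copy is indistinguishable from the real card, while captured chip data is worthless to a counterfeiter without the key inside the chip.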

Here’s what you, as a merchant, need to know as we head toward this credit card industry shift by October 2015:

Microchip cards become common - You will be seeing more customers between now and October 2015 with cards containing microchips. You can recognize the cards by the small square metal contact plate on the front. Some banks have already started issuing chip credit cards. More will follow.

Liability shift will occur - MasterCard and Visa say they are not mandating the change, but are encouraging it through a liability shift. What this means is, if as a merchant you’re still swiping and not using the chip for credit card transactions, you could end up with the liability in a fraud situation. Speaking to the Wall Street Journal, Carolyn Balfany of MasterCard said:

“So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way - if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.”

Through the liability shift, MasterCard and Visa are trying to encourage all players in the marketplace to adopt the new technology.

New card readers required - By October 2015, you will want to upgrade your credit card terminals to accept the new chip-based cards, if you haven’t already. A magnetic stripe reader cannot read the chip; you need a terminal with a chip slot (and, for contactless cards, an NFC reader).

Processes and staff training must be updated - Moving to chip-based cards and PINs may not be a big change for some small-business merchants. For other small businesses, it may require fundamental changes in process and staff retraining. One example is restaurants that today take the credit card away from the table to process it. According to Heartland Systems, “Businesses that typically have ‘back-of-store’ terminals (like restaurants) will have the greatest paradigm shift as terminals will have to be brought to the cardholder to input a PIN.”

Contactless cards are different - The chip-based cards are not necessarily the same as “contactless cards,” so called because they don’t need to be swiped (today) or inserted into the reader (future). In fact, mobile devices, key fobs and other devices can also be used for contactless transactions; it doesn’t always have to be a plastic card. Contactless cards or devices send a radio frequency signal a very short distance to process the transaction. That means they need only be tapped on the credit card terminal or waved very close to it, at most a couple of inches away.

Educate yourself on all implications - Carefully read all communications from MasterCard, Visa, your credit card processor, and POS system provider. You will want to understand all the practical aspects and costs of making the shift.  More information on the chip and PIN shift can be found at MasterCard and also at Visa.

See also our earlier piece, “EMV: The Upside Of Smart Card Adoption, Will Small Businesses Be Ready?”

Chip and Pin Credit Card image via Shutterstock


Hunt on for attackers after Kaspersky unmasks major APT campaign

The perpetrators behind the Mask, reportedly one of the most sophisticated APT attacks ever seen, may never be traced after they hurriedly shut down the attack once they realised Kaspersky was onto them.

Kaspersky revealed details of the attack on Monday, saying the Mask's servers were closed down last month after an attack that ran from 2007 - and struck at least 380 victims at over 1,000 IP addresses in 31 countries, including the UK and Gibraltar.

Victims ranged from government agencies, embassies and diplomatic offices to oil, gas and energy companies, private equity firms, as well as research organisations and activists. Kaspersky said their numbers could be “much higher” as it tracked down only some of the servers involved.

In a 10 February blog post, Kaspersky described the Mask as “one of the most advanced threats at the current time” - so advanced that it suspects a nation state was behind it. The company also warned: “We cannot rule out the possibility of the attackers resurrecting the campaign at some point in the future.”

Company chairman and CEO Eugene Kaspersky tweeted that the Mask operation was shut down just four hours after Kaspersky posted the first information about it.

The Mask was a Spanish-language attack that Kaspersky says used “extremely sophisticated malware”, including a rootkit and a bootkit, to target users of Windows, Mac and probably Linux systems. The researchers suspect there were also versions hitting Android, iPad and iPhone users.

The attack was based on spear-phishing emails that lured victims to exploit websites, which infected them depending on which areas they clicked on and their system configuration. The exploit sites covered their tracks by mimicking sections of the websites of legitimate newspapers such as The Guardian, the Washington Post and the main newspapers in Spain, and after infection redirected the target to the benign website referred to in the email.

Its perpetrators stole information from victims that would have allowed them to get into highly secure systems - including encryption keys, VPN configurations, SSH keys and RDP files, and data which Kaspersky said “could be related to custom military/government-level encryption tools”.

Information security consultant Brian Honan of BH Consulting said this target information was significant. He told SCMagazineUK.com via email: “Instead of documents, financial details or login credentials, the malware looked to steal encryption keys. These could then be used to intercept secure communications of those whose encryption keys had been stolen, and also to digitally sign documents or other files to imitate the genuine users.

“To me this points to the Mask being a tool used to gather information to enable the attackers to launch more sophisticated attacks against their targets. So in effect the Mask is a good example of a genuine APT - advanced persistent threat - in that while the tool itself is sophisticated it is the parties behind the tool that are the APT.”

Kaspersky tried but failed to identify the attackers, and while it suspects a nation state, it may not necessarily be one that uses the Spanish language. The company said the high degree of professionalism and operational security among the attackers was not normal for cybercriminal groups.

“This and several other factors make us believe this could be a state-sponsored campaign,” the company said before adding: “Attribution is a difficult task. Some clues such as the use of the Spanish language are weak, as it is spoken in many countries, including Latin America, Mexico or the US. We should also keep in mind the possibility of false flag attacks before making any solid assumption on the identity of who is responsible without very solid proof.”

Jaime Blasco, director of AlienVault Labs, agreed that it will be hard to uncover who is behind the Mask “unless they made mistakes operating the infrastructure".

In an emailed comment to SCMagazineUK.com, Blasco added: “One important thing about the attackers is that they are really professionals. They were able to anticipate Kaspersky's public disclosure and they shut down all the infrastructure within four hours after Kaspersky published a short press release announcing the discovery. I think that Kaspersky didn't give any technical detail at that time, but the people behind the Mask were able to discover the operation was uncovered and they took the actions to remove as much information as they could.”

In its blog, Kaspersky said the Mask at one point used an exploit for the Adobe Flash Player vulnerability CVE-2012-0773, which was a zero-day at the time and has since been patched by Adobe. Dana Tamir, director of enterprise security at Trusteer, saw this as evidence of why it was so damaging.

She told SCMagazineUK.com: “The fact that the attackers took advantage of at least one zero-day vulnerability explains why it successfully infected users. Because a zero-day vulnerability is unknown, there is no patch available, and very little can be done to prevent the drive-by download and malware infection.”

“The best protection against zero-day exploits and drive-by downloads is based on exploit-chain disruption technology that breaks the malware delivery process,” she added.

Kaspersky confirmed that “at the moment all known Careto C&C servers are offline” but Brian Honan believes there is no guarantee that the Mask won't spark off future attacks.

“As we may have no way of knowing how many systems have been infected with this malware we have no guarantee that all the infected systems can be cleaned up. This leaves several systems remaining infected which could come under attack by anyone else who can set up the command and control systems for the Mask.

“Of course now that the Mask has been discovered it would be expected that many anti-virus software products will now detect it. But as we have seen in the past, many systems may not have effective security controls, which is why we still see old viruses such as Conficker still infecting systems.”

Kaspersky spotted the Mask (‘Careto' in Spanish) when it tried to exploit a vulnerability, now fixed, in the company's security products to make the malware invisible in the system.

Previous high-profile APT attacks have included Flame, which infiltrated computers in the Middle East, Stuxnet designed to sabotage the Iranian nuclear programme, and RedOctober which attacked diplomatic institutions. 



CloudFlare spots ‘largest ever DDoS attack’

Content delivery network CloudFlare says that one of its clients was hit by one of the biggest distributed denial of service (DDoS) attacks ever seen on European networks.

CloudFlare said that the attack was close to 400Gbps in size, making it bigger than last year's DDoS attack against anti-spam outfit Spamhaus, which was measured at just over 300Gbps.

Confidentiality stopped CloudFlare from revealing the identity of the customer under attack, and there were few details on how many other companies had been affected. The attack did, however, appear to hit European networks hardest, with French hosting outfit OVH later reporting that it had fended off a 350Gbps attack. It's not known if the same attacker was responsible.

Company CEO Matthew Prince responded to the news by saying on Twitter that "someone's got a big, new cannon" and the attack was the "start of ugly things to come".

While the size of this attack is likely to draw the headlines, it's worth noting that the attackers carried out the DDoS attack using NTP reflection and amplification techniques, which are increasingly common for overwhelming targets with more traffic than their links and switches can carry.

The attack technique has been seen in relatively recent attacks against online gaming services like Steam, League of Legends and Battle, and works by bouncing traffic off third-party Network Time Protocol (NTP) servers towards the target, which need not run NTP itself.

In this instance, attackers exploited a weakness in NTP, the UDP-based protocol that synchronises clocks across the Internet. Because UDP involves no handshake, the attackers could forge the target's IP address as the source of small queries (typically the 'monlist' command, which older ntpd versions answer with a list of up to 600 recent clients) sent to open NTP servers that answer requests from anywhere. Those servers then sent their much larger replies to the target, which was overwhelmed by the volume. CloudFlare has a detailed blog post on NTP reflection attacks.

Martin McKeay, senior security advocate at Akamai Technologies, told SCMagazineUK.com that this method of attack abuses unpatched NTP servers, and is attractive to attackers because it can reflect huge traffic back at the target. He added that it also favours the attacker because UDP is “easily spoofed” and because it's hard for victims to see who is behind the attack.

“The main reason for using NTP as an attack tool is that it increases traffic by 100 or 200 percent. It's a great reflection index and makes for a very effective tool if you're an attacker.

“At 400Gbps, it's conceivable that the attack is being run by a small botnet outputting 20Gbps to 30Gbps of traffic,” he added.

McKeay, and other industry commentators, have advised IT administrators to patch and upgrade their NTP servers in light of this attack, although the Akamai exec acknowledged that many assume NTP servers are safe.

“NTP servers are often stable and so haven't often been looked at before. [IT departments] are having to now.”

IT administrators are advised, in light of this attack, to patch and upgrade their NTP servers and to restrict who can query them: mode-7 control queries such as monlist should be disabled or limited to trusted hosts, and networks should filter traffic with spoofed source addresses at their edge so their hosts cannot be used to launch reflection attacks.
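Two practical checks that follow from the mechanism described above and from the patching advice, written for this page as an added example (not CloudFlare's, Akamai's or the article's code): a flow-record heuristic that flags a host receiving large volumes of port-123 UDP from many servers it never queried, and an ntp.conf audit for the setting that made servers usable as reflectors. A server answers the mode-7 'monlist' query unless the monitor facility is disabled or its default restrict lines carry 'noquery' (ntpd 4.2.7p26 and later dropped monlist altogether). The flow records and the two configuration files below are constructed sample inputs.

```python
import re
from collections import defaultdict

NTP_PORT = 123


def amplification_by_victim(flows, min_reflectors=3, min_ratio=20.0):
    """Flag hosts that receive UDP traffic from many port-123 sources while
    having sent little or nothing to port 123 themselves.

    flows: iterable of dicts with keys src, dst, proto, sport, dport, bytes
    (constructed here in the shape of NetFlow/sFlow summaries).
    Returns {victim: (reflector_count, bytes_received, ratio)}."""
    received = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    sent_to_ntp = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == NTP_PORT:            # reply coming from an NTP server
            received[f["dst"]]["bytes"] += f["bytes"]
            received[f["dst"]]["reflectors"].add(f["src"])
        elif f["dport"] == NTP_PORT:          # query going to an NTP server
            sent_to_ntp[f["src"]] += f["bytes"]
    flagged = {}
    for victim, r in received.items():
        sent = sent_to_ntp.get(victim, 0)
        # Spoofed queries never show up as sent by the victim, so the ratio
        # of replies to its own queries goes to infinity.
        ratio = r["bytes"] / sent if sent else float("inf")
        if len(r["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            flagged[victim] = (len(r["reflectors"]), r["bytes"], ratio)
    return flagged


def monlist_exposed(ntp_conf):
    """True if an ntp.conf would still answer mode-7 'monlist' queries from
    the Internet: the monitor facility is enabled and the default restrict
    lines (for both IPv4 and IPv6) lack 'noquery'."""
    if re.search(r"^\s*disable\s+.*\bmonitor\b", ntp_conf, re.M):
        return False
    covered = set()
    for m in re.finditer(r"^\s*restrict\s+(-4\s+|-6\s+)?default\b(.*)$",
                         ntp_conf, re.M):
        if "noquery" in m.group(2).split():
            fam = m.group(1).strip() if m.group(1) else None
            covered.update({"-4", "-6"} if fam is None else {fam})
    return covered != {"-4", "-6"}


# Constructed flow records: 203.0.113.10 is hit from five NTP servers it
# never queried; 203.0.113.20 is an ordinary client syncing its clock.
SAMPLE_FLOWS = [
    {"src": f"198.51.100.{i}", "dst": "203.0.113.10", "proto": "udp",
     "sport": 123, "dport": 80, "bytes": 48_000} for i in range(1, 6)
] + [
    {"src": "203.0.113.20", "dst": "192.0.2.1", "proto": "udp",
     "sport": 40000, "dport": 123, "bytes": 76},
    {"src": "192.0.2.1", "dst": "203.0.113.20", "proto": "udp",
     "sport": 123, "dport": 40000, "bytes": 76},
]

# Constructed ntp.conf fragments: the weak one answers monlist to anyone.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    print(amplification_by_victim(SAMPLE_FLOWS))
    print("weak exposed:", monlist_exposed(WEAK_CONF))
    print("hardened exposed:", monlist_exposed(HARDENED_CONF))
```

The flow heuristic is deliberately crude: it will also flag a host behind a NAT that legitimately syncs against many servers, so treat it as a triage signal and confirm with packet sizes (a monlist reply is hundreds of times the size of the query) before blocking.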

Speaking recently to SCMagazineUK.com, Visiting Professor John Walker, of Nottingham Trent University, warned that DDoS attacks will continue to be a big threat in 2014, and added that, since company divisions struggle to get their heads around the issue, the firm itself struggles to establish an effective defence strategy.

"Since they see the issue solely from their perspective, they cannot hope to develop an effective strategy to deal with this security problem," he said at the time.

A previously unknown division of the UK Government was recently accused of launching DDoS attacks against hacktivist groups such as Anonymous and LulzSec, while a report from the end of last year revealed that most UK companies ignore DDoS threats.



London Police-BBA cyber crime partnership gets mixed response

The City of London police has partnered with the British Bankers' Association (BBA) to tackle cyber crime, but the alliance has already come under criticism from one cyber security expert.

The new partnership has been established to prevent cyber criminals stealing from customers and reportedly prevented the theft of £173.9 million over the past nine months. In addition, it has apparently identified 20,000 suspect bank accounts since April last year.

Under the terms of the agreement, reported in the FT on Monday, the organisation will attempt to create a virtual “ring of steel” around the City of London - a reference to physical security employed around the UK's financial centre - and also aims to educate global banks on the cyber risks via its new global centre of excellence. This centre is to run training workshops on subjects such as the latest threats and techniques used by cyber criminals to commit fraud, bribery and corruption.

Commissioner Adrian Leppard of the City of London Police said in a prepared statement: “In 2014, serving the country as the national policing lead for economic crime, the City of London Police is focusing on the rapidly evolving and expanding threat of fraud and cyber crime.

“The next logical step for us to take is to create a ‘virtual ring of steel' around what is the financial engine room of the UK. The way we are going to do it is by teaming up with City workers and sharing our experience and expertise with the banks that are now the target or being used as a facilitator for organised crime.”

But despite this new initiative, which follows shortly after mixed results at the latest Waking Shark exercise, some cyber security experts have questioned the project.

Adrian Culley, technical consultant at Damballa and formerly of Scotland Yard's Computer Crime Unit, told SCMagazineUK.com that collaboration is a “very good thing” but urged that there is more work to be done.

“More communications are great but they're never going to solve the problem alone,” he said, adding that this partnership needs to focus on educating on skills and technology. “We need to address the fundamentals first.”

Those fundamentals, according to Culley, should include improved bank collaboration and education (he says that “most people didn't know the 1990 Computer Misuse Act” at Waking Shark).

Damballa's Culley continued that the “ring of steel” terminology has been lifted from the days of IRA attacks, but believes that it's hard to achieve this kind of defence in a digital world where perimeter solutions such as firewalls, for example, are designed to allow and block access in equal measure.

“A physical ring of fire doesn't translate into cyber space. Plus, it's missing the point of where the industry is now,” he said, adding that IT departments have become too reliant on perimeter technologies.

“We've got to start educating on the basics of what is an attack, but at the same time educate on protecting compromised network systems, and what [companies] do and don't care about [in terms of data]. We need to raise the bar.”

Nick Polland, senior director of Professional Services at Guidance Software, agreed and said that banking institutions must up their game independently, and said that laws should be clarified on data breach notifications - something which could yet result from the EU's impending Data Protection Reform. 

“Overall, the partnership is a very positive move,” he told SCMagazineUK.com via email. “The creation of a virtual 'ring of steel' around the City of London sends a clear warning message to the cyber criminals.

“However, collective action must be balanced with individual responsibility; each bank has to take charge of its own house. Institutions not only need to ensure that they have the right policies in place to participate in the CISP platform, report to regulators, law enforcement and so on, but also ensure that these policies are fully updated and acted on. 

“One of the ways through which we can move to a culture of effective collaboration is to strengthen and clarify the law around notification.  This, I believe, would help organisations to identify a critical path to notification, which will vary between and within institutions, and to instil a new culture of co-operation - where ideas, techniques and skills can be shared. A cultural change is essential if we are to make serious gains in the arms race with the cyber criminals."



London Police-BBA cyber crime partnership gets mixed response

The City of London police has partnered with the British Bankers' Association (BBA) to tackle cyber crime, but the alliance has already come under criticism from one cyber security expert.

The new partnership has been established to prevent cyber criminals stealing from customers and reportedly prevented the theft of £173.9 million over the past nine months. In addition, it has apparently identified 20,000 suspect bank accounts since April last year.

Under the terms of the agreement, reported in the FT on Monday, the organisation will attempt to create a virtual “ring of steel” around the City of London - a reference to physical security employed around the UK's financial centre - and also aims to educate global banks on the cyber risks via its new global centre of excellence. This centre is to run training workshops on subjects such as the latest threats and techniques used by cyber criminals to commit fraud, bribery and corruption.

Commissioner Adrian Leppard of the City of London Police said in a prepared statement: “In 2014, serving the country as the national policing lead for economic crime, the City of London Police is focusing on the rapidly evolving and expanding threat of fraud and cyber crime.

“The next logical step for us to take is to create a ‘virtual ring of steel' around what is the financial engine room of the UK. The way we are going to do it is by teaming up with City workers and sharing our experience and expertise with the banks that are now the target or being used as a facilitator for organised crime.”

But despite this new initiative, which follows shortly after mixed results at the latest Waking Shark exercise, some cyber security experts have questioned the project.

Adrian Culley, technical consultant at Damballa and formerly of Scotland Yard's Computer Crime Unit, told SCMagazineUK.com that collaboration is “very good thing” but urged that there is more work to be done.

“More communications are great but they're never going to solve the problem alone,” he said, adding that this partnership needs to focus on educating on skills and technology. “We need to address the fundamentals first.”

Those fundamentals, according to Culley, should include improved bank collaboration and education (he says that “most people didn't know the 1990 Computer Misuse Act” at Waking Shark).

Damballa's Culley continued that the “ring of steeling” terminology has been lifted from the days of IRA attacks, but believes that it's hard to achieve this kind of defence in a digital world where perimeter solutions such as firewalls, for example, are designed to allow and block access in equal measure.

“A physical ring of fire doesn't translate into cyber space. Plus, it's missing the point of where the industry is now,” he said, adding that IT departments have become too reliant on perimeter technologies.

“We've got to start educating on the basics of what is an attack, but at the same time educate on protecting compromised network systems, and what [companies] do and don't care about [in terms of data]. We need to raise the bar.”

Nick Polland, senior director of Professional Services at Guidance Software, agreed and said that banking institutions must up their game independently, and said that laws should be clarified on data breach notifications - something which could yet result from the EU's impending Data Protection Reform. 

“Overall, the partnership is a very positive move,” he told SCMagazineUK.com via email. “The creation of a virtual 'ring of steel' around the City of London sends a clear warning message to the cyber criminals.

“However, collective action must be balanced with individual responsibility; each bank has to take charge of its own house. Institutions not only need to ensure that they have the right policies in place to participate in the CISP platform, report to regulators, law enforcement and so on, but also ensure that these policies are fully updated and acted on. 

“One of the ways through which we can move to a culture of effective collaboration is to strengthen and clarify the law around notification.  This, I believe, would help organisations to identify a critical path to notification, which will vary between and within institutions, and to instil a new culture of co-operation - where ideas, techniques and skills can be shared. A cultural change is essential if we are to make serious gains in the arms race with the cyber criminals."



CloudFlare spots \'largest ever DDoS attack\'

Content delivery network CloudFlare says that one its clients was hit by one of the biggest distributed denial of service (DDoS) attacks ever seen on European networks.

CloudFlare said that the attack was close to 400Gbps in size, making it bigger than last year's DDoS attack against anti-spam outfit Spamhaus, which was measured at just over 300Gbps.

Confidentiality stopped CloudFlare from revealing the identify of the customer under attack, and there were few details on how many other companies had been affected. The DDoS attack did, however, seem to pose a bigger threat on European networks, with French hosting outfit OVH later reporting that it had fended off a 350Gbps attack. It's not known if the same attacker was responsible.

Company CEO Matthew Prince responded to the news by saying on Twitter that "someone's got a big, new cannon" and the attack was the "start of ugly things to come".

While the size of this attack is likely to draw the headlines, it's worth noting that hackers carried out the DDoS attack by using NTP reflection and amplification techniques, which are increasing common for overwhelming target servers by sending more data packets than switches can support.

The attack technique has been seen in relatively recent hacks against online gaming services like Steam, League of Legends and Battle and essentially aims to push big traffic to the target's Network Timing Protocol (NTP) server.

In this instance, attackers used NTP reflection to exploit a weakness in the UDP-based NTP, which connects to the Internet to synchronise clocks on machines. The hackers then spoofed the IP address of the target, and sent DNS queries to open DNS resolvers that will answer requests from anywhere. As a result, overwhelming levels of traffic were sent back to the NTP server. CloudFlare has a detailed blog post on NTP reflection attacks.

Martin McKeay, senior security advocate at Akamai Technologies, told SCMagazineUK.com that this method of attack troubles unpatched DNS servers, and said that it is attractive to attackers because it can reflect huge traffic back to the target. He added that it's also favourable to the attacker because UDP is “easily spoofed” and because it's hard for victims to see who is behind the intrusion.

“The main reason for using NTP as an attack tool is that it increases traffic by 100 or 200 percent. It's a great reflection index and makes for a very effective tool if you're an attacker.

“At 400Gbps, it's conceivable that the attack is being run by a small botnet outputting 20Gbps to 30Gbps of traffic,” he added.

McKeay, and other industry commentators, have advised IT administrators to patch and upgrade their NTP servers in light of this attack, although the Akamai exec admitted that some may assume that NTP servers are safe.

“NTP servers are often stable and so haven't often been looked at before. [IT departments] are having to now.”

IT administrators are advised, in light of this attack, to patch and upgrade their NTP servers and to check management rights.
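The reflection-and-amplification mechanism described above, and the advice to check one's own NTP servers, can both be turned into a simple flow-log check: a server answering small UDP/123 requests with replies many times larger is acting as a reflector, and a host receiving UDP/123 replies it never requested is the spoofed victim. This is an added example, not CloudFlare's or Akamai's code; the flow record format, the sample flows and the thresholds are assumptions.

```python
"""Flag NTP reflection/amplification in UDP flow records: a server answering
small port-123 requests with far larger replies (you are the reflector), or a
host receiving port-123 replies it never requested (you are the victim).
Added example, not CloudFlare's or Akamai's code; format and thresholds assumed."""
from collections import defaultdict

NTP_PORT = 123
AMP_RATIO = 10.0  # reply bytes per request byte that we treat as amplification

# Constructed sample, "src_ip sport dst_ip dport proto bytes pkts": 10.0.0.5 is a
# local NTP server abused as a reflector, 203.0.113.9 the spoofed victim address,
# 192.0.2.20 a normal client, 10.0.0.6 a remote reflector whose replies hit the victim.
SAMPLE_FLOWS = """\
203.0.113.9 40001 10.0.0.5 123 udp 90 1
203.0.113.9 40002 10.0.0.5 123 udp 90 1
10.0.0.5 123 203.0.113.9 40001 udp 44000 100
10.0.0.5 123 203.0.113.9 40002 udp 44000 100
192.0.2.20 35000 10.0.0.5 123 udp 90 1
10.0.0.5 123 192.0.2.20 35000 udp 90 1
10.0.0.6 123 203.0.113.9 40003 udp 44000 100
"""

def parse_flows(text):
    """One flow per line -> (src, sport, dst, dport, proto, bytes, pkts)."""
    rows = []
    for line in text.splitlines():
        s, sp, d, dp, proto, nbytes, pkts = line.split()
        rows.append((s, int(sp), d, int(dp), proto, int(nbytes), int(pkts)))
    return rows

def ntp_amplification_report(flows):
    """Return {(ntp_server, client): ratio}; ratio = reply bytes / request bytes,
    or float('inf') when replies arrived with no matching request seen."""
    req = defaultdict(int)  # (server, client) -> bytes sent to port 123
    rep = defaultdict(int)  # (server, client) -> bytes sent from port 123
    for s, sp, d, dp, proto, nbytes, _ in flows:
        if proto != "udp":
            continue
        if dp == NTP_PORT:
            req[(d, s)] += nbytes
        elif sp == NTP_PORT:
            rep[(s, d)] += nbytes
    report = {}
    for key, reply_bytes in rep.items():
        request_bytes = req.get(key, 0)
        ratio = reply_bytes / request_bytes if request_bytes else float("inf")
        if ratio >= AMP_RATIO:  # normal client/server exchanges are roughly 1:1
            report[key] = round(ratio, 1)
    return report
```

A local server that shows up as the first element of a flagged pair is the one the patch-and-upgrade advice applies to; an address that only ever appears as the second element, with replies but no requests, is being used as a spoofed victim.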

Speaking recently to SCMagazineUK.com, Visiting Professor John Walker, of Nottingham Trent University, warned that DDoS attacks will continue to be a big threat in 2014, and added that, since company divisions struggle to get their heads around the issue, the firm itself struggles to establish an effective defence strategy.

"Since they see the issue solely from their perspective, they cannot hope to develop an effective strategy to deal with this security problem," he said at the time.

A previously unknown division of the UK Government was recently accused of launching DDoS attacks against hacktivist groups such as Anonymous and LulzSec, while a report from the end of last year revealed that most UK companies ignore DDoS threats.



Adobe Announces Flash Vulnerability, Hackers Can Control Your Computer

Adobe recently announced a vulnerability in its Flash Player and has issued a security update to patch up the hole. Media reports warn the vulnerability could allow attackers to remotely seize control of your Windows, Mac or Linux computer.

Adobe’s announcement, after the vulnerability was reported by Kaspersky Labs, also included details about two web browsers with Flash Player which are potentially affected - Google Chrome and Internet Explorer. According to CNET, Adobe has assigned a Priority 1 rating to the vulnerabilities, which is Adobe’s highest threat level.

Even cellphones are not immune. If you have Flash Player on your Android phone, you need to check which version you have by going to “Settings > Applications > Manage Applications > Adobe Flash Player x.x”. But Adobe does not specify which version Android users need to have, or how it will be pushed to the phone. Will it be automatic? Or does the user have to download it?

According to Adobe, if you are the owner of a Windows or Mac computer, and have Flash Player version 12.0.0.43 or earlier, then you are vulnerable. If you use Linux and have Flash Player 11.2.202.335 or earlier, then again you are open to attack.

There are two very quick and easy ways to check what version of Flash Player you have. The first is to go to this page and it will tell you your version number.

The second option is to right-click on any Flash content and choose the option “About Adobe Flash Player” from the contextual menu.

Windows and Mac users are urged to update to Flash Player 12.0.0.44 as soon as possible, while Linux users should install version 11.2.202.336. Chrome and Internet Explorer will apparently be automatically updated without any input needed from the user.

After installing the latest patch, it would also be a good idea to run your anti-malware program to make sure that there is nothing nasty lurking on your computer. If you are stuck for what program to use, give MalwareBytes a try. The free version does more than enough to give your computer a thorough check-up.

“Adobe does seem to have an unfortunate history of people finding security flaws with Flash that require updates,” independent security consultant Alan Woodward told the BBC in an interview.




Microsoft rushes out patches to stay ahead of cyber crooks

Microsoft's latest Patch Tuesday security fixes for its products included two last-minute updates that show the company rushing to respond to the escalating pace of cyber attacks.

The two late patches fix problems in Internet Explorer and VBScript. In all, Microsoft issued seven updates on Tuesday - four of them ‘critical', addressing remote code execution flaws in Windows, Internet Explorer versions 6-11, VBScript and the company's Forefront security software. The three ‘non-critical' patches plug gaps in Windows and .NET Framework.

But because the fixes affect all versions of Windows, from XP to 8.1, they have reignited the controversy over the safety of Windows XP once Microsoft stops supporting it in April.

Security expert Paul Ducklin, a senior security advisor at Sophos, welcomed the fact that Microsoft changed its plans just 24 hours before the patches were released.

He told SCMagazineUK.com: “It's good news that Microsoft was able to get those extra two bulletins out this month. Otherwise a bunch of critical holes would have remained unpatched until next month.

“In the ‘old days', Microsoft would probably just have held over those extra two bulletins instead of sneaking them in at the last minute. The fact that Redmond bothered to keep plugging away at the patches - presumably doing some final testing right until the day before Patch Tuesday - isn't a sign that the company is getting slacker at patching but rather the opposite.

He added: “We need an ever-increasing urgency to fight back against the crooks by working to ever more aggressive patching deadlines.”

Ducklin pointed to Target's recent payment card breach, where crooks stole 40 million records in less than a month, as a sign that cyber criminals move quickly, and urged CISOs to be fast too when it comes to patches.

“As always, don't delay,” he said. “The days of months or weeks of change committee meetings to weigh up patches are over.”

But the Windows XP fix - one of the last before Microsoft stops supporting it on 8 April - has stirred up the debate over how vulnerable XP users will then become. Ducklin explained that patches to other Microsoft products after April could effectively ‘signpost' potential XP weaknesses to hackers.

“If Windows 7 and 8 have security holes that can be traced back to bugs originally in the XP source code, then reverse engineering Windows 7 or 8 patches might give a fantastic hint to crooks - a sort of ‘exploit beacon' - on where to look for exploitable holes in XP, holes the crooks know will never be fixed.

“As Microsoft itself has put it, any hole patched in Windows 7 that matches a hole in XP will pretty much be a zero day in XP for ever. From that time on, it's all downhill from an XP security perspective.”

Kevin Linsell, head of service development at Adapt, told SCMagazineUK.com that the April deadline should serve as a reminder to businesses that they could soon be at serious risk.

“Microsoft ending support for Windows XP next April means that companies still operating XP (estimated 30% of computers worldwide) will not be able to effectively maintain their IT systems and potentially put at risk their brand and customer information,” he said.

“With no new security updates, non-security hot fixes, free assisted support options or online technical content updates on the horizon, being dependent on Microsoft XP could be a disaster after April.” Linsell urged XP users to adopt Desktop as a Service (DaaS) options to reduce the threat.



Top 10 Interview Questions to Ask Prospective Employees

While unemployment is the lowest in 5 years, it is still challenging to find the best employees for your company. Not only do they need the skills to perform their job well, but they also have to fit within the company’s culture.

To hire the perfect people, it’s important to ask the right questions. This is a challenge for many small business owners because they typically talk more than the job candidate or they just ask questions which review their resume.

Can You Tell Me About Yourself?

This is always a good introductory question. Ask and then don’t say another thing until they are done. What they actually say is not critical, but how they answer this question is.

Do they focus on personal or professional details? How do they see themselves? Does this view fit into the culture of the company?

Can You Tell Me About a Time When. . .

Many job candidates can talk in generalities about their skills and accomplishments. However, asking for a specific example is a much more effective way to discover what they have really achieved.

For example, when interviewing a sales candidate pose this to them, “Tell me about a time when you won a customer from a competitor.”

How Will You Contribute to the Company?

This will highlight their goals for the specific job and which of their skills would be most beneficial for the company. It also will tell you how they see themselves as part of a team.

Remember, their goals should match the company’s. When they deviate, employees leave.

What is a Specific Example of the Biggest Professional Challenge You Have Faced?

How a candidate faces adversity is key. Even if a project didn’t go as planned, it’s important to find out how the applicant reacted and how they would remedy the problem in the future.

How Would You Solve. . .

Test them. In a professional setting, these are typically hypothetical situations or ones that have actually occurred at the company. They should demonstrate job-specific problem solving skills.

Don’t be afraid to ask them to solve problems they would face in the first month of their job at the actual interview.

Why Are You Here?

Andrew Alexander, President of Red Roof Inn, says it helps reveal what the person’s passion is. The applicant should want to work at the company, not just want a job.

Employees that are passionate about the company’s mission excel at their position.

What is Your Ideal Job?

Liz Bingham, Partner at Ernst & Young, says it helps match whether or not the person is suitable for the open job.

It reveals what their passions and strengths are.

What Areas of Improvement Were Identified in Your Last Job Review?

Andrew Shapin, CEO of Long Tall Sally, says it can show self-awareness and weaknesses when people answer this question honestly.

Where’s Your Passion?

Hilarie Bass, Co-President of Greenberg Traurig, says they only hire people who are passionate about that profession.

It helps attract committed employees that will make the business successful.

How Do You Measure Success?

This answer will tell you what the candidate values and if it matches the job compensation structure.

What are your favorite top interview questions to ask?


Nothing Says I’m Sorry Like a Crate Full of Shaving Cream Cans

Go overboard to compensate your customers when you make a mistake. This is a business lesson that few entrepreneurs have learned and even fewer have put into practice.

It doesn’t mean simply replacing an item that was damaged or refunding a purchase that didn’t live up to expectations. It means going beyond all of that to compensate them past the point where it would be even remotely fair. Never mind whether it’s profitable to you and your business.

It might seem like bad business in the immediate sense, but doing this not only rectifies the problem situation, but also helps to create customers for life.

In 2006, NPR’s Scott Simon shared an anecdote about customer service that illustrates the importance of this practice. Joshua Steimle of Entrepreneur shares his takeaway from the story:

“His father, upon complaining to his favorite shaving cream company that they weren’t delivering the 90 shaves per can they promised, received a crate full of cans of shaving cream. ‘I think my father may have been buried with the last few cans,’ Simon says. If you unfairly compensate your customer to their benefit, your company’s actions may one day become the stuff of legend.”

In this situation, it wouldn’t be surprising to hear that the shaving cream company simply offered an apology and maybe a small discount for future purchases. But when customers feel that a company has wronged them, this type of small gesture often isn’t enough.

Instead, this company went beyond what was expected of them to apologize to their customer. Keep that customer happy, and most importantly keep them purchasing new items.

Aside from this lesson, Steimle also shared a few more tips for correcting business mistakes. They include: Taking full responsibility for the failure, explaining to customers why the failure will never happen again, and then making sure to actually never do it again.
