B-Sides SF: Hackers urged to step up and influence legislation

Hackers and InfoSec experts need to stand up and become part of a wider plan to influence and reform government legislation on information security, so says Rapid 7 global security strategist Trey Ford.

Ford, the former Black Hat General Manager, was speaking at the fifth B-Sides San Francisco, where he made an impassioned plea for the hacking community to get involved in changing the dated laws in place for cyber security, and to lobby actively for a clear definition of what is legal and what is criminal when white hat hackers work to improve security.

Pointing to current legislation such as the age-old Computer Fraud and Abuse Act, the recently introduced Aaron's Law, presidential order 13636 for protecting critical infrastructure, NIST security framework v1.0, FedRAMP and CISPA, Ford questioned whether all of these are relevant in a modern age where cyber threats loom large, and where government surveillance, before and after Snowden, remains a major concern.

Ford said that standards are at least a “framework”, and while he and some attendees criticised some of them, most notably PCI DSS, he urged experts from within the hacker community to come together and get involved.

“I want to challenge us to get out of our heads the idea of ‘I’ and ‘you’ and think about ‘we’. A lot of research is an exercise in ego - we enjoy that, the learning and discovery, and value elitism in our community. But we've got to get past perfection and set standards and goals, and then celebrate incremental wins.”

“We need to think ‘how are we going to make a difference?’ We're going to have to organise, become part of the conversation, step up and be experts. We need to partner with industry, publicly endorse baseline knowledge, and I am pretty sure we could argue over where criminal activity starts and stops, when attacks are evil or friendly actors, or just poking and prodding.

“The singular focus should be to protect consumers.”

As part of that focus, Ford and Rapid7 are now trying to establish an alliance in a bid to form legislation and devise laws to encourage and protect researchers.

He's urging white hats, researchers and other industry folk to go to password123.org, which after the talk was renamed the ‘Security Transparency Alliance’.

At this time it's essentially a glorified email list, intended to encourage debate and, specifically, to push for legislation which “protects security researchers”, “defines simply how research and criminal actions are different” and which “enables partnerships between the technology industry, community and government in protecting consumers.” Despite its infancy, Ford says that he has already held key meetings with some US Senate groups.

“This is a fleeting opportunity to separate what we do from becoming criminalised or becoming essential to part of the Internet,” he summarised at the conference.

Ford's talk, entitled 'Legislative Realities', came after a recent interview with SC Magazine where he also urged that testing and notification should not be criminalised.

“The legislation impacting information security should be something everyone in the industry watches closely, and it's a priority for us at Rapid7,” said Ford, who has also worked for McAfee and for gaming company Zynga, at the time.

“We need to see legislation achieve a balance of protection for researchers, clear guidelines for corporate due care, and simple definitions for criminal and malicious acts.”



B-Sides SF: US government a 'threat' to the future of encryption

Christopher Soghoian, of the ACLU (American Civil Liberties Union), concluded his speech at BSides San Francisco with the observation that developers building encryption models need to consider the US government a threat.

In an engrossing talk at the DNA Lounge on Monday, Soghoian spelled out the security dangers in the wake of Edward Snowden's revelations last year and went on to urge the technical community to respond to government demands for encryption keys, made via coercion, bribery and threats, by coming up with different models that make sure handing over keys isn't possible.

As just one example, he said that developers and companies could distribute tools and expertise across multiple national jurisdictions.

The premise of the presentation, “When ‘trust us’ is not enough: Government surveillance in a post-Snowden world”, was simply that the government has demonstrated through its actions that it will do whatever it deems necessary to break private encryption.

As Soghoian noted, this not only includes forcing companies such as Skype, which had boasted of its security, and a long list of other tech companies to allow back door access. It also extends to demanding that companies such as Lavabit, set up specifically to provide encryption outside the reach of government, change their product - and effectively destroy their business by undermining its initial premise.

The same approach is expected to be taken with newcomers such as Silent Circle, which will likely be asked to change its product before it is launched. As a small company, though, it has the option of moving elsewhere, unlike tech giants such as Microsoft, Google and others, who have invariably complied.

Soghoian certainly didn't hold back from criticising the bigger players, and noted that Google chairman Eric Schmidt has previously made comments hinting at government cooperation over data. RSA's decision to accept payment for compromising its encryption also came in for particular criticism.

BSides runs alongside the RSA conference, which has seen some speakers drop out in recent weeks in protest at the surveillance. Some of the boycotting organisations are supporting the new TrustyCon event; one of them is the Electronic Frontier Foundation, the non-profit organisation which supported BSides at the event, where it sold anti-NSA merchandise.

Despite the bad publicity over its relationship with the National Security Agency, Art Coviello, executive chairman of RSA, told SCMagazineUK.com prior to the show that he remains confident that any proposed boycott will have little effect on overall numbers.

“We are expecting more visitors than ever - more than 25,000 and perhaps up to 30,000. So we aren't worried about the boycott. I don't expect it to hit us next year either.”



B-Sides SF: Researchers estimate three 'major' data breaches each month

Verizon Risk researchers Kevin Thompson and Suzanne Widup have been crunching the numbers on data breaches, and they reckon that the number may be higher than you think.

Addressing hackers and InfoSec experts in their “Ripped from the headlines, what the news tells us about information security incidents” speech at B-Sides San Francisco, Widup and Thompson revealed how they have been investigating the data breach numbers since May of last year.

Since then, they've been using Verizon's Data Breach Investigations Report and the open-source VERIS Community Database to compile over 3,000 data sets from sources including news articles, Google Alerts, nondisclosure agreements, the Attorney General's website, government breach tools, Freedom of Information Act requests and sometimes just “asking nicely”.

Thompson admitted that their data analysis is in its early days and as such it's not perfect. He noted reporters getting information wrong, submitted data being duplicated and a lack of data consistency. There also appears to be a slight slant towards government and healthcare data (both sectors are required to log major data losses), while the two data sources they used (DBIR and VCDB) showed different results. For example, point-of-sale systems were the biggest source of data leaks in Verizon's own Data Breach Investigations Report, while human error was the biggest factor in VCDB.

However, Thompson said that what cannot be denied is the sheer number of data breaches. Indeed, he noted Trend Micro's prediction last month of one major data breach each month in 2014 and said that that number is actually pretty low.

Fitting a Poisson distribution to the frequency of data breaches over a given time, Thompson revealed that major data breaches - which he classified as those exposing over a million records, based on data from 2011 to 2013 - could be as frequent as three a month.

“When I saw Trend Micro's prediction I thought it was pretty high,” said Thompson. “But the estimate is actually pretty low right now. Brace yourselves for an average of 3 [data breaches] a month.”

Thompson later told SCMagazineUK.com that the actual figure was 3.07 and that 2010 was not included as data breaches were not as widely reported at the time. “It was hard to tell if the zeros were real or if the breaches were not just being reported”.
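The Poisson reasoning behind the “three a month” estimate, as an added example that is not the researchers' code or data: it fits a Poisson rate to a constructed series of monthly counts of breaches over one million records (36 months, 2011 to 2013, invented for illustration), gives an approximate confidence interval for that rate, checks the variance-to-mean ratio that the Poisson assumption relies on, and quantifies how unlikely a year of reported zeros would be at that rate, which is the concern that led to 2010 being excluded.

```python
import math
from statistics import mean, variance

# Constructed sample: monthly counts of "major" breaches (over one million
# records), 36 months covering 2011-2013. Illustrative numbers only, not the
# DBIR/VCDB data behind the talk; the mean happens to land near 3, not at 3.07.
MONTHLY_COUNTS = [
    1, 4, 0, 3, 6, 2, 3, 1, 5, 2, 4, 3,   # 2011
    2, 5, 3, 0, 4, 7, 1, 3, 2, 6, 3, 4,   # 2012
    3, 1, 6, 4, 2, 5, 0, 3, 7, 2, 4, 3,   # 2013
]


def estimate_rate(counts):
    """Maximum-likelihood estimate of the Poisson rate: the sample mean."""
    if not counts:
        raise ValueError("need at least one observation period")
    return mean(counts)


def rate_confidence_interval(counts, z=1.96):
    """Approximate 95% interval for the rate, lambda +/- z*sqrt(lambda/n).

    The total over n periods is Poisson(n*lambda), so Var(lambda_hat) = lambda/n.
    """
    lam = estimate_rate(counts)
    half_width = z * math.sqrt(lam / len(counts))
    return max(0.0, lam - half_width), lam + half_width


def dispersion_index(counts):
    """Variance-to-mean ratio. Poisson data give roughly 1; a value well above 1
    (over-dispersion, e.g. bursts of related breaches) means a single Poisson
    rate understates how variable the months really are."""
    return variance(counts) / mean(counts)


def poisson_pmf(k, lam):
    """P(X = k) for X ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def prob_at_least(k, lam):
    """P(X >= k) for X ~ Poisson(lam), as the complement of P(X < k)."""
    return 1.0 - sum(poisson_pmf(i, lam) for i in range(k))


def prob_all_zero(lam, periods):
    """Probability that `periods` consecutive periods all show zero events.

    A tiny value for a year of reported zeros says the zeros are far more likely
    to be missing reports than a genuinely quiet year.
    """
    return math.exp(-lam * periods)


def summarize(counts):
    """Collect the quantities a reader of the talk would want to see."""
    lam = estimate_rate(counts)
    lo, hi = rate_confidence_interval(counts)
    return {
        "rate_per_month": lam,
        "ci_95": (lo, hi),
        "dispersion_index": dispersion_index(counts),
        "p_at_least_one_per_month": prob_at_least(1, lam),
        "p_at_least_four_per_month": prob_at_least(4, lam),
        "p_twelve_zero_months": prob_all_zero(lam, 12),
    }


if __name__ == "__main__":
    for name, value in summarize(MONTHLY_COUNTS).items():
        print(f"{name}: {value}")
```

With the constructed counts the fitted rate is about 3.17 a month with a dispersion index near 1.13, so a Poisson model is a reasonable description; the probability of twelve consecutive zero months at that rate is on the order of 1e-17, which is why a reported year of zeros is better explained by under-reporting than by a quiet year.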

Numbers like this have been hard to come by, although security software provider IS Decisions recently estimated that there were over 300,000 internal security breaches in UK businesses over the last year, averaging 1,190 per day. Intelligence consultancy firm Risk Based Security (RBS) estimated last week that there were 2,164 separate incidents, with over 822 million records exposed, in 2013 - nearly double the figures for 2011.

Verizon's data is available on GitHub and the researchers are actively reaching out to companies and individuals to help them with their data (via participate@vcdb.com). They currently have just over 3,000 data sets, a significant rise from last August, when the database held just 1,200 incidents, primarily from 2012 to 2013.



RSA 2014: RedOwl Analytics named "Most Innovative Company" at Innovation Sandbox

RedOwl Analytics, a Baltimore software company whose cloud-based product, Reveal, lets organisations analyse digital communications data, was named “Most Innovative Company” at the RSA Conference 2014 Innovation Sandbox event.

“We're really excited to see that people appreciate the human layer of security,” Guy Filippelli, RedOwl Analytics CEO, told SCMagazine.com after accepting the honor. “We were fortunate to be a part of a great group of companies. We're really blown away.”

The Innovation Sandbox program offers people an opportunity to view demonstrations by up-and-coming groups in the industry, and is also designed to promote new technologies and ways of thinking.

Organizations that entered into the “Most Innovative Company” competition were privately held, in the market for less than a year, and earned less than $5 million in revenue in 2013.

Mobile app security company Remotium took first prize in 2013, and Appthority, also a mobile app security company, earned top honors in 2012. The other finalists in 2014 were White Ops, Bluebox Security, Cylance, Co3 Systems, ThreatStream Inc, Skycure, Defense.Net, Light Cyber, and Cyphort.

This story was originally published on SCMagazine.com.



RSA 2014: Richard Clarke speaks on rebuilding trust with the NSA

Richard Clarke, chairman and CEO of Good Harbor and a member of Obama's review group on intelligence and communications technology, kicked off the Cloud Security Alliance (CSA) Summit 2014 at the RSA Conference by discussing his observations about the NSA surveillance controversy.

Clarke ultimately took a positive stance regarding the NSA, explaining that the organization has been responsible for gathering intelligence on countries that have weapons of mass destruction, as well as for uprooting drug cartels and deterring various types of terrorist threats.

But following the revelations by NSA whistleblower Edward Snowden, the name of the game has to be about rebuilding trust, Clarke said, explaining that the NSA is comprised of talented people dedicated to protecting the United States. 

Clarke said he observed a disconnect between the policymakers' desire to collect information and the people doing the collecting, but explained that NSA workers are not randomly tapping into the emails and phone calls of Americans, even though they could. 

Some of the fallout of the NSA surveillance revelations has caused U.S. companies to lose market share in Europe and Asia, Clarke said, adding that non-U.S. companies are using the revelations as a marketing tool to deter consumers from purchasing American products.

Clarke said he does not buy into governments using the NSA revelations as a means to push the concept of data localisation - the NSA can access your data no matter where it is located, he explained - and said that, instead, fears about hacking into cloud servers need to be addressed through improved and stable encryption standards.

“The real solution lies in adopting the standards of the Cloud Security Alliance, which I hope will become more formalized and more globally accepted,” Clarke said, adding that, with a growing black market for zero-day vulnerabilities, fixing those and making them immediately known to the public should be a priority.

This story was originally published on SCMagazine.com. 



Here Are Three Things Every New Printer Must Have. A Look at HP’s New LaserJet

Printers are, by default, boring and unglamorous office appliances that spew out paper, chug along eating up ink and, at times, frustrate us with their paper jams. However, printers are changing and keeping up with the times: many of them are designed to use less ink and to jam much less, or never.

There are three things every printer must have.

1. An LCD screen to see the settings. I’ve found that if I can at least see some basic information about the printer, it makes using it easier. When it comes time to reset the network settings, for example, it’s much easier to see what’s going on in the printer’s menu screen than to print the settings page out over and over again.

2. Your printer should be built to work with mobile devices. HP’s new HP Color LaserJet Pro MFP M476 is Mopria certified and comes ready to print from your Android, Apple or other mobile devices. It can also print from NFC-enabled devices.

3. Your new printer should be able to send documents directly from the printer to online services such as Dropbox, Google Drive and others.



LinkedIn Will Open Publishing Platform “Soon” to All Members

LinkedIn is opening its publishing platform to all its members. Last week, the platform was opened to about 25,000 users. More will be added gradually until every member has publishing privileges. Multiple languages will also be supported when the service is fully implemented.

Until recently, the ability to publish articles was reserved for well-known leaders like Bill Gates, Martha Stewart, and Richard Branson. With publishing privileges being opened to all members soon, LinkedIn can become a place where you build your brand and share your expertise too.

In a recent post on the official LinkedIn blog, Ryan Roslansky, director of product management, explained:

“The valuable Influencer posts and the wide range of professional content from millions of publishers that we currently aggregate on LinkedIn are powerful, but only the tip of the iceberg. Combined, our members have extremely valuable and varied experiences; however, their knowledge and expertise has not yet been captured and shared.”

Posts you publish will appear as part of your professional profile. From there they can be shared with your immediate network. Your network will be able to comment, like, and share your posts within their networks.

Photos, videos, other images, and SlideShare presentations can be shared through Influencer posts too, Roslansky noted.

Influencer posts can also reach a much broader audience through the LinkedIn network. Other members not in your immediate network can follow your Influencer posts and like them, sharing them with their networks.

LinkedIn introduced Influencers in 2012. At that time, only 150 Influencers were selected to post content. Since then, dozens more Influencers have been added.

Recent topics from Influencer posts range from hiring advice to business trends. Last July, LinkedIn added a social feature to Influencer posts that allowed you to comment on, like, and share these posts with your network, a previous post on the official LinkedIn blog explains.

Document Management Can Work Better With These Three Tips

Guest post by Jeff Pickard, President and CEO of Lucion Technologies, makers of FileCenter.

No matter what size or type of business you run, chances are, you’re overwhelmed with incoming files - both paper and electronic documents. It generally starts slowly - an email here, a receipt there, incoming invoices and customer correspondence, and before you know it, you’ve got a mountain of paper and no way to find the documents you need.

There’s a better way. Document management software can put important documents at your fingertips in seconds and help you keep everything organized. But which document management solution would work best for your office? Here are three tips to help you understand how document management software can help and which features you’ll need to make it work.

1. Make sure the scanning feature is easy to use - before and after the scan

Scanning has been the biggest barrier to widespread adoption of paperless office practices because many professionals think it’s a hassle. But scanning technology has evolved since the slow, clunky models that first arrived on the scene.

Now scanning takes just seconds, and if you get the right technology package, you can automatically create editable, keyword-searchable files in a universal format like PDF while you scan. A good scanning solution even makes bulk scanning easy, recognizing where separate documents begin and end in a stack and sending them to the right folder like a virtual file clerk.

2. Look for an intuitive organization system that can be shared on your network

Another reason some business professionals are less than enthusiastic about going paperless is that they worry about the way files will be organized online. Some document management systems have a complex interface that looks like you’d need a database expert to help you extract a receipt. The good news is it doesn’t have to be that way.

You can get a system that makes sense - a simple, intuitive electronic file cabinet that anyone in your network can access. If you find a solution with integrated search features, you can simply conduct a keyword search to pull up documents in seconds, receiving a preview to make sure you’ve got the right file before opening it.

3. Use a document management system that enables editing

When you’re running a business, it’s handy to be able to make changes to electronic documents on the fly and transform printed pages into editable electronic files. If you choose a paperless office solution that fully embraces a universal format such as PDF, you’ll have these capabilities and more - including standard form tools.

With a document management system that has full PDF functionality, you can easily combine files by dropping them on each other and scan new pages into existing documents. The right document management system makes these tasks quick and easy.

If you’re ready to go paperless - and to conquer that mountain of paper before an avalanche occurs - a document management system is your best bet. But keep in mind that there are many types of paperless office systems on the market, and check the features carefully before you pick the one that’s right for your business.

Going paperless is a great way to streamline office operations - and help save the planet by reducing paper. Once you find the right solution, you’ll never want to visit Paper Mountain again.



New Chrome Feature Prompts When Malicious Downloads Are Detected

new chrome feature

The Chrome browser has been updated by Google, in an effort to thwart phishers who try to hijack the browser using malware. Even though a reset button was added to Google’s settings last year, the search giant clearly felt that it wasn’t enough. Apparently browser hijackings are on the increase, and something else was needed to reinforce Chrome’s defenses.

Now, if the browser detects that your settings have been changed without your knowledge, a box will pop up asking you if you want the browser settings to be reset (image above).

Helpful?

Well... not quite. Ironically, some users on Arstechnica have pointed out that such a box is the sort of thing they wouldn’t click on, if it suddenly came up on the screen. How do they know it really came from Google? Isn’t this the sort of thing that Google is telling everyone not to do? One commenter explained:

“If I saw that popup I’d worry that it was malware masquerading as Chrome and be very leery of clicking it.”

Another commenter on the site added:

“That looks like the kind of message I tell my mum to avoid, or to talk about with me before she does anything. Not sure if I’d bother teaching her how to identify it, as I’d assume someone will develop malware to closely resemble it. May not be as useful as intended.”

The second commenter makes a valid point. What’s to stop a malware maker from making a spoof Chrome warning box, which would install malware?

If you do decide to click that box, you will have to remember that all of your extensions, themes, and Chrome apps will be deactivated. They can be manually reactivated one by one, by going into your settings, so don’t worry - nothing will get uninstalled.

It was reported last month that malware makers were buying up well known and popular Chrome extensions, and inserting malicious advertising code into them. Not realizing that the extensions were now the property of someone else, users kept on installing them. One high profile person on the Web who was particularly stung was Amit Agarwal, who runs the highly popular tech blog Digital Inspiration.

Image: Arstechnica



Forensic readiness - the new 'business continuity'

If you don't have good forensic readiness planning and testing in place, you are neglecting a core requirement of good organisational planning, no less than if you failed to have disaster recovery or business continuity planning, argues David Rimmer.

A common and generally accepted method of expressing a level of risk is that it is a product of the impact and likelihood of a negative event occurring. As either the impact or the likelihood rises, the threat to the business (and the urgency of sensibly managing the risk) increases accordingly. Using this (or any other) risk model, the importance of the two traditional areas of readiness planning - business continuity and disaster recovery - can be seen to have increased significantly over the past decade.

Business continuity planning has become more important because the likelihood of severe disruption to business is perceived to have increased. With severe weather becoming more frequent and tabloid headlines proclaiming in large, bold fonts that we're overdue for anything from a global bird flu pandemic to another Icelandic eruption, modern businesses would be seen as negligent if they didn't plan for disruption.

On our scale of risk assessment, the likelihood of extended business disruption is increasing even though the impact could arguably decrease due to BYOD, remote working and the general ability for many staff to function without a bricks and mortar office. The London Olympics led to some great examples of UK businesses transforming the way that their employees were able to work, albeit in many cases only for a matter of weeks.

Disaster recovery has followed the opposite path, with significantly increased reliance on IT systems leading to a spike in the potential impact of extended periods of downtime. Turning IT services into a commodity which can be bought and discarded almost at whim has allowed businesses to become more agile and to buy in systems and services at lower cost, but has also turned many supplier/customer relationships into transient, short-term arrangements on standardised terms.

With that in mind, many businesses can no longer rely on being prioritised in the event of external systems going down - there's no five to seven year contract which is at stake for the supplier, and those standard terms which meant you didn't need to involve the legal team in the procurement process may also mean that your service level agreements aren't quite as tight as they once were.

Equally, internal systems may not be as well supported as you'd hope if the development (and, barring superlative handover processes to internal developers, second or third line support) have been outsourced or even offshored. Frantic international calls following a 9 am emergency in the UK might not be answered until office hours begin on another continent, leaving your business unable to do much more than reboot the server and cross as many fingers as you have to hand (no apologies for the pun).

The perception of disaster recovery has changed over the past decade so that it now sits alongside business continuity as an expected part of "business as usual" operational management. A business which hasn't implemented and tested its disaster recovery provision is likely to be seen as negligent, and is likely to have breached any client contracts for provision of services if extended disruption does occur.

The last few years, and the increasing acknowledgement that security breaches are a “when, not if” event, have seen the rise in importance of a third branch of readiness planning to sit alongside BCP and DR - forensic readiness, or the ability to access (and trust) sufficient log data to identify when a breach has occurred, what happened, and what datasets have been compromised.

Going back to our risk model, the likelihood of an organisation suffering a security breach is approaching 100 percent - and the impact of a breach turning into a significant data loss event is likely to exceed the impact of a building being burned to the ground or a few days without IT systems. A data breach can be a company killer, particularly for smaller organisations or those with reliance on a limited client base.

Forensic readiness has to be seen as a core requirement of good organisational hygiene, alongside business continuity and disaster recovery - and should be specified in standard contract clauses. Businesses without forensic readiness planning and testing in place should be seen as negligent in the same way as a business which decides not to cover business continuity or disaster recovery. The penetration test should no longer stop when all vulnerabilities have been identified, and should continue to identify whether or not the intrusion was detected and recorded for reactive investigation.

By implementing and testing their forensic readiness, a business can prepare itself to be in a much better position when - not if - a security incident occurs.
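The "trust" half of that definition is the part most often left untested. As an added example (not the author's or TDX Group's code), here is a tamper-evident log chain of the kind a collector could keep so that an investigator can tell whether records were edited, deleted or reordered after the fact; the sample events, the chain layout and the collector-held HMAC key are constructed assumptions.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample events standing in for audit log lines.
SAMPLE_EVENTS = [
    {"ts": "2014-02-24T09:01:12Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2014-02-24T09:03:40Z", "user": "alice", "action": "export", "dataset": "customers"},
    {"ts": "2014-02-24T09:05:02Z", "user": "bob", "action": "login", "result": "fail"},
]

# Hypothetical secret held by the log collector, not by the host that emits
# the events, so an intruder who owns the host cannot forge valid links.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # every chain starts from this known constant


def _link(prev_link: str, event: dict) -> str:
    """HMAC over (previous link || canonical JSON of the event).

    Each record is thereby bound to the exact bytes of every earlier record.
    """
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    msg = prev_link.encode() + b"\n" + canonical.encode()
    return hmac.new(COLLECTOR_KEY, msg, hashlib.sha256).hexdigest()


def build_chain(events: List[dict]) -> List[dict]:
    """Return chained records of the form {seq, event, prev, link}."""
    records = []
    prev = GENESIS
    for seq, ev in enumerate(events):
        link = _link(prev, ev)
        records.append({"seq": seq, "event": ev, "prev": prev, "link": link})
        prev = link
    return records


def verify_chain(records: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad record.

    An edited event changes its link; a deleted or reordered record breaks the
    seq/prev bookkeeping of whatever follows it, so the damage is localised.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return expected_seq
        if not hmac.compare_digest(rec["link"], _link(prev, rec["event"])):
            return expected_seq
        prev = rec["link"]
    return None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact chain:", verify_chain(chain))          # None
    print("record 1 removed:", verify_chain(chain[:1] + chain[2:]))  # 1
```

In a readiness test, the check that matters is that the collector's copy of the chain still verifies after the simulated intrusion, and that the events the test generated are actually present in it.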

Contributed by David Rimmer, Head of Information Security, TDX Group



HP EliteBook 850 Laptop is For Business Power Users

There are plenty of small laptops on the market if you want to reduce the weight in your business bag. You could even rig up an Apple iPad or Android tablet with a wireless keyboard to really trim things down. But if you need a serious workhorse machine that is light, powerful and secure, this review of the HP EliteBook 850 laptop is for you.

As small business owners make decisions on technology, price is often considered the most important factor. There are some very good reasons to consider spending a bit more than the lowest priced machine you can find - let me give you three:

  • Easy-to-configure
  • Security
  • Warranty

A Laptop That is Easy to Configure

Let me start with my favorite thing about this device (as you can see in the photo below): On the back of the 850 laptop there is a latch which allows you to easily access the components (RAM, hard drive, battery, etc.).

For an IT manager, it’s an invaluable feature that allows quick upgrades or repairs. This may not seem like a big deal, but anyone who has ever tried to open up a laptop knows that this is terrific. Some manufacturers use special, proprietary screws or latches that make these changes difficult, or downright scary, to say the least. Extra points to HP for making this so easy.

hp elitebook 850

PC Security

The 2013 Symantec Internet Security Threat Report (PDF) says that small businesses are “the path of least resistance” for attackers. In 2012, half of all targeted attacks were directed at businesses with fewer than 2,500 employees. But the largest growth area for targeted attacks is businesses with fewer than 250 employees - accounting for 31 percent of all attacks. [Note: The above link is to the Symantec PDF report which can take a while to download.]

HP’s SureStart technology is designed to catch and stop security breaches before they can get to your data. Without going out of my own tech understanding zone, this technology is part of the firmware loaded at the chip level. It will automatically restore your computer’s Basic Input/Output System (BIOS) within 30 seconds if it is ever attacked or corrupted. You can even install an optional tracing program that will allow you to find a lost or stolen computer.

3-Year Warranty

I have a 3-year business warranty on my current laptop, but it was an additional cost. [Note: my current work machine is not an HP but the principle applies here.] I have used the on-site service option two or three times so far and this is from a well-known manufacturer.

Things go wrong, that’s life. However, I want to know that I’m not shelling out more cash for fixing a machine that should work for at least three years. HP has gone above and beyond by making this warranty a standard “feature.”

Things I Really Like:

  • Intel® Core™ i7-4600U processor (Here is a link to a site that does speed checks, not an HP site.)
  • 8GB of memory (Expandable, of course).
  • 180GB SSD (Keeps it cooler and quieter, in my experience, but you’ll likely need a backup drive when you fill this up.)
  • 15.6 inch screen, full HD display (1920 x 1080).
  • Backlit keyboard (This comes in handy in low light situations, of course.)
  • 4 USB ports.
  • The keyboard is made of aluminum and the rest of the machine is made out of magnesium, so that makes it a lot more durable than the usual plastic. I did not do any “drop tests.”
  • These machines start at $814 for the base model. You can see the various models, prices and configurations at the main HP site, then click the “configure” button to see different options.

Things I’d Like to See:

Aside from Sure Start, it has a fingerprint reader so you can lock down the machine to a specific user, which is cool in a lot of ways - no password to remember, for one.

But, I would like to see this moved away from where your hand rests because I kept thinking I’d trigger it to lock the machine. To be fair, I didn’t have this happen, but I kept thinking about it and this is my personal quirk, to be sure. Thankfully, it is to the far right side.

All in all, this is a great machine. If you are in the market for a lightweight laptop, the HP EliteBook 850 is worth a serious look.



Google Fiber Bringing Faster Broadband to Your Business. 2 Reasons to Care.

Google is bringing faster internet access to your business, starting in Austin, Kansas City and Provo.

Google Fiber’s web site claims that Google’s speeds will be up to 100 times faster than the average broadband speed you’re used to.

Google popularized online video (thanks Youtube), Google brought us better email (thanks Gmail), Google brought us better search (thanks Google), Google brought us DIY online advertising (thanks Google Adwords). It’s going to make the availability of faster broadband a reality for us all.

Why is Google launching Google broadband?

The faster broadband becomes, the more readily available and more widely used content services will be. The more content there is online, the more advertising Google (and others) can make money from.

Of course, we all benefit from faster broadband: better communication overall, more online storage, wider WiFi availability and other benefits.

The second benefit of Google stepping into this market is that it will provoke existing and competing broadband providers to offer high speed Internet to their customers.

Comcast, Time Warner Cable, Verizon and other carriers will BOOST the speeds and availability of their offerings.



The Power of Optimism: 91 Percent of Entrepreneurs Confident

Startup entrepreneurs have to be optimistic in order to overcome the challenges of starting a business. So in a way, it really isn’t a surprise that the majority of entrepreneurs surveyed are optimistic about the year ahead.

That confidence seems to come from within entrepreneurs - not necessarily from conditions around them.

The survey, released recently, says a whopping 91% of entrepreneurs are confident that their businesses will be more profitable in the next 12 months. Of those, 49% are “very confident.” The survey was conducted on behalf of the Ewing Marion Kauffman Foundation by LegalZoom, based on numbers from the fourth quarter of 2013.

Yet, interestingly, a majority don’t believe the economy will actually improve during the next year.  In the survey 47% think the economy will improve.  Yet 32% think the economy will remain the same and 21% think it will deteriorate.  That right there tells you something about the psyches of entrepreneurs.

Many entrepreneurs have an unstinting faith in themselves and their ability to start and grow a business, regardless of the conditions around them.  Yes, they may be pragmatic and recognize that the economy and market conditions might not be ideal.  

But when are conditions ever “ideal?” 

Some household name businesses were launched and built during slow economic times - Microsoft, Revlon, FedEx just to name a few. Even during slower economic times, customers still buy. The economy goes through cycles. There will always be times of slower growth and times of faster growth.

If you are waiting for conditions to be just perfect, you may wait forever.  While one entrepreneur is making plans for when things will be “just right,” another is out seizing the day and grabbing that opportunity.  The economy isn’t ever going to be just right.  Instead of waiting for the economy to “get better,” be a leader and be part of making it better by seizing and building opportunities.  Successful commerce drives the economy.

And that’s what the entrepreneurs in this survey seem to know instinctively.   It’s about the power of optimism and belief in their businesses.

A total of 1,375 entrepreneurs responded in the survey, from startup entrepreneurs who formed their business entities in the previous six months.  The Kauffman Foundation is known for its support of startups.  LegalZoom provides incorporation filing services. The company had been planning to file an IPO, but withdrew that in early 2014 and instead announced plans to sell a large stake to Permira, a European private equity firm.

Image: Kauffman LegalZoom Startup Confidence Index