RSA 2014: Sharing data key to beating APTs

Collaborative sharing of security data across enterprises, countries and industry sectors in a single big data store will be the future of protecting against advanced persistent threats, RSA delegates were told today.

Highly targeted attacks have become the new norm, and attackers have an advantage over defenders because it's an asymmetric battle in which our opponents have access to tools which they can pull apart and probe to discover weaknesses.

So we go for defence in depth with lots of products, and while it's true that best-of-breed barrier products stop many attacks, Stephen Trilling of the Symantec Group noted that endpoint products, firewalls, gateways and server protections each maintain their own security logs and don't interact with each other. Each knows only what its own data is telling it, he added, and can only provide protection in relation to its limited view of the world.

Not only that, companies are often unable even to examine the volume of data created, let alone store it all, and administrators can't keep up with the threat and product developments.

And it's not just the products that are islands, but each company is an island too.

In response to the questions ‘why not use security information management?’ and ‘why haven't SIEMs solved this problem?’, Trilling answered that unfortunately “they are only as good as the information that they get, so if the attack is missed, they can't deal with it.”

He added: “SIEMs are also working in a limited time window, minutes or hours, so the SIEM may see nothing during this period, and older data goes into archive and is never looked at again. And they only cover one company.”

The other option, having every security product talk to every other one and share data, creates the problem that N products talking to N products means on the order of N-squared integrations and a great deal of complexity.

Trilling then outlined his alternative view of how the security world might look: companies would have security managed for them by a single multi-enterprise provider, achieving economies of scale and visibility across that provider's whole customer base. The integration would be done by the provider, and it would not be a one-time integration but a deep one that evolves along with new attacks. The company would no longer be a security island but part of a community sharing information. As a result, even the most complex attacks would be discovered in hours or even minutes, he suggested.

How to get there?

The need is to unlock value and leverage the results of current tools so that they become more than the sum of their parts, said Trilling. The tools would record every event seen, not just attacks, and store the material for years: every connection from every machine, every login, executable file and email, all collected whether or not they seemed suspicious, from on-premises, cloud, mobile and other sources, and sent to a completely secure off-site database that meets global privacy regulation. The intention would be not just to block attacks but also to provide a rich source of data for protecting against future attacks. This multi-tenant data repository would be able to uncover new targeted attacks that might otherwise be invisible, because its massive amounts of telemetry would connect the dots across many thousands of companies, across multiple industries throughout the world.

Such cross-connection would be achieved by automated scripts collecting data from many machines across many companies. This system would primarily detect attacks after the fact, which is still seen as better than today, where many attacks go undiscovered, and the information can then be used to protect others.

The aim would be to create a secure, elastic big data store holding all the data you choose to send, which you can mine and run analytics on, including third-party analytic engines over your own data. Social-type features could be added within this secure integrated platform, enabling organisations to share policies, intelligence and attacker IPs with their peers; you could then check all machines in your enterprise that have, say, connected to a suspicious IP you have been alerted to.

“We believe this will be the new security reality,” says Trilling.



RSA 2014: Touchlogging the new attack vector for mobile hackers

Two senior security researchers have detailed how hackers can use "touchlogging" attack techniques to take control of iOS and Android devices.

Neal Hindocha, senior security consultant at Trustwave, first announced his research last month, where he ran through how he was able to install malware on rooted Android and jailbroken iOS devices to see logs on where the user touches the screen.

Specifically, he said that he was able to locate the X-Y coordinates on a smartphone's touchscreen and estimate the area of the screen being ‘touched’, which alone would be enough to bypass the virtual keyboard log-in process needed for accessing the device, and even to pass security checks on some online financial services. At the time, Hindocha described it as a “logical continuation of keylogging”.

Touchlogging targets jailbroken and rooted devices

"We discussed the problem and, whilst there have been proof-of-concept keyboard bypasses in the past, this is the first time that the security of a virtual keypad has been beaten," he told SCMagazineUK.com.

But Hindocha went one step further at the RSA conference on Wednesday, where he and Nathan McCauley, security engineering manager at mobile payments firm Square, demonstrated how they were able to hack into rooted and jailbroken Android and iOS devices, as well as those that haven't been tampered with.

Hindocha said that his research into mobile touchlogging was born out of desktop malware where hackers have increasingly found that they are “quite successful in getting money through”. 

Both he and McCauley detailed how they were able to attack predominantly jailbroken and rooted devices, but also revealed flaws on Android devices where they could be compromised by the same attack methodology when connected via USB to the PC (often required for battery charging) or when they had USB debugging disabled.

But worryingly, the Trustwave analyst, an industry veteran formerly of Symantec and Verizon Business, said that hackers could get enough data from the touch logs alone and would not necessarily need screenshots, something he had insisted upon in his initial research.

“When we started this, I thought we really wanted screenshots but as we progressed the project, we realised that it is easy to see what's happening around the touch dots,” he told conference attendees. “It was a lot easier than expected, and you can get really far from basic logging and touch dots.”

McCauley detailed that iOS vulnerabilities come about when iPhones and iPads are first jailbroken and then subjected to method swizzling (essentially a programming technique that allows for a man-in-the-middle attack in an attempt to steal data). But he said that these can be avoided by embracing jailbreak detection, checking for method swizzling in the code, and checking for screen mirroring to catch hackers exfiltrating screenshots.

But more worryingly, Hindocha said that both rooted and non-rooted Android devices can be targeted using this method of attack.

On rooted devices, he said that hackers can run the ‘getevent’ command in order to get X-Y coordinates for any touches that occur on the device, presses of the home button, or even the moment someone stops pressing on the screen. But on unrooted devices this attack can also be carried out, albeit “not directly on the device”, something Symantec unearthed when it came across the Trojan.Droidpack bug.

This does rely on the Android device being connected via USB to the desktop, where hackers can run Android Debug Bridge (ADB) to run getevent and grab screenshots, PIN codes and other types of personal information.

These aren't the only vulnerabilities susceptible to touchlogging tactics. Trustwave's Hindocha found that live wallpapers - fairly commonplace on Android smartphones - log events, which can be a security issue when they run in the background while other widgets are being used. There are also concerns over overlays, like social networking chat functions, which run in the background as users commit to other tasks.

On the plus side, Hindocha said that cracking Windows-powered phones is proving to be more difficult in this regard.

Attackers switch sights to mobile

All of this, according to Hindocha (whose slides can be found here), makes for a trend that is growing, with malware authors increasingly turning their attention to the mobile landscape.

“The malware is quite advanced at this point, it's quite impressive actually. Attackers are following users so are going to mobile. It's inevitable we are going to see an increase in this space.”

This demonstration was just days after FireEye had discovered the same touchlogging vulnerability on iOS devices that were not jailbroken. The keylogging flaw enables hackers to potentially record every keystroke made on iOS 7 but remains unpatched by Apple. Until that happens, FireEye is urging users to use the iOS task manager to prevent possible background monitoring.



Social Media Customer Care Company Raises $1 Million for Growth


UK-based Brand Embassy, a company that offers management of social media mentions, recently raised $1 million in funding. The company currently has only 20+ employees, but the money will be used to take its service global and to expand its features.

Co-founder and CEO Vit Horky explains in a recent post on the official Brand Embassy blog:

“We’ve opened offices in the USA, Dubai, Portugal, Slovakia, Spain, and Latin America to complement our offices in Prague and London. The partnership with new investors will help us expand our sales and product development team and launch new unique product features.”

Besides monitoring your company’s social media mentions, Brand Embassy places a big emphasis on customer service. Managers can assign social media mentions to company employees (known as ambassadors) so they can respond. If the mention is a complaint and likely to gain traction online, it is given high priority.

In the past few years, customers have increasingly abandoned toll-free telephone numbers and instead taken to social media to praise a brand or complain. So businesses must focus more on monitoring social media every day. It can become quite a chore to keep on top of all the social channels separately, so having a dashboard where it all comes together is a huge plus.

Vit says his company’s clients have handled over 7.5 million service issues via its service since 2012. Currently Brand Embassy primarily serves companies in the telecom and financial services sectors.

The company’s clients may include mainly larger brands at the moment like Vodafone, Telefonica O2, T-Mobile, General Motors and ING.com. But with professional packages starting at $70 per month, it’s conceivable Brand Embassy could become an option for small boutique social media marketing firms with multiple brands to manage.

If you are curious about how Brand Embassy works, the company has released an 8 minute video, showing the main features:

As brand management on social media becomes ever more important, Brand Embassy would appear to offer a higher end service than tools like HootSuite, for example.

Other services, like Socialbakers, offer variations on social media measuring and management for brands. Socialbakers also recently announced it had raised additional funding to expand its services.



RSA 2014: Panelists debate role mobile takes in tomorrow's auth

While data is often considered major currency in the online marketplace, one CTO made a case for authentication trumping its value among information brokers.

On Tuesday, Nils Puhlmann, CTO of Endgame, an Arlington, Va.-based security intelligence and analytics provider, spoke on the topic at RSA Conference 2014 in San Francisco.

“If you look at all of the recent big breaches, they all started with [an attacker gleaning] a user's credentials,” Puhlmann told attendees during a panel on authentication.

The session, titled “Are Mobile Devices the Answer to the Strong Authentication Problem?” also included thoughts from panelists Phillip Dunkelberger, CEO of mobile authentication firm Nok Nok Labs, Michael Barrett, the president of the FIDO (Fast Identity Online) Alliance, and Brett McDowell, the head of ecosystem security at PayPal.

The execs, all leaders at organisations at the forefront of technology for verifying users' identities, essentially agreed that the industry was making strides towards improved authentication methods, though passwords remain a dominant, if outdated, standard for users.

Nok Nok Labs' Dunkelberger told attendees that “it's not a technology issue” that holds the widescale adoption of password alternatives at bay. Biometric authentication, for instance, has been used for quite some time, he explained.

According to him, a real shift in security will occur when users change their behaviors and incorporate password alternatives into their everyday online activities.

“That may happen when there are enough interesting things to do with it,” Dunkelberger said of authentication technology.

For instance, using one's fingerprint to purchase items online, or to view medical records, instead of just as a means of logging into their computer, could make the difference for users, Dunkelberger said.

PayPal's McDowell mentioned that such occurrences are not as far off as many would think.

On Monday, PayPal and Samsung announced a partnership that would allow Samsung Galaxy S5 users to log in and buy items online via PayPal with just their fingerprint, instead of passwords, he told attendees.

“That's the beginning of something that is more usable…and secure,” McDowell said.

This article was originally published on SCMagazine.com.



360 million records on sale to cyber criminals

In addition to the 360 million stolen records for sale, there are apparently 1.25 billion stolen emails also available, which would be "enough to spam China".

The personal details of hundreds of millions of people have been discovered for sale on the cyber black market, including one tranche of 105 million electronic records that represents one of the largest hacks ever recorded.

The data - which comprises individual records such as people's names, email addresses and largely unencrypted passwords - was discovered in the first three weeks of this month by US cyber research firm Hold Security.

The company announced on 25 February that it had found nearly 360 million sets of stolen and abused credentials and another 1.25 billion records containing only email addresses.

The firm is now de-duplicating the 360 million accounts against its existing database, but chief information security officer Alex Holden told SCMagazineUK.com that he expects the eventual tally will be around 300 million new stolen sets of credentials. This would bring the company's overall total to 520 to 560 million records collected over the last 10 months. Holden emphasised that these figures are an “educated guess”.

He estimated that just 10 percent of the passwords involved are encrypted or encoded, making the data much more vulnerable than that stolen last October from Adobe where the passwords were encrypted.

Holden said the email addresses involved are from major providers, primarily Yahoo, Hotmail, AOL and Gmail.

He told us the data had been obtained by Hold Security monitoring “resources” and hackers, many located in the former Soviet Union.

Holden said the firm does not yet know which company the 105 million records were stolen from, and believes the new data comes from multiple breaches that have not yet been reported.

“We don't know who the victims are. To find the victim and to notify them, this is a difficult task, it's a daunting task, it's not a pleasant task and it's an expensive task. We try and notify as many victims as we feasibly can.”

Holden added: “The key here is that it's massive. The fact that there are credentials out there should not be surprising to anybody - however the indication is that this has reached a huge scope, the indication is that the database is the size of a large country - 1.25 billion email addresses is enough to spam China.”

Asked if he knew what criminals are doing with the data, Holden said: “The hackers are using this for spam - which is a good thing, we have spam filters, we have defences against spam. But when hackers try to use this huge chain of keys against every lock that they have, they are very likely to have a large amount of success.

“If you had a key set of 100 million email addresses and you're going to go to a large provider; if the large provider allows retrying these credentials over and over, they're going to have a high degree of success. Even 0.1 per cent success would yield them 100,000 accounts which is a huge breach.”
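As an added example, not from the article or from Hold Security, here is detection logic for the credential-stuffing pattern Holden describes: one source retrying a key set of many distinct usernames against a login endpoint, with almost every attempt failing. The log format, the thresholds and the sample lines are all constructed assumptions.

```python
# Added example (not from the article or from Hold Security): flag the
# credential-stuffing pattern of many distinct usernames retried from one
# source with a near-zero success rate, run over constructed auth log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption):
#   "<iso-timestamp> src=<ip> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, success) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("ip"), m.group("user"), m.group("res") == "ok"


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_rate=0.05):
    """Flag source IPs that, inside one sliding time window, try many
    *distinct* usernames with almost all attempts failing.

    A single user mistyping a password fails the distinct-user test; a busy
    office NAT fails the low-success-rate test; a stuffed credential list
    trips both. Returns, per offending IP, the first window that tripped.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not fatal
        ts, ip, user, ok = parsed
        by_ip[ip].append((ts, user, ok))

    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        end = 0
        for start in range(len(events)):
            # advance `end` so that events[start:end] all fall within `window`
            if end < start:
                end = start
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            span = events[start:end]
            if len(span) < min_attempts:
                continue
            users = {u for _, u, _ in span}
            if len(users) < min_distinct_users:
                continue
            successes = [u for _, u, ok in span if ok]
            if len(successes) / len(span) > max_success_rate:
                continue
            hits[ip] = {
                "window_start": span[0][0],
                "attempts": len(span),
                "distinct_users": len(users),
                "successes": len(successes),
                # accounts that did authenticate from the stuffing source:
                # the ones a defender would force a password reset on
                "compromised": sorted(set(successes)),
            }
            break
    return hits


def build_sample_log():
    """Constructed sample: one stuffing source, one fumbling user, one office NAT."""
    base = datetime(2014, 2, 27, 9, 0, 0)
    lines = []
    # stuffing source: 30 distinct usernames in under two minutes, one hit
    for i in range(30):
        ts = base + timedelta(seconds=4 * i)
        res = "ok" if i == 17 else "fail"
        lines.append(f"{ts.isoformat()} src=203.0.113.9 user=user{i:03d}@example.test result={res}")
    # legitimate user who mistypes twice, then succeeds
    for j, res in enumerate(["fail", "fail", "ok"]):
        ts = base + timedelta(seconds=10 * j)
        lines.append(f"{ts.isoformat()} src=198.51.100.20 user=alice@example.test result={res}")
    # office NAT: five staff, 25 logins, mostly successful
    for k in range(25):
        ts = base + timedelta(seconds=6 * k)
        res = "fail" if k % 5 == 0 else "ok"
        lines.append(f"{ts.isoformat()} src=192.0.2.77 user=staff{k % 5}@example.test result={res}")
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(build_sample_log()).items():
        print(ip, info)
```

Only the stuffing source is reported; the user who mistyped twice and the office NAT are left alone, which is the distinction a rate limiter keyed on failures alone cannot make.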

The scale of the find has surprised industry watchers. Professor John Walker, a director of Integral Security Xssurance, said: “If there was an Olympics in data breaches this one would take the gold medal.”

Walker said the discovery indicates major failings on the part of those responsible for cyber security. He told SCMagazineUK.com via email: “This is an example of the amount of data that has been lost, breached, stolen that's floating round in the public arena - which is only coming to light when somebody in the criminal world publishes it. And it is demonstrating a clear gross failing on the part of those upon whom it is incumbent to protect our security.

“The fundamental challenge is that with data breach notifications, companies are not doing the right thing. I know from inside of organisations that have lost data and simply haven't reported it.”

Andy Heather, VP for EMEA at Voltage Security, said organisations need a new security approach in response. He told SCMagazineUK.com: “Traditional security approaches continue to fail to protect the real assets - which is the sensitive data. Only a data-centric approach, which neutralises the data and makes it valueless to the hackers, can ensure that when these inevitable breaches occur the data remains safe and secure.

“The fact that this involved account information and not just credit card numbers highlights that the criminals will take the path of least resistance to compromise consumers' credit card details and bank accounts. Companies must use strong encryption to protect all personally identifiable information, especially if it can be used to gain access to consumers' hard-earned money.”

Walker added: “I think it's clear that the protection - be it onsite, on servers or the way companies handle data internally and the mobile aspect of data - one or all of those factors must be flawed because this stuff is escaping. It's still the case that organisations are not taking security seriously. People need to start to think security, rather than react to the circumstance of a breach. We have to think before it happens not after the horse has bolted.”



RSA 2014: Experts discuss the most dangerous new attack techniques

Our reliance on rapidly advancing computer technologies in an increasingly interconnected world is enabling some dangerous new attacks.

Those techniques were discussed by Ed Skoudis, SANS instructor and Counter Hack founder, Johannes Ullrich, CTO and dean of research with Internet Storm Center, and Mike Assante, SANS Institute director, at a packed RSA Conference 2014 session on Tuesday.

“Bad guys are using wireless as their attack platform,” Skoudis said. 

He explained that being untethered gives attackers more flexibility, portability and safety in their crimes - particularly because they do not have to retrieve physical devices, such as skimmers. Skoudis pointed to retailers and hotels as recent victims of these kinds of remote attacks. 

Skoudis, who added that mobile devices are also being targeted by attackers, said the best defense against wireless attacks is turning the devices off. He added that designers of such devices should carefully consider replay attack vectors and should not rely on the obscurity of their hardware as a defense.

“Hardware is not that hard to reverse-engineer,” Skoudis said.

Air gaps - a type of security essentially designed to ensure that secured and unsecured computer networks remain isolated from each other - are dying, Skoudis said. He explained that USB devices can carry malware across air gaps and added that organizations that rely solely on air gaps will be “pwned.”

Speaking on hacking the Internet of Things - our world increasingly controlled by computers - Skoudis said attackers are reverse engineering underlying embedded systems in order to gain understanding and control.

He pointed to recent compromises of planes, trains and automobiles as examples, and added that power grids, health care environments, medical devices and weapons systems are other big areas of concern. Skoudis said best defenses include constant patches and strong patch and testing strategies, as well as engagement of the hacker community. 

Ullrich kicked off his portion by discussing the dangers of using Bitcoin, particularly relating to theft. He said that private keys can be stolen by malware and used to transfer bitcoins to other users, and that bitcoin mining malware, often installed as an “add on” to other software, can go unnoticed for a long time.

Shifting to point-of-sale (POS) malware, Ullrich said that these malicious programs - Dexter is one example - infect Windows-based systems and exfiltrate data in real-time. Some of the best defenses against POS malware include tough passwords, firewalls and constant patching, he said.

With regard to socially engineered webmail account takeovers that could ultimately result in attackers receiving payments, Ullrich said that strong two-factor authentication and user awareness are just some of the best defenses.

“This is so simple, I'm surprised [these attacks don't] happen more often,” Ullrich said, explaining there is “very little that can be done against this” because it does not require malware to be installed and is difficult to detect.

Assante, who spoke solely on the compromise of industrial control systems, explained how attackers use research and social engineering, and even keyloggers, to take over workstations and steal credentials.

The end result could be that the attackers gain direct access to supervisory control and data acquisition (SCADA) systems, large-scale industrial control systems spanning multiple sites, and are also able to control perimeter enforcement settings.

Best defenses include network segmentation, employee education, and alerts for abnormal user authentication, Assante said, adding that the amount of available information makes these attacks quite easy to pull off.

This story was originally published on SCMagazine.com.



New TouchBase Business Card Could Transfer Digital Profile to a Smartphone


The way people network may be changing. Swapping business cards has been a mainstay of small business networking. Sites like LinkedIn and a number of others have offered new ways to connect with industry professionals.

But through it all, traditional paper stock cards have stuck around. One startup, however, is proposing a new option that doesn’t aim to replace business cards, but to enhance them instead.

TouchBase Technologies, a startup out of MIT, is pitching a new business card embedded with conductive ink. The company says the technology allows users to transfer their information by tapping the card against a smartphone.

But the new cards would contain more information than what you might find on a typical business card. It might include, for example, digital information, including links to your profiles on sites like LinkedIn and Twitter. Even digital photos, videos, contact and biographical information could be transferred to a contact’s smartphone, company representatives say.

Here’s the idea behind the cards the company’s CEO shared with Mashable:

“We realized that business cards really aren’t going away. It’s a critical part of business etiquette…This is a way to keep the look and feel of your card, but when you want to share more information, you have that ability.”

Though the company still has some kinks to work out, such as creating cards that are flexible enough to transfer information to phones with cases, the concept is an interesting one. In-person networking is not going away, but there may be ways to improve the process with technology.

Whether TouchBase can make the cards convenient and inexpensive enough to catch on with business owners remains to be seen. To do that, the app will have to run on as many devices as possible, and the cards will have to be easy to obtain and use.

Will TouchBase cards, or ones like them, actually replace traditional business cards?

Maybe not. But smartphones and social media have greatly changed the way we communicate. So at some point it would make sense for the plain old business card to catch up and integrate those features.

The company is currently running an Indiegogo campaign to fund the project. The pilot version of the product will only include apps for the iPhone 5, 5S, and 5C. But TouchBase plans to add other native iPhone and Android apps in the future.

Image: TouchBase Technologies



RSA 2014: CISOs must move beyond perimeter-based security

In an age of advanced attacks and insider threats, traditional perimeter-based security just doesn't cut it, argue two leading InfoSec experts.

It's been fashionable of late to criticise perimeter-based security technologies, not least when they are discovered to be porous given the latest advanced malware, insider threats and the continually popular bring-your-own-device (BYOD) schemes and new Internet of Things trend.

Two industry analysts today continued that focus by urging CISOs and other IT managers to progress from traditional perimeter-based techniques and embrace a multi-layered, risk-based security approach.

That was the take-out from the ‘Castles in the Air: Data Protection in the Consumer Age’ talk by Jason Clark, chief security and strategy officer at Accuvant, and John Deere global security strategist John Johnson at the RSA Conference in San Francisco today.

The title of the talk, and its mention of castles, was particularly apt, with Johnson comparing castle defence, used effectively by armies in Europe and the Middle East from the 10th century, to today's common information security defence measures.

“I thought we lived in a castle. It was a black and white approach to keep out the bad guys and keep the good guys in,” said Johnson at the start.

“I think we've matured a lot - it's not a world we live in. A castle is built on high ground to see enemies far away, has thick and impervious ways, and the guards watch everyone who is coming in and out.

“But the walls are coming out and the perimeter is evolving. The internet doesn't have high ground or good visibility - and there are holes in the walls that we put in ourselves,” he added, the latter perhaps a reference to firewall access. “We don't inspect all the traffic coming and going.”

Johnson instead urges an approach built around ‘SMAC’ (social, mobile, analytics, and cloud) and says that IT teams must engage with the business to form security strategy “top-down rather than bottom-up”. He added that IT departments have for far too long been sitting at the "kiddies" table and, as such, have had little dialogue with the C-level suite.

But it was former Websense CSO Jason Clark who urged CISOs to look beyond the perimeter defence, although he was keen to stress that technologies like firewalls, anti-virus, and intrusion detection systems (IDS) are still important.

“I don't think the perimeter is dead, it's just changed. It's new and different. These strategies are 20 years old and have to change. A completely different way of thinking is required.”

“Authentication might be the new perimeter. The bad guys are going straight to the user and getting the data,” he added, touching on the increasingly common spear phishing and social engineering attacks.

To show that traditional perimeter-based technologies aren't working and are being over-relied upon, Clark said that 80 percent of security spend goes on firewalls, IDS and anti-virus solutions, despite those being effective against only 30 percent of threats.

“How does that help in the cloud world? It's not. [Businesses] keep doing the same thing over and over again and expect the same result." Instead, he urges CISOs to move to a risk-based approach, where they evaluate the risk and the assets they want to protect.

This talk came just two weeks after the Kickstarter hack, which led SafeNet's VP of cloud services Jason Hart to tell SCMagazineUK.com that the days of perimeter-based defence are coming to an end.

“CIOs have long considered the best defence to be a good offense when it comes to handling security threats, so the vast majority of time and money is spent building the perimeter security measures that keep the outsiders from getting into the network,” Hart told SCMagazineUK.com at the time.

“But in the new reality of security, the best offense is now the best defence and encryption is the key to that.”



Chuck Hamrick on Succeeding with Affiliate Marketing in 2014 #AMDays

Meet Chuck Hamrick, a 15-year veteran of digital marketing, seasoned outsourced affiliate program manager (OPM) who currently serves as the administrator of the world’s largest affiliate marketing forum, ABestWeb.com. At the upcoming Affiliate Management Days SF 2014 conference (March 19-20) Chuck will moderate “Inside the Mind of the Super Affiliate” panel, as well as speak on “Using Affiliate Forums and Blogs to Create an Online Reputation.”

* * * * *

Question: If you were to emphasize one area that every affiliate manager should be paying attention to in 2014, what would it be, and why?

Chuck Hamrick: Mobile marketing. This spring mobile will surpass traditional desktop/laptop as the main way consumers shop and make online purchases. Is your site optimized for mobile and your cart? Do you offer mobile banners to your affiliates? Does your affiliate software/network track mobile traffic and sales?

Question: What do you see as the main areas of opportunity for affiliate marketing (and affiliate marketers) 2014?

Chuck Hamrick: Online sales grow year over year. Are you taking advantage of it? Affiliate marketing isn’t shrinking, it’s growing. Poorly managed affiliate programs are no different than poorly managed social media, SEO or paid search. Site conversion is your first step while you grow your advertising and traffic. Affiliate marketing is an incremental addition to a successful eCommerce merchant.

Question: As a veteran digital marketer and affiliate program manager, what do you view as the main areas where affiliates can truly help online merchants?

Chuck Hamrick: To partner with the merchant/AM/OPM. When I send out a newsletter we have pushed the affiliates - the latest promotion, hottest products, latest coupon. These are also promoted through the merchants email, display and social channels.

Consumers may check via a search engine to research the product before purchase or to see if it’s the best deal. Affiliates can endorse this for the merchant’s brand and are rewarded with a commission for closing the sale. Merchants are spending heavily on TV and radio yet consumers will go to the Web to purchase. Affiliates can be there to capture those eyeballs.

Question: With the vast majority of merchants interested in having their affiliate programs drive truly incremental business, what types of affiliates you would recommend they recruit, and why?

Chuck Hamrick: My preference is a mix and it takes time to recruit productive affiliates to your program and get them active.

Partner with 1-2 PPC affiliates who “bid the gap” for your merchant, finding terms they missed. Pick 5-10 coupon/deal sites that are responsive to getting your ads up quickly and taking them down when expired.  Content/Review sites are great and will need content/videos. Bloggers have low conversion so you need a bunch. Offer samples for reviews.

Datafeed/price comparison sites need a detailed datafeed with sale price (often left out). Partner with a few loyalty affiliates but ensure they are not using software to hijack others' sales. Specialty affiliates can be tested, such as email marketers, contextual, third-party tool sites, cart abandonment, social. Be open-minded, as affiliates are the R&D arm of online marketing. When in doubt, talk to the affiliate directly.

Question: If you were to leave online advertisers/merchants and affiliate managers with one piece of advice, what would it be?

Chuck Hamrick: Investigate and understand attribution. With total visibility through your total online marketing channel you can better understand where to allocate resources. Marketing channels need to complement each other and not compete with each other. Don’t double pay for sales.

* * * * *

The upcoming Affiliate Management Days conference takes place March 19-20, 2014 in San Francisco, CA. Follow @AMDays or #AMDays on Twitter as well as Facebook.com/AMDays. When registering, make sure to use the code SMBTRENDS to receive $500.00 off your two-day and all-access passes.

See the rest of the interview series here.


Recent hacks drive up UK security spending

Almost half the UK's top businesses have increased their cyber security spending in the wake of recent high-profile attacks like those on US retailer Target, according to new research.

The survey - ‘Business and the Cyber Threat: The Rise of Digital Criminality' - was published by BAE Systems Applied Intelligence (formerly Detica) and also finds the UK is leading the way globally in awareness of the cyber threat.

It questioned more than 500 strategic and IT decision makers in £350 million turnover-plus companies across the UK, US, Canada and Australia, and found that most UK businesses (57 percent) now regard cyber threat as one of their top three business risks.

An encouraging 70 percent of UK companies possess crisis plans in the event of a cyber-attack, while 65 percent believe that their board fully appreciates the business risk presented by cyber-attacks, compared to 54 percent globally.

However, the survey paints a gloomy picture of the continuing cyber threat, with nine out of ten British businesses expecting the number of cyber-attacks to increase.

This pessimism is backed by new research from the respected US SANS Institute which finds 47 percent of respondents assume they've been compromised - and another five percent assume that if they have not already been breached, they eventually will be.

The first-ever SANS Endpoint Security survey, which questioned nearly 1,000 IT security professionals in the US, also reveals that companies are struggling to secure their growing number of endpoint devices.

“The survey results demonstrate clearly that organisations are failing to close the loop between their network and endpoint protections and intelligence,” said Deb Radcliff, executive editor of the SANS Analyst Programme - which produced the report.

Commenting on the BAE survey, Martin Sutherland, managing director of BAE Systems Applied Intelligence, said: “We're starting to see genuine interest from British businesses that realise that the threat of digital criminality is something that affects their whole business and is not just an IT issue.”

But experts are warning against any complacency. Paul Henninger, global product director at BAE Systems Applied Intelligence, told SCMagazineUK.com via email: “The evolving nature of the threat and the constantly changing digital landscape means that we can never afford to be complacent.”

Mike Loginov, chief cyber security strategist at HP Enterprise Security Services, supported this attitude. Commenting on the SANS statistics, he told SCMagazineUK.com: “To hear that some 47 percent of respondents assume they have been compromised - frankly speaking the rest need to wake up to the reality that this is by far the healthier approach to take. There is still much to be concerned about. Best advice in this space is to assume the worst-case scenario, a compromise has occurred, and work from there.”

Henninger added: “In part the UK is better positioned to ensure an adequate level of preparedness as UK institutions have been a target for digital criminals for many years. In response the UK Government, via the Cyber Information Sharing Partnership and the National Fraud Authority, have been proactive in understanding the severity of the threat and in creating awareness across industries targeted by cyber and fraud attacks.

“The increase in spending on security post-Target [attack] seems to be positive, not least because the attack showed that even a well-prepared organisation needs to limit the damage a determined cyber-criminal can do. Organisations must increase spending in order to improve their ability to quickly understand threat intelligence and to use it to spot attacks quickly.”

Henninger said: “Responding to the threat effectively will require businesses to develop holistic threat intelligence management programmes supported by security platforms that not only provide the raw intelligence data but also the ability to process and analyse large amounts of complicated information as quickly and clearly as possible.”

The BAE report can be downloaded here.

The complete SANS survey results will be presented by the SANS Institute on a webcast on March 13. To register visit https://www.sans.org/webcasts/97817.






RSA 2014: The "double-edged sword" of disclosing software vulnerabilities

An interesting discussion at the RSA conference revealed that vendors often face a "double-edged sword" when tasked with disclosing software vulnerabilities.

A panel comprising Nadya Bartol - senior cyber-security strategist at the Utilities Telecom Council, Eric Baize - senior director of the product security office at EMC Corp, Microsoft's partner director of software security Stephen Lipner and Veracode co-founder and CTO Chris Wysopal, tackled the issue of software vulnerabilities at the RSA Conference in San Francisco on Tuesday.

The conversation - entitled “Evaluating the security of purchased software: can we find common ground?” - centred on how security can be measured internally and externally in software products, and to what degree vendors must divulge information when they find vulnerabilities within their own products.

The experts talked through issues like auditing, testing and how reliable these measures are when trying to ascertain how secure these software products are.

But one particular sticking point in the debate appeared to be the willingness of IT vendors to share information, when they've discovered new details on vulnerabilities, such as SQL injection, buffer overflows or cross-site scripting.

EMC's Eric Baize admitted that while the computer storage firm does share data internally about new and existing software vulnerabilities, doing so in the outside world is not so easy.

“I think it's important to think about internal and external measures, and what you can share with the customer. Internally, it's a secure environment but sharing [outside] can create new risks,” he told conference attendees.

Baize continued that some customers ask for the source code to spot the issues for themselves but doubted how reliable this information really is. “Customers are asking for the source code, but it's not a secure way to find vulnerabilities and other issues.”

Microsoft's Stephen Lipner concurred with Baize that reporting issues has its drawbacks, and admitted that the firm's own Patch Tuesday - while celebrated in the information security community for highlighting and addressing Windows flaws - is far from perfect.

“Externally, there are concerns about the things you can and can't share. I wouldn't care to open up [inside information] to the world because that says a lot about what vulnerabilities are left, and where the weak spots are. It's a problem,” he said.

Bartol and Baize argued that it's a case of educating users on what they can rightly ask for, and of educating developers on building quality, secure software.

Bartol added that this is likely to be an increasing concern as the Internet of Things, which is largely being pushed by hardware vendors with no experience of patching, takes hold, while Veracode's Chris Wysopal expressed concern that smaller software vendors may struggle to reach certain testing standards for disclosing vulnerabilities and flaws.

Reflecting on Lipner's point that Microsoft publicly reveals vulnerabilities on its website in accordance with ICO guidelines (the firm, along with Google and other tech giants, has also issued guidelines and statements on how it deals with vulnerability disclosures for a number of years), Wysopal said that today's small software start-ups are less likely to have security frameworks in place to do this.

“A lot of software today is being built by small companies that throw something up onto AWS. Smaller firms don't have a framework - they think ‘I like the product, I want to make sure it's secure, what can I do to do the bare minimum testing.'”



11 Direct Mail Marketing Secrets

Remember when getting a letter in the mail was exciting? So do we. But how do you recreate that feeling and get customers excited about your business when they’re facing a sea of junk mail, flyers and credit card offers?

We asked 11 members of the Young Entrepreneur Council (YEC) their top secrets for making direct mail marketing more appealing to the people who matter most - those opening the envelopes.

Here’s what YEC community members had to say:

1. Make Mailers Useful

“Consumers use scrap paper every day for grocery and to-do lists, phone books and notepads. So, why should your promo, assuming it’s not immediately trashed, languish uselessly in a drawer somewhere? This year, we sent something people tend to keep - a New Year’s resolution sheet (with business info, of course). Brands should think of an additional use for their mailers; consumers sure could.” ~ Manpreet Singh, Seva Call

2. Open With a Proposition

“Consumers have short attention spans. Instead of building excitement toward your value proposition, just open with it. This will attract the recipient’s attention and force you, the sender, to see if your value proposition is worth sending to potential customers.” ~ Brett Farmiloe, Internet Marketing Company

3. Make It Lumpy

“The first goal of a direct mail campaign is to get your envelope opened. We’ve sent thousands of direct mail pieces to prospects, and we find mailers with a lumpy object inside of the envelope have a near 100 percent open rate. People are curious what’s inside, and the curiosity gets them to open it. Now your job is to make it personal, relevant and captivating to get your piece read.” ~ Charles Gaudet, Predictable Profits

4. Include Product Samples

“Paper direct mail can be a nuisance to most customers, but if you include a product sample, the direct mail instantly becomes more valuable as a trial tool. There are several companies that specialize in creating product samples, such as Arcade Marketing for the fragrance and makeup industries, and they often have interactive programs that aim to increase the ROI for your brand.” ~ Doreen Bloch, Poshly Inc.

5. Make Mailers Creative

“Direct mail can be very, very powerful. The key is what you send out. Last week, someone mailed me a message in a bottle. The message was about the company changes this business planned to instill in the new year, and the idea was so well put out that I called them immediately. Here’s the key: Send a more creative message to less people. It’s about quality, not quantity.” ~ Joe Apfelbaum, Ajax Union

6. Include Something Useful

“People often only think of promotional products as items to give away during a tradeshow or to clients. But what about using them in direct mail campaigns? Along with your sales/marketing message, include something like a pen. Those who are on the receiving end are at least 50% more likely to keep the pen, and in doing so, you’ll remain in their house in the future, used or not.” ~ Logan Lenz, Endagon

7. Tailor Content to the Consumer

“Invest in learning about your customer, and communicate with them accordingly. Leverage information on customer purchasing behavior and shopping preferences to segment and personalize marketing content and drive sales.” ~ Katie Finnegan, Hukkster

8. Use MailLift

“MailLift is basically an API for direct mail marketing. It allows you to integrate your CRM or customer service software directly into its messaging system. You can write out a message, and it will be transcribed as a handwritten letter and sent to your customer. It’s completely revolutionary because you can do mass mail customization efficiently for the first time.” ~ Liam Martin, Staff.com

9. Provide Value

“Most direct mail pieces deserve the moniker of “junk mail.” To make sure yours stands out from the crowd, you must deliver some kind of real value that transcends your brand message. There are so many creative things you can do that are cheap: Deliver curated content, use creative techniques (such as punch-outs or folds) to make something that consumers can use or write witty copy. Be boldly creative!” ~ Brittany Hodak, ZinePak

10. Partner Up

“Partner up with a complementary company to increase the value of the piece. By doing this you can create a more creative, useful piece. Tap into their customer base as well and use the piece both ways.” ~ Brooke Bergman, Allied Business Network Inc.

11. Use a Stamp

“Consumers can tell when something has been mass-mailed. If you make the envelope look like it came from a person rather than a machine, then the piece will more likely get opened. Try using stamps instead of metered mail, and use a font that looks like handwriting instead of typed text.” ~ Sarah Schupp, UniversityParent




Apple faces recriminations after finally fixing Mac bug

Apple Mac users can breathe a sigh of relief as the company has finally fixed a flaw that meant their personal details could be stolen while they were browsing online.

The patch plugs a hole in the Mac OS X operating system which enabled attackers to break into users' supposedly secure communication with popular SSL-protected websites. It was released on Tuesday - but this was four days after Apple issued a similar fix for iPhone and iPad users running the iOS operating system.

The time lag left Mac users vulnerable and brought heavy criticism of Apple from industry experts, especially as the problem was caused by Apple accidentally leaving an extra ‘goto fail' line in its source code.
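The ‘goto fail' defect described above, shown as an added illustration written for this page rather than Apple's actual source: a simplified verification routine in the style of the affected code, where a duplicated unconditional `goto fail` skips the final signature check and the function still reports success, beside a braced version in which a stray line cannot change control flow. All names and the stand-in check functions are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a TLS handshake signature check. The real
 * routine hashed the handshake parameters and then verified the server's
 * signature over that hash; here each step is reduced to a boolean. */
enum { OK = 0, ERR_UPDATE = -1, ERR_BAD_SIGNATURE = -2 };

typedef struct {
    bool update_ok;        /* simulated result of the intermediate hash updates */
    bool signature_valid;  /* simulated result of the final signature check */
} handshake_t;

static int hash_update(const handshake_t *hs) {
    return hs->update_ok ? OK : ERR_UPDATE;
}

static int verify_signature(const handshake_t *hs) {
    return hs->signature_valid ? OK : ERR_BAD_SIGNATURE;
}

/* Vulnerable form: brace-less ifs with a duplicated 'goto fail'.
 * The second 'goto fail' is indented like a branch body but is not
 * guarded by any condition, so verify_signature() is never reached and
 * err still holds OK from the last successful update. A handshake with
 * an invalid signature is therefore accepted. */
int verify_handshake_vulnerable(const handshake_t *hs) {
    int err;
    if ((err = hash_update(hs)) != 0)
        goto fail;
    if ((err = hash_update(hs)) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, skips the check below */
    if ((err = verify_signature(hs)) != 0)
        goto fail;
fail:
    return err;
}

/* Hardened form: braces on every branch, so an accidental extra
 * statement stays inside its guard, and OK is returned only when
 * every step, including the signature check, actually ran. */
int verify_handshake_fixed(const handshake_t *hs) {
    int err;
    if ((err = hash_update(hs)) != 0) {
        goto fail;
    }
    if ((err = hash_update(hs)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(hs)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Constructed input: hashing succeeds but the signature is invalid. */
    handshake_t forged = { .update_ok = true, .signature_valid = false };
    printf("vulnerable: %d (0 means accepted)\n", verify_handshake_vulnerable(&forged));
    printf("fixed:      %d\n", verify_handshake_fixed(&forged));
    return 0;
}
```

Compiling with the unreachable-code and misleading-indentation warnings enabled (for example `-Wall -Wextra -Wmisleading-indentation` on GCC or Clang) flags the duplicated line in the vulnerable form, which is one of the checks a build pipeline can run against this class of mistake.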

A second Apple bug, revealed by FireEye earlier this week, remains unpatched. This keylogging flaw means hackers can potentially record every keystroke made by users of any Apple device running the latest iOS 7 operating system, even ‘non-jailbroken' devices.

Until Apple fixes the problem, FireEye said users can use the iOS task manager to prevent potential background monitoring (SC Magazine UK.com, 25 February).

Context Information Security senior consultant Kevin O'Reilly said earlier this week that Apple's reputation for security was “in tatters” after the two problems were exposed - and he believes Apple's apparent aloofness in the face of widespread criticism means it now has work to do to win back user confidence.

He told SCMagazineUK.com: “Recriminations will now begin in earnest, with Apple having a lot to answer for. The conspicuous absence of comment from Apple, even after releasing the patch, will leave many users with serious questions about their attitude and response to serious security flaws in their own products.”

O'Reilly added: “The burning question is why, if the bug was so simple as a duplicated line of code, it took Apple so long to release the patch for OS X, particularly as the patch for iOS was released so much more quickly.”

He said that the bug fix “will come as a huge relief to Mac OS X users who, in the meantime, have been sitting ducks for attackers that might attempt to exploit this flaw” and he urged users “to update promptly to protect themselves”.

The SSL patch was one of more than 40 issued by Apple on Tuesday across its OS X, Safari and QuickTime for Windows systems. Users can upgrade to the latest version via the Mac OS X App Store.



Pinterest Marketing Tool Discover Can Give Better View of Your Brand

Tailwind, the analytics and marketing suite specifically for Pinterest, has announced an interesting new service called Discover. The company claims it is the first ever targeted Pinterest marketing tool, and will seamlessly integrate into the existing Tailwind suite.

Discover will give a more “holistic view” of a company’s customers, community and brand. Companies will be able to see all Pinterest content related to a campaign, including pins from the brand’s website, repins from their Pinterest profile and recent pins about related topics.

The company says the new tool allows users to:

  • Track the increase in followers, repins, likes and comments for your brand and compare growth in engagement across various time periods.
  • Measure Key Performance Indicators including virality, fan engagement level and content engagement rate. You can also benchmark and compare your results with competitors.
  • Analyze content performance by category, keyword, hashtag and pin.

Discover has been compared to Twitter listening and monitoring tools. But since Pinterest is based on images, Tailwind believes that their tool provides a different kind of insight. In an official release on the new tool, Tailwind CEO and Co-Founder Danny Maloney explains:

“Yesterday’s listening and monitoring tools use simple text-based analysis or outdated pixel-matching technology, which simply do not serve the needs of today’s visual marketer. In a visual world, real insights come from understanding the complete context of an image - including accompanying text, as well as image analysis and factors such as where the content originated. Tailwind provides such insights, helping marketers engage customers in meaningful ways that drive awareness, purchase intent and brand loyalty.”

Tailwind is positioning Discover as a way to engage with people in real-time on Pinterest, and to build a “targeted community” which will include influential pinners in their area of expertise.

Prices start at $29 a month for the Lite plan, but the $99 monthly Professional package is prominently displayed. Each package has a 14 day free trial. For most small businesses, the $29 monthly package should be more than enough.


Automate The Hiring Of New Staff For Your Business With iCIMS

Sometimes one of the most difficult aspects of running a small business is the hiring of new staff. That’s because it doesn’t just involve an interview and a handshake.

As any Human Resources employee will tell you, there are other aspects to keep on top of. They include keeping in touch with interested parties, searching for talent yourself and keeping a list of all the open jobs. But you also need to maintain career portals so prospective candidates can submit their resumes. And this is only part of the list of tasks.

iCIMS is a complete system that can handle all of these tasks, and more.

If you do a lot of hiring of new staff, then iCIMS is definitely something you should think about using. It enables you to maintain a broad overview of everything your company needs to do and remember to fill your job openings.

For example, you’ll need to advertise the vacancy on your site, collect resumes, keep notes and interview questions. Then you’ll need to keep track of the paperwork needed for a successful candidate. All of this can be viewed and edited from the convenience of one single dashboard.

Though iCIMS hosts the system on its servers, configuration and branding can make it look as if the pages are on your company’s website. iCIMS guarantees a 99.9% uptime, so there’s no need to worry about the pages crashing when you need them the most.

People interested in applying for a job with your company can submit their resumes through the Candidate Career Portal. Resumes can be sent via Google Drive or Dropbox. After all, the applicant may not have his or her resume immediately on hand. Job vacancies can be shared via social media, and you can refer a vacancy to a friend.


Interested applicants must create a profile on the iCIMS system. If you prefer, you can make the profile using an account on either Facebook, Google Plus, or LinkedIn. Or you can do it the old-fashioned way and make an account with the online form, or by email.

When the profile has been created, the applicant can log in and see the vacancies they have applied for in your company. They can leave their resume (which can be uploaded from LinkedIn), and their contact details such as email and Skype ID. They can even upload a photo.


In addition to resumes, a candidate can also submit images and even a 2 minute video cover letter. A video cover letter is especially useful if the candidate is too far away for an initial interview, for example.

Video cover letters are a great tool to find the candidates you need before you spend the time and resources on a face-to-face interview.


On the employer side, all job vacancies and descriptions can be edited using HTML markup. But the system also gives you the ability to set pre-screening questions, to make sure that the applicant is qualified to apply for the job. There is also an iForms section, where relevant forms can be sent to the applicant electronically.

But what if you have a sudden vacancy and you need to find a suitable candidate?

iCIMS allows you to search for applicants in the system who specified the relevant skills in their application. So if you’re looking for someone with Java and XML experience, you could type “Java XML.” You would then be given all of the applicants in the system who have that experience listed in their resumes.


The system’s email templates should also save you time when responding to applicants. If you want to send out an email offering a job, or requesting more information on a job, then you can pull up the appropriate template, and just add the applicant’s details.

The iCIMS system can be configured for companies of many different sizes from a few dozen to 10,000 or more. And since the company handles all hosting, configuration and branding, you don’t need an IT department to maintain it all.

For pricing, contact iCIMS and tell them the details of your company, including the number of employees and your specific needs. But regardless of your company’s size or industry, the system should streamline your hiring process, and automate the many tasks you need to handle in the process.






Got a Startup Tech Hardware Product to Sell? Try Grand St.


Grand St. aims to give independent hardware manufacturers a place to sell their products and to test prototypes.

If you’re looking to get a consumer electronics product to market, there’s an arduous process involved. One of the biggest obstacles is getting funding for a venture that could miss the mark. Another is finding customers interested in your product.

Grand St. provides potential solutions for both problems.

Right now, the site is the place to get The Loop, a leather organizer that can charge your iPhone. There’s also a hackable alarm clock kit and an iOS-enabled guitar for sale there now.

Fortune says that the addition of independent manufacturers selling their gadgets on the site has turned it into the Etsy of the electronics world.


On the official Grand St. blog, co-founder Amanda Peyton explains:

“Our goal has always been to create a better way for hardware creators to find an audience and get their products to market. For this new version of Grand St. we wanted to create a flexible solution that addressed indie hardware makers at different stages in the development cycle.”

The company says it now has about 200,000 users. And indie gadget makers have three ways to sell their new products through the site:

Consumer Ready

When you’re ready to sell the gadget you’ve created, you can list it through the Grand St. Shop. Grand St. says it previews and must approve any new listing. If a product doesn’t make the cut, Grand St. notifies the maker of its reasons for rejection.

If a product is approved and listed, the site takes an 8 percent commission on all sales. It takes the same commission on Beta sales. These are products that haven’t received any customer feedback and aren’t quite ready for a mass audience.

Beta

A Beta product maker can pick testers for the products and await their feedback. Based on the feedback, Grand St. says the maker of the product can then decide to seek more funding for changes or get the product ready for the marketplace or pre-order sales.

Pre-Order

If a product is within six months of being ready for the marketplace, it can be sold through a pre-order feature on Grand St. The site doesn’t take a commission on those sales and there are no monthly fees linked to selling on Grand St.

Sellers need to handle all their customer service and shipping commitments, the company notes in its seller guidelines.



RSA 2014: In the dock - understanding a data breach trial

If you have broken no law, nor failed to comply with any agreed industry standard, are you liable for the consequential loss incurred by your clients if you suffer a data breach that causes them loss?

That was the question posed at a mock trial for the information security legal fraternity at RSA on Tuesday.

The conclusions - based on US law, but reflecting international practice - are that both the law and industry standards lag behind best practice in protecting the consumer, suggesting the situation needs clarification and the bar needs to be raised - and quickly.

The basic premise of the trial followed the breach of a hypothetical tax returns company, Tax R Us, with stolen tax return information and credit card data being used for fraudulent tax filings and other illegal activity. The stolen credit card information was never used, as it was encrypted in compliance with PCI DSS, but a customer (the plaintiff) wanted to know why their other data wasn't protected too, as its misuse had caused their credit rating to drop and meant they missed out on buying a house at below market value.

The presiding judge, John Facciola (US Magistrate Judge, US District Court for the District of Columbia), called on the plaintiff's counsel, Steven Teppler (Partner, Abbott Law Group), to put the case and explain why the defendant should either be found liable for negligence outright, or have the case go forward to trial by jury.

It quickly became apparent that all the assumptions that we, in the security industry, may take as givens, would be called into question by both sides, highlighting manifold deficiencies in the system.

Tax R Us confirmed that it stored credit card data in compliance with PCI DSS, and thus encrypted at rest, while the social security numbers it stored were kept in plain text. So when a worker clicked on a phishing email and allowed a piece of malware to be downloaded, the attacker escalated their access privileges inside the system over a period of two months and, once the clients' social security data had been exfiltrated, was able to use it directly.

The defendant, represented by Hoyt Kesterson as company CISO, openly admitted that encryption was only used for the credit cards, because the company faced financial penalties for non-compliance there, whereas a breach of other personally identifying data only required the breach to be reported, which was done. “No one told me that I had to encrypt the data,” Kesterson told the court.

Counsel for the defence, Jay Brudz (Partner, Drinker Biddle & Reath), contended that the defendant had done everything legally required of it. He probed the expert witness Carlos Villalba (Director of Services, Terra Verde), who had carried out the forensic examination, questioning his competence as an expert, the efficacy of PCI DSS as a standard (arguing it is not the best available) and whether encryption of data at rest is the norm in the industry. Firewalls and anti-malware were deployed and staff were trained in the correct procedures, including changing passwords every seven days; in the defendant's view it had therefore done all that could reasonably be expected of it, and given the cost of encryption there was no business case to implement it more widely.

The plaintiff's counsel then questioned the credentials of the CISO: his background, experience and competence to know what best practice was. Having worked his way up inside the company without experience elsewhere did undermine his credibility.

The plaintiff's case was that the absence of an agreed standard did not absolve the defendant of blame: there were steps it could have taken to mitigate the likelihood of a breach, it knew what those steps were, and they included encryption. To be negligent like everyone else, the plaintiff's counsel argued, is no excuse. The case law cited was a New York factory fire in which locked doors, permitted smoking and lax standards contributed to several deaths, and for which the owner was found negligent despite there being no agreed standards.

In fact, this was the crux. In common law there is a duty of care to customers; if the terms of business spoke about security of data then this was even more explicit, and the loss of confidential personally identifying data showed the level of care provided was not commensurate with the value of data with which they had been entrusted.

But while it was shown that there was a case to answer, not all in the audience felt it was beyond question; most felt the case should go to trial, with just one person arguing that there was no case to answer. The other issue raised was whether a jury of lay people would understand the technical aspects of the case, but expert testimony on both sides is not uncommon, so the case would probably have gone to trial.

In the opinion of the presiding judge, the common law, which protects those hurt by other people's negligence, would support the plaintiff. But it was pointed out that where no loss can be demonstrated the case would be dismissed, with Facciola noting that in the US only one percent of breach cases go to trial, because in the rest no loss can be shown.

Had this case gone to trial, the argument that it was too expensive to encrypt non-card data would have been shot down by the counter-argument that the benefit outweighs the burden. But equally, even if there were a standard, it would not fit everyone, and a risk assessment would still be needed. There was no consensus on whether there should be statutory standards in such a fast-moving technical area: some called for a baseline while others preferred a common law basis. In the US, different states were likely to introduce different standards, but national players would need to meet the most onerous.
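The cost argument above is the security-relevant point of the session: the control Tax R Us already operated for card numbers is the same control it withheld from social security numbers, and extending it is a data-classification decision rather than new engineering. The Go program below is an added illustration, not code from the RSA session or from any product named on this page. It assumes a hypothetical classification table (sensitiveFields), a constructed sample record and a demo key in place of a KMS; it encrypts every classified field at rest with AES-256-GCM, binds each ciphertext to its record ID and column name so a value cannot be transplanted between rows or fields, and runs a scan that flags any stored field still matching a plaintext SSN or 16-digit card number pattern.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"sort"
)

// Hypothetical classification: every field listed here is encrypted at rest, mandate or not.
var sensitiveFields = map[string]bool{"pan": true, "ssn": true}

// Record is one stored customer record; values are plaintext or "enc:"-prefixed ciphertext.
type Record struct {
	ID     string
	Fields map[string]string
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one value with AES-GCM under a fresh random nonce; record ID and field
// name are the associated data, so a ciphertext copied to another row or column fails to open.
func encryptField(key []byte, recordID, field, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"/"+field))
	return "enc:" + base64.StdEncoding.EncodeToString(ct), nil
}

// decryptField reverses encryptField; a wrong key, record ID or field name fails.
func decryptField(key []byte, recordID, field, stored string) (string, error) {
	if len(stored) < 4 || stored[:4] != "enc:" {
		return "", errors.New("field is not encrypted")
	}
	raw, err := base64.StdEncoding.DecodeString(stored[4:])
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("bad key or malformed ciphertext")
	}
	ns := gcm.NonceSize()
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte(recordID+"/"+field))
	return string(pt), err
}

// ProtectRecord encrypts every field the classification marks sensitive and copies the rest unchanged.
func ProtectRecord(key []byte, r Record) (Record, error) {
	out := Record{ID: r.ID, Fields: map[string]string{}}
	for name, val := range r.Fields {
		if sensitiveFields[name] {
			ct, err := encryptField(key, r.ID, name, val)
			if err != nil {
				return Record{}, err
			}
			val = ct
		}
		out.Fields[name] = val
	}
	return out, nil
}

// plaintextPII matches a bare SSN (ddd-dd-dddd) or a 16-digit card number in a stored value.
var plaintextPII = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b|\b\d{16}\b`)

// PlaintextPIIFields returns, sorted, the fields still holding recognisable PII: the
// data-at-rest check that would have flagged the mock trial's unencrypted SSN store.
func PlaintextPIIFields(r Record) []string {
	var hits []string
	for name, val := range r.Fields {
		if plaintextPII.MatchString(val) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key; production pulls one from a KMS/HSM
	// Constructed sample record; not data from the page.
	rec := Record{ID: "cust-1001", Fields: map[string]string{
		"name": "A. Taxpayer", "pan": "4111111111111111", "ssn": "078-05-1120"}}
	prot, _ := ProtectRecord(key, rec) // only fails on a bad key size
	fmt.Println("plaintext PII before:", PlaintextPIIFields(rec), "after:", PlaintextPIIFields(prot))
}
```

Run it with go run: the scan reports pan and ssn as plaintext before ProtectRecord and nothing afterwards, while decryptField still recovers both values under the right key, record ID and field name. The scan is a coarse pattern match (it will not find SSNs stored without hyphens) and is a check on the storage layer, not proof that no PII remains; in a real deployment the key would come from a KMS or HSM and be rotated, which the demo key stands in for.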

So in the absence of a standard, the expectation is that sooner or later, maybe not for three or even five years, there will be a ‘bellwether' case that establishes liability, with punitive costs for any losing defendant.