Top Stories: Twitter Reset in Error, Windows Version Rumored Free

You put in plenty of time on your business. The Small Business Trends editorial team gives you the news you need to make your business better. Take a minute to read our top stories this week. It’s a good investment of your time.

Social Media

Twitter reset was an epic fail. Nowadays, plenty of people are worried about having their information hacked online. So when thousands of Twitter users, including small business owners, got emails from Twitter saying their accounts had been compromised, it probably freaked them out. That is, until they found out it was just a simple system error.

Twitter redesign ignites passion. It’s a passionate debate online. And it’s not just over proposed changes to Twitter’s iconic logo. The possible new look of the site is being hotly debated, too. It’s not certain if the rumored changes being debated will become reality. But following the discussion is a story in itself.

There’s voice coming to WhatsApp. The only question is what the form of this voice service will be. There’s also a question of whether it will cost more. (WhatsApp is paid for by user fees, not advertising.) If it allows true voice calling, it may be a serious competitor to Skype.

Software

The thought of a free Windows 8.1 is exciting. Our story on the possibility that Microsoft is considering a free slimmed down version of its software has proved that much. But we don’t know whether it will ever happen. The question is whether the free version would really meet the small business community’s needs or be worth the savings.

PNC has a tool to manage your cash flow. Imagine watching the money flow in and out of your business while it’s happening. How much easier it might be to see where to cut - or even where you should be making more! PNC Bank has introduced a tool it says will give you this kind of overview.

There’s more malware on Google Play than ever. Here’s our story telling you about the risks. Though Google is removing some of it, they are by no means removing all of it. And the fact that many instances have been detected in gaming and entertainment apps should not make small business owners feel any more comfortable.

So, who has the coolest job? Would it be a software developer or an architect? Yes, it’s the software developer. But the interesting thing about this top jobs list is how many of the positions can be filled by small business people.

Policy

U.S. Rep. Sam Graves wants more small business contracting. At least, he wants more at the federal level. Of course, the federal government has trouble hitting its mark for the percentage of federal contracts that are supposed to be awarded to small businesses now. But the point of the legislation proposed by Rep. Graves is that the current required quota is too low.

Obamacare will increase insurance for healthier workers. If your small business - a tech startup, let’s say - has younger, healthier workers, it used to be good news. Your insurance rates would likely be cheaper. But that’s not the case anymore, says Scott Shane, Professor of Entrepreneurial Studies at Case Western Reserve University.

Services

Verizon unleashes roll over data. It’s a brave new world of unlimited calling and text. But hold on. Not everything’s free. Now data is the most valuable commodity to companies like Verizon. So the deals will be based on how much you get and for how long.

This link will unsubscribe people from your marketing list. Gmail has made what appear to be some business unfriendly moves recently. That’s especially true if you happen to be an email marketer. It’s certainly not the intention of legitimate email marketers to bother anyone, so one way to look at this new Gmail feature is that it might cut down on spam accusations.

These analytics tools will enhance your business. From Google Analytics to Clicky and Crazy Egg, there are many analytics options out there. Many offer different features. But all have benefits you should consider. When choosing your analytics tools, look at which ones are best at getting the information your business needs.

Startups

This mompreneur tackled a problem with curly hair. Rikki Mor’s been known to call herself a reluctant entrepreneur. That’s because she started out, not to create a product, but to solve the problem of her daughters’ curly hair. Still, the determination she showed developing a prototype for her Knot Genie and finding an overseas manufacturer reveals true entrepreneurial grit.

Create a market of your own. In a sense, that’s what Stoney deGeyter of Pole Position Marketing did when he first redesigned his dad’s business website. Soon deGeyter was advising other entrepreneurs about how to make their business websites show up better in search. Today, SEO is a big industry with many big players. What market could you help invent?

Other Trends

Brighter lights lead to stronger emotions. There are both positive and negative connotations to that, by the way. If you’re selling items that evoke emotion - flowers and engagement rings, for example - then turn up those lights. But bright lights aren’t necessarily conducive to good business decisions.

There’s not enough coffee to go around. When you hear this phrase at a dinner party or other get-together, it’s a cause for disappointment. When you hear it in connection with an actual shortage of coffee beans, it means something else. That shortage of beans is due to a bad growing season in Brazil, the world’s largest coffee producer. And the results will impact small roasters and cafes first.




Should You Invest In A Top Level Domain Name (gTLD)? GoDaddy’s Domain Guru Thinks So

So you have your “dot.com” domain name, right? You might have even bought your name as a domain name (I did - ramonray.com).

Is it time to consider owning a new top level domain name? Not .com, .edu, or .net but an entirely new set of domain names like .bike, .camera, .construction and many other domain names that might be just perfect for your industry.

I had a discussion with GoDaddy’s Mike McLaughlin, who heads up domains for the company, to get his take on what a top level domain is and why this new crop of top level domains is so important.

Check out our full interview below or here - http://www.youtube.com/watch?v=YTi-0pW190Y



Are You Complying with the Law on Call Recording Notification?

If your business records incoming calls for any reason, federal and state laws require you to notify the incoming caller.

When your business does not follow these laws, it could be subject to large fines. In many states, fines are imposed per call in which the incoming caller is not notified that they’re being recorded.

There may be a lot of reasons why your business records its phone calls. Some may do it just to assure that their protocols are being followed. Other businesses like to have a permanent record. Either way, notifying incoming callers that they are being recorded is the law, writes Brian Gabriel, Chief Operations Officer for Sound Telecom. The company provides call center, answering and other services for business clients:

“If you record calls and do not have a compliance notification program in place, you are at huge risk of direct legal action. Failure to comply with current Federal and State regulations is taken seriously and it is enforced at many levels.”

In a recent report on the official Sound Telecom blog, Gabriel highlights a recent incident in which a business was hit with massive fines after a would-be customer called in and asked whether they were being recorded. When the person at that business answered that the call was, indeed, being recorded, the caller simply said, “Thank you,” and hung up the phone.

A few weeks after that call, the business received notice that it was being sued to the tune of $2,500 per call in which the business didn’t notify a caller they were being recorded.

These laws extend to call center operations, too. Your small business may rely on a third-party call center to handle a lot of phone traffic. If so, it’s important to ensure that that service is also compliant with the law.

Depending on which state your business operates in, the law and the severity of punishment for breaking it can vary greatly. Gabriel notes that California has the strictest laws on the books regarding call recording. A recent wave of lawsuits has flooded state courts there.

Even if your business operates exclusively in a state that doesn’t require two-party notification of a phone call being recorded, be aware. These laws are always changing, Gabriel reports. So vigilance is important.

“In simplest terms, business owners ought to make it standard procedure to notify all callers at all times whenever they record calls no matter what. This is the strictest interpretation of the law.”




Cisco flaws put routers back in the dock

A major flaw in Cisco's routers has been revealed just days after research firm Team Cymru reported it had found over 300,000 other routers infected with malware.

Cisco issued a patch for its vulnerability on 5 March. The problem lies in the web management interface of its leading Cisco RV215W and CVR100W Wireless-N VPN routers, which could allow a remote attacker to take control of them.

Cisco also issued fixes for multiple vulnerabilities in its Wireless LAN Controller (WLC) product family, and a flaw in its RV110W Wireless-N VPN firewall product.

The patches follow a report last month from the US SANS Institute that it had found the ‘Moon' worm infecting Cisco Linksys-branded routers.

Then on 4 March SCMagazineUK.com reported that researchers at US-based Team Cymru had uncovered a ‘Man in the Middle' attack dating back to at least mid-December which had infected more than 300,000 small office/home office (SOHO) routers from manufacturers including D-Link, Micronet, Tenda, TP-Link and others.

There are no suggestions that the Cisco problem and the SOHO router attack are linked, but the incidents have underlined that routers are a major new corporate vulnerability, whether they sit inside the network or are used by partner small businesses or by executives working from home.

Steve Santorelli, outreach manager at Team Cymru, said the two cases revealed the same “disturbing” and “fundamental” issue.

He told SCMagazineUK.com via email: “Hacking different elements on an enterprise topology is the new ‘black', as opposed to infecting the end client or server. It means that vendors and their enterprise customers have yet another thing to keep them up worrying at night: is your router, your appliance, your DNS infrastructure all actually doing what you think it is?

“It makes perfect sense to evolve in this direction, at least from a criminal perspective: it's harder to spot, you get a massive amount of opportunity to gather credentials and usurp traffic and, just by hacking one part of the topology, you get the equivalent of infecting the entire network of end users: you'd have to spend a huge amount of additional time to infect an equivalent number of individual computers.”

Santorelli added: “If Cisco machines are being targeted, it's likely due to economies of scale: their routers are everywhere so it makes sense to spend your criminal R&D on them as you'll get the most return on Investment.”

SCMagazineUK.com contacted Cisco for a comment on the issue but they declined. The company did say there are no known workarounds available for its router flaw, but that it was not aware of any malicious use of the vulnerability.

Cisco's security advisory confirmed the problem could allow an attacker to hijack the routers and potentially infiltrate company networks: “The vulnerability is due to improper handling of authentication requests by the web framework. An attacker could exploit this vulnerability by intercepting, modifying and resubmitting an authentication request. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to gain administrative-level access to the web management interface of the affected device.”



Third-party access adds vulnerability

It’s time to take back third-party remote access and increase visibility on the network, says Stuart Facey

It's very common for organisations to allow external service companies to access their systems, typically vendors and support specialists who assist with the maintenance, installation and troubleshooting of IT systems.

Now cybercriminals are targeting vendors with network access privileges as an easy way to infiltrate enterprises; for example, last year's Target hack in the US that compromised 40 million credit card numbers was traced back to network credentials stolen from a vendor. Unfortunately, the Target breach isn't an isolated case. According to the 2013 Trustwave Global Security Report, up to 63 percent of data breaches are linked to a third-party component of system administration.

Yet many organisations still lack awareness of how third-party service companies are remotely accessing their systems, putting themselves at significant risk. With vendors and service providers often using free or basic remote access tools, and sharing the same generic credentials across technicians, hackers are getting easy access to remote systems by simply guessing passwords or using a brute force attack. In fact, the Trustwave report found that, “Organisations that use third-party support typically use remote access applications, like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers' systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators,” and the Verizon Wireless 2013 Data Breach Investigation Report found that 76 percent of network intrusions exploited weak or stolen credentials.

And external hackers are not the only issue: if credentials are shared and rarely changed, vendors' ex-employees are then able to remotely access your systems long after they leave the company.

This makes taking back control of third-party remote access imperative: once you know how your systems are being accessed, staying secure will become much easier using a combination of strategies and technologies.

The first step is to consolidate tools. By forcing every third-party and internal employee to use one, consolidated, company-owned solution for remote access, you will greatly improve your ability to monitor and block dubious activity. As part of this, it is important to shut off remote access from unapproved tools. For example, RDP port 3389 is a favorite target for hackers, and web-based solutions increasingly used by vendors wanting a cheap way to access your systems can pose a significant risk. The free versions are also commonly used by tech support call scammers, so blocking them provides a security bonus.

Once tools are consolidated, businesses can look at who has access, assigning roles using granular permissions. By selecting a third-party remote access solution that includes permission settings by vendor or team, you can designate who can access what systems, and when, instead of the traditional ‘on' or ‘off' VPN approach. This ensures that no user has more access than they need, as most third parties will only need to work on one or a small group of systems on your network and even then, they may not need full access.

Adding security layers to systems is also important. Requiring two-factor authentication for anyone who logs into your remote access solution will reduce the chance of stolen vendor credentials, while boosting your regulatory compliance.

However, preventing attacks is just one side of the story: what should a business do after an incident has occurred? Most companies don't know straight away when they have been hacked, and according to the Verizon report, the majority of breaches take months to discover. To more quickly identify any unapproved activity through third-party channels, enterprises should capture a secure audit trail of all remote access activity and set up alerts for unusual actions. Firms should ensure the trail is captured in a secure place within the business network, rather than the vendor's. It will then be difficult to cover up if a third party has made a mistake.

It is time to take back third-party remote access control. By implementing these guidelines alongside a strategy that encourages visibility, businesses can keep on top of security, ensuring that valuable company data is protected.
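The guidelines above (one approved company-owned tool, per-vendor permissions, no lingering ex-employee accounts, an audit trail with alerts) can be checked mechanically against the remote-access audit trail. The script below is an added example, not Bomgar's or the author's code; the log format, vendor account names, IP addresses, host names and policy values are all constructed for illustration.

```python
"""
Audit a consolidated remote-access log against a third-party access policy.

Added example (not Bomgar's or the author's code). The log format, vendor
accounts, IP addresses, host names and policy values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines: time, vendor account, source IP, tool, target host, dst port
SAMPLE_LOG = """\
2014-03-10T09:02:11 hvac-vendor 203.0.113.10 corp-gateway pos-db-01 443
2014-03-10T09:05:40 hvac-vendor 198.51.100.7 corp-gateway hvac-ctl-02 443
2014-03-10T09:06:02 hvac-vendor 203.0.113.10 corp-gateway hvac-ctl-02 443
2014-03-10T23:40:15 web-agency 192.0.2.55 rdp web-stage-01 3389
2014-03-10T10:15:00 web-agency 192.0.2.55 corp-gateway web-stage-01 443
2014-03-10T11:00:00 former-tech 192.0.2.90 corp-gateway hvac-ctl-02 443
2014-03-10T11:30:00 web-agency 192.0.2.55 vnc web-stage-01 5900
"""

# Constructed policy: the single approved tool, per-vendor target allow-lists,
# permitted hours, revoked accounts, and the window used to spot shared credentials
POLICY = {
    "approved_tool": "corp-gateway",
    "targets": {
        "hvac-vendor": {"hvac-ctl-01", "hvac-ctl-02"},
        "web-agency": {"web-stage-01"},
    },
    "hours": (8, 18),                    # allowed local hours, [start, end)
    "revoked": {"former-tech"},          # vendor staff who have left
    "share_window": timedelta(minutes=10),
}


def parse_line(line):
    """Split one audit-trail line into a dict with a parsed timestamp."""
    ts, account, src, tool, target, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account, "src": src,
            "tool": tool, "target": target, "port": int(port)}


def audit(log_text, policy):
    """Return a list of (rule, account, detail) alerts for policy violations."""
    alerts = []
    sources = defaultdict(list)   # account -> [(timestamp, source IP)]
    flagged_pairs = set()         # (account, {ip_a, ip_b}) already reported
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        # Rule 1: anything other than the consolidated company-owned tool (RDP, VNC, ...)
        if e["tool"] != policy["approved_tool"]:
            alerts.append(("unapproved_tool", e["account"], f'{e["tool"]}:{e["port"]}'))
        # Rule 2: credentials that should have been revoked are still in use
        revoked = e["account"] in policy["revoked"]
        if revoked:
            alerts.append(("revoked_account", e["account"], e["target"]))
        # Rule 3: vendor reaching a system outside its granular allow-list
        if not revoked and e["target"] not in policy["targets"].get(e["account"], set()):
            alerts.append(("target_not_permitted", e["account"], e["target"]))
        # Rule 4: access outside the permitted window
        start, end = policy["hours"]
        if not (start <= e["ts"].hour < end):
            alerts.append(("outside_hours", e["account"], e["ts"].isoformat()))
        # Rule 5: one account used from two source IPs within a short window,
        # the signature of a generic credential shared across technicians
        for prev_ts, prev_src in sources[e["account"]]:
            pair = (e["account"], frozenset({prev_src, e["src"]}))
            if (prev_src != e["src"]
                    and abs(e["ts"] - prev_ts) <= policy["share_window"]
                    and pair not in flagged_pairs):
                flagged_pairs.add(pair)
                alerts.append(("shared_credential", e["account"], f"{prev_src},{e['src']}"))
                break
        sources[e["account"]].append((e["ts"], e["src"]))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in audit(SAMPLE_LOG, POLICY):
        print(f"{rule:22} {account:14} {detail}")
```

Each rule maps to one of the article's recommendations: rule 1 is the "consolidate tools" step (the RDP and VNC sessions in the sample are flagged even though they reach a permitted host), rules 2 and 3 are the granular-permission step, and rule 5 is the shared-credential problem. Because the log is read in a single pass, the script can run over a live trail as easily as over an archived one; the only state it keeps is the per-account source history.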

Contributed by Stuart Facey, VP International at Bomgar



14 Gadgets Every Serious Reporter Must Have at #SXSW - Ramon’s Tech Bag

This will be my third year going to SXSW; it’s the ONE place I can find awesome individuals, startups and small business focused companies and share their information with YOU.

This information (their best practices, new products, etc.) will help YOU grow your business.

To capture this information and be an effective SXSW journalist there’s a few gadgets I bring with me.

Maybe you’re not going to SXSW but you might want to consider buying one of these gadgets to make your life easier.

This year the team at Infusionsoft will be covering SXSW on our Big Ideas Blog and through Twitter at #sxswsmallbiz.

I’m also happy to meet up with Shashi Bellamkonda (@shashib), who has shown me the ropes of SXSW. He’ll be posting content on Smallbiztechnology.com as well.

Some of what I expect to cover at SXSW are The Small Business Web, GE, Bit.ly, NY Tech Meetup and more!

Here’s my gadget list.

Kodak Zi8 - portable video camera with a microphone jack so I can capture the best audio (I use this for short and quick video)

Sony HD Handycam HDR XR-160 (this camera is light, HD and has a large hard disk to store the video files - no memory cards needed)

Kensington Presentation “clicker”

Kensington wireless portable mouse

iPad with The Snugg Case

portable Tripod from B&H photo

Mophie portable battery - Powerstation XL

Listerine (bad breath is just bad)

Verizon Wireless MiFi (portable WiFi)

Monster Outlets to Go Power Strip

Dell XPS 13 Notebook

Audio Technica Shotgun Microphone

Moleskin Notebook (writing notes with a pen and paper is best for me)

Samsung S4 phone

I’m also bringing ear buds and several USB cables and chargers.



Here’s How A Business Psychologist Uses CRM and Other Tools To Boost Sales

Dr. Sharon Melnick is a business psychologist who specializes in helping professionals remove road blocks that are preventing them from being better versions of themselves.

Her book, “Success Under Stress,” is one that every professional who lives a stressful life should read.

In this interview Dr. Melnick shares how (and why) her business is a success.

One of her many power weapons is small business CRM Infusionsoft.

Check out our discussion here http://www.youtube.com/watch?v=6wu9z3-Qekg or below



Review: A Stylish and Functional iPad Case to Protect Your iPad (The Snugg)

Here’s my review of a great iPad case by Snugg. They have all sorts of cases for your gadgets - which SHOULD be protected. In this review I relay my story of my iPad crashing in church and why a case is a must for every important electronic gadget.

Check out my review below or http://www.youtube.com/watch?v=m0xKBX8vudg



When Do I Need to Register My Business In Another State?

These days, it’s easy for geographical lines to be blurred when it comes to your business. Countless small business owners work with virtual teams, partners, clients, and customers they’ve never actually met in person.

This new reality can make it even more confusing to know if you’re conducting business in multiple states. Are you unknowingly running afoul of state law by operating without registering? Here, we’ll break down all the details about when you need to register your business in another state and when you don’t.

“Doing Business” in Another State

If your company is conducting business in any other states than the state where you incorporated (or formed an LLC), then you need to register your business in those new states. This is often called “foreign qualification.”

So, what exactly constitutes “conducting business?” If a customer in Oklahoma buys your product or service, and you’re based in Nevada, does that mean you are operating in Oklahoma? In this case, the answer is no.

Questions to ask to see if you need to file a foreign qualification for a state:

  • Does your LLC or corporation have a physical presence in the state (i.e. office, restaurant, or retail store)?
  • Do you often conduct in-person meetings with clients in the state?
  • Does a significant portion of your company’s revenue come from the state?
  • Do any of your employees work in the state? Do you pay state payroll taxes?
  • Did you apply for a business license in the state?

If you answered yes to any of these, your business may need to file a foreign qualification in that state.

Examples of Foreign Qualifications

Here are some examples of common situations when you need to foreign qualify and when you don’t.

1) Let’s say you operate a restaurant in North Carolina and want to expand into South Carolina. You’ll need to file a foreign qualification in South Carolina.

2) You incorporated your business in Nevada, but you are physically located in California. You need to foreign qualify in California.

3) You live in Massachusetts and your business partner lives in California. The company is incorporated in Massachusetts, but lately your partner has been bringing in the bulk of your company’s clients and meeting with them in California. You need to foreign qualify the business in California.

4) You are a freelancer who formed an LLC for your business in Florida. You perform the majority of your work online, and have clients all over the country. In this case, you don’t need to file a foreign qualification, since you’re not frequently physically meeting in another state. Just because you are bringing in revenue from customers in other states doesn’t mean you are transacting business there according to the law.

If you have any questions about whether or not your business needs to foreign qualify, you should check with your attorney or accountant.

How to Foreign Qualify

If you have determined that you need to register your business in another state, you will need to submit an application with that state’s Secretary of State office. In some states, this is called a Certificate of Authority, in others it’s the Statement & Designation by a Foreign Corporation.

You can contact the Secretary of State’s office yourself or have the service that incorporated your company handle the filing for you.

The paperwork itself is relatively straightforward, but keep in mind that some states will require you to have a certificate of good standing from the state where your LLC/corporation is registered. That means you will need to be up to date on your state taxes and filings.

The Bottom Line

If you are legally required to foreign qualify, make sure you follow through on this obligation. Otherwise, you will end up paying fines, interest, and back taxes for any time when you were not properly registered.

In addition, you lose the ability to sue in a state where you are not foreign qualified (and you should be). So don’t overlook this legal requirement. It could end up costing you much more in the long run.




Pregnancy advice clinic fined for ‘unforgiveable’ data breach

Hacktivist thwarted in plan to reveal names of clients at BPAS following data breach.

Abortion provider the British Pregnancy Advice Service (BPAS) has been fined £200,000 after security lapses enabled a hacker to steal the names, addresses and phone numbers of thousands of people who had contacted the charity for advice.

The UK privacy watchdog, the Information Commissioner's Office (ICO), levied the fine after the hacker threatened to publish the names - and was only prevented from doing so by a police operation to recover the data.

But an ICO investigation found BPAS didn't realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who had sought its advice, that the data wasn't stored securely, and that a vulnerability in the BPAS website's code allowed the hacker to steal it.

In a hard-hitting judgement published on 7 March, the ICO accused the charity of ‘ignorance' and an ‘unforgiveable' data breach.

Deputy Commissioner and Director of Data Protection, David Smith, said: “The British Pregnancy Advice Service didn't realise their website was storing this information, didn't realise how long it was being retained for and didn't realise the website wasn't being kept sufficiently secure.

“But ignorance is no excuse. It is especially unforgiveable when the organisation is handling information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.”

But a “horrified” BPAS said it is appealing against the ICO verdict. Chief executive Ann Furedi said the hacker was being “rewarded” by the scale of the fine.

BPAS said the case dates back two years to 8 March 2012 when the hacker broke into its website, defaced it with anti-abortion messages and obtained the personal details of people who had requested a call-back to discuss issues relating to pregnancy, contraception and sexual health. BPAS said it contacted the police immediately.

As a result, hacker James Jeffery, who according to The Independent newspaper, was linked with the Anonymous group, was arrested by specialist e-crimes police officers, found guilty and jailed for 32 months.

BPAS said in a 7 March statement: “These were not personal medical records of women who had undergone treatment at BPAS and such records were never at risk, but BPAS takes any data breach immensely seriously and we were appalled that any information we hold had been compromised.

“We accept that no hacker should have been able to steal our data but we are horrified by the scale of the fine, which does not reflect the fact that BPAS was a victim of a serious crime by someone opposed to what we do.”

Furedi added: “It is appalling that a hacker who acted on the basis of his opposition to abortion should see his actions rewarded in this way.”

But security expert Adrian Culley, global technical consultant at Damballa, said the fine was the right decision.

He told SCMagazineUK.com via email: “It is 30 years since the UK first introduced a Data Protection Act requiring safeguards around the handling of personal data. Today, it is both encouraging that we have a viable Information Commissioner's Office capable of policing and enforcing these matters, but also very disappointing that some individual organisations still do not protect the personal data they hold.

“Anyone who holds personal data of third parties must assume there are hackers going to great lengths to access this information and should seek actionable intelligence on an ongoing basis to detect suspicious activity. Personal data sitting on a computer system can be just as valuable as bank notes sitting in a vault. It needs protecting just the same.”

Calum MacLeod, VP of EMEA at Lieberman Software Corporation, had some sympathy for BPAS's plight. He said in a comment emailed to journalists: “The fine for the BPAS is not a surprise, and I have to feel sympathy for them. Like many registered charities, they are never going to be able to attract top IT staff, and with their limited resources, it will very often mean that they will outsource services, such as website development.

“What this shows is that great care needs to be taken when doing this type of work. If you don't have the staff that can do proper penetration testing on applications such as websites, then you are at serious risk of a breach. There are so many risk areas associated with websites, that makes professional testing essential.”

The ICO's David Smith added: “There's a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it's subject to up-to-date and effective security measures.”

The ICO investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call-back details for five years longer than was necessary for its purposes.



‘Snake’ APTs call for new security approach

Snake malware has infiltrated the UK government for eight years, says BAE, and is evolving to attack others.

British cyber specialist BAE has issued a “call to arms” to security professionals to find new ways to combat advanced threats, after revealing that the Russian ‘Snake' malware campaign has stayed almost undetected for at least eight years while infiltrating highly sensitive UK government and other systems.

BAE Systems Applied Intelligence (formerly Detica) revealed the ‘venomous' nature of Snake in a 7 March report, including its ability to hide in the victim's web traffic, more than 50 modules that allow it to adapt for different cyber attacks, a stealth mode to lie dormant for a specified number of days, and its ability to exploit a privilege escalation vulnerability in Oracle's VirtualBox malware analysis system, which enables it to bypass Windows 64-bit security - akin to a ‘zero-day' exploit, BAE says.

BAE has analysed more than 100 samples of Snake and found it targeting countries mainly in Eastern Europe, but also the US, UK and other Western European countries. The malware can infiltrate Windows XP, Vista, 7 and 8-based systems.

BAE has also confirmed Snake is a “far more menacing” update of the notorious Agent.BTZ attack, which in 2008 infiltrated the US Defence and State departments' network for transmitting classified material, and the Joint Worldwide Intelligence Communication System which was used to send top-secret information to US officials worldwide.

Agent.BTZ was also spotted when it ‘beaconed' out stolen data to its command server, but BAE says Snake can now hide its stolen data within the user's internet traffic, describing its architecture as “extraordinary in its complexity” and “quite unique”.

David Garfield, managing director for cyber security at BAE Systems Applied Intelligence, told SCMagazineUK.com: “It's very good at hiding in the actual web browser of the user so if you're trying to look for abnormal behaviour it's nigh-on impossible, because it's literally manipulating the web traffic that that user's already sending.”

Garfield said Snake also has a peer-to-peer mode that enables it to ‘hop' across networks protected from the internet until it finds a server that's connected. BAE's report confirmed: “The architecture is designed to grant Snake as much flexibility as possible. When most of the infected hosts are cut off from the outside world, it only needs one host to be connected online. The traffic is then routed through that host to make external control and data exfiltration still possible.”

Snake is the same toolkit as ‘Uroburos' (meaning snake or dragon), revealed by German research firm G Data SecurityLabs last month as stealing confidential data from government and other high-profile targets since 2011. But BAE's analysis shows Snake has been in existence since at least 2005, six years longer than previously thought.

G Data linked the toolkit to the Russian intelligence service. BAE notes its use of the Russian language but says only that a “well-established cyber espionage operation” is behind the attack.

In between its appearances in 2008 and 2011, BAE says that the campaign remained largely hidden from sight. And because of Snake's stealth and sophistication, BAE is urging security professionals to change their approach to this and other APT attacks.

Garfield told SCMagazineUK.com: “Snake is up with the most sophisticated tools we've seen out in the wild. That's led to it being able to remain largely undetected for so long. Its modular nature and architecture shows it can be rapidly improved and evolved. It remains a threat and this will be an ongoing battle.”

Garfield warned that while BAE is now sending out signatures and indicators to help CISOs spot the attack, Snake will inevitably evolve to evade these measures.

As a result, Garfield said: “The security community needs to come together - it's a call to arms to the community to look at this and other similar threat groups to try and understand how these more covert and more sophisticated pieces of malware can be detected in the future. It just underlines the gap that exists in current security measures.”

Garfield suggested CISOs need to move away from relying on signature- and indicator-based detection, to “more behavioural approaches and more sophisticated monitoring tools to look at all the data available to you to try and detect these attacks”.

Security expert Brian Honan of BH Consulting agreed. He told SCMagazineUK.com via email: “If organisations are solely relying on defences that are good at protecting against known attacks then they are vulnerable to much of the more advanced malware that is out there. In particular, if such an organisation should become targeted by sophisticated attackers they are vulnerable to attack tools like Snake. To better protect themselves organisations should look for unusual types of behaviour on their systems and networks.”

Honan said: “Too often when we help clients investigate breaches we find they could have detected, or indeed prevented, the breach if they had been proactively monitoring their logs and network. Proactive monitoring of network traffic, such as DNS requests, could indicate suspicious traffic being directed to unusual hosts. Likewise effective monitoring of system and security logs can provide early indications of a compromise.”

Snake can operate at both kernel and user level. In its 2008 guise, it got into the US intelligence network via a flash drive on a computer, but Garfield said it can now infect systems through an email attachment or link to a website.

BAE's report ‘Snake Campaign & Cyber Espionage Toolkit’ is available at http://www.baesystems.com/ai/snakemalware. BAE urges CISOs to search their logs for connections to the Snake command and control servers listed in the report, search for MD5 hashes of the known samples shown in the report, use indicators of compromise for building host-based rules and deploy SNORT rules for network-based detection of Snake.
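As an added example of the log and hash search BAE describes (not BAE's code, and not the report's indicators), the script below runs a set of command-and-control hosts and sample MD5s over proxy and DNS log lines; every host, hash and log line is a constructed placeholder, and the two log formats are assumed.

```python
"""Added example (not BAE's code): match proxy and DNS log lines and file
hashes against a report's indicators. Every host, hash and log line below
is a constructed placeholder, not a real Snake indicator."""
import hashlib
import re

# Stand-ins for the C2 hosts and sample MD5s a report would list (constructed).
C2_HOSTS = {"c2.example.invalid", "update.example.invalid"}
SAMPLE_MD5S = {hashlib.md5(b"constructed sample body").hexdigest()}

# Assumed log formats: "<ts> <client> <method> <url> <status>" for a proxy,
# and a BIND-style "client <ip>#<port>: query: <name> IN <type>" line for DNS.
PROXY_RE = re.compile(r"^\S+ (?P<client>\S+) \S+ https?://(?P<host>[^/:\s]+)")
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*? query: (?P<host>\S+) IN")

def host_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == ind or h.endswith("." + ind) for ind in indicators)

def scan_log(lines, indicators=C2_HOSTS):
    """Return (line_no, client, host) for each line whose destination host
    matches an indicator; lines in neither format are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line) or DNS_RE.search(line)
        if m and host_matches(m.group("host"), indicators):
            hits.append((n, m.group("client"), m.group("host").lower().rstrip(".")))
    return hits

def scan_files(files, known=SAMPLE_MD5S):
    """Return names of in-memory files whose MD5 is a known sample hash."""
    return [name for name, data in files.items()
            if hashlib.md5(data).hexdigest() in known]

# Constructed sample input.
LOG_LINES = [
    "2014-03-10T09:12:03Z 10.0.0.5 GET http://c2.example.invalid/up.php 200",
    "2014-03-10T09:12:04Z 10.0.0.8 GET http://www.example.org/ 200",
    "10-Mar-2014 09:13:01.001 client 10.0.0.9#51234: query: mail.update.example.invalid IN A + (10.0.0.53)",
    "10-Mar-2014 09:13:02.001 client 10.0.0.9#51235: query: example.org IN A + (10.0.0.53)",
]
FILES = {"dropper.bin": b"constructed sample body", "notes.txt": b"harmless"}

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print("C2 contact: line %d, client %s -> %s" % hit)
    print("Known sample hashes:", scan_files(FILES))
```

Subdomains of a listed host are matched as well, so a beacon to a host under a known C2 domain is still flagged.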



Remembering the Days of Good Old Regular Data

big data cartoon

I like data.

I use Google Analytics and Crazy Egg on my site to see how people use it. I track subscribers a few different ways in Recurly, I track tweets and retweets in Buffer, and between QuickBooks and Numbers, I have a good idea where my money goes.

Like I said, I like data. But even for a small company like mine, that’s a lot. So when you hear about larger companies leveraging Big Data and governments spying via metadata, it can feel like we’re drowning in data. Hence this metadata/Big Data cartoon.

I know it’s passé - but I miss the days when just watching your “hits” was data enough.



MasterCard Releases MasterPass Mobile Payment App

masterpass mastercard

MasterCard says its MasterPass In-App Payments feature will allow customers to make all mobile payments from one app.

In an official release, the company says the new product is a response to demand. The company says research shows revenues from mobile apps and in-app payments will reach $46 billion by the year 2016. Other sources suggest that about $90 billion in sales will be conducted via mobile payments by 2017.

MasterCard also notes that the average smartphone user has 26 apps downloaded on their device. Rather than having to load and store your payment information into multiple apps, the new app would allow you to make mobile payments from just one place. For MasterPass users, this may make mobile payments potentially more convenient and secure.

For small businesses that are looking for a way to take advantage of mobile payments, there could be at least two clear benefits. First, using a single mobile payment app should make mobile business payments easier. Second, especially for small retail businesses, it should make it easier to accept mobile payments from customers by working through a single payment system.

The release further explains:

“Apps with MasterPass embedded in them enable consumers to complete a purchase with as few as one click or touch on their favorite connected device without leaving the app environment. The optimized checkout process creates a seamless shopping experience, supported by the highest levels of security and cryptology.”

The new app is currently in beta for merchants, so an invitation is required to get started. The company says that the new feature will be widely available to app developers and merchants in the second quarter of this year.

Venture Beat reports that some companies are already using MasterPass’ mobile app, including Forbes Digital Commerce, Fat Zebra, MLB Advanced Media, NoQ, Starbucks Australia and Shaw Theatres Singapore. Meanwhile, MasterPass is already available as a browser add-on.

Image: MasterPass