Yelp Pissing You Off? Here’s 5 Simple Ways Your Small Business Can Fight Back and Win

Are you pissed that the good reviews you’ve collected on Yahoo or other web sites are gone, thanks to a deal with Yelp? While it might be a challenge to understand how Yelp works, here are a few things you can do to ensure you are in control of your reviews and not Yelp, or anyone [...]

The post Yelp Pissing You Off? Here’s 5 Simple Ways Your Small Business Can Fight Back and Win appeared first on SmallBizTechnology.



Heartbleed and Small Business Security. Heartbleed’s Effect on 7 Small Business Web Sites.

As you might know by now, Heartbleed is a security flaw in OpenSSL, the encryption library behind a large share of “secure” web sites, that lets an attacker read chunks of a server’s memory without logging in. That memory can contain other users’ passwords and session cookies and, worst of all, the server’s private encryption key.

When you visit a web site over a “secure connection” (the padlock, or https:// in the address bar), the traffic between your browser and the site is encrypted in transit and, in theory, can’t be read by anyone in between.

According to CNN, “Cybercriminals could exploit the bug to access visitors’ personal data as well as a site’s cryptographic keys, which can be used to impersonate that site and collect even more information.”

Just do a Google search for “Heartbleed” to see what you need to do.

But in short, you need to a) confirm that each web site you use has fixed the Heartbleed flaw (patched OpenSSL and, ideally, reissued its certificate, since the old private key may have leaked) and b) only then change your password on that site. Changing a password before the site is fixed just hands the attacker the new one.

There seem to be so many security holes, flaws and ways for unauthorized users to access your network. Here’s what you should do to be as secure as possible:

  • Be vigilant and aware when major security flaws are announced in the general media
  • Sign up for, and act on, security notifications from your software vendors
  • Regularly update your computer software (browser, operating system, applications)
  • Back up your data and the software and applications that depend on it
  • Train your staff (and yourself) in the basics of computer security
  • Be vigilant and smart (don’t write your password on a piece of paper, for example)
  • Consider “two factor authentication”, so that logging in to a web site requires not only your password but also a one-time code generated on your cell phone or another device you hold
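The “secret code provided on a cell phone” in the last bullet is, for authenticator apps, almost always a TOTP value: an HMAC over the current 30-second time step, truncated to six or eight digits (RFC 6238, built on RFC 4226 HOTP). The post does not name a mechanism, so the following is an added example, not code from the original post, showing how such a code is generated and how a web site should verify it. The shared secret is the RFC 6238 test-vector key, supplied here in the Base32 form authenticator apps are provisioned with; the one-step skew window is an assumed policy.

```python
"""
Time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP), the scheme
behind the six-digit codes an authenticator app shows as a second factor.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: HMAC the 8-byte big-endian counter, then apply dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP: HOTP with the counter set to the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret, code, unix_time, step=30, digits=6, window=1):
    """Server-side check. Accept the current step plus `window` steps either side to
    tolerate clock skew, comparing in constant time. A real deployment must also
    store the last accepted counter and refuse anything at or below it (replay)."""
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps receive the shared secret as Base32 text (for example inside
    an otpauth:// QR code); decode it, tolerating spaces and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 test-vector key (ASCII "12345678901234567890") as Base32; sample input only.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = secret_from_base32(TEST_SECRET_B32)
    print(totp(key, 59, digits=8))  # RFC 6238 expects 94287082
    print(verify_totp(key, totp(key, 1234567890), 1234567890 + 29))
```

The skew window exists because phones and servers disagree about the time by a few seconds; widening it beyond one step makes brute force noticeably easier, so keep it small and rate-limit failed attempts.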

Here is some popular small business online software and how it has been affected by Heartbleed:

Quickbooks online - not affected

GoDaddy - if you use their SSL services, read this statement on what to do

PayPal - not affected

Dropbox - was affected but has patched its servers - a password reset is probably needed

Evernote - never affected, was secure

Asana - was affected, fixed their servers - you might want to change your password

Most banks appear not to have been affected

Infusionsoft - not directly affected. However, read this thorough blog post for more details.



In the News: Digg Founder Protested and Twitter Redesign Unveiled

Some interesting developments filled the news this week with issues touching on entrepreneurship, the tech industry and more. If you didn’t have time to catch it all, don’t worry. The Small Business Trends editorial team has you covered. Here’s our roundup of the big stories.

Entrepreneurship

Digg Founder Kevin Rose Protested for Creating Jobs. It’s No Joke.

We couldn’t make this up. Protesters stormed Kevin’s house in San Francisco this week. What’s their beef? He’s brought too many high paying jobs to the San Francisco area, that’s what. And in compensation, the protestors want Google to give them $3 billion for free housing. Read on and see if it makes sense to you.

Social Media

New Twitter Redesign Features Bigger Photos and New Features

Some may say the new Twitter looks too much like Facebook. There are certainly larger photos and some features that borrow from other social media. Try Pinned Tweets, for example. But take some time to look at the options (your new version will be rolling out soon), and listen to what others in the small business community have to say.

The FTC is Flagging This Pinterest Contest and Here’s Why

The Federal Trade Commission has made no secret of its policy to require disclosure when paid to promote on social media. But what about when those promoting your brand aren’t even your employees or contractors? Here’s an interesting case that will probably make you rethink that next Pinterest campaign, if not all your social media marketing.

Say Goodbye to the Products and Services Tab on LinkedIn Company Pages

It’s the end of an era (sort of). LinkedIn says adios to the Products and Services Tab on its Company Pages. If your business has a Company Page, the tab will be history as of April 14, 2014. For now you can edit your existing tab but can no longer add new products to it.

Web

Disqus Will Help Publishers Earn with Sponsored Comments

Yes, you heard right. Disqus is banking on the idea that brands are more interested in showing up where engagement happens, in your site’s comment section. The company promises the ads won’t be obtrusive, and you can turn them off if you like. But it could be another way to monetize your content.

Want to Attract 20,000 Users to Your Platform in Just 3 Months? Read this

In 2011, Anthony Smith launched Insightly, a CRM platform aimed at the SMB market, because he couldn’t find a customer management product that integrated with Google Apps products to his liking. So he decided to build a product and business to meet that need. Anthony shares how he bootstrapped his vision and turned it into reality with over 400,000 users.

Google’s Product Listing Ads Will Soon be History

Recently, Google announced that PLA campaigns, or Product Listing Ads campaigns, will be replaced by the end of August with Shopping Campaigns. There are new features you’ll find with the Shopping Campaigns that are meant to help you manage your campaigns at scale. According to the announcement, these campaigns have received great feedback so far.

Mobile

Business By Miles Aims to Automate Your Business From Anywhere

It’s called Business by Miles. And its purpose is to automate your business functions. That’s everything from scheduling to human resources, billing, invoicing, project management, payroll and accounting. But where once you might have done this using multiple apps, Business by Miles wants to reduce that to one. And did we mention it’s optimized for mobile?

Video Message Your Colleagues on Vine (Whether They Use the Service or Not)

Vine has expanded beyond looping videos. Vine has introduced a new service where you send video messages directly to your friends. The addition of private messaging comes with the ability to send short video clips to any contact on your mobile device - not just other Vine members. Of course, non-Vine recipients of these messages will be limited to sending you text responses.

A Report Says Apps are the Clear Winners Over Mobile Browsing

When consumers are looking for information on your brand, it is more likely to be on a phone or tablet, instead of a PC. The mobile device is king. At least that’s according to a report released recently by a mobile analytics firm which concluded that mobile device usage is on the rise.

Tech

3D Printing May Have Become Even Easier.

This new crowdfunding effort has already raised sufficient funds to produce the Micro. The device is being billed as the first true consumer model 3D printer. It’s a 7.3 inch cube, weighing about half a pound, and is expected to sell for around $299. Check out the video and more on the Kickstarter campaign here.

Linksys Introduces New Devices to Boost Wireless Access for Small Business.

Devices include the wireless AC Access Point and Smart Switches. Both give small businesses a way to increase the number of Web-enabled devices in the office. Linksys says the devices are part of a new push into the small to medium sized business market. So, as your technology needs grow, expect to see more innovation on the horizon.

Your Next Pizza Delivery Guy Might Actually be a Flying Drone

Perhaps you caught the story recently on 60 minutes on Drones Over America. Or more likely you’ve heard about the interview with Jeff Bezos of Amazon on their plans to begin using drones to deliver packages to your door. Drones are becoming a very hot, and controversial, topic.

Customer Service

Satanic Latte Art? How Should a Business Respond?

When a Louisiana teacher visited her local Starbucks, she didn’t expect that her coffee drinks would deliver a satanic message. But when she looked down at the two drinks, she allegedly saw just that. One of them depicted a star that appeared to be Lucifer’s pentagram and the other included a 666 made with caramel drizzle.

How Much Can Poor Customer Service Cost Your Business? Read On

Customer service is important. If you run a business, you already know that. But you might not realize just how great an impact poor customer service can have on your company’s bottom line. The data collected by ClickSoftware explains: “Poor customer experiences result in an estimated $83 billion loss by U.S. enterprises each year because of defections and abandoned purchases.”

Policy

Newly Sworn SBA Chief Must Deal With Lending Defaults

Newly sworn-in Small Business Administration Chief Maria Contreras-Sweet may want to give small businesses access to more loans. But a bigger challenge may be adding some oversight to the administration’s current troubled loan guarantee program. Critics like the Government Accountability Office (GAO) say the program is already costing taxpayers billions.

An Update on the Greater Opportunities for Small Business Act

Government contracts for small businesses were discussed this week on Capitol Hill. U.S. Rep. Sam Graves (R-MO) asked the House Armed Services Committee Wednesday to include more contracting for small businesses in a defense spending bill for 2015. Graves serves as chairman of the House Committee on Small Business.

So, How Do You Really Feel About the Minimum Wage?

Yes, the President is pressing Congress to raise the federal minimum wage from $7.25 an hour to $10.10. Rieva Lesonky mentions some statistics here that suggest there’s a benefit to the increase. For example, some small businesses are already paying more. But, in the end, the question is whether your small business will be able to sustain potentially higher costs.

Reading Photo via Shutterstock



Recollective Baseline: Where SMBs Can Get Feedback On Ads, Ideas

Have you ever wished you could test out an ad and get feedback before launching a marketing program? Or how about testing a new product concept?

If so, the Ramius Corporation may have just the thing for you. The company has just launched a free version of its Recollective research software called Recollective Baseline. Think of it as software that lets you conduct a focus group online.


The new version is free for up to 50 participants and is designed specifically for small and medium sized businesses to use.

The company says the product is a simplified version of its Recollective Professional version used by top research firms. It consists of a private online area where you can go to gain insights from the survey participants. The participants can respond in the form of text, images, videos, or files.


However, administrators can decide not to conduct their survey in such a public manner and instead have one-to-one discussions with participants.

People can participate in these surveys in one of two ways. You as the administrator can either invite them via email, or you can receive a unique link to hand out on, say, your Facebook company page, or your Twitter feed.

In an interview with Small Business Trends, Alfred Jay, CEO of Ramius, explained:

“Think of it as a system that organizes information collection from a group by combining the structure of surveys, an interactive activity stream similar to the Facebook Newsfeed, and a powerful suite of research tools to help the administrator to analyze and interpret the data to identify valuable insights.”

If you are more of a visual type of person, here’s a tutorial video from Vimeo:

Though the video shows a professional version of the software at work, Jay says it is still an excellent way to get an idea of the software’s general functions. Both versions have a lot in common.

There are other specialized activities in addition to the questions and polls. For example, there is an image markup activity in which people can be asked to place markers and commentary over an image to indicate their impressions. And there is a sort and rank exercise as well. Jay explains:

“Quantitative surveys help understand the who, what, when, and where. Recollective Baseline is a qualitative research tool to help understand why and how, as well as understand motivations and behaviors. It really helps to discern what a business doesn’t know by being able to engage those who are important in dialogue and activities.”

An administrator can have up to 10 open studies simultaneously. This means that a business could have one study for customers of product A, another for customers of product B, and so on. What’s more, if the participants differ from study to study, the total number of unique people that can be supported is 50 x 10 = 500.

There are obviously many examples of why it would be good to have your own focus group on tap. Jay has one for you to think about.

“Whereas Recollective can be used to run a one-time limited duration study similar to a traditional survey, many of the most forward thinking organizations look at ongoing implementations of the system where people are constantly available to be engaged as strategic assets. These ‘insight communities’ allow companies to study customers over time or test concepts with customers on-the-fly and at anytime - all with the objective of ultimately making better decisions in shorter time.”

Anyone interested in the free software can simply visit the Recollective Baseline website and sign in. There is no cost. What’s more, visitors outside the US can also take part, as Baseline is available in French, Spanish, German, Italian, Brazilian Portuguese, and Dutch.

Images: Recollective



For Some Entrepreneurs, Tackling a Future Father-in-Law is a Requirement

In India, a father would not look favorably on giving away his daughter to an entrepreneur. The first question a prospective groom faces would be:

“Which company do you work for?”

A job in the public sector or a leading conglomerate would count more in the marriage market than a successful venture. You would be told:

“You are wasting your talent and taking too much of a risk. Why not get a steady job?”

Tushar Bhatia, Founder of Saigun Technologies, a human resource automation platform development company, faced a similar situation when he wanted to marry his girlfriend. Tushar had a master’s in computer and mathematics from a premier institute, IIT Delhi, and had won a number of national product design competitions. He had developed customized business applications for a Japanese company’s hardware platforms, which went on to be successes and a good source of income - enough to buy his first computer and splurge on his girlfriend.

But not enough to please his future father-in-law, who insisted that only a steady job with a reputed organization would do if Tushar wanted his blessings to marry his daughter. So contrary to his entrepreneurial instincts, Tushar joined the Tata Group as a software engineer and soon married his girlfriend. His work took them to Chicago where he came across a number of entrepreneurial opportunities. He worked on HR automation during this time and identified it as an area of opportunity. He went back to India in 2002 and started Saigun.

With his wife supporting his decision, Tushar did not hold back his entrepreneurial ambitions. He even managed to convince his father, Major General BK Bhatia, who was the head of HR at a Tata Group company, to become the functional expert for their product. He continues to work for Saigun as Director, HR and Products.

In 2004, they released EmpXtrack, a SaaS-based, multi-geography compliant human resource management automation platform that integrates the entire gamut of activities of a human resources department in the cloud.

The main value proposition of EmpXtrack is that it not only helps organizations cut down costs, but also provides a simple, intuitive interface to help employees, managers, and management quickly access data and make decisions. Their capability to customize their product, their services focus, and their lower cost, are their key differentiating factors. They offer 32 different modules and can automate all aspects of HR in any organization. Its initial customers came from the technology and finance sectors and they competed with companies such as SuccessFactors, Halogen, and Vurv. After consolidation in the industry, Workday is their largest competitor.

Their current revenue is about $850,000 from a diverse customer base of over 200 organizations spread across 21 countries. The customer size varies from 10 employees for the smallest one to around 15,000 employees for the largest. In all, EmpXtrack caters to around 75,000 employees across all its customers. Their top target segment is companies with 50 to 500 employees in the IT, consultancy, and BFSI sectors. They have also found significant success in selling to enterprise companies that have procured ERPs but are not satisfied with the capabilities of these ERPs.

Their geographic focus is on the US East coast, UAE, and India, especially Mumbai, Bangalore, and New Delhi. They have a network of channel partners to focus on the needs of small businesses across the world. They offer a free trial of EmpXtrack through their site. They are generating about 350 new enrollments a month.

By 2017, Tushar says the target is to get to 1 million users on its platform. They want EmpXtrack to be the product of choice for small and medium businesses in the USA, India, and the Middle East, with a focus on finance, IT and services.

There are about 450,000 companies with 25-500 employees and about 17,000 companies with more than 500 employees that together employ about 90 million employees in the US. In the Middle East and India, there are about 300,000 companies employing 21 million permanent employees. At an average cost of $3 per employee per month, the potential market size in these three markets would be $3.9 billion. According to research firm Gartner, the human capital management products market is expected to reach $10 billion by 2015. The talent management market alone is expected to reach $4.5 billion with 75% of available solutions expected to be cloud-based.

Over the past few years, there has been a strong focus on optimizing employee costs all over the world driven by the uncertain economic climate. And this focus has resulted in the trend for automation in HR using the SaaS model. Now, that trend is crossing over to HR applications in the cloud, which comes as a boon to small businesses.

As for overcoming resistance from fathers-in-law, it’s an issue most entrepreneurs face in India. With more and more stories of successful startups, the scenario is changing somewhat, but the bias remains.

Couple Photo via Shutterstock



Mandiant: Companies are getting worse at detecting data breaches

Organisations are getting worse at spotting security breaches, and attackers still spend two-thirds of a year on corporate networks before being identified, according to a new Mandiant report.

In response, the firm is urging people to change their mindset from “I can secure everyone” to “I am going to be attacked, what can I do to detect and contain that problem quicker and less expensively”.

‘Beyond the Breach', the fifth annual M-Trends report on advanced targeted attacks, published on 10 April by FireEye, which now owns Mandiant, says that in 2013 just one-third of organisations detected breaches on their own - down from 37 percent the year before.

On the upside, organisations are finding breaches in their networks faster (229 days versus 243 in 2012), but that still leaves attackers spending two-thirds of the year on the networks before being found.

Jason Steer, director of technology strategy for FireEye EMEA, says breach detection “is by far the biggest challenge”. He told SCMagazineUK.com: “Detection is incredibly difficult and there isn't really any consistency because there aren't the products out in the market to do this I'm afraid. The gap between the attackers and defenders has never been wider.”

So Steer said: “Rather than ‘I can secure everyone' the mindset has to change to ‘I am going to be attacked, breaches are going to be an inevitable consequence of using the internet to do business, what can I do to detect and contain that problem and mitigate that risk quicker and less expensively?”

Information security researcher David Lacey, an expert on APT attacks, was not surprised that the breach detection problem remains. He told SCMagazineUK.com via email: “Enterprises have always been poor at detecting attacks and frauds. At least the average dwell time of APT attacks is reducing. But we need to get it down to weeks from years.”

As well as security products, Steer was critical of some end users, saying: “The vast amount of customers we meet do not have an incident response plan.”

“Maybe we should educate our users a little bit more. End users are very often the weakest link in all security. A really strong message is you need a combination of the right people, the right products and the right processes to make that whole preparation, detection, validation and remediation process work smoothly.”

The report itself says: “To attack the security gap, organisations need smart people, visibility into their networks, endpoints and logs. Organisations also need actionable threat intelligence that identifies malicious activity faster.”

The M-Trends report also examines how companies are infiltrated - and finds phishing emails try to exploit trust in IT departments, with 44 percent of observed emails impersonating the IT department of the targeted organisation.

At the industry level, it said attacks in 2013 rose in two key industries: financial services (up from 11 percent of attacks to 15 percent) and media & entertainment - nearly doubling from seven percent of attacks to 13 percent.

At the international level, the report says the Chinese government and financial criminals are the most advanced and well-funded threat actors.

Mandiant last year famously exposed the APT1 cyber spy group as part of the Chinese People's Liberation Army - and this year's report tests the impact of that revelation. The report examines “whether revelations of China's state-sponsored cyber activity could spur a diplomatic solution to the problem of nation-state cyber espionage on behalf of private sector entities?”

Unfortunately, it says: “Within a short period of time we had our answer: no.” APT1 went quiet then “returned to consistent intrusion activity” around 160 days after its exposure.

This year's report also highlights Iran as a more active threat, saying that while it currently uses less advanced approaches than others, “it won't be hard for them to get more sophisticated. They also don't necessarily need advanced capabilities in order to have a big impact.”

Lacey commented: “It's not surprising to hear that Iran might be on the offensive, as they've been a major target themselves. And there's little difference in the skills required for attack or defence. Some authorities would even argue that attack is the best form of defence.”



UK police ill-equipped to deal with cyber attacks

A startling report from Her Majesty's Inspectorate of Constabulary (HMIC) shows that only three in 43 police forces in England and Wales have a comprehensive plan for dealing with a large-scale cyber attack.

The report, which was published earlier this week, shows that only Derbyshire, Lincolnshire and West Midlands have adequate plans in place to deal with such an attack, and further detailed that only two percent of police staff across 37 forces have been trained on investigating cyber-crime.

This result is a stark reminder to the UK government which - outside of its own initiatives to drive cyber security awareness - already advised the police to prepare for five threats last year but has failed to follow up adequately. These threats were terrorism, civil emergencies, organised crime, public order threats and large-scale cyber attacks.

"The capacity and capability of the police to respond to national threats is stronger in some areas than others - with the police response to the cyber-threat being the least well developed,” said HMIC's Stephen Otter.

The group found that the ability to deal with cyber-threats remains “largely absent” from some forces, and added that some senior officers across England and Wales are still “unsure of what constituted a large-scale cyber incident.”

In addition, the report - which didn't include Scottish police forces (police in the country have attempted to tackle cyber-crime by forming a “cyber-resilience group” with industry experts and academics) - claims that most forces were “silent" when it came to preventing cyber-crime and protecting people from these kinds of attacks, despite the fact that they are “fast becoming a dominant method in the perpetration of crime.”

Such news is unlikely to come as a surprise to those who attended the recent SC Congress London, where Mark Jackson - detective superintendent of the recently-established Met Police Cyber Crime Unit - gave an honest appraisal of the force's cyber-crime capabilities.

Jackson admitted that reporting cyber-crime is a “whole different process” and acknowledged that there are difficulties because there are “no international boundaries” in cyber crime. Hackers often carry out attacks through multiple proxies in numerous countries, making it difficult to identify who's behind the attack and whose jurisdiction the investigation falls under.

Responding to this latest report, Adrian Culley - a former Met Police Computer Crime Unit detective and now independent information security consultant - told SCMagazineUK.com that cyber-crime reporting will continue to flounder so long as police use traditional measures of law enforcement.

“The gist is, cyber crime coverage is at best a Curate's Egg. There are pockets of excellence, but as the report details, sadly the majority of constabularies are found wanting, and this starts and ends at a very senior level,” he said via email.

“Unfortunately the challenges of policing the intangible place that is cyberspace do not at all lend themselves well to traditional, measurable goals and objectives (both quantitative and qualitative).

“There is a far reaching question that needs addressing by all parties, police, government and society, which is does the Robert Peel model of policing, which has broadly served us well since 1829, continue to be fit for purpose?  It should be no surprise to anyone that a policing model founded in the early 19th Century is creaking at the seams with the demands of cyberspace and cyber-crime.”

Charles Sweeney, CEO of Bloxx, also expressed concern at the report's findings and said that bigger initiatives - such as CERT-UK and the National Crime Agency - would be undermined if cyber-crime couldn't be worked out on a local level.

"There has been a lot of political rhetoric about the threat of cyber crime and its rising dominance,” said Sweeney.

“However, establishing central resources such as CERT-UK is undermined significantly if police forces are unable to help and assist people at a regional and local level.  More needs to be done to help police understand the guidelines, their implications and to ensure that officers have the right skills to help victims of cyber crime."



Anthony Smith of Insightly: How to Attract 20,000 Users in 3 Months

In 2011, Anthony Smith launched Insightly, a CRM platform aimed at the SMB market, because he couldn’t find a customer management product that integrated with Google Apps products to his liking. So he decided to build a product and business to meet that need.

Anthony shares how he bootstrapped his vision and turned it into reality with over 400,000 users. He touches on the role the Google Apps Marketplace played in reaching the target audience, the collaboration tools used to get important customer feedback, and how his initial efforts on Google Apps Marketplace helped shape his efforts to engage other platforms and expand Insightly’s small business reach.

* * * * *

Small Business Trends: Before we jump into the conversation, can you tell us a bit about your personal background?

Anthony Smith: I started Insightly just over two-and-a-half years ago. I found a need for a small business customer management solution that worked with and integrated with Google Apps.

I couldn’t find something in the marketplace that met that need, so I decided to do it myself.

Small Business Trends: Can you talk a bit about how you leveraged the Google Apps Marketplace to get the business off the ground?

Anthony Smith: This appeared to be a great outlet for us to get visibility with small business customers and really show off the integration we had inside of Gmail, Google Calendar, Docs and Drive. Customers that were already Google Apps customers, if they had a need for a solution outside of the feature set of Google Apps, could go to the Marketplace. Then, with just a couple of clicks, they could install one of those solutions - and try it out.

We were fortunate to launch into the Google Apps Marketplace when there were only a few hundred apps. As we were built primarily on that platform, we managed to get some traction really quickly very early on. There was great feedback with the customers that used us and reached out with suggestions and features.

Small Business Trends: So you were able to use that not only to get the application up and running, get the customers on board, but collaboration with customers was key to moving the product along?

Anthony Smith: That was certainly the case for us.

Small Business Trends: What kind of tools did you use to really further the collaboration?

Anthony Smith: Apart from the Google Apps Marketplace commenting and referral system, we used Google Consumer Surveys to reach out to our customers.

We used Zendesk, an integrated support and ticketing platform for customer support requests/inquiries.

We also used 99 Designs to design some of the pages and get some early prototypes up.

In the early days, we did outsource some specific pieces of our code base; we used Odesk to do that.

Small Business Trends: How quickly were you able to get your first 1,000 users, based on that approach?

Anthony Smith: Using those specific tools and that approach, we had over 1,000 users within the first week. Then we grew to over 20,000 within the first three months.

Small Business Trends: How did the initial workings with the Google Marketplace (and the way you collaborated with the customers there) impact what you did when you started to move out to some of these other systems to expand the business?

Anthony Smith: We stuck with the Google customer base and Google Apps Marketplace. Then once we had a fairly solid feature set that integrated with all the key Google services, we had a chat with Microsoft and asked how we could be part of the Outlook and Microsoft Office ecosystem.

Small Business Trends: Are there things you’d do differently today than you did when you first started three years ago?

Anthony Smith: For the first year and a half, we were very much focused on the Web and having a compelling CRM (customer relationship management) experience. Then in 2013, we started to execute in earnest on mobile apps, iOS and Android.

If I had to do that over again, I think I would have concentrated more on mobile a little bit earlier in the life of the company.

Small Business Trends: If I were to ask what you’re going to focus on over the next year or so, would mobile be the answer?

Anthony Smith: That would certainly be one of the things; being able to pour a lot of resources into mobile.

Small Business Trends: Where can people learn more about what you guys are doing?

Anthony Smith: They can learn more on Insightly.com and sign up for a free account. They can also find us on the Android and iOS marketplaces.


This interview on how to attract 20,000 users is part of the One on One interview series with thought-provoking entrepreneurs, authors and experts in business today. This transcript has been edited for publication.



Cyber attacks are targeting Heartbleed flaw, says US CERT

As the latest major security bug prompts cyber-crime and phishing attacks, experts advise on changing passwords and what CISOs can do.

The US Government has confirmed that, as feared, cyber-crime attacks have been launched that exploit the recently revealed Heartbleed security flaw, which affects hundreds of thousands of websites and other systems worldwide.

The ICS-CERT agency, part of the US Department of Homeland Security (DHS), issued a warning about Heartbleed on 10 April stating: “ICS-CERT is aware of several instances of targeted active exploitation of this vulnerability.”

It added: “ICS-CERT continues to monitor the situation closely. Entities are encouraged to report any and all incidents regarding this vulnerability to DHS.”

‘Heartbleed’ has triggered a seismic reaction among security professionals and users, after researchers from Google and Finland's Codenomicon revealed on 7 April that web servers and other kit using the OpenSSL cryptographic library, versions 1.0.1 to 1.0.1f, have been vulnerable to the bug for the last two years.

An estimated 500,000 to 600,000 sites are affected - original estimates put it in the millions. Heartbleed allows attackers to hijack “crown jewel” encryption keys and steal any encrypted data that has passed through the affected site or device, including user passwords, bank details and confidential company documents.

The latest OpenSSL 1.0.1g fixes the bug but, in the interim, security professionals are being warned of cyber-crime attacks and password-stealing phishing emails exploiting people's fears about Heartbleed.
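The version range above lends itself to a simple inventory triage check. The following is an added example, not code from the article or from any vendor quoted in it: it parses `openssl version` banners and flags the 1.0.1 to 1.0.1f range, with the caveat that distribution builds often backport the fix without changing the upstream version letter, so a flagged host needs verification rather than being assumed exploitable. The host names and banners are constructed sample data.

```python
import re

# Vulnerable upstream releases per the article: OpenSSL 1.0.1 through 1.0.1f;
# 1.0.1g carries the fix. The 0.9.8 and 1.0.0 branches never shipped the
# heartbeat extension code, so they are not affected.
VULN_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an 'openssl version' banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.
    Returns ((major, minor, fix), letter) or None if the banner doesn't match."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_heartbleed_version(banner):
    """True if the upstream version string falls in 1.0.1 .. 1.0.1f.
    Caveat: distributions often backport the fix without bumping the letter,
    so True means 'needs verification', not 'confirmed exploitable'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    triple, letter = parsed
    if triple != VULN_BRANCH:
        return False
    # A bare "1.0.1" has an empty letter and sorts before "a"; "a".."f" are
    # all below "g", the first fixed release.
    return letter < FIRST_FIXED_LETTER


def triage_hosts(inventory):
    """Split a {host: banner} inventory into hosts needing patch/verification
    and hosts already on a safe upstream version. Both lists are sorted."""
    needs_action = sorted(h for h, b in inventory.items() if is_heartbleed_version(b))
    ok = sorted(h for h in inventory if h not in needs_action)
    return needs_action, ok


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "web1.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "web2.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn.example": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "mail.example": "OpenSSL 1.0.0l 6 Jan 2014",
}

if __name__ == "__main__":
    act, ok = triage_hosts(SAMPLE_INVENTORY)
    print("needs patch/verification:", act)
    print("safe upstream version:", ok)
```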

Security firm Easy Solutions has confirmed ICS-CERT's report of cyber attacks, revealing that hackers have targeted over 10,000 web domains affected by the bug.

In a 10 April blog post, Easy Solutions CTO Daniel Ingevaldson said: “Hackers are posting huge lists of 10,000-plus domains that have been run through the automated web-based Heartbleed vulnerability checking tools. This list described if the web sites are vulnerable, patched, or if SSL was not present.”

Ingevaldson added: “Chances are that if you run an SSL-protected system, it has been assessed or will be assessed by one of these tools. These scans might lead to automated attacks that harvest login credentials en masse.”

Phishing attacks on the rise, password advice causes confusion

Heartbleed phishing emails have also started. On 10 April Rob VandenBrink, a senior consulting engineer at Metafore, warned in a blog for the US cyber security education body SANS: “I started getting emails yesterday asking me to change passwords on services I do not have accounts on - complete with helpful links - back-ended by malware and/or credential harvesting of course.”

Meanwhile, in a bid to calm fears - and contrary to some earlier advice - security experts say users should not immediately change their passwords because of Heartbleed.

Mick Paddington, security adviser at Trend Micro, told SCMagazineUK.com: “The advice is don't change your password until you're asked to by a genuine site, so for instance if you do get an email from Barclays and it's genuine. Some of these sites are doing remedial action to plug this vulnerability. As soon as that's done they'll either inform you on their website or through the media channels that their sites are now safe and it's safe to change your passwords.”

Security expert Brian Krebs added in a 10 April blog post: “It is a good idea for internet users to consider changing passwords, at least at sites that they visited since this bug became public (7 April). But it's important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords.”

As for security professionals, Paddington told us: “They should be looking at their own websites and seeing if they are at risk from this vulnerability and if so taking the remedial action out there to address it.”

Peter Allwood, senior manager at Deloitte, advised: “Organisations who are concerned they may have been impacted should be following an established vulnerability management process to apply security patches to affected systems. Extra focus should be given when assessing the implications of the Heartbleed bug, beyond applying the regular patches. Organisations may also need to revoke compromised certificates and create new encryption keys and certificates. They should also be giving users advice about their response to the bug and any steps users should take to remain secure.”

Some websites have been set up where CISOs and end users can check whether the websites they run or use are vulnerable. Two such sites are:

http://filippo.io/Heartbleed/

https://lastpass.com/heartbleed/

A comprehensive list of vendors and their patches and updates is provided by the Carnegie Mellon CERT team. CISOs are also being reminded that Heartbleed affects more than websites. Avivah Litan, a vice president with Gartner Research, said in a 9 April blog: “This bug affects routers, switches, operating systems and other applications that support the protocol in order to authenticate senders and receivers and to encrypt their communications. Forget having to plant back doors in encryption libraries, as the NSA allegedly did. The backdoors are already built in.”

Confirming this, for example, Cisco said in a 10 April security advisory that Heartbleed has affected Cisco products including IP phones, a video communication server, Ethernet access switch and versions 2.x of the WebEx Meetings Server.

In a 10 April blog post, TrendLabs mobile threats analyst Veo Zhang reported that mobile apps are also vulnerable. TrendLabs scanned around 390,000 apps from Google Play, and found around 1,300 apps connected to vulnerable servers. Among them were 15 bank-related apps, 39 online payment-related apps, and 10 online shopping-related apps.

“We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps - and most concerning, even mobile payment apps. These apps use sensitive personal and financial information - data mines just ripe for the cybercriminal's picking,” Zhang said.

Google product manager Matthew O'Connor said in a 9 April blog that it had applied Heartbleed patches to Google Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS were not affected. “We are still working to patch some other Google services,” O'Connor said.

Brian Krebs added: “It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-web server stuff affected by this bug will be business-oriented devices (and not consumer-grade products such as routers, for example).”



The Day’s Full of Opportunities…Shall You Sink or Swim?


I love word pairings. To and fro, give and take, meat and potatoes, ebony and ivory, apples and oranges - there’s a million of them out there.

So one day, when I heard “sink or swim” in a conversation, it suggested the paperwork in and out trays and this cartoon wasn’t far behind.

It’s an easy sort of transference joke, but I was surprised how much research the art ended up requiring. It took a screen full of naval officers, ships, anchors and whatnot to get this to read visually.

Sometimes those easy ideas aren’t so easy.



Disqus Introduces Sponsored Comments For Publishers, Brands

If you have a company blog, you may also have the Disqus commenting platform powering it. But now the company is testing a new feature - Disqus sponsored comments. And it is getting a very mixed response from users.

Disqus sponsored comments - both text- and graphic-based - will be a way of introducing advertising not into the main part of a page or post, but instead next to a comment hosted on Disqus. According to the company, ads won’t be placed next to just any comment. Instead, they will be placed in the same area as what Disqus calls a “featured” comment - one pinned to the top of the thread.

A featured comment is one which the publisher feels is good, insightful, well written, adds to the conversation, whatever. The publisher pins it to the top of the thread to give it more exposure.


The sponsored comment can be upvoted or downvoted, just like any other Disqus comment. The brand behind the comment will initially be able to target sites in their particular market. So Nike can target sports sites or shoe sites. Vodafone can target cellphone sites, that sort of thing.

However, according to Digiday, one troubling aspect of the whole idea is that the brand will be able to moderate the feedback on their sponsored comment. So any critical ones will naturally be hidden from view.

Disqus says it feels running ads alongside the featured comment does not disturb the conversation, and puts the ad at the beginning “like movie previews.” In other words, it’s not what you are there to see, but it’s something extra to benefit from.

The new ad feature is being portrayed both as a way for brands to engage in conversations they want to be a part of and as a way for publishers to make money off of their social engagement.

TechCrunch says that Disqus will have a dedicated team to moderate all sponsored comments, to ensure quality. Publishers can also set up their own filters. And those who really don’t want to participate can turn the ads off on their site.

However, this has not placated some rather annoyed users who have taken to the Disqus comment thread to voice their displeasure. As one commenter sarcastically pointed out, “I can’t WAIT to read more about that cousin that makes 2000 dollars a week on the internet.”

Image: Disqus