Top Stories: Minimum Wage Increase Defeated, Internet Explorer Fixed

Top stories for small business owners this week involved the fate of a contentious minimum wage bill and the repair of a major Web security issue. The Small Business Trends editorial team has you covered with this important news and more. Just follow our roundup.

Policy

Minimum Wage Bill Fails in Senate, Small Business Groups Respond. A Senate bill that would have raised the federal minimum wage from $7.25 to $10.10 failed in the Senate Wednesday. But President Obama and other supporters have vowed to make it an issue in the 2014 elections. Small business leaders want elected officials to know they consider it an important issue too.

USDA Announces $150 Million Investment Fund for Rural Businesses. The U.S. Department of Agriculture has announced a $150 million fund the agency will use to invest in small rural businesses. The fund establishes a new Rural Business Investment Program with a new wrinkle for investment in rural ag-related companies. The new investment fund was announced as part of the Obama administration’s “Made in Rural America” initiative.

Michigan Creates $6.8 Million Fund for Tech Startups. Economically speaking, the news concerning Michigan typically focuses on the purported death of Detroit. To counter that negative trend, the Michigan Economic Development Corporation (MEDC) is hoping to spearhead some new growth among high-tech startups. The Michigan Pre-Seed Fund 2.0 is actually a continuation of a previous effort. It will provide $6.8 million for investment in local business.

Web

Microsoft Announces a Fix to the Internet Explorer Bug. Federal officials had issued a warning to users of Internet Explorer: Stop using the Web browser until Microsoft can mitigate a security threat. The U.S. Computer Emergency Readiness Team, a division of the Department of Homeland Security, said the vulnerability had already been used for attacks. But later this week, Microsoft announced a fix.

Alexa Has Gone Back To The Drawing Board. There’s good news for those who rely on Web analytics to negotiate website advertising deals. Alexa Internet Inc. has completely revamped its daily updated Web traffic analytics services for $9.99 a month. The company, which is owned by Amazon.com, is targeting digital marketers and content publishers for their new service.

AdRoll Raises $70 Million as Retargeting Space Heats Up. Those ads for new shoes or a new car or for your favorite store may be following you. They’re known as retargeting ads and you may be seeing a lot more of them on your computer and now your smartphone. The company behind a lot of those ads, AdRoll, recently announced $70 million more in funding led by its primary shareholder, Foundation Capital.

Google Is Growing at Double Digits But Wall Street Still Isn’t Happy. Google is growing at double digit rates, and if that were your company, you’d likely be thrilled. Apparently, Wall Street investors are not. Such is the fickle favor of Wall Street. The search giant’s first quarter earnings report shows an overall increase in revenue. But investors weren’t impressed.

Economy

60 Percent of Small Business Owners Report Revenue Increase. For the majority of small businesses, increased revenue is outpacing increases in taxes. That’s the consensus from a new survey by online payroll provider SurePayroll. SurePayroll recently unveiled its April 2014 Small Business Scorecard covering the previous tax year. The survey showed that 60 percent of small business owners saw revenues increase during the previous year.

One Third of Microbusiness Owners Rely on Second Jobs. If you own a microbusiness, defined as a business employing five or fewer people, you occupy a very important part of the economy. Yet chances are, at least early on, you aren’t able to make a full time living at it. If not, you’re not alone. Nearly one third (33 percent), of microbusiness owners depend upon another job as their main source of income, a recent Gallup Survey says.

Entrepreneurship

Moving Mountains Design: Staging Luxury Homes for Sale. This week we shine the spotlight on Moving Mountains Design. Those needing to sell a big luxury home in the Los Angeles area call on owner Michelle Minch. She and her team swoop in and choose just the right paintings, rugs, sofas and even duvet covers to make a property fetch top dollar. Minch says she has 6 part-time employees in all and has been in business eight years.

Entrepreneur Creates Ghoulish Treats Like Marshmallow Brains and More. When launching a business, it’s important to offer a product or service that stands apart. That’s certainly what baker Annabel de Vetten has done with her bakery, the Conjurer’s Kitchen. Instead of basic cakes and other desserts, de Vetten creates ghoulish treats and unusual custom edible creations ranging from chocolate skulls to graveyard cakes.

What One Old Uniform Company Knows…That You Don’t. Jim Wasserson thinks about uniforms all day long. More than 100,000 of them. As CEO and President of Clean Rental, Wasserson, whose grandfather founded the company in 1918, is a born-and-bred expert on what makes uniforms unique, memorable, functional, clean and comfortable.

Talk About Bad Company: The True Cost of a Bad Hire. Hiring the wrong person for a position is an expensive mistake for a company to make. In a recent Career Builder survey 42% of companies reported that a bad hire cost them at least $25,000 in the past year, and 25% reported a loss of at least $50,000.

Social Media

Pinterest May Be The Perfect Answer For Marketing Your Apparel Business. Social media is probably the best thing that has happened to businesses of all shapes and sizes. The viral nature of social media, along with the possibility of community and relationship building is an awesome deal that no business can afford to ignore. E-commerce stores that specialize in apparel are no exception.

Transforming Twitter With More Images Means More Social. You’ve most likely heard the old adage, “A picture is worth a thousand words,” and it appears that Twitter would agree. It is now possible to tag multiple photos in a single tweet. Twitter 6.3, the upgraded version of Twitter, brings multiple features which are expected to make use of the site more engaging.

Google Plus Users With More Than 1,000 Followers Can Now Use +Post Ads. At the end of last year, Google started testing the concept of +Post ads. The ads enable those with an account to turn any of their Google Plus content into an interactive ad, and have it run across the Google Display Ad network. Now Google has moved +Post ads out of their limited testing phase.

Tools & Apps

Skype Introduces Free Group Video Calls for Up To 10 People. Your next video conference on Skype may now be free. Skype announced this week that its Skype group video calls service is now free for up to 10 participants on some platforms. Prior to this, group video calls on Skype had been available only if one participant had a premium membership ranging from $4.99 a month to $8.99 for a single day pass.

FedEx Office Launches New Printing App for iPhone and Android. FedEx Office has announced a new mobile print app for both iPhone and Android devices. The FedEx Mobile Office App allows customers to manage printing jobs from anywhere. Documents that are saved on your mobile device, in emails, or in several cloud storage apps can be sent to a FedEx Office store to be printed.

People Who Want to Visit Your Business Can Tell Their Friends Via Superb. The problem with consumers constantly being glued to their smartphone screens is that sometimes they forget there is a real world around them. A new iPhone app called Superb aims to show them what is in their area. That could mean bringing your local business to their attention and allowing them to tell their friends about it too.

Podio Redesign Makes Project Management Simpler for Non-Project Managers. Podio is a tool that allows teams to create their own collaboration apps without knowing code or bringing in an IT department to help. So, for example, if you need an app to track your team as they complete a major marketing or other project, Podio can do that, the tool’s creators say.




This Was the First Video on YouTube


Recently, YouTube marked its ninth anniversary. Since the site launched in 2005, small business owners and entrepreneurs around the world have used it to market their products and build their online networks. Some have even built their entire businesses around the platform.

But most of the videos on YouTube don’t have as many views as the very first YouTube video. Entitled “Me at the Zoo,” the video shows YouTube Co-Founder Jawed Karim on a visit to the San Diego Zoo. You can view the video in its entirety below:

Though only 19 seconds long and not exactly groundbreaking in the content department, the video has racked up more than 14 million views over the years.

This look back at YouTube’s first video serves as a reminder that there are so many different factors that can contribute to your video’s success. Of course, great content is key. But the timing of your video can be just as important. In this case, being the first-ever YouTube video made all the difference in the success of “Me at the Zoo.”

Over the last 9 years, there have been countless videos that have gained reach beyond anyone’s expectations. Who would have thought that a video called “Charlie bit my finger” would gain worldwide fame? And who could have predicted that “Gangnam Style,” a music video from a relatively unknown artist, would become the most viewed online video of all time?

The key, as with Karim’s video, is to create the right kind of content at the right time. Then let your customers and community do the rest.



Girish Mathrubootham of Freshdesk: CEOs Doing Time on the Support Desk

As small business owners build their businesses up, add new people and take on more responsibilities, it’s easy to become disconnected from the very folks spurring that growth - their customers. But customer needs and expectations change over time, just like small businesses do, which makes it critically important for the CEO of a growing company to find ways to stay in tune with the voice of the customer.

Girish Mathrubootham, CEO and founder of online customer support platform Freshdesk, came up with the idea of having CEOs dedicate some of their time playing the role of a customer support agent in order to help them stay within ear shot of what’s on the mind of their customers. He discusses what he calls CEO on Support, and the impact it can have on customer relationships.

* * * * *

Small Business Trends: Before we jump in, can you give everybody a little bit of your personal background?

Girish Mathrubootham: Prior to starting Freshdesk, I worked for close to ten years as VP of Product Management at Zoho (another software-as-a-service company). In 2001, I joined them as a presales engineer and customer support person. Over the years, my career was built from being a customer support person to being a product marketer and then a product manager, and also having run customer support teams.

Small Business Trends: Talk a bit about Freshdesk and the role you play in helping your customer provide better support to their customers.

Girish Mathrubootham: Freshdesk is an online customer support software. We all know customer support software or helpdesk has been around for 20 or 30 years.

What we do differently at Freshdesk is integrate a lot of channels. We start with traditional channels. We also interlink social channels. If you have a mobile app, your users can even contact you via mobile app.

We integrate all these channels and bring those customer conversations to you, to be able to “respond” to your customers across these channels.

Small Business Trends: You have this really interesting new initiative you started called “CEO on Support” where the idea is for top executives to spend some time in the shoes of a support agent to really understand what’s going on. Talk to me a bit about why you started CEO on Support.

Girish Mathrubootham: I think when a CEO talks to customers, you get a sense of reality. When you’re able to match what you’re building with what customers really want, that’s when you start to have a successful business. When you talk to customers, you get insights into things you should be doing - they help validate whether you’re doing the right things or dreaming while your customers are actually suffering for lack of some basic software.

So I think every CEO needs to spend time on customer support just to have that reality check.

Small Business Trends: Share something that may have been a surprise that you learned as you went through this exercise yourself.

Girish Mathrubootham: In 2004, I was building a helpdesk for internal IT departments; we built a nice product, then we were sending it off for trials. We had an early version and found no customer was able to successfully trial it. People were looking for an easy way to get existing users or employees into the system, and we didn’t build an import to let them quickly do that. In those days, we didn’t know that was going to be a critical killer feature, so we invented everything, but didn’t make it easy for a customer to test it out.

So that was a lesson I learned when I first talked to customers.

Small Business Trends: You have put the challenge out to other CEOs to try this. Maybe you could talk a little about some of those CEOs.

Girish Mathrubootham: A few months ago, a lot of our customers seemed to be talking about simple small issues with email ticketing. I was able to focus on doing this, making it better, before taking on the big stuff.

This was what we were discussing last month with our marketing team when we saw this could be something most CEOs would relate to. For example, we’ve seen interest from the CEO of Buffer, a vocal proponent of CEOs being on support. Then we have the CEO of LaunchBit who’s expressed interest. And I think as we go on, we’re going to see more CEOs sharing their support stories.

Small Business Trends: What do you think CEOs should take away after going through this exercise?

Girish Mathrubootham: I think the broader takeaway for CEOs is customer support has fundamentally changed. It’s no longer about one-to-one colonization between the customer and the company. CEOs have to realize what we call customer support is the new marketing. Basically, it’s impacting a brand, so you better take care of your customers.

Small Business Trends: Do you expect CEOs that try this out this first time to start to look at this as something they should do on a regular basis?

Girish Mathrubootham: I definitely think that is going to happen, because this is valuable. I don’t expect every CEO to do it, of course, but I think a lot will find value.

Small Business Trends: I see there’s a hashtag, #CEOonSupport, but you also have a site. Is this where people will be able to hear the stories the CEOs are telling about their experiences?

Girish Mathrubootham: Yes. We created the hashtag because we’re trying to collect all the stories and put them together. We will have links to these interesting stories on CEOonSupport.com.

This interview on CEO on support is part of the One on One interview series with thought-provoking entrepreneurs, authors and experts in business today. This transcript has been edited for publication. To hear audio of the full interview, click on the player above. 



Apple's iOS encryption claims 'are false'

The strength of Apple's email encryption is called into question by independent security research firm NESO Labs.

The strength of Apple's email encryption - a major selling point for the company - has been called into question by independent security research firm NESO Labs.

NESO CEO Andreas Kurtz, based in Germany, has revealed in a 23 April blog that, contrary to Apple's claims, email attachments sent from the latest Apple devices running iOS 7 such as the iPhone 4, iPhone 5 and iPad 2 are not encrypted. NESO found the problem affecting POP, IMAP and ActiveSync email accounts.

Kurtz said in his blog: “Clearly this is contrary to Apple's claims that data protection ‘provides an additional layer of protection for email messages attachments’.”

He discovered the bug when he used some “well-known techniques” - DFU mode, custom ramdisk and SSH over usbmux - to access test emails in an IMAP account and found all their attachments accessible without any encryption or restriction.

Kurtz notified Apple of the issue - then went public on it when they failed to commit to fix it quickly.

He told SCMagazineUK.com via email: “My repeated queries were responded to with default replies only, stating either that they were aware of that issue or that they were still investigating this issue, up to today. As iOS 7.1.1 was released without fixing this bug, I decided to disclose details on it.”

Kurtz explained the significance of the flaw, telling SC: “The most serious point is that customers' trust in iOS data protection mechanisms is shattered by this email attachment issue and it might be a warning to not solely rely on iOS security mechanisms but to also apply additional defensive mechanisms to protect corporate data (such as a second layer of encryption/authentication), at least for in-house-developed apps.”

He explained: “Many enterprises share sensitive corporate data on their iOS devices, fundamentally relying on the data protection mechanisms provided by Apple. This is also why many enterprises deliver very restrictive MDM-enforced passcode policies to their devices, as the level of data protection highly depends on the passcode complexity.

“However, as iOS's data protection is an opt-in process, corporate data might still be at risk, when it is not applied correctly. And the current case demonstrates that even official iOS apps fail to apply it correctly.”

Kurtz warned: “The real implications of that email attachment issue are mainly confined to older iOS devices such as the iPhone 4, as files on these devices can be easily read out if a device is lost or stolen (due to a vulnerability in the bootrom of these devices). This means that in cases where no data protection is available (as this is the current state with email attachments in iOS 7), that data can be accessed without any restriction, no matter how long and complex the passcode is.”

UK security expert Sarb Sembhi, consultancy services director at research firm Incoming Thought, advised UK companies who are running iOS 7: “If they are using MDM technologies, the chances are those technologies have already taken this into account. In which case anything that's stored on the corporate side is most likely going to be stored securely.

“If they are not using MDM technologies the chances are there's not much they can do about it apart from, do not sync with anything else, because whatever you thought was secure is no longer secure.”

Sembhi said that Apple has made security one of its key selling points and this issue will affect its reputation - though not significantly.

He told SCMagazineUK.com: “Lots of people do use Apple products thinking they're secure. Apple have invested some time and resources in trying to build security, but something seems to have gone wrong in its marketing, stating functionality which doesn't match up to the reality. Some people may feel aggrieved about this but I don't think it's going to impact Apple in a big way.”

He explained: “Most email systems generally are not secure. If you really need email to be secure then encrypt it, and if you have encrypted it at the client end before you send it, then you should be secure if the encryption was implemented according to the standards.”

Kurtz advised: “As a workaround, concerned users may disable mail synchronisation (at least on devices where the bootrom is exploitable).”

Apple failed to respond to a request for comment on this issue at the time of writing.

NESO Security Labs is an independent information security consulting and research company based in Heilbronn in Germany. It has previously discovered several Apple security flaws including an iOS memory corruption vulnerability when importing Word documents (CVE-2011-3260) and the Apple iPhone OS and Mac OS X stack buffer overflow problem CVE-2010-0036.



ICYMI: AOL data breach, fighting cybercrime, Target CISO and Windows XP

In a roller coaster week which saw AOL report a data breach, Target appoint a CISO and all the madness around Infosecurity Europe, SC looks at all the major stories in our latest In Case You Missed It column.

AOL: Hackers stole data

It's been a horrible couple of weeks for AOL. One week after the integrity of their servers was questioned, the internet provider started sending out warnings to users advising them that their personal information had been stolen by hackers.

On Monday, the net giant said that the same hackers responsible for the deluge of spam last week had gained access to its servers and stolen information, including email addresses, contact lists and home mailing addresses. Encrypted passwords and security question-answer passwords - a back-up authentication method - had also been swiped.

AOL (via The Register) says that the breach affected around two percent of AOL's customer email accounts.

The news is the latest sign that - as various vendors promoted during the Infosecurity show - ‘it's not if but when' as far as data breaches are concerned.

And yet the lack of government action - coupled with the paltry fines for data breaches - makes it a worrying time.

In fact, a freedom of information (FOI) request submitted by ViaSat this week showed that while the number of data breaches reported to the Information Commissioner's Office (ICO) had increased in the last year, the penalties issued by the data protection watchdog had more than halved.

Some will say that this is all the more reason for the EU Data Protection Regulation to come into effect, although the ICO deputy commissioner David Smith predicted that it may not come into effect until 2017.

Fortunately - for American citizens at least - the US is trying to forge ahead in this area. The BBC reports that a White House Panel has called on Congress to bring in a US national standard for notifying consumers when their data has been hacked.

There are several data breach state laws at present, but no overall Federal law, which the panel would look to rectify.

Law enforcement wants to collaborate on cyber-crime

The message is coming loud and clear from police and law enforcement agencies - prosecuting cyber-criminals is tough, especially when they so often carry out their work across numerous countries and jurisdictions.

French and British government agencies have previously complained about this, and Troels Oerting - head of EC3 - followed suit at Infosecurity Europe.

“The problem is that criminal groups are using the same tools [as the investigators]. You can't see the attack, don't know the motive...you need to do some homework.”

He added: “Not even NSA can infiltrate the darknet; cyber-criminals are utilising Bitcoin and the darknet, it makes it even more difficult for us to follow the money.”

The FBI's Michael J Driscoll and the National Cyber Crime Unit's deputy head Lee Miles also mulled cyber-crime collaboration at the event, according to CBR.

"In 18 years, I've never seen a threat that requires greater involvement by the public than cyber issues,” said Driscoll.

"I can't get out and conduct cyber investigations until you open the door for us. Folks out there in the information security world are the frontline in helping us identify the threat and eliminate it. We are at the whims of internet service providers to open the door for us."

Miles added that international help is "essential" when dealing with cybercrime, saying: "We cannot do this without international assistance....often we don't stand a hope of prosecuting".

Should Target's first CISO report to the CIO?

US retailer Target this week appointed a chief information security officer (CISO) for the first time.

Bob DeRodes was former senior information technology adviser for the US Department of Homeland Security, Secretary of Defense, and the Justice Department, and will take up his new position on May 5.

Beth James, Target's outgoing CIO, resigned after the data breach late last year, which affected some 70 million customers (including 12 million with credit cards, according to the company's own figures), and some were surprised that a) she took the blame and b) that Target didn't have a CISO.

Target looks to have rectified this now although some will continue to debate the CISO's role, and specifically where he/she should report.

Some commentators told SCMagazineUK.com recently that an overall CISO should control information security, while SANS fellow Dr Eric Cole - former CSO at Lockheed Martin and CTO at McAfee - sat down with SC in London this week to stress that the CISO should sit on a par with the CIO.

Windows XP saved again

This week was a significant landmark in the timeline of Microsoft's Windows XP, which went end-of-life on April 8.

The Redmond software giant revealed that a remote code execution vulnerability affects Internet Explorer versions 6 to 11 running on all versions of Windows from Vista to 8 and Windows Server 2003 to 2012 R2.

The flaw allows hackers to access memory data on a user's computer - or even install and delete programmes if they have administrative rights - and was set to remain unpatched on Windows XP.

Microsoft has now rolled out a patch for current systems and - crucially - fixed the zero-day for XP too. The zero-day on XP was apparently being exploited by Chinese cyber-criminals targeting EU-based organisations, showing that hackers may well have been saving up exploits for a 'wild west' assault on the 12-year-old OS.






XP U-turn on zero-day attack

Microsoft's decision to provide additional patching could come back to "haunt" company, experts warn.

Microsoft has performed a major U-turn and decided to fix a zero-day flaw in its XP operating system that is now being actively exploited by suspected Chinese cyber-criminals targeting EU-based organisations.

The emergency fix will help the estimated hundreds of millions of users still running XP, which Microsoft officially stopped supporting last month - but experts have warned the move may come back to ‘haunt’ the company.

Microsoft acted after security firm FireEye said that the remote code execution flaw it first revealed on April 26 to be targeting users of Internet Explorer versions 9, 10 and 11 running Windows 7 and 8, is now also being used against IE 8 users running XP.

FireEye threat research director, Darien Kindlund, gave more details in an interview with SCMagazineUK.com. He said that the exploit - which allows hackers to gain access and user rights to victims' computers - is being used by an APT attack group called Clandestine Fox, which FireEye suspects is Chinese, and another crime group from the same region to whom Clandestine Fox gave the exploit.

Kindlund said FireEye has seen the spear phishing-based attack being used against 10 or 11 organisations in the defence, financial, government and energy sectors - most of them multinationals with their headquarters within the EU. He said it's likely there will be other victims.

It was this escalation of the attack that tipped Microsoft into rushing out a fix for XP as well as its newer operating systems in a highly unusual “out-of-band” release, ignoring its usual Patch Tuesday cycle of fixes.

Announcing the patch in a 1 May blog post, Microsoft group manager Dustin Childs said: “We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. While we've seen only a limited number of targeted attacks, customers are advised to install this update promptly.”

But while welcome to XP users, experts warn the decision could backfire on Microsoft.

Brian Honan, head of Dublin-based independent consulting firm BH Consulting, told SCMagazineUK.com via email: “While some may think it is laudable for Microsoft to provide this patch for Internet Explorer on Windows XP, it may be a decision that could come back to haunt them later.

“This move by Microsoft to provide an ‘exception patch’ sends a confused message to those still on Windows XP. Their expectations may now be set to expect Microsoft to continue to provide exemption patches for future issues. This could delay the migration of many computers away from XP to more secure alternatives.”

Christopher Boyd, malware intelligence analyst at security firm Malwarebytes, agreed. He told SCMagazineUK.com: “On the one hand, Microsoft releasing a ‘special’ patch to fix the recent Internet Explorer exploit for users of Windows XP is a sensible move. There's no point putting all those users at risk when the operating system has only recently been killed off.

“However, we may be training XP users to stick with their systems in the hope that Microsoft may release similar patches in future and ultimately we all want those people to move to a more secure OS. They can't prop it up forever, at some point you will see the company draw a line in the sand.”

FireEye's Kindlund said: “It's a very difficult situation from the perspective of Microsoft. Obviously they want to motivate their users to migrate away from this out-of-date ancient platform but at the same time they don't want to leave all the current users of this OS to be completely vulnerable.”

Kindlund told SC that Microsoft decided to issue the patch after FireEye found the exploit was being crafted to be used against Windows XP running IE 8, “which was kind of disturbing”.

“We had in-the-wild proof that the exploit was getting worse. We relayed that over to Microsoft to emphasise that this is going to get worse, there needs to be a patch rolled out sooner rather than later. And literally the day before Microsoft released their patch we then started to see this particular threat group actually hand over the exploit to at least one other threat group.

“That was yet another reason why Microsoft decided to roll out the patch to support all these other out-of-date platforms.”

Kindlund said the threat groups were suspected to be from the same world region, sharing tools but with different delivery methods. Asked if they are from China, he said “We do not have conclusive evidence” but “that's our current suspicion.”

He said at least one US-based firm had been targeted; the others were multinationals with headquarters based in the EU. There were four clusters of spear phishing attacks, with 10-11 victim firms observed.

He added: “Our visibility of this threat is not conclusive, there are likely other victims that have not come forward.”



Outsourcing Your Networking: Pros and Cons

One of the most important decisions a business owner will make revolves around the handling of the company’s tech network. The fact is, most businesses today are driven by technology, and when you have tech problems they invariably cause real-life and real business problems.

Think I am wrong? What do you do when your email is down for hours because your network failed? What do you do when customer service can’t update a customer on the status of that important delivery? What do you do when you pick up the VoIP office phone and hear no dial tone?

If you answered “fix it myself,” congratulations! You are more knowledgeable than most.

But the majority of us will have to call somebody to figure out what is wrong, and this call has a price tag on it, whether this call goes to a staff employee or a third party that supports our network.

What is really best for YOU? Should you have an internal employee in charge of your network? Should you hire a consultant or other business that sets up and maintains networks? Should you outsource the handling of the network to your Internet services company?

Pros and Cons of Outsourcing Your IT Network

When outsourcing, you reduce or eliminate the costs and other issues associated with hiring an employee. It is highly unlikely that you would find a single employee who knows everything there is to know in the world of tech. It is much more likely that your employee will be a generally knowledgeable person who will have a lot to learn on the job.

Outsourcing lets you focus on what your company does best, i.e., whatever business you are in. Keeping up with the technology required to run your business is expensive and time consuming. By outsourcing your IT networking, you can spend your limited time and money on items that are directly related to satisfying your customers, rather than on the underlying infrastructure. As important as your network is, remember, it’s still not your core business.

Your return on investment is so much greater when you outsource information technology to a firm that specializes in technology. Instead of just the knowledge of one person, you benefit from the experience of a team of IT professionals with wide expertise. Many IT companies require their IT staff to have proper industry training and certifications, a real benefit over using an employee who is likely to be a generalist with little training in specialty areas. And the cost of ongoing education is not your burden.

Professional providers work with multiple clients and need to keep up on industry best practices, so they usually have a better idea of what works or even better access to the knowledge they need because of technology partnerships. Technology is becoming more and more complex, and it is unrealistic to expect a generalist employee to perform in areas where specialized knowledge may be necessary.

IT professionals get benefits from the major vendors they work with, including access to expedited support from other tech companies, better pricing and access to account reps whose jobs are to make their operations run smoothly. In other words, you often gain cost efficiencies and shorter service turnaround times when you outsource to larger entities. Plus, you may have a single bill and possibly even a single support number when you outsource to your Internet services provider, making your management oversight easier and faster.

So What Do You Have To Worry About?

It’s important to have a good fit with any outsourced provider. There are several things you should consider on the other side of the coin:

1.) First, are you outsourcing the entire network or bringing on a consultant who will assist you with your in-house network?

Outsourcing your entire network can be the easiest route, involving fewer decisions and much less daily management from internal employees.

If outsourcing to an IT consultant to help you with your internal network, be sure they understand your needs. Provide them a list of your software and systems needs, and match these to their credentials or abilities.

2.) What kinds of clients do they represent? Make sure they have clients of a similar size to your company, with similar tech needs and in similar industries. You want speed and performance.

3.) What technology capabilities and advantages can outsourced providers offer to you, and how easy do they make it for you to deploy those? Are upgrades and new services relatively easy to install? If you are growing fast, you may not want to wait weeks or months.

4.) How reliable are their network services? It’s always best to avoid outages in the first place. And how responsive are they if you need support? That consultant from your church or neighborhood may be a great guy, but if he’s a one-man shop, can he get your network back up and running quickly or will you be down for days? The more your needs grow and develop in complexity, the larger an outsourced IT company you need to rely on.

5.) Can you deal with a loss of some control? These are not employees, after all, so trust is a major part of this relationship. And there is the matter of confidentiality and security: get an agreement in place that spells out who is responsible for what if a data breach occurs, and understand the outsourced company’s security policies and safeguards.

Why To Say Yes To Outsourcing Your Network

In the long run it is highly unlikely that one person can keep up with all of the changes in tech today.

As your company grows, so will the demands in complexity for your network. The IT professional lives and breathes in this world. A team of IT specialists will undoubtedly have their own unique tech love and really understand it well and be able to stay on top of changes.

So using this knowledge and experience to your advantage will allow you to implement the soundest plans for your IT networking needs, and free your limited internal team to focus on your company’s growth. Just pick the right fit for whatever your needs are.




Raising the barrier to entry for hackers

Make hacking more time consuming, difficult and uneconomic if you want to deter intruders, says Kevin Kennedy of Juniper Networks.

Following his keynote speech “The idiot's guide to destroying a Global 500 company for £500” at Infosecurity Europe 2014, Kevin Kennedy, senior director of Juniper Networks' counter security business unit, explained to SCMagazineUK.com how companies need to raise the barriers to entry for attackers.

“You can now go on the web and with no technical background, you can buy the malware you need, get toolkits to the spec you request, and view the instructional videos to learn what to do, so that for an outlay of less than £600 you can start stealing information. With a little bit of social research on Facebook you can tailor your phishing attacks and get your malware inside the target company.”

Kennedy suggests that the approach of simply building higher walls no longer works, and that the way to tackle the issue of attacks being low-cost and low-risk is to increase the time, effort and skill level that an attacker would need to make a successful intrusion.

“Relatively few of the attackers actually have the higher sophisticated skill sets - most are either entry or mid-level, so we can design our networks to increase the difficulty of successfully exfiltrating useful information,” he said.

Many of the approaches are well known, but still need to be implemented more widely. For example, any new computer logging into a network could trigger an SMS to the account owner requesting authorisation, with a validation code required before access is granted, so that a stolen password on its own is not enough. This also drives down the value of stolen credentials, if there is a good chance they are going to be useless to attackers. The same thinking extends to mobile devices, where all corporate applications should encrypt their content so that if the device is stolen, the hacker gets nothing.
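The new-device check described above, as an added example that is not Juniper's code or anything presented at the talk: a small Python login flow in which a correct password from a device the server has never seen earns only a one-time code sent out of band, and the device is enrolled once that code is verified. The user, password, device identifiers and the five-minute code lifetime are assumptions made for the demo; the `sent_sms` list stands in for the SMS gateway.

```python
"""Step-up authentication for an unrecognised device.

Added example (not Juniper's or SCMagazine's code). A correct password from
an unknown device does not open a session: the server issues a single-use
code out of band and enrols the device only after the code is verified, so a
stolen password alone stops at the challenge.
"""
import hashlib
import hmac
import os
import secrets

CODE_TTL_SECONDS = 300   # assumption for the demo: a code is valid for five minutes
PBKDF2_ROUNDS = 100_000  # assumption: work factor for password hashing


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class StepUpAuth:
    """Password check plus an out-of-band code the first time a device is seen."""

    def __init__(self):
        self._users = {}          # user -> (salt, password hash)
        self._known_devices = {}  # user -> set of enrolled device ids
        self._pending = {}        # (user, device id) -> (code, expiry timestamp)
        self.sent_sms = []        # stand-in for the SMS gateway: (user, code)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))
        self._known_devices[user] = set()

    def _password_ok(self, user, password):
        record = self._users.get(user)
        if record is None:
            _hash_password(password, b"\0" * 16)  # same cost for unknown users
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def login(self, user, password, device_id, now):
        """Returns 'denied', 'granted', or 'challenge' (code sent, no session yet)."""
        if not self._password_ok(user, password):
            return "denied"
        if device_id in self._known_devices[user]:
            return "granted"
        # Correct password from a device we have never seen: a stolen credential
        # on its own stops here. Send a fresh single-use code out of band.
        code = "{:06d}".format(secrets.randbelow(10 ** 6))
        self._pending[(user, device_id)] = (code, now + CODE_TTL_SECONDS)
        self.sent_sms.append((user, code))
        return "challenge"

    def verify_code(self, user, device_id, code, now):
        """Consumes the pending code; enrols the device only on an exact, unexpired match."""
        pending = self._pending.pop((user, device_id), None)  # single use, right or wrong
        if pending is None:
            return False
        expected, expiry = pending
        if now > expiry or not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self._known_devices[user].add(device_id)
        return True
```

Two design points worth keeping: the pending code is consumed on the first attempt, right or wrong, so a guess costs the attacker a fresh login and a fresh SMS to the real owner, who then knows something is up; and unknown users still pay the hashing cost, so account enumeration by timing is harder. Keying on a client-asserted device identifier is the weak spot of this sketch: in practice the identifier should be a signed, per-device token issued at enrolment rather than anything the client can simply claim.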

“Don't sit and wait for an attack,” says Kennedy, “Prepare for it as you would in the physical world. Use deception and counter intelligence techniques to get the attackers to identify themselves.”

These techniques, already widely used in the military and intelligence communities, would include the creation of tar pits and fake attack surfaces.

So a seemingly interesting file may be one that no legitimate user would have any reason to touch, but it would attract an attacker, thus identifying them. You can then decide how you want to respond. They can be led down complex false trails, tying them up and consuming more and more time for no gain. They can even be fed false information which, if they sold it, would prove useless, damaging their reputation in the criminal fraternity. By watching those who respond to honeypots, Kennedy suggests, their infrastructure can be identified and monitored.

Potentially this intelligence could be used to go after the attackers' command-and-control infrastructure, but Juniper does not promote ‘hacking back’ because of the potential negative consequences: the attack may have been launched through a botnet of compromised machines belonging to innocent parties, such as a hospital, where the consequences of bringing down services could be catastrophic.

One of the big problems in tackling attackers and holding them accountable is the cross-border issue: laws differ between jurisdictions, and authorities vary in their willingness to act when the laws being broken are another country's, so whose jurisdiction is it? Kennedy sees this as another reason to hit the attacker financially and make the attacks less worthwhile economically.

The way to do this, says Kennedy, is to ‘productise’ honeypots, so they are built into web apps from the outset. He points to the precedent of spam, which was curbed where the server infrastructure behind it was brought down and where a global brand such as Visa joined the effort to make it difficult to process illegal payments.
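The decoy file that no legitimate user touches and the honeypot ‘productised’ into the web app are the same mechanism; here is one, as an added Python example that is not Juniper's product or anything shown at the talk. Decoy paths that nothing on the site links to, and an API key planted where only someone reading leaked source or files would find it, flag the client that uses them; from then on that client is served plausible fiction with a tar-pit delay instead of the real application. The paths, the key, the fake dump and the sample requests are all constructed for the demo.

```python
"""Honeytokens built into a web application from the outset.

Added example (not Juniper's code). Decoy paths and a planted API key sit
beside the real routes. No user following the site's own links ever reaches
them, so a client that does is flagged and thereafter fed fictional content
with a tar-pit delay instead of the real application.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    src_ip: str
    path: str
    headers: dict = field(default_factory=dict)


# Decoys that no page on the site links to and no legitimate client needs (constructed).
DECOY_PATHS = {"/backup/db.sql", "/.git/config", "/internal/exports/"}
# Planted in an HTML comment on the login page; it is not a real key anywhere (constructed).
DECOY_API_KEY = "hk_live_7f3e2a9c0b1d"
# Fictional content served to flagged clients instead of the real application.
FAKE_DUMP = ("-- customers (fiction)\n"
             "INSERT INTO customers VALUES ('Jane Doe', '4111111111111111');\n")
TARPIT_DELAY = 5.0   # seconds a front end would hold each response to a flagged client


class DeceptiveApp:
    def __init__(self, real_routes):
        self._routes = real_routes     # path -> callable(Request) -> body
        self._flagged = {}             # src_ip -> list of reasons

    def _flag(self, ip, reason):
        self._flagged.setdefault(ip, []).append(reason)

    def is_flagged(self, ip):
        return ip in self._flagged

    def reasons(self, ip):
        return list(self._flagged.get(ip, []))

    def handle(self, req):
        """Returns (status, body, delay_seconds) for one request."""
        presented = req.headers.get("Authorization", "").encode("utf-8")
        planted = ("Bearer " + DECOY_API_KEY).encode("utf-8")
        if hmac.compare_digest(presented, planted):
            self._flag(req.src_ip, "presented planted API key")
        if req.path in DECOY_PATHS:
            self._flag(req.src_ip, "requested decoy " + req.path)
        if self.is_flagged(req.src_ip):
            # Once flagged, the client never reaches a real handler again:
            # decoys return the fake dump, everything else a bland holding page.
            body = FAKE_DUMP if req.path in DECOY_PATHS else "<html>site under maintenance</html>"
            return 200, body, TARPIT_DELAY
        handler = self._routes.get(req.path)
        if handler is None:
            return 404, "not found", 0.0
        return 200, handler(req), 0.0
```

The delay is returned rather than slept so the logic stays testable; a front end would hold the response for that long. Flagging by source IP is the simplest key but will trip on a NAT shared by real users and one attacker, so a production version would flag the session or cookie first and fall back to IP. Decoy content must never contain real customer data, and the planted key must never be accepted as genuine anywhere.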

Digital currencies can facilitate illegality: Liberty Reserve contributed to it because its transactions had no transparency, and other currencies such as Bitcoin could potentially serve the same purpose. Here Kennedy called for regulation, compliance, transparency and enforcement to avoid abuse and illegality. But again, different countries have different ideas; Norway and Sweden, for example, do not regulate the use of digital currencies.

“What we need is a BitCoin with compliance, oversight and control to deter criminal behaviour,” says Kennedy, adding that while technology can contribute, the industry also needs to promote such regulation.

Kennedy also suggested that one of the biggest difficulties was defining ‘What is a crime?’ When does free-speech criticism become a DDoS attack, and if possession of malware became a crime, how would legitimate pen testing, or research, happen?

He adds that the lack of international norms does mean that what is legitimate in one jurisdiction is illegal in another - just like in the physical world.  But unlike in the physical world, the criminal can stay at home, use assets in a second country to steal from a third and put the proceeds in a fourth - and when the asset is information, it is copied rather than taken, so the victim may not even know they have suffered the loss - until they reap the consequences.



New App, Lumiary, Helps You Sell Smarter and Market Better with Visual eCommerce Analytics

There are many ecommerce platforms that help small businesses sell their products: Etsy, eBay, Amazon, Shopify, Big Commerce and Magento all offer robust tools to help you sell online.

A new service, Lumiary, provides visual analytics to help you sell smarter through third-party ecommerce platforms.

Lumiary is a marketing platform and seller community that helps growing online brands quickly identify which marketing efforts are driving traffic to their website and ultimately driving sales. Most small businesses can’t afford to hire staff with expertise in analyzing web traffic and Facebook insights. Lumiary addresses that problem by acting as a home base, connecting data from a brand’s social networks, store, website and campaigns and translating that information into simple actions that drive sales and create customer loyalty. Lumiary’s community tools help facilitate product and promotional collaboration between brands.

With Lumiary you can also reach out to customers, and know what messages work best and help you sell more.

Selling online is so much more than putting up a simple shopping cart, it’s also about understanding the details of your customers and products. Tools like Lumiary definitely help.

Check out this short video about Lumiary here - https://www.youtube.com/watch?v=4BGfXbqShYo or below:



Android phone makers accused of ignoring security

MWR researchers hack the "best" new Android devices and say: "there will be a lot of issues like this."

Android manufacturers are ignoring security vulnerabilities and brand-new Android devices can still be readily hacked to infiltrate corporate networks, MWR InfoSecurity's Rob Miller told the BSides security conference on Tuesday.

Miller, a respected UK Android security specialist, revealed how MWR had hacked two Android phones - “the best” offered by their respective manufacturers - before the user had installed any potentially vulnerable apps themselves.

The researchers examined whether they could remotely exploit flagship Android smartphones straight out of the box, exploiting weaknesses in the pre-installed apps provided. The answer was: “Yes, if the manufacturer has made significant changes - which almost all have.”

On one device, as soon as the user began browsing online, MWR was able to use a man-in-the-middle (MITM) attack to inject a malicious custom URI, “a single piece of text”, into the vulnerable pre-installed app and hijack its operation to run any code they wanted.

Describing the attack, Miller said: “It will end up with letting us install any app we want to silently on the phone. It ends up that we can install any app we want, with any permission we want, without any user interaction. So it's pretty bad.”

MWR were also able in this case to use the known Android Master Key vulnerability to overwrite any app on the phone, access its sandbox and for example gain access to secure systems like banking apps.
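The Master Key bug Miller refers to was a parser differential: an APK is a ZIP file, a ZIP may carry two entries with the same name, and Android's signature verifier checked one copy while the installer extracted the other. This added Python example (not MWR's code) reproduces the differential in miniature. Python's `zipfile` builds its name lookup from the central directory and so returns the last entry; the deliberately naive reader below, written for the demo, walks local file headers from the start of the file and returns the first. The archive and its two `classes.dex` payloads are constructed in memory, and the last function is the check the fix amounted to: reject any archive with a repeated name.

```python
"""Parser differential behind the Android "Master Key" bug, in miniature.

Added example (not MWR's code). Two readers of the same archive disagree
about what "classes.dex" contains: one keys on the central directory (last
entry wins), the other walks local headers from the start (first entry wins).
A verifier using one and an installer using the other sign and run
different bytes. All data here is constructed for the demo.
"""
import io
import struct
import warnings
import zipfile

LOCAL_HEADER = struct.Struct("<IHHHHHIIIHH")   # 30-byte PKZIP local file header
LOCAL_SIG = 0x04034B50


def build_zip(entries):
    """entries: list of (name, bytes); a name may deliberately appear twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on the duplicate but writes it
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


def read_via_central_directory(data, name):
    """What a central-directory reader (zipfile, and a verifier built on one) sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def read_first_local_header(data, name):
    """Naive sequential reader (assumed 'installer'): first stored entry with that name."""
    pos = 0
    while pos + LOCAL_HEADER.size <= len(data):
        sig, _ver, _flags, method, _t, _d, _crc, csize, _usize, nlen, xlen = \
            LOCAL_HEADER.unpack_from(data, pos)
        if sig != LOCAL_SIG:
            break   # reached the central directory: no more local entries
        start = pos + LOCAL_HEADER.size
        entry_name = data[start:start + nlen].decode("utf-8")
        body_start = start + nlen + xlen
        if entry_name == name:
            if method != zipfile.ZIP_STORED:
                raise ValueError("demo reader handles stored (uncompressed) entries only")
            return data[body_start:body_start + csize]
        pos = body_start + csize
    return None


def duplicate_names(data):
    """The check the fix amounted to: any repeated entry name makes the archive untrustworthy."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return sorted({n for n in names if names.count(n) > 1})
```

Stored entries keep the demo reader short; a deflated entry would need zlib but the differential is the same. The lesson outlasts the bug: whenever a file is verified by one parser and consumed by another, the verifier must either be the same code path or reject every input that could be read two ways.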

On the second device tested, another Android manufacturer's “best phone”, MWR used the known Android JavaScript bridge vulnerability to target a pre-installed application, again via a man in the middle attack.

“What we found was that if you were to ask for certain objects, certain classes, you can get a runtime object and actually execute any code you want and access any function on the phone,” Miller said. “In 30 minutes we had a fully working root exploit for this device.”

Miller said his talk was “slightly Snowdenised, slightly redacted” because MWR have contacted the two manufacturers concerned and they are still in the process of fixing the vulnerabilities exposed.

But he put the blame squarely on the phone manufacturers themselves, rather than the Android operating system.

Miller said “Android has come a long way in the last three years”, with the latest KitKat version 4.4 having strong security features. “Android gets security. It's actually pretty good,” he said.

But he told the conference: “Unfortunately, all these great security features are not being used. The simple issue is right now apparently you cannot sell a phone to the market saying this is the most secure one. You've got to have features. The drive to market is new features, not best security.

“The simple conclusion is you have the manufacturers, the network operators, it's such a rush to get the new features that they are not taking advantage of these new security features or worse they're actually poking holes in the walls.”

Miller warned: “There will be a lot of issues like this; I absolutely guarantee it - because currently these vulnerabilities are kind of being ignored by the manufacturers. If enough of us make enough noise, maybe they'll start doing something about it.”

Miller advised his audience: “With BYOD, you have to plan and know that currently Android can be undermined. For any security currently put on an Android smartphone, the apps that are on that phone can be compromised. Our research shows that for brand-new devices these issues still exist, this issue is not going away any time soon.”

Miller said MWR also examined the significance for corporate users of these flaws, as: “Most people don't carry around their bank details in a text file. If somebody broke into your Twitter account or your Angry Birds game, is it really that bad?”

MWR tested whether the exploits could be used to infiltrate a company with good physical and network security, where employees are allowed to use their personal mobiles in the office.

The researchers set up a scenario where they could use their exploits to compromise an employee's personal phone at a public WiFi spot, then detect when the employee went to the office, and successfully attack other users, phones and devices, even when the company had a safe Guest WiFi network separate to its own.

MWR could use privilege escalation to gain install privileges, and jump from the user's phone on to their desktop.



Prioritize, Optimize, Maximize and…Err


Business jargon is full of “ize” words. I was reading a business book one day and I swear I saw at least a dozen “ize” words on every page. Maybe it’s something in the culture that makes us want to verb so many words, but I think it’s gotten a bit out of hand.

In fact, I think it’s high time we recognize, reorganize, and minimize our supersized need to synthesize and rationalize this italicized and oversized… (See what I mean?)



Third-party security risks follow Target data breach

What should businesses be doing to ensure that contractors and other third-parties are aware of the risks in security? That was one of the key questions during a panel discussion at Infosecurity 2014 in London on Thursday.

Vicki Gavin, head of business continuity and information security of The Economist Group, Paul Haywood, chief technology risk officer of Capital International at GE, and Thom Langford, director of security risk management in Sapient's Global Security Office, discussed effective risk assessment during a keynote panel at Infosecurity Europe, and paid particular attention to educating the C-suite and third parties.

Gavin said that a key in all of these discussions is that security and risk assessment teams learn what the business considers a risk, and then communicate this accordingly to the board.

“If I have to give everyone one risk assessment tip, it would be to learn to speak the language of business. You need to know what business considers as risk,” said Gavin.

If you do this, and speak to senior people, you are more likely to get the funding and resources required, she added, although Langford was keen to point out that this was only possible if risks were translated into ‘plain English’.

Haywood agreed, adding that it's important to prioritise risks and communicate in a ‘way that business understands', with this message needing to revolve around the impact on reputation, customers and revenue streams if a breach does occur.

He further suggested listing the top ten risks against a company, so that both IT staff and senior executives can understand the threats and mitigate against them.

However, the panel concurred that the issue is somewhat muddied regarding third-parties, with many contractors in the supply chain unaware of the risks and more susceptible to losing data.

This is particularly problematic in the cloud, says Langford, with many firms looking to lessen the load on their own resources, and staff, by adopting solutions like Amazon's AWS.

Urging a blended approach, Langford said of the cloud: “You don't even know where the data is half the time, it could be replicated somewhere else.”

“The cloud is a nice fluffy term but it just means someone else's computer...you put in those terms and understand the risks.”

This was particularly true of the Target data breach, affecting some 120 million customers (and 40 million credit cards), where hackers were able to gain access to the retailer's point-of-sale systems after stealing network credentials from Fazio Mechanical Services, a Pennsylvania-based provider of refrigeration and HVAC systems.

Citing this as an example, the panel said that companies need to manage contractors, implement service-level agreements (SLAs), and continually assess their security credibility by doing onsite visits and distributing questionnaires. Checking their incident response should be mandatory as well, Gavin said.

The Economist carries out similar assessments with third-party partners. Gavin said that the publisher will often do ‘joint exercising' on IT security risks to help them understand what's required and “where the gaps are” in defence.

Nonetheless, technology only goes so far, and Gavin believes that having ‘meaningful' discussions with third parties should at least minimise the damage should a data breach occur.

“At the end of the day, no matter how good your controls are, data breaches happen,” she said. “It's about relationship management, getting to speak to them; there's nothing more important than that.”

“Until they become our overlords, I truly believe that people run computers.”



BYOD ‘explosion’ but security caveats exist for CYOD too

The Bring Your Own Device (BYOD) trend is already entrenched in many businesses, but some IT departments are trying to regain control - and security - by opting for Choose Your Own Device (CYOD) instead.

Speaking at this week's Infosecurity Europe exhibition in London, ESET senior research fellow Righard Zwienenberg talked through the advantages and disadvantages of CYOD, and was quick to state that it may not be for everyone.

For in addition to the difficulty of IT departments issuing corporate devices to workers already happy using their iPhones and iPads, he noted that employees may not like the corporate device, while IT workers themselves will be tasked with staying on top of exploits, firmware updates and the latest device features.

What's more, he suggested that employee policies could be difficult to apply.

“You really have to be careful,” said Zwienenberg, further adding that there are decisions to be made on employing MDM (Mobile Device Management) control and enforcing controversial features, like remote wipe.

But he's adamant that - should businesses be able to get their heads around all this, and even smaller security difficulties like fending off the threats associated with USB attachments and interchangeable SD cards, CYOD represents a more secure alternative to BYOD, even if the latter is expected to represent a billion devices globally by 2018.

“Anyone thinking that BYOD is probably for the near future is wrong - we're already there and it's more and more of an obstacle. Sooner or later, it will explode,” he said at the conference.

SCMagazineUK.com caught up with Webroot's security intelligence director Grayson Millbourne shortly after the talk, and he too believes that CYOD is potentially an enabler of mobile devices in the enterprise environment.

“When a corporate provides its own devices, it's much more secure,” he said.

That said, he stressed that companies' ‘employee bill of rights' will ‘go out of the window', with IT reclaiming control potentially having a knock-on effect on privacy and access.

What's more, he - like Zwienenberg -  suggested that it could be difficult for companies to get people to swerve their personal devices for CYOD, citing Webroot's own data which shows that almost 50 percent of BYOD users would stop using their devices for work purposes if data-heavy security applications were bolted on by corporate IT managers.

From the employer's side, Millbourne also suggested that some firms may be unwilling to make the switch away from BYOD when it's driving big financial gains, and instant productivity boosts. As a result, Millbourne believes that companies going down the CYOD route will perhaps embrace it for sensitive IP, something other commentators recommended recently, but said that this in itself was no guarantee that enterprise mobile users won't be targeted.

He cited malicious apps downloaded from third-party app stores, bogus in-app ads, social engineering and spoofed mobile websites (served only to mobile clients at the web server level, so that a company checking from a desktop sees the legitimate desktop version and performs no further checks) as common mobile attacks, and believes that the web, and the user, are the biggest vulnerabilities.

“The WebKit exploits we see on Apple also exist on Android...so the underlying technology, at least on browsers, is very similar.”



Skype Introduces Free Group Video Calls for Up To 10 People


Your next video conference on Skype may now be free. Skype announced this week that its Skype group video calls service is now free for up to 10 participants on some platforms.

Prior to this, group video calls on Skype had been available only if one participant had a premium membership ranging from $4.99 a month to $8.99 for a single day pass. Skype launched the Skype group video calls service for premium members back in January 2011, The Next Web reports.

The company, which is owned by Microsoft, says the new free version is available for Windows and Mac desktop users as well as those who connect via the Xbox One game console so far. But in an official post on Skype’s “Big Blog,” Phillip Snalune, General Manager of Consumer Product Marketing, said the free service will eventually be available on smartphones, tablets and other platforms too.

Snalune explained:

“While Skype is known for one to one video calling, we know it’s also essential to connect with the groups of people who matter most, whether friends, family or colleagues.”

The new free video call service could be seen as an attempt by Skype to compete with services like Google Hangouts. It comes at a time when the market seems flooded with comparable services like Spreecast, and when others like Skype rival Viber are moving increasingly into the video chat space.

Comparing Skype and Google Hangouts, both allow groups of up to 10 people to be in the same video call. But PC World reports that Skype considers groups of between three and five to be optimal. Google Hangouts is available as a mobile app while the service is still pending for Skype.

Both services are relatively easy to use, especially for creating and conducting group video calls. To start a new Skype group video call, one user begins by selecting a contact from their list. From that contact’s Plus (+) menu, selecting “Add People” will open a dialog box with more contacts to choose from. Once all the contacts for a specific call have been chosen, selecting the big green Video Call button will ring all the contacts at once.

The addition of Skype group video calls could be important for international business too. A recent study showed Skype international calls grew by 36 percent in 2013. The increase in volume of Skype calls the same year was 50 percent more than the growth in volume of every other telecommunication system in the world.

The new service clearly puts one more tool for free video conferencing easily in reach for small businesses.
