Blog

June 21st, 2016

2016June21_SocialMedia_AIn today’s modern age, the speed in which your reputation can change almost as fast as the speed of light. For example, your reputation might be stellar one day and completely flop the next - meaning that striking a balance isn’t no walk in the park. In order your business to reach its peak, it’s important to understand how to utilize reputation marketing to establish much-needed consistency. Here are ten tools to help get you on your way:

ConsumerAffairs

Businesses can forge a strong online reputation and boost revenue with an array of advanced features. Namely, unpaid business plans along with third-party accreditation programs coupled with powerful software as a service (SaaS) platforms - offering companies various resources to convert customer engagement into cash.

BazaarVoice

Ideal for companies with deeper budgets, BazaarVoice extends the online marketing potential of customers’ voices to shopping portals, offline channels as well as natural search. Customers are also able to leave reviews, rating, questions and other customer-generated content on client websites which will then be shared on social media.

Better Business Bureau

Suitable for entrepreneurs and SMBs, not only does this non-profit group mediate and resolve customer-business disputes but also helps you to personally interact with customers - other networking services are also available at an affordable price.

Yotpo

The mechanism behind this ecommerce-oriented plug and play solution is that if you have made online purchases via Yotpo, after receiving them you will get an email asking you to review the product(s). This Mail After Purchase (MAP) provides more verified reviews since they are sent directly to the customer.

Cision

Focusing more on public relations, Cision allows your company to connect with over 1.6 million contacts and outlets, including influential journalists, bloggers and social influencers that would normally be inaccessible.

Percolate

Create campaigns, store files, create content and manage your business’s marketing efforts with Percolate. It takes into account all your details, target audience, brand identity and objectives, after which it provides a cross-channel marketing calendar that helps you plan ahead and eases the process of sharing content with consumers on social media, the Internet and other methods.

Reputation Loop

Similar to Yotpo, Reputation Loop primarily works by automatically emailing customers for product reviews but with this tool, additional features such as real-time reporting, review monitoring on Yelp and Google+ are at your brand manager's disposal.

TinyTorch

Utilizing social influencers and user-generated content (UGC) to build your online profile, TinyTorch is a social platform that allows brands to identify, monitor and manage their online presence. The tool helps you locate your most influential customers and redistribute their stories and photos across multiple marketing channels.

HootSuite

This social media management platform allows your business to monitor and sync all social media accounts onto one interface. HootSuite makes it easier to monitor customer feedback on their social media accounts and share positive reviews across multiple social media networks at once.

TrustPilot

TrustPilot is ideal for businesses looking for something simple to work with. Users get to leave business reviews on its website while offering both free and paid brand listings. It’s an easily-navigable site equipped with an assortment of analytic and engagement tools,

Building a credible and consistent brand reputation might not be easy, but it isn’t an impossible task to complete. Whether or not you have one, it’s never too late to start. Please contact us if you have any questions regarding the efficient tools that’ll help you get started on creating your own company’s reputation.

Published with permission from TechAdvisory.org. Source.

Topic Social Media
June 20th, 2016

b

The NBA Finals may now be over but for one team, the losses keep coming. Yahoo! Sports reported that the Milwaukee Bucks fell victim to a spoofed email scam last month. Names, addresses, Social Security numbers, compensation information and dates of birth of the players were unknowingly sent to a hacker and created a massive security issue for the team. And just because your employees don’t make millions of dollars doesn’t mean hackers won't target your company. Here are four ways to protect yourself from spoofed emails.

Education is key There are countless cliches out there promoting the importance of education, but when it comes to cyber security, you might as well embrace them all. In the case of spoofed emails, you need to make sure your employees know what these are and how they can harm your company. They can come in several forms and look to attack your organization in a number of different ways. A good defense starts with trained employees using best security practices when it comes to emails. Knowledge isn’t just the key to success, it’s the building block of a comprehensive email security plan.

Check the sender The easiest way to determine a real email from a spoofed one is to view who is sending it. While your basic junk mail folder will screen the really lazy attempts at spoofing, you and your employees can’t rely on it to weed out everything. A lot of cybercriminals have gotten skilled at mimicking the look and feel of companies through professional looking graphics and signatures. For starters, you are going to want to ignore email display names as these can be deceptive. The domain name provides the best clues as to who the sender really is. For instance, if an email requesting your company’s financial documents claims to be from the IRS but the domain reads IRSgov.com, it’s a spoof email since that domain is not what the IRS uses. If you ever spot an email containing a domain you consider to be suspicious, delete it immediately. If it is from a legitimate sender, they will send you a follow up email in a couple of days.

Embrace DMARC Domain-based Message Authentication, Reporting and Conformance (DMARC) can help reduce the risk of spoofed emails being sent internally. For businesses that do not set this up, it is possible for someone to spoof an email account that looks like it is from your business or a current employee and send it from a different server. As we saw in the case with the Bucks, these can appear legitimate to employees who will then in turn do what is requested such as turn off security settings or handover sensitive data. With DMARC in place you can prevent spoofed emails from utilizing your domains by requiring any email sent by your domain to come from your server. This greatly reduces the risk of an internal spoofed email showing up in the inbox of your employees.

Utilize email protections A lot of companies believe they can get by with the simple protections that come standard with an email client. However, doing the bare minimum is rarely enough to stop spoofed emails, not to mention all of the other threats lurking in your inbox, and high-powered email and spam protection will give your organization the added layer of security it needs. Much like elite-level basketball players need the best coaching and equipment to succeed, the only way to truly reduce the risk of falling victim of a spoofed email is to educate your staff properly and then equip them with email filtering. This ensures they aren’t wasting their time constantly trying to identify legitimate emails from fake ones but are prepared when the situation presents itself.

When it comes to email security, working with us is a slam dunk. We may not have the skills of Steph Curry on the basketball court but when in the realm of IT, competitors say they want to be like us. Give us a call today to find out more.

Published with permission from TechAdvisory.org. Source.

Topic Security
June 17th, 2016

2016June17_VoIP_ABig data is a phrase that gets thrown around a lot these days, but rarely in conjunction with SMBs. VoIP has often been touted as a way for small businesses to access enterprise-level functionalities, and better access to customer data is one of the many ways to do exactly that. Keep reading for coverage of the best ways to leverage your VoIP data to increase conversions and provide better service to your clients.

Time/Date Data

One source of information that nearly any VoIP system should be able to easily access is time, date and duration of calls. As a small or medium-sized business, you probably work on a tight budget. Properly analyzing this data can be invaluable when deciding how many staff you need on the phones and on what schedule.

For example, you may notice that on Mondays you get a rush of calls in the morning, but by Tuesday afternoon the lines are dead. Just asking your employees when the phones are dead may work, but consider looking for more specific trends to better assign call responsibilities to your staff. You may find that there is a particular combination of time and day that simply doesn’t generate a need for anyone to work the phones.

The more agreeable the person on the other end of the line is, the more likely they are to vote for your company with their dollars. If you’re making outbound calls, pay close attention to when you see the most success. Everyone knows that no one likes to get a call during dinner time, VoIP allows you to take this one step further and find other stress points in your call schedule.

Location Data

Location data is also easy to track and a simple way to make your call strategy more agile. Understanding how purchasing or support habits differ between different locations can improve your marketing, customer service and client retention.

Ask your VoIP service provider about call-routing options so that whoever answers your phones is an expert on the area the caller is from. With the right amount of preparation you can help a client on the other side of the country as if your company was right around the corner, and there are few things as valuable as being helped by a local.

Customer Intelligence

Combining your VoIP services with your Customer Relationship Management (CRM) software opens up entirely new data points. How many times have you called a support line with an issue and have had to explain all of your history with the company? Even if you somehow did win the customer service lottery and got the same representative every time, the chances of them remembering you and your story are slim to none. With proper CRM integration, your VoIP system can route callers to the same service representative every time they call and provide your staff with a detailed support history.

Customer Habits/Personalities

Analyze client call habits and predict how to contact them and offer assistance before they even realize they need it. Does your data show that one of your clients generally calls once a week, but missed last week’s? Give them a call and check up on them.

If you want to really get in the weeds with your data, you can begin to match clients with your service and sales representatives based on ‘personality’ data. Data points like staff’s age, gender and average call time can potentially be used to route customers to the best possible representative.

Product/Service Trends

Whenever possible, tie data to specific products and services in each call and look for the most consistent patterns that result in a successful contact. If you notice that most of the customers that buy your flagship product come back and buy an accessory to it within three months, stop dumping money into marketing the accessory products during the original sale and trust what your data tells you. Follow up in a month and ask if they’re interested in that ancillary product.

You may be thinking that some of these data points were accessible with your legacy systems by simply logging the information separately. Tracking data that way is prone to user error and requires a pre-meditated plan. VoIP services track all of your data, all the time. Your SMB can easily view and analyze up-to-date data in no time. This agility and efficiency can revolutionize how you design your customer interaction strategies.

Do you feel like you could be getting a better ROI from your VoIP services by taking another look at your calling data? It could be as simple as better organizing your usage statistics, or as intricate as installing specialized analytics software. Regardless of how you want to go about it, we’re the ones to do it -- contact us today!

Published with permission from TechAdvisory.org. Source.

Topic VoIP
June 14th, 2016

2016June14_Productivity_AThe word ‘Community’ is derived from the Latin term communitas meaning ‘things shared by many or all’, which hints at our innate desire to connect with others. With the Internet being such a powerful medium, connecting people regardless of their locations has never been easier. Imagine thousands and thousands of people that are genuinely interested in what your company does -- that level of attention would not only propel but possibly skyrocket your business to heights you didn’t think possible. But before running, we must first walk. Here are five tips for building an online community for your business:

Make sure your customers are passionate

The number one rule of online community is that it should be a place where like-minded people are genuinely interested in your brand and are able to engage, if that’s not the case, it won’t be any different from throwing a party that everyone ignored. Make sure you have brand appeal, pick up on vibes your customers are giving off and figure out what they really want. The size of your online community isn’t what’s important, customer’s annual revenue and genuine passion for your products play a much bigger role.

Loosen the reins

It’s an undeniable fact that you have put copious amounts of time and energy into building and managing your business - so you can’t help but develop an attachment to it. What business owners have to realize is that your company really belongs to your users. This is a difficult obstacle to overcome, but when you are still clinging on for dear life and discouraging open discussion, you’ve basically shot yourself in the foot. Several times.

Another rule to follow is NEVER delete a post (unless it’s spam), under no circumstances would you want to hide negative feedback. Online communities might be the reality check you’ve been looking for, so accept honest feedback with open arms.

Create a rich experience

Thriving communities are the ones that engage in numerous activities, the same can be said for online communities as well. An example to help put things in perspective is bird watching. Let's say one community only has support forums dedicated to basic subjects whereas the other community offers a feature request area that allow customers to give their thoughts on what they want to see next as well as a visual library on local species. Ensure that there’s always something for your community to do.

Invest in infrastructure

Dedicated team members and the right software are essential components required in taking on an online community - don’t pinch any pennies here. Growing the team and utilizing suitable tech resources are necessary steps that (although nerve-wracking) need to be taken. Entice customers further by tying up all the technological loose ends, make it easy-to-use and devoid of downtime.

Don’t stress over measurements

We live in a time where numbers hold immeasurable power and people expect dashboards to show trending activity constantly. It’s a fact that measuring the ROI of an online community is like trying to find a needle in a haystack. There is one way of measuring your community’s value, not with a measuring tape, but by looking at the number of posts.

If you're aiming to establish higher brand credibility, corporate integrity and customer loyalty but aren’t exactly sure how to go about it, just give us a call! We’ll help you with any questions you may have about building an online community for your business.

Published with permission from TechAdvisory.org. Source.

Topic business
June 9th, 2016

2016June9_Security_AAlthough some may have hoped that the threat of ransomware was on the decline, the reality is that it’s quite the opposite. Until now, attacks seemed to be targeted directly at its victims, but Microsoft warns that may no longer be true. With their discovery of self-propagating ransomware it’s vital to fully understand the possible risk of infection.

Ransomware, the malware that locks up infected systems and demands payment to return access to users, has been steadily increasing its infection rate over the course of this year. Enigma Software reported that, “After staying steady for the last six months of 2015, ransomware detection has begun to climb; February saw a 19 percent increase over January, while March had almost a 10 percent increase over February. Then, in April, infections more than doubled.”

And as if that wasn’t frightening enough, Microsoft announced last week that a recently detected ransomware software was found copying itself onto USB and network drives. The ransomware, titled ZCryptor, disguises itself as either an Adobe Flash installer or a Microsoft Office file to trick users into opening it.

Once opened, it displays a prompt that says “There is no disk in the drive. Please insert a disk into drive D:”. If you see this after opening a suspicious file, it is most likely ZCryptor trying to distract you while it works in the background to add a registry key that buries itself deep in your system and begins to encrypt your files.

Although previous ransomware iterations like Alpha Ransomware had the ability to find and encrypt files on shared network drives, security experts believe this is the first time a ransomware variant has included self-replication via removable drives into its framework.

When it was first detected in May, Microsoft found ZCryptor singling out 88 different file types for encryption. However, later on a security expert analyzed the ransomware and found 121 targeted file types -- inferring that creators of the malware were continuing to develop its source code.

It’s commonplace for ransomware to demand payment to be made in Bitcoins as they’re an almost totally untraceable online currency. ZCryptor is no different, demanding 1.2 Bitcoins (500 USD) unless payment is more than four days after infection -- then it increases to five Bitcoins (2,700 USD).

Compared to other more complex security threats, ransomware is still relatively easy to avoid. Always verify the source of email attachments and website downloads before opening files, disable macros in Microsoft Office programs, maintain regular backups and update your security software.

Still concerned about security at your SMB? It doesn’t have to be as difficult and draining as you may think. Contact us today for advice on keeping your network protected around the clock.

Published with permission from TechAdvisory.org. Source.

Topic Security
June 1st, 2016

2016June1_Facebook_AWe all know you can buy ad space on Facebook. And while ads on the world’s largest social network are generally quite affordable, they still cost money - which as a small or medium sized business owner, may be in short supply. Thankfully, there are many ways to market your business for free on Facebook. Here are a few of the most popular methods.

Get your friends on board

A business is nothing without its fans...at least on social media. So after setting up your Facebook business page, your first order of duty should be to invite your friends to “Like” your company page. Bear in mind, we use the term “friends” broadly here. Really, you should be telling pretty much everyone you know about your business. This includes family members, colleagues, that random parent you chatted with at your son’s baseball game, and any acquaintances from all walks of life. The goal of this is to create a foundation of followers to build upon as you grow your business.

Create your brand identity

On Facebook, your brand needs to do more than simply sell a product or service, because no one wants to interact with a company they feel is constantly trying to sell them. This is exactly why your brand should have a persona and human characteristic. In other words, you need a brand voice. So ask yourself, how should your brand sound? Should it be funny, easy-going, serious or inspiring? Once you’ve figured it out, ensure this voice is consistent in all your posts as it will help your audience form a relationship with your brand as they get to know it better. While you can and definitely should advertise different products or services your business offers, most of your posts should aim to entertain, inspire, and encourage social interaction. As your followers get to know your brand better, they will develop shared interests with it, which will eventually lead to trust. And when your audience finally trusts you, the sales will start to come in naturally.

Exploit algorithm changes

If you thought Google was the only platform that changed their algorithms, think again! Just like Google, Facebook also uses algorithms to determine the amount of organic reach your updates get. This raises an interesting question...how do you discover what algorithm changes Facebook has on the docket? Well, they occasionally post them on Facebook’s newsroom, so regularly check there to stay updated.

So once you’re aware of an upcoming algorithm change, how can you exploit it? Let’s look at an example. Back in the Fall of 2014 Facebook announced they’d begin to favor link posts with an image attached, over photo posts with the URL in the caption. Users who were aware of this change in advance and implemented it accordingly, were reportedly getting three times as much organic traffic by February 2015. Those who missed the announcement were left scratching their heads wondering what happened to their traffic.

Check your data

Many people believe there’s a best time and day of the week to share a post. While this is true, the actual day and time that’s best may be different from what you expect. While some people are quick to proclaim Tuesday and Thursday mornings are the best time to post, the reality is the best time to post depends on your unique business. Everyone’s audience is different, and results will vary from business to business. So while some SMBs may discover they have their audience's full attention on Tuesday and Thursday mornings, others may learn their customers are most engaged on Thursday and Friday evenings. So how can you find out when your audience is watching? Check your page’s Insights tab. This will provide you a plethora of information about your customers, including the days and times when they’re on Facebook.

While all these tips to market your business on Facebook are free, bear in mind you’ll need to invest a significant amount of time if you want to see results. To really succeed with Facebook marketing, you need to regularly interact with the platform - and not just treat it as an afterthought.

To learn more about how your business can leverage Facebook and other social media platforms, give us a call.

Published with permission from TechAdvisory.org. Source.

Topic Social Media
May 31st, 2016

2016May31_BusinessValue_ANot long ago, uploading a video to the internet was still a new and novel concept, but now we have access to multiple services for live video streaming. Most of these are free and offer great opportunities for increasing your visibility with little to no investment. Let’s take a look at 6 different ways you can utilize live internet video to increase your business value.

Business Introduction/Behind the scenes

If your company is new or suffering from low visibility, one of the best things you can do is give customers direct access to your staff and your product. A great use of live video is to take viewers on an office tour, show them how a product is made or even broadcast your business’s launch event.

Make sure to invite as many viewers as you can, but remember that most live broadcasts can be saved and viewed later. This is a video you’ll likely want to keep available after it’s finished.

Ask Me Anything (AMA)

Depending on your product or service, you may be getting a lot of conceptual questions about innovative ways to use it, what direction the company is heading and so forth. There’s no better way to address these questions than to do so in a personal and unscripted AMA segment.

If there’s a good turnout make sure to keep questions and answers moving in relevant and interesting directions. There’s nothing wrong with updating everyone on what you had for breakfast, but addressing service bugs or product feature requests is going to be a lot more beneficial for wider audiences.

How-to

Whether it’s a soon-to-be-released product or simply rehashing an existing one that’s getting lots of support requests, there’s no better way to guide customers through a ‘how to’ process than step-by-step, face-to-face.

Not only does this help to show existing clients the best way to use your product or service, it also allows potential consumers to see both your product and your customer service philosophy in action. Saving these videos can be invaluable as you continue to get questions on the product or service outlined in these videos -- it’s an easy way to build a video reference library for sales and support.

Webinar

Although all of the previous uses can be categorized as ‘customer service’, there’s no reason you can’t simply open a help desk broadcast and invite viewers to join with their support questions. If you advertise this as a customer service broadcast and steer clear of any conversations that deal with non-support related questions, you may be able to tackle more than one client’s questions at a time and no one can ever complain that contacting your support line is frustrating or tedious.

Announcements

All of the live broadcast services are deeply integrated with social media. Whether it’s Twitter or Facebook, post updates about an upcoming announcement along with a scheduled time and take the chance to make your product or service announcement far more interesting and personal than a press release or faceless status update.

Text based announcements and pre-recorded videos severely limit how you address the ‘fine-print’ questions from customers. Think of this as a chance to hold your own personal press briefing and address questions after your scripted announcement.

Promotions

In the same vein as live announcements, use social media to promise a special promotion to anyone who tunes in to a live broadcast. Before it begins, create different thresholds for how big the promotion will be depending on participation. Once you begin, check how many viewers you have to decide whether to augment or reduce the scope of what you want offer. In addition to being a more dynamic method for releasing promotions, it will create motivation among your customers to interact more directly with your company.

Socialmediatoday reports that Facebook users spend three times longer watching live broadcasts than pre-recorded video. Combine that with Facebook’s announcement that live videos are more likely to be promoted to the top of news feeds and you’d be crazy not to utilize live broadcasts.

However, there are a handful of different services to use for live video broadcasting and deciding which one is the best for you can depend on a lot of different variables. Call us with any of your questions and we’ll be happy to assist you in adding value to your business with today’s best live video services.

Published with permission from TechAdvisory.org. Source.

Topic business
May 23rd, 2016

2016May23_VoIP_AAs SMBs continue their steady transition away from traditional telephony services in favor of VoIP, threats of cybercrime and fraud are more common than ever before. Risks to VoIP systems are distinctly unique from those posed to your other networks and understanding how to combat them is critical. Here are 5 tips for securing your organization’s internet-based communication devices and services.

Types of threats

The majority of VoIP services involve live communications, which often seem far more innocuous than stored data. Unfortunately, your business has just as much valuable information moving across VoIP networks as it does hosted on company servers. Internet-based calls are far more vulnerable to fraud compared to more traditional telephony services and face threats from identity theft, eavesdropping, intentional disruption of service and even financial loss.

24/7 monitoring

A recent study by Nettitude reported that 88 percent of VoIP security breaches take place outside of normal operating hours. This could be attackers trying to make phone calls using your account or gain access to call records that contain confidential information. This can be avoided by contracting outsourced IT vendors to monitor network traffic for any abnormalities or spikes in suspicious activity.

VoIP firewalls

Every VoIP vendor should provide a firewall specially designed for IP-based telephony. These protocols will curb the types of traffic that are allowed, ensure the connection is properly terminated at the end of a session and identify suspicious calling patterns. Consult with your VoIP or IT services provider about which of these features are available and currently in use at your organization.

Encryption tools

One of the reasons that eavesdropping is so common is because a lack of encryption. Inexperienced attackers can easily download and deploy tools to intercept and listen to your calls. Although some services claim built-in encryption, be sure to investigate how effective they really are. Many of these protocols require the same VoIP client on the receiving end of the call -- something that’s much harder to control. Encryption should be compatible with as many other software clients as possible to effectively prevent anyone from undermining the privacy of your calls.

Virtual private network

Virtual private networks (VPNs) create a secure connection between two points as if they were both occupying the same, closed network. It’s like building a tunnel between you and the call receiver. In addition to adding another layer of encryption, establishing a VPN can also overcome complications involving Session Initiation Protocol trunking, a recommended VoIP feature.

Password protection

Usually password protection refers to requiring password authentication to access sensitive information. However, in this case it actually means protecting the passwords themselves. Eavesdropping is one of the easiest, and most common, cyber attacks against VoIP networks and even with all of the protocols above, employees should be instructed to never give out any compromising information during a VoIP call.

VoIP is as important as any of your other network security considerations. It requires a unique combination of protection measures, and we’d love to give you advice on implementing any of these protections or managing your VoIP services. Give us a call today to get started.

Published with permission from TechAdvisory.org. Source.

Topic VoIP
May 20th, 2016

2016May20_BusinessContinuity_AJust because your IT provider has a plethora of awards and certifications under its belt doesn't mean that you can blindly hand over your business’s future to them. Often times, there are some aspects in your business continuity plan that tend to be overlooked by your provider. We have rounded up some of these issues that could appear when you enact your business continuity plans.

Over-optimistic testing

The initial testing attempt is usually the most important as it’s when IT service providers can pinpoint possible weak points in the recovery plan. However, what usually happens is a full transfer of system and accompanying operations to the backup site. This makes it difficult to look at specific points of backup with too many factors flowing in all at the same time.

Insufficient remote user licenses

A remote user license is given by service providers to businesses so that when a disaster strikes, employees can log in to a remote desktop software. However, the number of licenses a provider has may be limited. In some cases, more employees will need to have access to the remote desktop software than a provider’s license can allow.

Lost digital IDs

When a disaster strikes, employees will usually need their digital IDs so they can log in to the provider’s remote system while their own system at the office is being restored. However, digital IDs are tied to an employee’s desktop and when a desktop is being backed up, they are not automatically saved. So when an employee goes back to using their ‘ready and restored’ desktop, they are unable to access the system with their previous digital ID.

Absence of communications strategy

IT service providers will use email to notify and communicate with business owners and their employees when a disaster happens. However, this form of communication may not always be reliable in certain cases such as the Internet being cut off or with spam intrusions. There are third-party notification systems available, but they are quite expensive and some providers sell them as a pricey add-on service.

Backups that require labored validation

After a system has been restored, IT technicians and business owners need to check whether the restoration is thorough and complete. This validation becomes a waste of time and effort when the log reports come in a manner that is not easy to compare. This usually happens when IT service providers utilize backup applications that do not come with their own log modules, and have to be acquired separately.

These are just some of the many reasons why business continuity plans fail. It is important for business owners to be involved with any process that pertains to their IT infrastructure. Just because you believe something works doesn’t necessarily mean that it works correctly or effectively. If you have questions regarding your business continuity plan, get in touch with our experts today.

Published with permission from TechAdvisory.org. Source.

Topic business
May 17th, 2016

2016May17_Security_AImageMagick, one of the internet’s most widely used image processing services, is susceptible to attacks that may put your site at a huge risk of exploitation, according to recent reports. The discovery of this vulnerability means attackers could potentially steal your site’s data, or corrupt it entirely. Let’s take a look at what your SMB should be doing to protect itself from this security flaw.

What is ImageMagick?

ImageMagick is a tool that allows sites to easily crop, resize, and store images uploaded by third parties. Vendors continue to improve user interfaces and experiences by consolidating functions into all-in-one packages, which means administrators are becoming increasingly unaware of what specific services they are actually utilizing. ImageMagick is deeply integrated into countless web services and many webmasters may not even be aware they are using this unsafe software.

How can an image make my site vulnerable?

Recently, it was discovered that images can be uploaded that force ImageMagick into executing commands and permitting attackers to remotely insert harmful code into vulnerable sites. Images are actually made up of complex code that is translated into photos, icons, etc. Different file extensions use what are called “Magic Numbers” to define their file types. Manipulating these numbers allows attackers to exploit a flaw in ImageMagick. The service scans the uploaded file, and attempts to decode the source information whenever it detects the file is not what it claims to be. Scanning that code and attempting to rectify the file misappropriation can then trigger whatever was hidden inside the image and result in remote command of your site.

How should I protect my site?

ImageMagick has admitted knowledge of the security flaw and promised to release a patch very soon. Until then, experts advise implementing multiple workarounds to keep your systems safe. However, if you're not well acquainted with your web server and its code, then it's wise to consult an expert instead of attempting these changes on your own.

For those who are familiar, follow these steps. The first is to temporarily incorporate lines of code that preemptively block attackers from exploiting these holes. Those lines of code, and where to insert them, can be found here.

The next step is double checking that any image files utilizing the ImageMagick service aren’t hiding any harmful information. This can be accomplished by opening an image file with a text editor, and checking for a specific set of letters and numbers at the beginning of the text that define what type it is. The list of these “Magic Numbers” can be found here, and will reveal if an image is hiding its true purpose.

Ideally, administrators will halt all image processing via ImageMagick until a patch is released from the developers.

Data security is one of the most crucial aspects of any SMB, however, keeping up with the constant flow of security exploits and patches can be overwhelming for administrators of any ability level. Why not contact us to learn more about keeping your network secure and protected from exploits like this one?

Published with permission from TechAdvisory.org. Source.

Topic Security