
What Developers Should Tell Clients About SEO Optimization

“Why isn’t our website ranking higher on Google?”

As the designer or developer, you will often field questions like this. Clients want to know why their site isn’t performing as well as it should.

After all, that’s what they’re paying you for, right?

But what happens when the website is finished to the client’s specs, but it’s still not performing well?

Sometimes the fault for an underperforming website falls back on you, even if it’s not directly included in your scope. That’s why it’s important to be able to identify potential reasons why a website might underperform, and know how to respond in those situations.

Here are a few things that might be hurting your client’s website performance.

“Your Domain Authority Is Too Low”

Appearing on the first page of Google’s Search Engine Results Pages (SERPs) is a common concern for many clients, and it might be one of the reasons they came to you to build their site in the first place.

But click-through studies consistently show that most search traffic goes to the first result, with click-through rates (CTR) falling off sharply after the second position.


Google also reports that 34% of search results – yes, even those on the first page – get no clicks at all, and that 12% of all clicks go to the top 100 search-traffic-receiving domains.

So not only is it important for sites to rank high, but they really need to be number one to see significant traffic from their SEO efforts.

One of the main reasons a new site will not reach the first page of the SERPs is low domain authority. As the click-share figures above suggest, a small number of established domains capture a disproportionate amount of search traffic.

It doesn’t matter if your site is the best designed, most beautifully crafted website in the world. Without strong domain authority – a score developed by Moz that predicts how well a site is likely to rank, based largely on the quality and quantity of links pointing to it – you will struggle to rank. Google does not use Moz’s score itself, but the link signals it approximates are central to how Google ranks results.

This is doubly true for new websites. New sites usually start with a score of 0-1. For reference, well-established sites, like Facebook and Wikipedia, are close to 100.

If you’re developing or designing a brand new site for a client, and they complain about not showing up in Google, tell them that they need to focus their energy on driving traffic in other ways.

Paid ads, regularly published content (typically on a blog) and social media traffic don’t raise domain authority by themselves, but they put the site in front of people who may link to it, and those links are what builds authority.

Another reason why a site may not be showing up as high on Google’s SERPs is due to low or poor quality backlinks – links that point back to your website.

According to Andrey Lipattsev, Search Quality Senior Strategist at Google, high-quality content and link building are the two most important signals used by Google to rank your website for search.

Analyses of top-ranked Google results report backlink volumes averaging 100,000+ high-quality links.


High-quality backlinks can be notoriously difficult to get, especially for new sites, because they require other more popular sites (think top 100 domains for best results) to link to your landing pages or content.

The good news is that quality does make up for the lack of volume. A link from a relevant website in your niche, for example, might be worth 100 links from a lower quality source.

So how do you earn high-quality backlinks?

Over time you may naturally gain some links from other websites, especially as your organic traffic grows from regular content production or social traffic. But in order to gain the quality and volume needed to rank, you need to make some effort.

The first step is to focus on providing valuable and high-quality content on your website. This should ideally come from a blog that can be frequently updated, and not just landing pages.

Google weighs freshness when ranking some queries. Former Google Fellow Amit Singhal once explained that, “Different searches have different freshness needs.”

In other words, freshness matters more for some queries than for others, so keep content current for the keywords where it matters.

You then need to find ways of sharing your content on other sites in order to create those backlinks.

Try posting content as guest blogs on larger editorial sites, or by linking to it on sites like Quora. Sharing on Facebook and LinkedIn, both of which have domain authority close to 100, also helps, though links from social platforms are typically marked nofollow and pass little or no authority directly; their value is in getting content in front of people who may link to it from their own sites.

If you’re curious about your current site backlinks, you can use a free tool like Backlink Watch. Paid tools like Open Site Explorer, Majestic SEO and Ahrefs will give you a lot more information as well.

If clients don’t know why their site isn’t performing, you might recommend they try some link-building strategies, like guest blogging on popular editorial sites or asking customers to link to you on their landing pages.

“You Need to Optimize Your Content”

Because content plays a big role in how Google ranks sites – from the freshness of the content to the links it contains and more – it’s important that sites are creating content that can be shared.

In other words, a pretty website is not enough. It has to have more content.

And that content needs to be optimized so Google knows what to do with it. CTR for content on Google’s first page SERPs increases by 667% for posts that appear as Featured Snippets.

Featured Snippets are selected search results that appear on top of Google’s first page in a special box.

If you’re not sure how to get a Snippet, or you don’t yet have the domain authority to get a Snippet, there are other ways you can optimize your content to rank higher.

Posting content that is engaging – keeps people on the page and has a higher number of conversions into another action, like an email subscription (etc.) – can also improve your relationship with Google.

Google has never fully disclosed which engagement signals it uses, but it can observe whether searchers click through, how quickly they return to the results page, and whether they go on to click other content from your site.

Creating content that keeps people enthralled will help improve search results.

You can also help your odds by focusing on long tail keywords in your content in order to gain more organic search traffic and improve your odds of appearing in either a Featured Snippet or on the first page SERPs.

If clients want methods for improving their Google search rankings, tell them to produce more high-quality, optimized content.

Final Thoughts

It’s important to explain to your clients that creating a beautiful website won’t guarantee them a high ranking on Google SERPs.

Even if it’s fully responsive and includes SEO optimization, if it’s a new website, it needs more to be truly successful.

The top strategies they can focus on are building domain authority, earning backlinks and creating optimized content.

You should also remind them that it takes time to build a reputable and high ranking site, and they shouldn’t give up if they don’t see results right away. With a little effort, it will happen for them.

If you have a relatively new responsive site, we can help you add rich snippets, push your blog posts to multiple social media outlets and more. Drop us a note and we’ll help you make it happen.

5 Steps for Building Your Reputation Strategy

by Jessica Seitz


How does your reputation online affect your business offline?

We live in a day and age where consumers openly air their complaints online for all to see. Ask any business owner to think back to a negative review left online, and they’ll sigh, wishing they could have resolved their customer’s concern privately before public and permanent damage to their reputation was done. Studies show that businesses risk losing 22% of business when potential customers find one negative article on the first page of their search engine results. Two negative reviews on the first page? 44% lost. Four or more? You could lose up to 70% of potential customers.

by Jenna Treat

Why Automating Your Email Marketing Pays Off

Many business owners worry that automating their email marketing makes their business seem impersonal. In reality, when done right, email automation demonstrates to your customers just how well you know them. When you send your entire customer database the same email – the information may not be relevant to every customer. This runs the risk of customers disengaging with your emails, deleting them from their inbox, or even flagging the messages as spam. Instead, use automated email marketing to target key groups of customers with messages relevant to them.

 by Jenna Treat

Writing Emails with a Purpose

Do you ever get an email and think “what was the point of sending me this?” It wasn’t informative. It didn’t tell you anything you didn’t already know. It wasn’t actionable. So what exactly were you supposed to do with it?

by Jessica Seitz

Game’s on? Make sure your spot is the hotspot

If you run a bar, it’s never too early to start thinking about football season. We all want to make sure our spot is the go-to place to watch every game. So how do you get fans in the door? And how do you keep them coming back for more?

by Alyssa Wee

How to Get The Most Out of Your Restaurant Email Newsletter

A compelling email newsletter can be a very powerful tool for restaurants. They can inform customers about latest dishes and events and promote a restaurant’s unique personality to differentiate from other restaurants. But how can you ensure that you are creating an effective newsletter?

Look for our next blog post about creating compelling content.  Meanwhile, learn more about Spearhead Multimedia and Zenreach and how we create an automated, hands-off system to build your customer list, manage your reputation and keep your current customers informed. Learn more…

Special offer: Sign up between now and March 31, 2018, to receive a free first month and we’ll waive the cost of the access point (a $199 value). Sign up now.


[PHISHING ALERT] “Hey Did You See That Fake AI Porn Movie Of Yourself?”

Heads-up. I am sorry to have to bring up a very distasteful topic, but in the very near future your users will get emails with something close to the ultimate click-bait, luring them to see an AI-generated porn video starring… themselves.

Forget about fake news. It’s been all over Reddit the last month; we are now in the age of fake porn.

Read More

Microsoft issues emergency Windows patch to disable Intel’s buggy Spectre fix


If your Windows PC seems buggier than usual after the recent round of Spectre patches, you might want to download this.

By Senior Editor, PCWorld

If you’ve noticed any unexpected reboots or PC instability as a result of the recent Spectre patches, there’s a solution: Microsoft has issued an emergency Windows patch that rolls back the recent Spectre mitigations.

Confused? It’s a bit complicated. After the initial Spectre and Meltdown vulnerabilities were disclosed, both Intel and Microsoft hustled out patches to mitigate the problem. Unfortunately, Intel’s latest microcode updates—and the BIOS updates from PC makers based upon them—were themselves buggy, causing instability, reboots, and data loss in some PCs.

Microsoft’s latest patch (KB4078130), available from the Microsoft Update Catalog, disables the operating-system mitigation for “Spectre variant 2” (CVE-2017-5715) on affected systems.

Note that the patch notes specifically state that you should run this patch “if you are running an impacted device” (emphasis ours). In other words, if your system is working normally, don’t bother downloading this patch. This is what Microsoft calls an “out of band” patch, and it doesn’t appear that it will be made available via Windows Update, either.

Why should you consider it? Intel has warned previously that the faulty patch can sometimes cause data loss and corruption, and Microsoft is saying the same: “Our own experience is that system instability can in some circumstances cause data loss or corruption,” the patch notes state.

There’s another wrinkle, though. As part of the patch, Microsoft is allowing users to edit the Windows registry to toggle the mitigations on or off. (Instructions are here.) It’s possible to toggle Microsoft’s patch off, and then, when Intel solves its own patching problem, re-enable it. That scenario is actually what Microsoft recommends—again, only if you’ve noticed system instability and want to take action against it.
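As an added illustration (this is not code from the PCWorld article or from Microsoft), the following PowerShell reads and toggles the registry override that Windows honours for the Spectre variant 2 mitigation. The key path and the meaning of the FeatureSettingsOverride bits follow Microsoft’s published client guidance at the time; treat them as an assumption and verify against the current KB before using it on production machines. Run it from an elevated prompt; a reboot is required for a change to take effect.

```powershell
# Added example: inspect and toggle the Windows Spectre Variant 2 (CVE-2017-5715)
# mitigation through the registry override Microsoft documents for this purpose.
# Assumption: FeatureSettingsOverride bit 0 = disable Variant 2 (branch target
# injection), bit 1 = disable Variant 3 (Meltdown); the mask selects which bits
# the override controls. Confirm against Microsoft's current KB before use.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpectreV2Override {
    # Reports the current override values; missing values mean the OS default (mitigation on).
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $override = [int]$props.FeatureSettingsOverride
    $mask     = [int]$props.FeatureSettingsOverrideMask
    [pscustomobject]@{
        FeatureSettingsOverride     = $props.FeatureSettingsOverride
        FeatureSettingsOverrideMask = $props.FeatureSettingsOverrideMask
        Variant2Disabled            = (($override -band 1) -eq 1) -and (($mask -band 1) -eq 1)
    }
}

function Disable-SpectreV2Mitigation {
    # Override=1, Mask=1 disables Variant 2 only; the Meltdown mitigation stays on.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($Key, 'Disable Spectre Variant 2 mitigation')) {
        New-ItemProperty -Path $Key -Name FeatureSettingsOverride     -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $Key -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Enable-SpectreV2Mitigation {
    # Override=0, Mask=3 re-enables both mitigations (the OS default), for when fixed microcode arrives.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($Key, 'Re-enable Spectre/Meltdown mitigations')) {
        New-ItemProperty -Path $Key -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $Key -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

# Usage (elevated prompt):
Get-SpectreV2Override
# Disable-SpectreV2Mitigation -WhatIf   # dry run; drop -WhatIf and reboot to apply
# Enable-SpectreV2Mitigation            # after a fixed microcode/BIOS update, then reboot
```

After the reboot, Get-SpeculationControlSettings from the SpeculationControl module on the PowerShell Gallery (Install-Module SpeculationControl) reports what the running kernel actually applied, which is the check to rerun rather than trusting the registry values alone.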

Toggling the mitigations on and off is also a feature of the latest InSpectre utility.

As Bleeping Computer noted, system makers such as Dell and HP also advise rolling back their own BIOS patches to an earlier version, which they have redeployed. It’s all horrendously confusing for consumers and IT organizations alike. Fortunately, at least, there haven’t been any public cases of these vulnerabilities being exploited, Microsoft says.

What should you do? There’s no one-size-fits-all answer to this question. But we can tell you what we’re doing: if a PC is working as expected, we’re leaving it patched and in place. If you’re backing up your data (to Remote Backup Services or an external drive) chances are your most crucial data will be saved in case your system goes down unexpectedly. Obviously, install Microsoft’s emergency Windows patch if you’re running into system issues. There’s no perfect solution—if you’re more paranoid than we are, feel free to deploy the patch even if your PC hasn’t hiccuped.

Amazon has created a new computing platform that will future-proof your home

AP/Elaine Thompson



By Steve Kovach

  • Amazon is in a better position than any other company to dominate ambient computing, the concept that everything in your life is computerized and intelligent.
  • Amazon’s Alexa platform continues to get better while remaining open to third parties, unlike Apple’s Siri.
  • Buying into Alexa now will future-proof your home.

Almost four years ago, New York Times tech columnist Farhad Manjoo wrote out a strategy to keep all your technology future-proof in a rapidly evolving environment.

His advice still holds up.

Use Apple hardware for your smartphone and PC. Use Google services for things like email, calendar, and maps. Buy all your digital music, movies, and TV shows from Amazon.

Of course, there are caveats to all of these suggestions, but you’ll future-proof yourself nicely by following them. Amazon’s media can (usually) play on all your devices, no matter what company makes them. Google is not only the best at digital services, it’s also platform agnostic. You don’t have to be an Android user to get the most out of Google. And Apple still makes the best phones, tablets, and PCs you can buy.

But I think it’s time to add one more category to the list: ambient computing, or the concept that there can be a layer of intelligence powering everything in your home from your lights to your thermostat. Many see this as a new phase of computing where our technology works for us automatically. We’re in the early days of ambient computing, but there’s already a clear front-runner powering its future: Amazon Alexa.

Right now, Alexa is great at answering basic questions or playing music from streaming services like Spotify. It’s also laying the foundation for an Alexa-powered smart home as more and more accessories make themselves compatible with Amazon’s platform. Even better, Alexa lets you control all your smart home accessories with your voice, which is a lot more convenient than poking around your iPhone to turn your lights on.

I gave it a try a few weeks ago, starting small by connecting most of my lighting. I bought a bunch of Wemo smart plugs for all the lamps in my apartment. (My apartment doesn’t have a lot of built-in lighting, so I have lamps all over the place instead.) After setting each plug up, I fired up the Alexa app and added the Wemo skill. A few seconds later, I was able to control all my lights with my voice.

Now I’m obsessed with the idea of Amazonifying the rest of my home. I have an Apple TV, but I plan to make the change to the new Amazon Fire TV 4K instead since I can control it with Alexa. (“Alexa, play ‘The Good Place’ on Netflix.”) Instead of a Nest camera, I’m going to buy Amazon’s new security camera, which will let me beam the feed to my phone, Fire TV, or Echo Show. (“Alexa, show me what’s happening in the living room.”)

You get the idea.

No other platform is better poised to dominate ambient computing. It’s not going to happen tomorrow, or even next year, but Amazon has done an incredible job of laying the foundation for something much more profound than just playing your favorite Pandora station with an Alexa command.

So what is that foundation? Here are the four key advantages that will propel Amazon to dominate ambient computing.

Alexa is everywhere
During CES this year, I was shocked at how many companies decided to integrate Alexa into their products. Toyota and Ford cars. Kohler bathtubs. Whirlpool ovens and dishwashers. And a bunch of third-party speakers.

Ambient computing needs a voice assistant to be ubiquitous in order to be successful. If you call for “Alexa” and it’s not there to do what you want, it has failed. Amazon’s head start getting Alexa into everything, everywhere will help it maintain its lead.

Alexa is open
Part of the reason why Alexa is showing up everywhere is because Amazon turned it into an open platform that anyone can build into. But it’s not just physical appliances. Services and apps can build into Alexa, making it easy to add a layer of voice controls to their stuff.

It’s the opposite approach rivals like Apple take, which is why devices like the HomePod feel like a wasted opportunity to take on Amazon’s dominance. Siri is limited to Apple’s own services and a few other third-party categories like messaging and to-do list apps. It’s unlikely Apple will want to go against its DNA and completely open up Siri.

Amazon dominates the smart speaker market
Amazon already owns two-thirds of the smart speaker market, with Google playing catch up. It’s likely going to be a two-horse race between the two companies, with Amazon consistently in the lead. The large install base of Echo and Alexa-powered smart speakers provides greater incentive for people to build into Alexa first as opposed to rivals.

Alexa keeps getting better
When the Echo first launched back in 2014, it couldn’t do much more than play streaming music from Amazon and help you buy stuff from the company’s online store.

You know what’s coming next.

Over the years, the Echo has become immensely more powerful and capable. It can stream music from a variety of music services. You can use it to call an Uber or order a pizza from Domino’s. It can even make phone calls. Amazon has done a spectacular job at improving the Echo over time. These are speakers you’re likely to keep in your home for several years before replacing or upgrading them.

Buying one now guarantees you’ll be ready to go for whatever Alexa learns to do next. And, more importantly, it’ll make sure your technology remains future-proof.

From: The Business Insider
Image: AP/Elaine Thompson

These are the Samsung Galaxy S9 and S9+


By EVAN BLASS @EVLEAKS

Having opted against what would have been an uncharacteristic debut at the recent Consumer Electronics Show in Las Vegas — in teaser capacity or otherwise — Samsung is now gearing up to launch the 2018 versions of its flagship Galaxy S lineup in a much more traditional fashion, just prior to Barcelona’s Mobile World Congress. These are the Samsung Galaxy S9 and Galaxy S9+ (pictured top, left to right).

As VentureBeat reported previously, more than screen dimensions will separate the two models this year (the Galaxy S8 and S8+, in contrast, are nearly identical save for their Super AMOLED display diagonals). However, as this year is mostly a component upgrade following a comprehensive redesign in 2017, neither the 5.8-inch S9 nor the 6.2-inch S9+ will be significant departures from their predecessors.

Even in an industry built on iterative upgrades, these stand out as adhering closely to the existing script.

Powered by Qualcomm Snapdragon 845 in the U.S. and China, and Samsung’s own Exynos 9810 systems-on-chip in the rest of the world, the first differentiator between the S9 siblings (codenamed Star and Star 2) lies in their memory configurations: 6GB of RAM and 128GB of internal storage for the S9+, but the same 4GB/64GB pairing as last generation for the standard S9. With this distribution of basic components, Samsung is making it more difficult for users, some of whom may even want a smaller screen, to choose the basic S9 without additional trade-offs.

As the Unpacked invitation suggests, the main highlight for both the Galaxy S9 and Galaxy S9+ will be refreshed imaging hardware and software — a notion confirmed by two people briefed on Samsung’s plans. Besides motion-detected, “super slow-mo” video capture (rapid movement triggers 480fps recording at 720p), both devices are said to feature variable aperture on their primary 12-megapixel cameras. It’s a mechanical adjustment that switches between f/2.4 and smallest-in-class f/1.5.

The Galaxy S9+ adds a second 12-megapixel rear module, but this one has a standard fixed aperture. In what will be important to many, all of the phones’ rear elements are aligned vertically, instead of horizontally like the S8, with the fingerprint scanner located more naturally at the bottom of the stack. Around front, both 2018 S-series models sport 8-megapixel selfie cams. On the bottom, another welcome change: stereo speakers.

Expect the Galaxy S9 and Galaxy S9+ to begin shipping, and selling through retail, on March 16 (further evidenced by that date appearing in the official press shots).

Is Your Website ADA Compliant?


Are you aware of the accessibility requirements of the Americans with Disabilities Act (ADA) and Section 508 of the Rehabilitation Act, and the impact they can have on your business website?

Poorly designed websites can create unnecessary barriers for people with disabilities, just as poorly designed buildings prevent some people with disabilities from entering. Access problems often occur because website designers mistakenly assume that everyone sees and accesses a webpage in the same way. This mistaken assumption can frustrate assistive technologies and their users. Accessible website design recognizes these differences and does not require people to see, hear, or use a standard mouse in order to access the information and services provided.

The start of a website lawsuit trend?

Winn-Dixie recently faced, and lost, an ADA compliance lawsuit over its website, and it made for some pretty sensational headlines. Website accessibility is a hot topic right now, so every case that goes wrong for someone is bound to produce alarming coverage. But should you actually be worried? In short — maybe.

So let’s try and make ADA compliance, who needs to be worried, and what you can do about it as simple to understand as possible. Full disclosure — I am not your lawyer, and nothing in here is legal advice.

What Does ADA Compliance Mean?

ADA is short for the Americans with Disabilities Act, which became law in 1990. It prohibits discrimination against individuals with disabilities in all areas of public life. The 15-employee threshold people often cite applies to Title I (employment); Title III, which covers private-sector businesses that are public accommodations, has no minimum company size.

In January 2018, the refreshed Section 508 standards take effect: federal agencies’ websites must meet WCAG 2.0 Level AA by then. We’ll get into what that means a little later.

Why Is ADA Compliance Suddenly a Bigger Deal?

Legal precedent is changing, and ADA compliance related lawsuits are becoming more successful, and the courts are seeing more of them as a result. Title III of the Americans with Disabilities Act pertains to private sector businesses. Lately, those protections are more frequently expanding into digital territory as web and mobile applications become more necessary in our day-to-day lives.

Who Needs To Be Compliant?

The general consensus right now is that any business considered a “public accommodation” should have an ADA compliant web presence.

“Public accommodation” could apply to most things depending on who is making the interpretation. Generally, however, this would refer to B2C, retail, or any business the general public should be able to use, understand and access easily.

The judgment against Winn-Dixie was determined after the courts felt that the website was too heavily integrated with the physical store presence. This could have been prompted by things like placing their weekly ad on the website.

What Do I Need To Do To Be Compliant?

Why, that’s simple: just meet all 61 success criteria laid out in WCAG 2.0 at Level AA (or AAA)!

Sound scary? It’s not as bad as it seems. Your site probably already meets many of these rules and will not take a web developer very long to bring it up to par. However, there are some items that are much more difficult to fix, depending on the situation.

  • Text must meet a minimum contrast ratio against the background, which can significantly impact your design.
  • Your site must be fully navigable via keyboard only. This usually includes things like skip-navigation links and a sensible focus order; prefer fixing the DOM order over manually setting positive tabindex values everywhere, which tends to make focus order worse rather than better.
  • Your site should be navigable with screen reader software. This can be difficult to test and can involve some arduous fixes similar to what is necessary for keyboard navigation.
  • Your site must handle text scaling up to 200% without causing horizontal scrolling or content-breaking layout issues. Once again, this may be more difficult to fix in some complex designs.

How Do I Check All Of This?

A variety of software can be used to test for ADA compliance.

  • WAVE is a good start, but can produce a lot of false positives, particularly for contrast ratio issues.
  • Lighthouse from Google Developers can help generate a report on potential issues.
  • Manual testing for contrast ratio using a contrast-ratio calculator.
  • Manual testing with screen reader software
  • Manual testing with keyboard only navigation
  • Job Access With Speech (JAWS) is the most popular screen reader used by the blind. You can download a free trial for testing.

The automated tools will catch a lot of the simple issues, but manual testing is often still going to be required for nearly all websites if you want to ensure you are meeting requirements.

Hopefully, this sheds a little light on the situation and what it means for your business. Or, if you’re a web developer, how to be proactive to help your clients.

(Excerpted from Hackernoon)

Domain Names for Sale

domain-names-for-sale

We have the following domain names for sale at our website: https://domainavailable.store:

AcneTreatmentSpa.com
BabyShowersLasVegas.com
BadHomeBuilders.com
BadHomeInspectors.com
BadMovers.com
BadRealtors.com
BahiaCabanaResort.com
BeachStorageRacks.com
BridalShowersLasVegas.com
BrowardBusinessClub.com
BrowardBusinessClub.net
BrowardBusinessClub.org
DisabledPros.com
DisabledPros.net
DixieClamp.com
ExecutiveHomeServices.net
FantasyFestHeadToToe.com
FloridaInspectors.com
FortLauderdaleWave.com
FortLauderdaleWave.link
GirlieGirlStuff.com
GlamourHats.com
HideMyScars.com
HideMyTattoos.com
Kitchenista.net
LgbtWeddingsLasVegas.com
MarineSafetyGroup.com
MarineSafetyGroup.net
MarineSafetyGroup.org
MarineSanctuary.net
MarriageInfoLasVegas.com
MirinkaPermanentCosmetics.com
MisoHawny.com
MobileBloodTesting.com
MoonandStarsNailsandSpa.com
MortgageSolutionsForYou.com
My3Realtors.com
NewStartLiving.com
OceanCentric.com
OceanCentric.net
OceanCentric.org
OceanSportsman.com
ProactiveSolutionsNetwork.com
QuinceaneraLV.com
RedsWhitesandBrews.com
SpearFishers.us
TheDivorceShop.com
TheMatingGameLV.com
TheWatersEdgeProducts.co
TheWatersEdgeProducts.com
TheWaveStreetcar.com
ToTeaseYou.com
TreasureIslandResort.net
UpdateMyPC.com
VacationPlaces.com
WaveFortLauderdale.com
WaveFortLauderdale.link
WeddingInfoLasVegas.com
Winetertainment.com


Microsoft Issues Emergency Out-Of-Band Update to Fix “Crazy Bad” Vulnerability

By 

Patched Microsoft Malware Protection Engine

In an emergency out-of-band update released late last night, Microsoft fixed a vulnerability in the Microsoft Malware Protection Engine discovered by two Google security experts over the weekend, and which the two described as “crazy bad” and “the worst Windows remote code exec in recent memory.”

While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue.

Vulnerability affects Microsoft Malware Protection Engine

As per the two sources, the bug affects the Microsoft Malware Protection Engine (MsMpEng), a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and which is the core of many of Microsoft security tools, such as:

  • Windows Defender
  • Microsoft Security Essentials
  • Microsoft Endpoint Protection
  • Microsoft System Center Endpoint Protection
  • Windows Intune Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft Forefront Endpoint Protection 2010

According to the Google experts, the bug is a “type confusion” vulnerability in NScript, the MsMpEng component that handles “any filesystem or network activity that looks like JavaScript.”

The two experts say that NScript mishandles how it interprets some JavaScript object types, which allows them to deliver an exploit that can use the Microsoft Malware Protection Engine to execute malicious code.

Vulnerability is trivially exploitable

The researchers say the issue can be exploited with no user interaction needed.

This includes scenarios such as sending an email with the exploit included in the message’s body, hosting malicious JavaScript code inside a web page, or by delivering a JS exploit to thousands or millions on users, via ads on reputable sites.

“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, one of the Google researchers says.

This is because the service runs without sandboxing — a basic and very effective security feature — and because it runs as NT AUTHORITY\SYSTEM, a system-level account with no limitations.

Furthermore, the service is included by default on all recent Windows operating systems, exposing hundreds of millions of PCs to remote attack.

Microsoft patches issue within days

Unlike some past incidents, where exploited zero-day vulnerabilities went unpatched for months, this time around the company moved lightning fast to address the issue.

In just a few days, the company had prepared and already shipped a patch to fix the vulnerable MsMpEng service.

According to a Microsoft advisory, the last version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0. The issue is fixed in v1.1.13704.0, released a few hours ago, which has already reached some users (screenshot above). Because the engine updates through the normal definition-update channel, most machines pick up the fix automatically within 48 hours.

Microsoft also said that on latest Windows platforms, the risk of exploitation should be lower if the user has turned on Windows CFG (Control Flow Guard), a security feature that can make exploitation of memory-based vulnerabilities much harder.

The vulnerability is tracked as CVE-2017-0290. The two Google researchers also released proof-of-concept exploit code. The entire exploit fits in a tweet. To help spread the word about this issue, US-CERT has also released an accompanying alert.
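As an added check (not code from the article or from Microsoft), the following PowerShell compares the locally installed Malware Protection Engine version with the fixed build the advisory names and reports whether the host still needs the update. It uses the Defender module where it exists; the registry fallback paths for older Windows Defender and Microsoft Security Essentials installs are an assumption and may need adjusting for the other products built on MsMpEng.

```powershell
# Added example: is the local Microsoft Malware Protection Engine (MsMpEng)
# at or beyond the build Microsoft shipped for CVE-2017-0290?
# Anything below the fixed build is treated as vulnerable.

$FixedEngine = [version]'1.1.13704.0'

function Get-MpEngineVersion {
    # Prefer the Defender cmdlet (Windows 8.1 / 10 / Server 2016).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        return [version](Get-MpComputerStatus).AMEngineVersion
    }
    # Fallback (assumed locations): Windows Defender on Windows 7, and
    # Microsoft Security Essentials, record the engine version under these keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates',
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name EngineVersion -ErrorAction SilentlyContinue).EngineVersion
        if ($v) { return [version]$v }
    }
    return $null
}

function Test-MpEngineFixed {
    # Returns an object suitable for collection across a fleet (e.g. via Invoke-Command).
    param([version]$Engine = (Get-MpEngineVersion))
    if (-not $Engine) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Engine = $null; Status = 'Unknown: engine version not found' }
    }
    $status = if ($Engine -ge $FixedEngine) { 'Fixed' } else { 'VULNERABLE: engine update required' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Engine = $Engine; Status = $status }
}

Test-MpEngineFixed
# To pull the engine/definition update that carries the fix immediately:
#   Update-MpSignature                       (Defender module)
#   "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -SignatureUpdate   (older hosts)
```

Because the fix rides the definition-update channel rather than Windows Update, a host whose definition updates are blocked or stale will quietly stay on the vulnerable engine; the version comparison above is what catches that, not the monthly patch report.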

The Top 5 Reasons Why You Need To Deploy New-school Security Awareness Training In 2018

Excerpted from CyberheistNews Vol 7 #50

2017 was a dumpster fire of privacy and security screw-ups.

To start 2018 with a simple, effective, IT security strategy is an excellent New Year’s resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent… hands-down.

This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.

Here are the Top 5 reasons…

  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018, when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
  4. Legally you are required to act “reasonably” and take “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today’s social engineering risks and “scale security measures to reflect the threat”. Don’t trust me, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don’t even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
  5. Board members’ No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target’s CEO and CISO are just an example. Help your CEO to keep their job.

Former US CISO on Why Awareness Training Is Priority Number 1:

In an information technology environment where personnel are on the cyber front line at work and at home, the key to ensuring security is still awareness training, says former U.S. CISO Gregory Touhill, who was the Air Force General responsible for Cyber Training before he became the first US CISO.

“A congressman asked me when I took my post as the first federal CISO: ‘If I gave you an extra dollar, how would you spend it on cybersecurity?’ And I told him I would spend it on better training my people. I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk,” Touhill says in an interview with Information Security Media Group.

Training at All Levels

Touhill calls for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies.

“Board and C-suite officers are increasingly large targets for whale phishing,” Touhill says. “Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”

Touhill discusses:

  • The effectiveness of techniques such as gamification;
  • Why he believes one-and-done annual training fails;
  • Continuous phishing training;
  • His recommendations for improving training in 2018.

Touhill is now president of the Cyxtera Federal Group and teaches cybersecurity and risk management for the CISO certification program at Carnegie Mellon University’s Heinz College.

Scam of the Week: New Massive Data Breach Poses Major Threat

Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?

100 to 1 you’ve never heard of them, but chances are good that they have heard of you. Alteryx is a data analytics company that makes its money by repackaging data that it has collected from different sources. And it became the latest reminder of how much data little-known companies have collected on us – and how little oversight there is over the security of that data.

Companies You’ve Never Heard of Are Exposing Your Personal Data

Earlier this week, an analyst from the security firm UpGuard shared that Alteryx had not properly protected detailed information it had collected on 123 million U.S. households. (All told, there are about 126 million American households, according to the Census Bureau.)

This data leak was discovered by a researcher, and not (we hope) by a criminal. But the leak affects about as many people as the massive hack Equifax reported in September, which affected 145.5 million Americans, or nearly every adult.

Another Leaky AWS Bucket

The data had been left unprotected in an Amazon Web Services storage bucket available to anyone with a free AWS account. After being informed of the data breach, Alteryx secured the information; however, it had been available to identity thieves and scammers for a considerable period of time.
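“Available to anyone with a free AWS account” is what an S3 bucket ACL grant to the predefined AuthenticatedUsers group produces, and it is a condition a bucket owner can audit for. The following is an added example (not from the article, UpGuard or Alteryx) that flags such grants; the ACL it inspects is a constructed sample in the shape boto3’s get_bucket_acl() returns, and the group URIs are AWS’s documented predefined groups.

```python
"""Flag S3 bucket ACL grants that expose a bucket to anyone with an AWS account
(the AuthenticatedUsers group) or to the whole Internet (the AllUsers group).

Added example, not from the article, UpGuard or Alteryx. SAMPLE_ACL is a
constructed dictionary in the shape boto3's get_bucket_acl() returns; the group
URIs are AWS's documented predefined groups.
"""
from typing import Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # a group, but not public

# Both predefined groups are effectively public: a free AWS account is all it
# takes to be an "authenticated" user.
PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the Internet",
    AUTHENTICATED_USERS: "anyone with any AWS account",
}


def find_public_grants(acl: Dict) -> List[Dict]:
    """Return the grants in an ACL that go to a public predefined group.

    On a bucket, READ lists the keys, READ_ACP reads the ACL, WRITE lets the
    grantee add or delete objects, and FULL_CONTROL is all of the above.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are specific principals
        uri = grantee.get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append({
                "group": uri,
                "permission": grant.get("Permission"),
                "exposure": PUBLIC_GROUPS[uri],
            })
    return findings


def is_publicly_readable(acl: Dict) -> bool:
    """True when any public group holds READ or FULL_CONTROL on the bucket."""
    return any(f["permission"] in ("READ", "FULL_CONTROL")
               for f in find_public_grants(acl))


def fetch_bucket_acl(bucket: str) -> Dict:
    """Fetch a real ACL with boto3 (needs credentials and network access; the
    constructed sample below does not call this)."""
    import boto3  # imported here so the offline part of the file runs without it
    return boto3.client("s3").get_bucket_acl(Bucket=bucket)


# Constructed sample: the owner keeps FULL_CONTROL and the log-delivery group
# may write logs, but READ was also granted to AuthenticatedUsers, the pattern
# the article describes.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in find_public_grants(SAMPLE_ACL):
        print(f"{f['permission']} granted to {f['exposure']} ({f['group']})")
    print("publicly readable:", is_publicly_readable(SAMPLE_ACL))
```

The check deliberately treats the LogDelivery group as a normal grantee: it is a group, but it is not public, and flagging it would bury the finding that matters. Object ACLs and bucket policies can expose data independently of the bucket ACL, so this is one input to a review, not the whole of it.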

Alteryx and credit reporting agency Experian, which was the source of the data, both downplayed the risk of identity theft because no names were included in the exposed data. This response is just PR and disingenuous: 248 data fields for every household were exposed, and those are easy to map back to names.

This is just another example of the lack of important laws in the United States protecting people from data aggregators’ negligence and requiring these companies to employ security measures to protect our personal data. Many other countries require such measures by law; the new European GDPR is an excellent example.

What to Do About It

I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:

“There is another major data breach that pretty much covers every living adult in the United States. At this point you have to assume that cyber criminals have highly personal information that they can use to trick you. You need to watch out for the following things:

  • Phishing emails that claim to be from your financial institution where you can “check if your data was compromised”
  • Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
  • Calls from scammers that claim they are from your bank or credit union
  • Fraudulent charges on any credit card because your identity was stolen

Here are 5 things you can do to prevent identity theft:

  1. First, sign up for credit monitoring – dozens of companies do that.
  2. Next, freeze your credit files at the three major credit bureaus: Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis:
    http://consumersunion.org/research/security-freeze/
  3. Check your credit reports via the free annualcreditreport.com
  4. Check your bank and credit card statements for any unauthorized activity
  5. If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself:
    www.idtheftcenter.org.”

Quotes of the Week

“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest.” – Confucius

“Wisdom comes from experience. Experience is often a result of lack of wisdom.” – Terry Pratchett

“Here is an example of a young man gaining wisdom by experience. LOL:”
http://mashable.com/2017/12/22/man-fails-slide-london-tube-escalator/#leLSSc2WJqqR