FedEx cut its annual profit forecast, citing the $300m cost of a June cyberattack on its TNT Express unit.

The courier now expects to earn no more than $12.80 a share in the fiscal year ending in May after excluding certain items, FedEx said in a statement on Tuesday. That’s down from an original projection of as much as $14 and less than the $13.10 average of analysts’ estimates compiled by Bloomberg.

The global cyberattack in late June struck as the company was stepping up spending to handle more packages from the expansion of online shopping. FedEx also said its ground-shipment unit’s performance weighed on results, as did Hurricane Harvey, which caused flooding along the US Gulf Coast.

“The first quarter posed significant operational challenges due to the TNT Express cyberattack and Hurricane Harvey,” CEO Fred Smith said in the statement.

FedEx had no insurance to cover the attack, which forced TNT to manually process some transactions.

Shares drop

FedEx fell 2% to $211.61 after the close of regular trading in New York.

Global operations outside the TNT unit weren’t affected by the virus, which entered the unit’s systems through tax software used in the Ukraine. FedEx said it found no evidence of a data breach or information lost to third parties.

The shipper also was among companies hit by the WannaCry ransomware in May, although it said that attack didn’t cause a material disruption to its systems or raise operating costs. Companies around the world struggled to retake control of their networks after the intrusions, which cost them hundreds of millions in potential revenue.

FedEx acquired Dutch shipping company TNT Express for $4.8bn last year to gain an extensive parcel delivery system in Europe to compete with United Parcel Service and Deutsche Post’s DHL. The just-completed quarter was the first in which FedEx reported TNT results as part of its Express division. TNT primarily serves industrial, automotive, high-tech and health-care industries.

FedEx already had planned a 16% expansion in capital spending this year to $5.9bn, after delaying some projects at FedEx Ground to help it process more of the growing number of e-commerce shipments and to boost margins. Deliveries to homes generally have lower yields than to businesses because fewer items are delivered at each stop.

The shipper also said its first quarter profit fell to $2.51 a share, compared with analysts’ average expectation of $3. Sales in the period ended August 31 rose 4% to $15.3bn, compared with the average estimate of $15.35bn.

By Mary Schlangenstein for Fin24

Social media tightens its grip on SA

As data costs drop, social media use has intensified among South Africans in the past year, with Facebook now being used by 29% of the population.

This is a key finding of the SA Social Media Landscape 2018 study, conducted by brand intelligence organisation Ornico and high-tech market research consultancy World Wide Worx.

The study found that the number of South Africans using Facebook has increased by 14% since 2016, from 14 million to 16 million.

Of these, 14 million accessed the social network on mobile devices.

A big contributor to the increase was the growth in downloads of Facebook Lite, a low-intensity version of the Facebook app some mobile operators allow to be used without data charges on their networks.

The study showed that it was the fifth most downloaded app from the Google Play Store for Android phones in South Africa, with instant messaging apps WhatsApp and Facebook Messenger at numbers one and four respectively.

The Capitec app was a surprise entry into the list at number nine, making it the most downloaded banking app for Android.

“These are great examples of how tools geared towards the dynamics of a market can make a difference in uptake and penetration,” says Ornico CEO Oresti Patricios.

Mobile soon the default home of social media

“The staggering proportion of people accessing Facebook via mobile devices – no less than 87.5% – tells us that we can expect mobile to become the default home of social media.”

Twitter continues to grow at a slow rate in South Africa, in line with international trends, which have seen a small decline in the US balanced by a small increase in users outside the network’s home market.

It is now used by 8 million South Africans, up marginally from 7.7 million in 2016.

“Twitter remains the social platform of choice for engaging in public discourse,” said Arthur Goldstuck, MD of World Wide Worx.

“It is exactly half the size of Facebook, but its users get access to vastly more personalities, news sources, and opinions – and can become opinion-makers themselves.”

There were two surprise trends in the survey: the previously fastest growing app in South Africa, photo-sharing network Instagram, has seen its growth slow down dramatically, while professional network LinkedIn has maintained steady growth.

The former is now used by 3.8 million South Africans, up from 3.5 million, while LinkedIn usage has increased from 5.5 million to 6.1 million.

The study included a survey of social media use by South Africa’s biggest brands, with 118 participants providing insights into their social media practices, strategies and results.

The survey found significant shifts in each of the platforms used by brands, mostly upward. Facebook is now almost pervasive, in use by 97% of brands, from 91% the year before.

Twitter has increased marginally, from 88% to 90%, while LinkedIn and Instagram continued their relentless rises, now both standing at 72%.

YouTube has fallen slightly behind them, despite a marginal rise to 68%.

Declines were reported for Pinterest, Google+, WeChat, WhatsApp and SnapChat.

“The findings underline the lesson that widespread consumer takeup of a platform, as we have seen with WhatsApp in particular, does not lend itself readily to brands communicating with those consumers,” Patricios said.

A similar picture emerged when brands were asked whether they advertised on social media.

Facebook is by far the most popular for advertising at 86% of brands, with Twitter and Instagram in distant second and third place at 45% and 40%. LinkedIn comes in fourth, at 35%.

“It is noteworthy that most advertisers believe they see a return on investment when they advertise on social media,” Goldstuck said.

“By far the most common benefit they see is brand awareness, followed by customer insights and brands.”

Source: Fin24

The most popular operating systems

The latest figures from NetMarketShare show that Windows 7 is still the most popular desktop operating system globally.

The August 2017 statistics also reveal that iOS and Android 6.0 remain the most widely-used mobile operating systems, although an increasing number of devices are moving to Android 7.0.

Mobile OS numbers show that Android has a strong lead over iOS overall, with Windows Phone coming in third – sporting a total mobile market share of 0.81%.

NetMarketShare does not provide iOS version information, but figures from Apple’s Developer website show that 89% of iOS users were on iOS 10 and 9% were on iOS 9 as of 6 September.

The most popular operating systems on desktop and mobile platforms for August 2017 are detailed below:

[Table: Desktop operating systems]

[Table: Mobile operating systems]

Source: MyBroadband

Cars need software updates: just like a smartphone

In response to millions of people fleeing Florida in the face of Hurricane Irma, Tesla has “flipped a switch” in some of its cars to temporarily extend their range.

Tesla cars receive software updates much like an iPhone does — via the Internet in an update process called “over-the-air” or OTA updates. It’s one of the only car companies that can do this with their cars, regularly sending updates to fix security flaws or update autonomous driving capabilities.

Contrast this with the approach taken by Chrysler, which sent out USB sticks with a safety update to 1.4m vehicles after hackers showed they could remotely take control of a Jeep. With such USB updates, there was really no way of knowing whether the updates had been applied properly or even got to the right person.

Most people don’t realise just how much of a car’s function is controlled by computer processors. The average car has between 25 and 50 different processors, with cars from BMW and Mercedes having around 100 processors each.

These processors control everything from advanced engine features to braking, automatic parking, collision detection, entertainment, navigation and security. As cars become more intelligent, they are coming to rely on increasingly sophisticated software.

Most of these processors have software that, at the moment, can only be updated by taking the car in to an authorised dealer. Car recalls have become a multibillion-dollar expense for the car industry and a major inconvenience for owners.

For this reason, over-the-air updates will be coming to most cars soon. General Motors recently announced that it would start to deliver updates to its cars using GM’s OnStar network. Bosch, one of the leading companies delivering electronics and processing to car manufacturers, is gearing up to deliver secure over-the-air capabilities to cars through a subsidiary, Escrypt.

Malware

It is estimated that 180m cars will be built with this capability in the next five years.

Despite the recent interest, car manufacturers have been wary of updating vehicles in this way. There was concern that too many things could go wrong during the update, leaving the car not driveable.

Security has also been a concern. Hackers could potentially intervene and substitute malware during the update, for example, with potentially lethal consequences.

The process of updating a car turns out to be not that dissimilar from updating an iPhone.

In fact, the acceptance of over-the-air updates for a car starts with the fact that people are more familiar and comfortable with updating a smartphone. They understand that the process can’t be interrupted and the phone must have enough power, for example.

From the technological perspective, the update is encrypted and is accompanied with appropriate signatures that get checked and accepted by special security hardware on the car, called a hardware security module.

The updates are transmitted over secure connections and special software on the car can receive the update and apply it. If something goes wrong, the system needs to be able to roll the update back and leave the original version of the software intact and operating.
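
The sequence described in the last two paragraphs, verify the signature before anything is installed, keep the running software intact, and roll back if the new image fails, is shown in the added example below. This is illustrative code written for this page, not code from Tesla, GM, Bosch or Escrypt. It assumes a two-slot (A/B) layout so the active image is never written in place, and it uses HMAC-SHA256 as a stand-in for the asymmetric signature a hardware security module would verify; the key, versions and images are constructed. Transport encryption and payload encryption are left out so the install logic stays visible.

```python
"""Verify-then-apply with rollback for a vehicle software image (added example).

HMAC-SHA256 stands in for the asymmetric signature a hardware security module
would verify.  Every key, version number and image below is constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


class UpdateRejected(Exception):
    """Raised when an update fails verification and must not be installed."""


@dataclass
class Slot:
    version: int
    image: bytes


def build_update(signing_key: bytes, version: int, image: bytes):
    """Vendor side (constructed): produce a signed manifest plus the image it binds."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    signature = hmac.new(signing_key, manifest, hashlib.sha256).digest()
    return manifest, signature, image


class EcuUpdater:
    """Two-slot (A/B) updater: the active slot is never written in place."""

    def __init__(self, verify_key: bytes, current: Slot):
        self._key = verify_key          # in a real ECU this never leaves the HSM
        self.active = current
        self.standby = None

    def verify(self, manifest: bytes, signature: bytes, image: bytes) -> dict:
        # 1. Authenticate the manifest before trusting anything inside it.
        expected = hmac.new(self._key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise UpdateRejected("manifest signature invalid")
        meta = json.loads(manifest)
        # 2. The manifest binds the image by hash, so a swapped payload is caught.
        if hashlib.sha256(image).hexdigest() != meta["sha256"]:
            raise UpdateRejected("image hash does not match signed manifest")
        # 3. Anti-rollback: never accept a version older than what is running.
        if meta["version"] <= self.active.version:
            raise UpdateRejected("version is not newer than the active image")
        return meta

    def apply(self, manifest: bytes, signature: bytes, image: bytes, self_test) -> bool:
        """Install into the standby slot; switch only if the self-test passes."""
        meta = self.verify(manifest, signature, image)   # raises before any write
        self.standby = Slot(meta["version"], image)
        if not self_test(self.standby.image):
            self.standby = None          # roll back: the active slot was never touched
            return False
        self.active, self.standby = self.standby, self.active
        return True
```

The ordering is the point: nothing is written until `verify` has passed, and the switch of slots is the last step, so a power loss or a failed self-test at any earlier point leaves the car running the software it had before.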

The arrival of more autonomous driving capabilities in cars will make updates essential, as with the case of Tesla. While these updates could be done at an annual service, the demands of autonomous driving will require more frequent updates of software.

At the same time, consumers are becoming sophisticated enough to be able to manage these updates themselves.

The challenge for companies wanting to move to over-the-air updates may not just be a case of car manufacturers moving too slowly. Traditional car dealers may see this as a way of cutting them out of the loop, and may resist any regulations allowing these types of updates outside of a normal service.

Other potential barriers may come from regulators. The United Nations Economic Commission for Europe has a task force looking at cybersecurity and over-the-air updating in motor vehicles.

One area of concern for this group is what happens when a vehicle certified under a country’s motor vehicle safety standards receives an over-the-air update that changes how it performs. Does this render its certification invalid? This might be the case especially if the vehicle’s emissions change as a result of the software update.

Another challenge that may give car manufacturers pause is that if a car can be updated with new features using a simple software update, will customers hang onto the cars for longer and not upgrade their cars quite so often?

By David Glance published on TechCentral

Questions surround the CEO SleepOut Initiative

Profitability almost rhymes with philanthropy. It’s close, but not quite.

The for-profit CEO SleepOut Initiative took the South African philanthropy industry by storm in 2015, and now appears to have raised more than R50 million over three years for various charities.

It seemed a new fund-raising model had been born.

However, over the last three years, a few cracks appeared in the CEO SleepOut’s public edifice. A significant beneficiary abandoned a potentially lucrative three-year relationship after just one year, and the initiative interdicted the beneficiary from infringing its alleged copyright in a list of donors, claiming the beneficiary was using its intellectual property to compete with the initiative to raise money for charitable causes.

Some questions also emerged regarding financial transparency and how much money reached the destined beneficiaries.

Before this story continues any further, a few points need to be made.

Firstly, it is extremely difficult to write an article about fund-raising initiatives for charities, as it may harm future potential beneficiaries of such events. Even more so when the subject matter is a seemingly successful initiative.

Secondly, we make no allegations of financial impropriety. The information in this article comes from numerous interviews with key stakeholders and former employees, most of whom were not willing to speak on record.

Thirdly, it is concerning that the CEO SleepOut Trust has not been forthcoming with information or transparent about its finances.

The first interaction was in May this year, and despite many e-mail exchanges with the founder of the initiative, Alison Gregg, a number of questions remain unanswered.

Within this context, readers should draw their own conclusions. But first, some background.

Australian concept meets American business model

The CEO SleepOut initiative started a few years ago when Gregg brought the brainchild of Australian philanthropist Bernard Fehon to South Africa. The aim was to get C-suite executives out of their warm, luxury homes to spend a cold winter night on a pavement to reflect on those less fortunate than them and to raise funds for charity.

Gregg married this noble concept with the for-profit business model mooted by the international philanthropist Dan Pallotta who is seen as a pioneer of the for-profit philanthropy industry in the US.

Pallotta’s theory is that a business run on sound business principles with well-paid executives would do a better job at raising money than NPOs could do themselves, and his achievements are impressive.

His venture, Pallotta TeamWorks (PTW), raised a staggering $556 million in donor contributions between 1994 and 2002 through various multi-day, mass-participation events. After all expenses, a total of 55% or $305 million was paid to selected charities.

PTW, as a for-profit entity, charged 4.01% or approximately $22.8 million for its professional services. (PTW also publishes detailed information about every event showing significant transparency into how donor funds were used.)

Inaugural event a spectacular success

The first rendition of Gregg’s CEO SleepOut was in 2015, where the 58-year-old charity, Girls and Boys Town (GBT), was the sole beneficiary. It was a spectacular success.

A total of 246 CEOs of some of South Africa’s top companies camped out on the pavement next to the JSE in Sandton and raised a whopping R26 million for GBT – the single largest fund-raising event ever for a charity in South Africa.

The 2016 event was also successful. A total of 167 CEOs faced the cold tarmac of the Nelson Mandela Bridge and raised R20 million for the ASHA Trust, Columba Leadership and the Steve Biko Foundation.

The 2017 event, the SheEO SleepOut, was hosted in August at Constitution Hill where about 57 female CEOs spent a night in the cold, raising roughly R4.8 million between them for the Door of Hope. (These numbers have not been audited and confirmed.)

Overall, the three events are said to have raised more than R50 million for various charities, suggesting that a new era of charitable fund-raising has arrived.

Hairline cracks

But shortly after the 2015 event a few hairline cracks appeared.

GBT, the sole beneficiary of the 2015 event, severed ties with the initiative, despite an initial three-year understanding being in place. The break-up was less than amicable, with Gregg later taking GBT to court in 2017 for copyright infringement.

(The gist of the case was that GBT contacted several donors of the 2015 event from contact details captured during their financial administration process. The court found that this was in breach of copyright and ordered GBT to stop using the list and to delete it, and slapped the charity with a cost order. GBT strongly deny they did anything wrong, but have put an application for leave to appeal on hold due to concerns of mounting legal fees.)

The relationship with media partner Primedia, which was seen as a pivotal contributor and name sponsor of the 2015 event’s success, also came to an end after the first event.

Sun International terminated its sponsorship following the 2016 event, despite previously committing to a three-year involvement, citing a strategic direction change as reason for the termination.

Several former employees of Gregg’s businesses Moneyweb spoke to also expressed their discontent with their working environment.

One staffer, who was dismissed earlier this year, said staff turnover was close to 100% a year, and that virtually all the staff employed in 2016 had since left. Several of their replacement appointees have also been terminated or resigned.

It is important to note that there were significant structural and operational differences between the 2015 and 2016 events. The CEO SleepOut Trust could not acquire NPO certification prior to the 2015 event and could therefore not issue 18A tax certificates to donors, which would have enabled donors to claim their donations for tax purposes.

GBT had such certification, and in 2015 GBT was in total control of the financial administration, from receiving donations to issuing 18A certificates.

In 2016 this structure changed.

The CEO SleepOut Trust had by then received NPO certification and the financial administration moved to the Trust. The Trust took over full control of the event, including the responsibility to determine the quantum of funds to be paid out to beneficiaries after the event, and to actually pay these amounts.

The Trust was to be administered by trustees who would consult a Working Group consisting of various other stakeholders of the initiative. The 2016 event also saw Gregg’s new business The Philanthropic Collection Proprietary Limited (TPC) becoming involved. This business came about after Gregg converted her previous business Alison Gregg PR from a CC to a company. TPC was a for-profit enterprise and owned and managed all the CEO SleepOut events and trademarks. It would charge the CEO SleepOut Trust for the professional services it rendered, as Gregg’s PR business had done the previous year.

Compensation

One of the first questions asked of any philanthropic venture is how much of the donated money reaches the actual beneficiaries. This is even more so in the case of a for-profit fund-raising effort.

GBT’s audited statements for 2015 confirm that the initiative raised R26 million and that this amount was received directly into its bank account. The statements also confirm that GBT paid an amount of R1.3 million (ex VAT) to Gregg after the event, via her business Alison Gregg PR, as compensation. This amount was calculated as 5% of the R26 million raised.

Unfortunately, no audited or unaudited amounts are yet available for the 2016 event, as BDO is still busy with the audit process – six-and-a-half months after the Trust’s year-end, and more than a year after the event.

But there are unaudited amounts disclosed in the public domain. From the CEO SleepOut website it is clear that R20.2 million was raised in 2016 and R46.2 million for both 2015 and 2016.

The website also states a total of 75% of the R46.2 million was paid to beneficiaries and that this distribution “exceeds international norms of events of this nature”.

Thus, around R11 million was retained from the funds raised in 2016 to cover operational expenses and to allow for a profit for TPC. It also suggests, through the manner in which the amounts are disclosed, that a portion of the funds raised from the 2016 event was used to cover expenses related to the 2015 event. This amount excludes the R1.3 million already paid to Gregg the previous year.

In response to a question, Gregg denied that this assumption is accurate, but did not provide an explanation. This is relevant as the CEO SleepOut Trust took full administrative control of the event in 2016, and could therefore decide how much of the raised funds could be used to cover expenses.

The retained amount of R11 million is significant as it represents around 55% of the R20.2 million raised in that particular year.

How does this chime with international benchmarks for charity running costs? Research by Giving Evidence and Givewell in the UK provides the first empirical data on charity admin costs. It looked at 265 charities between 2008 and 2011 and found that charities recommended by Givewell spent an average of 11.5% of their costs on administration.

However, in response to an earlier question relating to the R11 million, Gregg said: “At the time (December 2016), we budgeted roughly R9 million in costs (over the 12-month period) and held back a further R3 million for the 2017 (and where relevant 2018) working capital requirements. This was on advice from our accountants. Depending on the reconciliation and final accounts, further payouts will be considered.”

Regarding the disclosure of the R1.3 million, Gregg stated: “It was disclosed to the 2015 Working Committee, in court papers, to Sars, to you, and would likely have been disclosed in GBT financials.”

What she will not divulge, however, is how much of the retained R11 million remains in the Trust and how much was paid to TPC, either as professional fees or to cover operational expenses or as licensing fees, and what profits were made by TPC.

Gregg wasn’t prepared to disclose unaudited amounts, but these will be confirmed once the audited statements of the Trust become available.

Trustees

The decision-making authority within the Trust is also concerning. The CEO SleepOut was registered in 2015 with four trustees. They were Gregg, Patricia Stewart, Dick Sher and Darren Olivier.

Moneyweb has been able to confirm that Stewart, Sher and Olivier have subsequently resigned as trustees, leaving Gregg as the only remaining trustee. Gregg failed to respond to several questions related to these resignations and whether any new trustees have been appointed.

It is not clear who decides on the allocation of funds to charity. In a published Q&A document on the website, it is stated that once the revenue was audited, “the allocation (net of costs and working capital requirements) is presented to the Trustees and the members of its Working Group who are comprised of Founding, Title, City, Media and Stakeholder Partner representatives and the Beneficiaries. After that process, the monies are paid out to the appointed Beneficiaries, with total transparency.”

From this, it is not clear how the decision-making process works and whether it is material that only one trustee, who is seemingly conflicted as she is also the owner of TPC, remains.

Many questions regarding the initiative are yet to be answered. Hopefully, more information will become available once BDO signs off the CEO SleepOut Trust’s financial statements. The philanthropy industry is built on a trust relationship and ultimate transparency entrenches this relationship.

By Ryk van Niekerk for MoneyWeb


Pick n Pay in in-store trial of bitcoin payments

In what its backers are calling “potentially a world first for a major grocery retailer”, shoppers were for a “limited time” able to pay for their groceries using bitcoin at a Pick n Pay retail store in Cape Town.

In a statement posted on its website, Cape Town-based specialist software payments development house Electrum, said customers at Pick n Pay’s campus store at its head office were able to use the bitcoin cryptocurrency to purchase groceries and services.

“The checkout process is as simple as scanning a QR code using a bitcoin wallet app on the customer’s smartphone,” the statement said. See demonstration video from Electrum below.

It quoted the retailer’s information systems executive Jason Peisl as saying that although bitcoin and other cryptocurrencies are “still relatively new payment concepts”, Pick n Pay has been able to “effectively demonstrate how we are able to accept such alternative payments”.

Pick n Pay did not say when or even if it planned to expand the pilot to other stores. However, Pick n Pay deputy CEO Richard van Rensburg has subsequently told Business Day that the retailer doesn’t expect to begin accepting bitcoin in the near term. He said the trial has since ended.

“We are unlikely to roll out the solution until the payments industry and regulatory authorities have established a framework for managing the risks associated with cryptocurrencies,” Van Rensburg is quoted as having said. “We have proved to ourselves, though, that it is technically possible to roll out a solution very quickly.”

Electrum provided the cloud-based enterprise payments platform used for the transactions, while the bitcoin infrastructure for the project was provided by Luno, a bitcoin company active in Southeast Asia and Africa, and with an office in Cape Town.

According to Electrum’s website, major retailers and financial institutions use the company’s technology to accept payments, process loyalty transactions and provide value-added services. Its customers include two out of Africa’s top three retailers.

By Duncan Mcleod for TechCentral 

KPMG: too big to fail?

KPMG is struggling to survive and its recent restructuring and public pronouncements have not helped its cause either.

The hollow ring of the excuse proffered by KPMG interim chief operating officer, Andrew Cranston, that “we were only the doers” must be like a red rag to a bull for Pravin Gordhan and all those SARS employees besmirched by the KPMG SARS rogue unit report.

The destruction which this report has wrought on key management at SARS, its institutional reputation, and the long-term negative effects on our country’s economy might never be fully calculated. It would not be dramatic to suggest that in the long-term, KPMG’s complicity in this report might eventually cost South Africa hundreds of billions of rand.

The admission made by Cranston not only increases the culpability of KPMG in its overt contribution to state capture, but also brings into stark relief the fact that KPMG, both locally and internationally, seem unable to discern right from wrong and appear unable to grasp the concept of real contrition.

Since when was the trigger-man acting on behalf of a “client” not the “doer” in the committing of a hit and since when was the trigger-man not criminally liable?

But for the leaked Gupta emails, the partners of KPMG would have felt no guilt as they, like fat men at a smorgasbord, feasted on their annual partnership profits significantly increased by fees of dubious reports and questionable audits. And even now, as the extent of their malfeasance becomes more evident, they continue to resist with half-hearted excuses of “mistakes made and painful lessons learned”. Adding further insult to injury is the paltry R63-million in reparations which KPMG International has now offered our country.

To the partners of KPMG South Africa, that is simply not good enough. It isn’t good enough to offer a few sacrificial executive lambs and claim “but we didn’t know” and then speak of the importance of improving quality standards while hoping that the news cycle will move on.

As partners of KPMG, you cannot plead ignorance of the fact that your firm has conducted itself in an errant fashion and in breach of the Rules of Professional Conduct over a number of years – this was not a once-off mistake or an isolated error of judgement.

Perhaps it is too late now for KPMG’s South African operation, and if so, then what of its 3,400 employees and is KPMG too big to fail? Curiously, in the midst of the corporate crisis facing KPMG, the firm is clutching at every possible straw to justify its survival. Among these might possibly be the argument that they are too big to fail, which is as unconvincing an argument as the notorious “SARS Report”. The fact is that the statute requires that all companies are audited and it follows that volume of audit work will remain the same with or without KPMG. Importantly, not everyone at KPMG is unethical. If KPMG collapses then the great majority of competent and ethical staff of KPMG will find immediate and gainful opportunities in larger as well as mid-tier audit firms who will have to step up to fill the gap left by KPMG.

The collapse of KPMG might also provide a genuine opportunity to scale up a number of medium size audit firms, especially the “empowered firms”. The demise of KPMG will also help reduce the oligopolistic concentration of the large audit firms and will help promote more healthy competition within the profession.

It is true that the KPMG saga has shocked the SA business sector. But this is an interesting case of ethical destruction. After all, this is how a market economy should deal with its faulty and unethical firms. The case has also created a golden opportunity for SA corporations, and the business sector more broadly, to undertake a genuine and constructive recalibration of their ethical framework across all spheres. There is little doubt that all businesses could raise their ethical standards.

In particular, the collapse of KPMG should be a warning siren for the other audit firms to reassess their internal processes and their corporate governance mechanisms. This is vital for socio-economic development because in modern societies, underpinned by complex financial and economic structures, the audit firms play a unique and pivotal role in assuring that resources are used with probity and propriety. To this end, a number of measures need immediate consideration. For example, corporate SA should adopt the principle of “auditor rotation”, as importantly the audit companies themselves need to appoint non-executive directors with appropriate governance competencies; and external audit firms need to focus on audit work and avoid technical advisory work. Corporate finance advisory operations have no place within audit companies. The notion of “Chinese walls” within the audit firms simply does not work, as KPMG clearly demonstrates.

As often said, we should not waste a good crisis. The KPMG crisis should definitely not be wasted on the SA business and the country at large. The crisis is a stark reminder that our nation needs to re-examine the ethics of doing business, whether in the private or in the public sector. We have no time to prevaricate. Company directors, chairpersons of the boards, and members of the audit committees in particular need to act with vigilance and urgency. As Martin Luther King, Jr reminded us: “It is always the right time to do the right thing.”

By Iraj Abedian and Simon Mantell for The Daily Maverick

Ropemaker: a new email security weakness

Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use S/MIME or PGP for signing.

Using the ROPEMAKER exploit, a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

As described in more detail in a recently published security advisory, Mimecast has added a defense against this exploit for our customers and also provides security recommendations that non-customers can consider to safeguard their email from this exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one’s applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited.

[Figure: an email as originally delivered, and the same email changed post-delivery without direct access to the user’s desktop]

To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.
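The ingredient ROPEMAKER depends on is style information that the mail client fetches from a remote server when the message is rendered; that is what lets the displayed content change after delivery. The check below, added here as an illustration and not Mimecast’s code or part of the advisory, scans an HTML email body for exactly those remote-style references (linked stylesheets, `@import` rules and `url(...)` values pointing at a remote host) so a mail gateway or triage script can flag or quarantine them. It uses only the Python standard library; the sample message and the `cdn.example` host are constructed for the example.

```python
import re
from html.parser import HTMLParser

# CSS url(...) or @import that points at an http(s) or protocol-relative URL.
REMOTE_URL = re.compile(r"""url\(\s*['"]?\s*(?:https?:)?//""", re.I)
IMPORT_RULE = re.compile(r"""@import\s+(?:url\(\s*)?['"]?\s*(?:https?:)?//""", re.I)

class RemoteCssFinder(HTMLParser):
    # Collects every place an HTML mail pulls style from a remote server.
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, offending snippet)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            href = a.get("href") or ""
            if href.lower().startswith(("http:", "https:", "//")):
                self.findings.append(("link", href))
        if tag == "style":
            self._in_style = True
        style = a.get("style")
        if style and REMOTE_URL.search(style):
            self.findings.append(("inline-style", style))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Text inside <style>...</style>: look for @import or url() to a remote host.
        if self._in_style and (IMPORT_RULE.search(data) or REMOTE_URL.search(data)):
            self.findings.append(("style-block", data.strip()))

def find_remote_css(html):
    """Return a list of (kind, snippet) for each remote-style reference found."""
    parser = RemoteCssFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message: two remote stylesheets plus a remote background image.
SAMPLE_EMAIL_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example/mail.css">
<style>@import url("https://cdn.example/more.css"); p { color: black; }</style>
</head><body>
<p style="background: url(//cdn.example/bg.png)">Please review the invoice.</p>
<p>Text styled inline only: <span style="color: red">unaffected</span>.</p>
</body></html>"""
```

A message with no findings can only be restyled by what is already inside it, which is the property the “immutable once delivered” assumption relies on; a message with findings should be treated as one whose appearance the sender’s server still controls.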

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? Attackers certainly don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry, let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!

by Matthew Gardiner for Mimecast


Indebted consumers stretch SA to its limits

Credit extension is growing faster than job creation, and the moribund economy cannot carry that burden forever

A 2014-15 World Bank report declared that South Africans were the world’s “biggest borrowers”. Consumer credit-use statistics — a comparison of employment and credit consumer numbers — suggest that South Africans are failing to manage their debt responsibly and that some credit providers might be missing the mark regarding their criteria in affordability assessments.

Despite tougher affordability requirements and large-scale efforts to educate consumers, credit use is outpacing employment growth, and the over-indebted gap is widening.

There were 16.9-million credit-active consumers in 2007, the national credit regulator’s Credit Bureau Report reads. At the time, 6.38-million (or 37.7%) had an impaired credit record. In 2013, there were 20.21-million credit-active consumers, of whom 9.69-million (47.9%) had impaired records.

A record is declared impaired if a debtor is three or more months in arrears on an account, if the debtor is under administration or if there are judgments against the debtor.

In the fourth quarter of 2016, there were 24.31-million credit-active consumers, 9.76-million of whom had impaired records — 40%, or two out of every five credit-active consumers.

While employment has increased by only 18% since 2007-08, the number of credit consumers has grown by almost 44%. The percentage of consumers in bad standing grew from 37.75% to 40.15%. There are now 24.31-million credit consumers — more than 8-million more people than the total number of employed people in SA.

Even allowing for the fact that some people such as financially supported students may not need a job to qualify for certain credit accounts and not all SA’s employed people will be credit active, there is a huge difference in the numbers.

The official credit statistics for 2016’s fourth quarter peg collective consumer debt at more than R1.69-trillion. A significant portion of this — R8.75bn or more than half of debt book value — comprises mortgages, which are considered a wealth-creation type of debt.

For most people, a home loan will be the largest personal debt they incur in a lifetime.

If we move from rand value to sheer number of credit facilities by type, the numbers shift significantly. Mortgages only represent 4.47% of credit accounts. Credit facilities such as credit cards, overdrafts and store cards make up 65% of credit accounts and unsecured credit 14.6%.

These figures do not account for informal debt. Credit bureaus do not list what consumers owe municipalities, in school fees or unpaid medical accounts. One estimate is that only 40% of consumer-debt information is captured by credit bureaus.

As private loans and lending granted outside the formal system, such as loan sharks or mashonisa loans, are not captured, the problem is likely to be much larger than official numbers indicate.

World Bank survey data from a sample of 1,000 people in the Global Findex Report showed that 86% of South Africans took loans in 2016, mostly from acquaintances or private microlenders.

If risk pricing is added to the picture, the poorer end of the consumer market is out in the cold. All credit on offer — from loans to store cards or hire purchase agreements — is priced for risk: the higher the perceived chance of default, the higher the interest rate charged. Low-income earners will, therefore, usually be charged more than high-income earners for the credit on offer.

Instead of excluding poor and risky consumers from credit, many providers allow access but at higher interest rates. Prohibitive rates, greater need — due to lack of generational wealth or more insecure income — and a lack of financial education collide, often overwhelming the most economically vulnerable.

Under apartheid, most South Africans were denied access to certain financial services including credit, either through direct policies or systemic barriers. When that political system was dismantled, there was a desperate need to reform the social system and the barriers to financial inclusion.

The government has been chipping away at the legislation ever since with repeals, new acts, amendments to existing legislation, patches and policy reimagining. The goal is a very narrow sweet spot — increasing financial access while limiting opportunity for abuse of the hungry-for-credit populace.

The Usury Act of 1968 was replaced by the National Credit Act of 2005. The National Credit Amendment Act in 2015 was a further tightening of the reins, especially in terms of the affordability assessments that credit providers are now required to perform. With each new piece of legislation, the government has tried to get one step closer to that dual target.

Their success is a matter of debate, depending on which side of the market you find yourself. One particularly controversial move was the credit information amnesty, or as the credit and legal fraternity know it, the Removal of Adverse Consumer Information and Information Relating to Paid-up Judgments regulations, 2014.

It compelled credit bureaus to remove information of judgments, defaults, and terms such as “delinquent” or “slow paying” from consumer credit profiles, provided that the capital amount owing had been cleared.

This became a requirement of the bureaus and of the credit providers supplying payment information to them. It also meant that no matter how abysmal consumers’ track records of debt payments were, if the debt was paid up, they were given a clean slate by credit providers doing new assessments.

It was a move championed by the Department of Trade and Industry, and one that caused some ructions between it and the Treasury. In 2015, the then chief director of financial sector development at the Treasury, Ingrid Goodspeed, said that the Treasury had “fought that credit information amnesty, we fought it to the last day”.

Credit providers needed “more information, not less”, she said at the time.

“The fact that you wipe it out has not … changed anything. The same people who were overindebted before are now even more overindebted.”

The Treasury was asked to update its position on the matter, but was unable to respond in time for publication.

Officially, two out of five consumers are credit-stressed, and unofficially, the picture is much worse. By omitting municipal, education, private and loan-shark debt, our country’s credit numbers underplay a significant portion of the personal debt carried by the average consumer.

Add to that the pressure of crippling debt-recovery measures such as garnishee orders and asset attachment, insecure employment, stretched regulators, loopholes in the laws and the rising cost of living and the picture is far worse.

Economists say that the amount of consumer debt a country can support depends on the health of the underlying economy. SA may be about to find out what the limits are.

Source: Supermarket
Graphics credit: Dorothy Kgosi

Toys R Us files for bankruptcy

Toys R Us has filed for chapter 11 bankruptcy protection, the company announced Monday.

The bankruptcy filing helps the Wayne, New Jersey-based toy retailer relieve itself of the debt left over from its 2005 acquisition by Kohlberg Kravis Roberts, Bain Capital Partners and real estate investment trust Vornado Realty Trust in a deal valued at $6.6 billion.

The retailer has $4.9 billion in debt, $400-million of which has interest payments due in 2018 and $1.7 billion of which is due in 2019.

“Today marks the dawn of a new era at Toys”R”Us where we expect that the financial constraints that have held us back will be addressed in a lasting and effective way,” Dave Brandon, the company’s chairman and CEO, said in a release announcing the filing.

“We are confident that these are the right steps to ensure that the iconic Toys”R”Us and Babies”R”Us brands live on for many generations,” he adds.

The toy seller also intends to seek protection in parallel proceedings for its Canadian subsidiary.

The company said it will continue to operate as usual its approximately 1,600 Toys R Us and Babies R Us stores around the world. The company’s operations outside of the U.S. and Canada are not part of the protection proceedings, it said.

The retailer said that it has already received a commitment from some lenders, including a JPMorgan-led syndicate, for over $3-billion in debtor-in-possession financing. Although that’s subject to court approval, Toys R Us said it “is expected to immediately improve the Company’s financial health and support its ongoing operations during the court-supervised process.”

Restructuring that debt would give Toys R Us the financial flexibility to continue its turnaround. Initiatives include improving its website and revamping its Babies R Us business, by focusing on items like cribs that are less likely than diapers to be sold on Amazon.

A bankruptcy filing will also help the retailer manage the crucial holiday season and give vendors like Mattel and Hasbro clarity into its long-term plans.

For its owners, the bankruptcy filing ends a chapter that started at a time when private equity dove into the retail industry, buoyed by low interest rates and the attraction of recognizable names. That flurry has come back to haunt many, as debt burdens have made it difficult for retailers to make the necessary investments to adjust to the rapidly changing retail industry.

Private equity-backed Payless ShoeSource and Gymboree are among those that have filed for bankruptcy over the past two years.

For Vornado, the deal was a bet on the value of Toys R Us’s real estate. It came just a year after K-Mart and Sears merged in an $11-billion deal based on the idea that combining the real estate value of the struggling stores would strengthen both.

Many retailers have over the past year shed their real estate footprint, finding the U.S. store-base too vast and too out of sync with the many American shoppers that no longer go to the mall.

By Lauren Hirsh for CNBC


My Office News Ⓒ 2017 - Designed by A Collective