Microsoft Defender adds network protection for Android, iOS devices

Microsoft has introduced a new Microsoft Defender for Endpoint (MDE) feature in public preview to help organizations detect weaknesses affecting Android and iOS devices in their enterprise networks.

After enabling the new Mobile Network Protection feature on Android and iOS devices you want to monitor, the enterprise endpoint security platform will provide protection and notifications when it detects rogue Wi-Fi-related threats and rogue certificates (the primary attack vector for Wi-Fi networks).

Threats it can spot include rogue hardware such as Hak5 Wi-Fi Pineapple devices which both pen-testers and cybercriminals can use to capture data shared within the network.

MDE will also alert users to switch networks if it spots a suspicious or unsecured network and push notifications when it discovers open Wi-Fi networks.

While the feature is enabled by default on mobile devices, Microsoft also provides detailed info on configuring network protection on Android and iOS devices via the Microsoft Endpoint Manager Admin center.

“As the world continues to make sense of the digital transformation, networks are becoming increasingly complex and provide a unique avenue for nefarious activity if left unattended,” the company said this week.

“To combat this, Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence.”

Disabling MDE Network Protection (Microsoft)

Cross-platform endpoint security platform

This is part of a broader effort to expand Defender for Endpoint’s capabilities across all major platforms to allow security teams to defend network endpoints via a single, unified security solution.

In February, MDE on iOS was updated with zero-touch onboarding capability allowing admins to silently and automatically install Defender for Endpoint on enrolled devices.

One month later, Microsoft announced that threat and vulnerability management support for Android and iOS reached general availability in Microsoft Defender for Endpoint.

Android and iOS vulnerability management lets admins decrease mobile endpoints’ attack surface and, in the process, increase their organization’s resilience against incoming attacks.

“With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization – spanning workstations, servers, and mobile devices,” Microsoft said.

Earlier this month, Redmond also said that a new MDE feature allows admins to “contain” unmanaged Windows devices on their network if they were compromised or are suspected to be compromised to block malware and attackers from abusing them to move laterally through the network.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-adds-network-protection-for-android-ios-devices/

Google patches new Chrome zero-day flaw exploited in attacks

Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.

“Google is aware that an exploit for CVE-2022-2294 exists in the wild,” the browser vendor explained in a security advisory published on Monday.

The 103.0.5060.114 version is rolling out worldwide in the Stable Desktop channel, with Google saying that it’s a matter of days or weeks until it reaches the entire userbase.

This update was available immediately when BleepingComputer checked for new updates by going into Chrome menu > Help > About Google Chrome.

The web browser will also auto-check for new updates and automatically install them after the next launch.

Google Chrome 103.0.5060.114

Attack details not revealed

The zero-day bug fixed today (tracked as CVE-2022-2294) is a high severity heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team on Friday, July 1.

The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.

Although Google says this zero-day vulnerability was exploited in the wild, the company is yet to share technical details or any info regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

With this delayed release of more info on the attacks, Chrome users should have enough time to update and prevent exploitation attempts until Google provides additional details.

Fourth Chrome zero-day fixed this year

With this update, Google has addressed the fourth Chrome zero-day since the start of the year.

The previous three zero-day vulnerabilities found and patched in 2022 are:

The one fixed in February, CVE-2022-0609, was exploited by North Korean-backed state hackers weeks before the February patch, according to the Google Threat Analysis Group (TAG). The earliest signs of in-the-wild exploitation were found on January 4, 2022.

It was abused by two North Korean-sponsored threat groups in campaigns pushing malware via phishing emails using fake job lures and compromised websites hosting hidden iframes to serve exploit kits.

Because the zero-day patched today is known to have been used by attackers in the wild, it is strongly recommended to install today’s Google Chrome update as soon as possible.

Source :
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/

Microsoft: Windows Server 2012 reaches end of support in October 2023

Microsoft has reminded customers that Windows Server 2012/2012 R2 will reach its extended end-of-support (EOS) date next year, on October 10, 2023.

Released in October 2012, Windows Server 2012 has entered its tenth year of service and already reached its mainstream end date over three years ago, on October 9, 2018.

Redmond also revealed today that Microsoft SQL Server 2012, the company’s relational database management system, will be retired on July 12, 2022, ten years after its release in May 2012.

Once EOS is reached, Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers running the two products.

“Microsoft recommends customers migrate applications and workloads to Azure to run securely. Azure SQL Managed Instance is fully managed and always updated (PaaS),” the company said.

“Customers can also lift-and-shift to Azure Virtual Machines, including Azure Dedicated Host, Azure VMware Solution, and Azure Stack (Hub, HCI, Edge), to get three additional years of extended security updates at no cost.”

What are the options?

Microsoft advises admins who want to keep their servers running and still receiving bug fixes and security updates to upgrade to Windows Server 2019 and SQL Server 2019.

Redmond also reminded admins in July 2021 that Windows Server 2012 and SQL Server 2012 will reach their extended support end dates in two years, urging them to upgrade as soon as possible to avoid compliance and security gaps.

“We understand that SQL Server and Windows Server run many business-critical applications that may take more time to modernize,” Microsoft said.

“Customers that cannot meet the end of support deadline and have Software Assurance or subscription licenses under an enterprise agreement enrollment will have the option to buy Extended Security Updates to get three more years of security updates for SQL Server 2012, and Windows Server 2012 and 2012 R2.”

Regarding the pricing scheme for Extended Security Updates, Microsoft says that they will carry a cost only for on-premises deployments:

  • In Azure: Customers running SQL Server 2012 and Windows Server 2012 and 2012 R2 in Azure will get Extended Security Updates for free.
  • On-premises: Customers with active Software Assurance or subscription licenses can purchase Extended Security Updates annually for 75 percent of the license cost of the latest version of SQL Server or Windows Server for the first year, 100 percent of the license cost for the second year, and 125 percent of the license cost for the third year.

Additional information regarding eligibility requirements and onboarding details is available on the Extended Security Updates frequently asked questions page.

SQL Server 2008/R2 and Windows Server 2008/R2 Extended Security Updates (ESUs) will also reach their end of support on July 12, 2022, and January 10, 2023, respectively.

Customers who will require additional time to upgrade servers may re-host them on Azure for an additional year of free Extended Security Updates (ESUs).

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-2012-reaches-end-of-support-in-october-2023/

What is Shadow IT and why is it so risky?

Shadow IT refers to the practice of users deploying unauthorized technology resources in order to circumvent their IT department. Users may resort to using shadow IT practices when they feel that existing IT policies are too restrictive or get in the way of them being able to do their jobs effectively.

An old school phenomenon

Shadow IT is not new. There have been countless examples of widespread shadow IT use over the years. In the early 2000s, for example, many organizations were reluctant to adopt Wi-Fi for fear that it could undermine their security efforts. However, users wanted the convenience of wireless device usage and often deployed wireless access points without the IT department’s knowledge or consent.

The same thing happened when the iPad first became popular. IT departments largely prohibited iPads from being used with business data because of the inability to apply group policy settings and other security controls to the devices. Even so, users often ignored IT and used iPads anyway.

Of course, IT pros eventually figured out how to secure iPads and Wi-Fi and eventually embraced the technology. However, shadow IT use does not always come with a happy ending. Users who engage in shadow IT use can unknowingly do irreparable harm to an organization.

Even so, the problem of shadow IT use continues to this day. If anything, shadow IT use has increased over the last several years. In 2021, for example, Gartner found that between 30% and 40% of all IT spending (in a large enterprise) goes toward funding shadow IT.

Shadow IT is on the rise in 2022

Remote work post-pandemic

One reason for the rise in shadow IT use is remote work. When users are working from home, it is easier for them to escape the notice of the IT department than it might be if they were to try using unauthorized technology from within the corporate office. A study by Core found that remote work stemming from COVID requirements increased shadow IT use by 59%.

Tech is getting simpler for end-users

Another reason for the increase in shadow IT is the fact that it is easier than ever for a user to circumvent the IT department. Suppose for a moment that a user wants to deploy a particular workload, but the IT department denies the request.

A determined user can simply use their corporate credit card to set up a cloud account. Because this account exists as an independent tenant, IT will have no visibility into the account and may not even know that it exists. This allows the user to run their unauthorized workload with total impunity.

In fact, a 2020 study found that 80% of workers admitted to using unauthorized SaaS applications. This same study also found that the average company’s shadow IT cloud could be 10X larger than the company’s sanctioned cloud usage.

Know your own network

Given the ease with which a user can deploy shadow IT resources, it is unrealistic for IT to assume that shadow IT isn’t happening or that they will be able to detect shadow IT use. As such, the best strategy may be to educate users about the risks posed by shadow IT. A user who has a limited IT background may inadvertently introduce security risks by engaging in shadow IT. According to a Forbes Insights report, 60% of companies do not include shadow IT in their threat assessments.

Similarly, shadow IT use can expose an organization to regulatory penalties. In fact, it is often compliance auditors – not the IT department – who end up being the ones to discover shadow IT use.

Of course, educating users alone is not sufficient to stop shadow IT use. There will always be users who choose to ignore the warnings. Likewise, giving in to users’ demands for using particular technologies might not always be in the organization’s best interests either. After all, there is no shortage of poorly written or outdated applications that could pose a significant threat to your organization. Never mind applications that are known for spying on users.

The zero-trust solution to Shadow IT

One of the best options for dealing with shadow IT threats may be to adopt zero trust. Zero-trust is a philosophy in which nothing in your organization is automatically assumed to be trustworthy. User and device identities must be proven each time that they are used to access a resource.

There are many different aspects to a zero-trust architecture, and each organization implements zero-trust differently. Some organizations, for instance, use conditional access policies to control access to resources. That way, an organization isn’t just granting a user unrestricted access to a resource, but rather is considering how the user is trying to access the resource. This may involve setting up restrictions around the user’s geographic location, device type, time of day, or other factors.

Zero-trust at the helpdesk

One of the most important things that an organization can do with regard to implementing zero trust is to better secure its helpdesk. Most organizations’ help desks are vulnerable to social engineering attacks.

When a user calls and requests a password reset, the helpdesk technician assumes that the user is who they claim to be, when in reality, the caller could actually be a hacker who is trying to use a password reset request as a way of gaining access to the network. Granting password reset requests without verifying user identities goes against everything that zero trust stands for.

Specops Software’s Secure Service Desk can eliminate this vulnerability by making it impossible for a helpdesk technician to reset a user’s password until that user’s identity has been proven. You can test it out for free to reduce the risks of shadow IT in your network.

Source :
https://thehackernews.com/2022/06/what-is-shadow-it-and-why-is-it-so-risky.html

Staying safe online with our updated Google Password Manager

Strong, unique passwords are key to helping keep your personal information secure online. That’s why Google Password Manager can help you create, remember and autofill passwords on your computer or phone: on the web in Chrome, and in your favorite Android and iOS apps.

Video showing how Google Password Manager is built into Chrome and Android, and how you can set it up as your passwords' provider on your iPhone.

Today we’ve started rolling out a number of updates that help make the experience easier to use, with even stronger protections built in.

A consistent look and feel, across web and apps

We’re always grateful for feedback, and many of you have shared that managing passwords between Chrome and Android has been confusing at times: “It’s the same info in both places, so why does it look so different?” With this release, we’re rolling out a simplified and unified management experience that’s the same in Chrome and Android settings. If you have multiple passwords for the same sites or apps, we’ll automatically group them. And for your convenience, you can create a shortcut on your Android home screen to access your passwords with a single tap.

GIF showing new Google Password Manager shortcut on an Android homescreen.

You can now add a shortcut to Google Password Manager to your Android homescreen.

More powerful password protections

Google Password Manager can create unique, strong passwords for you across platforms, and helps ensure your passwords aren’t compromised as you browse the web. We’re constantly working to expand these capabilities, which is why we’re giving you the ability to generate passwords for your iOS apps when you set Chrome as your autofill provider.

Image showing how Chrome can automatically generate strong passwords on iOS

You can now create strong passwords on your computer or mobile, on any operating system.

Chrome can automatically check your passwords when you enter them into a site, but you can have an added layer of confidence by checking them in bulk with Password Checkup. We’ll now flag not only compromised credentials, but also weak and re-used passwords on Android. If Google warns you about a password, you can now fix it without hassle with our automated password change feature on Android.

Image showing how the Password Checkup feature flags compromised passwords on Android

For your peace of mind, Password Checkup on Android can flag compromised, weak and reused passwords.

To help protect even more people, we’re expanding our compromised password warnings to all Chrome users on Android, Chrome OS, iOS, Windows, MacOS and Linux.

Simplified access and password management

Google built its password manager to stay out of your way — letting you save passwords when you log in, filling them when you need them and ensuring they aren’t compromised. However, you might want to add your passwords to the app directly, too. That’s why, due to popular demand, we’re adding this functionality to Google Password Manager on all platforms.

GIF showing how you can add your passwords directly on all platforms.

Adding your passwords directly is now possible on all platforms.

In 2020, we announced Touch-to-Fill to help you fill your passwords in a convenient and recognizable way. We’re now bringing Touch-to-Login to Chrome on Android to make logging in even quicker by allowing you to securely log in to sites directly from the overlay at the bottom of your screen.

GIF showing new touch-to-login feature

Touch-to-Login signs you in directly from a recognizable overlay.

Many of these features were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security experts based in Munich, so Guten Tag from the team! Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification, to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.

Source :
https://blog.google/products/chrome/password-manager-update/

Google Workspace Now Warns Admins of Sensitive Changes

Google this week announced that new warnings added in the Google Workspace Alert Center will keep administrators notified of critical and sensitive configuration changes.

Previously known as G Suite, Google Workspace provides secure collaboration and productivity tools for enterprises of all sizes. Accessible from anywhere in Google Workspace, the Alert Center delivers real-time security alerts and insights, to help admins mitigate threats such as phishing and malware.

With the new alerts in place, admins will also receive notifications whenever select changes are made to their Google Workspace configurations.

Specifically, warnings will be displayed when the primary admin is changed, when the password for a super admin account has been reset, and when changes are made to SSO profiles – when a third-party SSO profile has been added, updated, or deleted for the organization.

“These additional intelligent alerts will closely monitor several sensitive actions, making it easier for admins to stay on top of high-risk changes to their environment and potentially malicious actions being taken by bad actors,” Google explains.

An email notification containing key details on the event will be delivered to admins and super admins for each alert. The security investigation tool will allow admins to further investigate the reported incident.

The alerts and their associated email notifications are enabled by default and cannot be turned off.

The new capability is rolling out to all Google Workspace customers, including legacy G Suite Basic and Business customers, and is expected to become visible for everyone in the next couple of weeks.

Earlier this year, Google boosted malware and phishing protections in Workspace with updated comment notifications that now also include the commenter’s email address, so that users can better assess the legitimacy of the message.

Source :
https://www.securityweek.com/google-workspace-now-warns-admins-sensitive-changes

AstraLocker 2.0 infects users directly from Word attachments

A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.

This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products.

According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement.

Instead, they are performing “smash-n-grab” attacks to immediately hit with maximum force, aiming for a quick payout.

From document to encryption

The lure used by the operators of AstraLocker 2.0 is a Microsoft Word document that hides an OLE object with the ransomware payload. The embedded executable uses the filename “WordDocumentDOC.exe”.

To execute the payload, the user needs to click “Run” on the warning dialog that appears upon opening the document, further reducing the chances of success for the threat actors.

Unknown publisher warning (ReversingLabs)

This bulk approach is in line with Astra’s overall “smash-n-grab” tactic, choosing OLE objects instead of VBA macros that are more common in malware distribution.
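A defender-side triage for the delivery method described above, as an added example that is not code from ReversingLabs or the original article: it lists the embedded-object parts of a Word file and flags any that carry an executable file name or a PE image. It assumes the lure is an OOXML (.docx) container, which the article does not state; the sample documents and the `C:\Temp` path are constructed, and the sample `.bin` is an inert byte string rather than a real compound file.

```python
import io
import re
import struct
import zipfile

MAX_EMBED_SIZE = 64 * 1024 * 1024      # refuse to inflate anything larger
# Printable run ending in an executable/script extension and NUL-terminated,
# the way the label and path strings of an OLE Package object are stored.
NAME_RE = re.compile(
    rb"[\x20-\x7e]{1,200}\.(?:exe|scr|com|dll|bat|cmd|js|vbs)(?=\x00)", re.I)


def find_pe(blob):
    """Offset of the first MZ header whose e_lfanew points at a PE signature,
    or -1. Heuristic: a large stream inside a real compound file can be split
    across sectors, so a parser such as olefile gives exact stream contents."""
    start = blob.find(b"MZ")
    while start != -1:
        if start + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, start + 0x3C)
            sig = blob[start + e_lfanew:start + e_lfanew + 4]
            if 0 < e_lfanew < 0x1000 and sig == b"PE\x00\x00":
                return start
        start = blob.find(b"MZ", start + 1)
    return -1


def scan_docx(data):
    """Return one finding per suspicious part under word/embeddings/."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not an OOXML container; a legacy .doc needs a "
                         "compound-file parser instead") from None
    findings = []
    with archive:
        for info in archive.infolist():
            if not info.filename.startswith("word/embeddings/"):
                continue
            if info.file_size > MAX_EMBED_SIZE:      # possible zip bomb
                findings.append({"part": info.filename, "names": [],
                                 "pe_offset": -1, "oversize": True})
                continue
            blob = archive.read(info)
            names = sorted({
                m.group(0).replace(b"/", b"\\").rsplit(b"\\", 1)[-1].decode("ascii")
                for m in NAME_RE.finditer(blob)})
            pe_offset = find_pe(blob)
            if names or pe_offset >= 0:
                findings.append({"part": info.filename, "names": names,
                                 "pe_offset": pe_offset, "oversize": False})
    return findings


def _docx(parts):
    """Build a minimal constructed .docx holding the given extra parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for name, blob in parts.items():
            z.writestr(name, blob)
    return buf.getvalue()


def sample_with_payload():
    # Inert stub: MZ header whose e_lfanew (0x40) points at "PE\0\0", no code.
    stub = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
            + b"PE\x00\x00" + b"\x00" * 20)
    ole = (b"\x02\x00" + b"WordDocumentDOC.exe\x00"
           + b"C:\\Temp\\WordDocumentDOC.exe\x00" + b"\x00" * 8 + stub)
    return _docx({"word/embeddings/oleObject1.bin": ole})


def sample_clean():
    # A benign embedded spreadsheet: present under embeddings/, nothing flagged.
    return _docx({"word/embeddings/Sheet1.xlsx": b"PK\x03\x04 benign sheet"})


if __name__ == "__main__":
    for label, doc in (("payload", sample_with_payload()),
                       ("clean", sample_clean())):
        print(label, scan_docx(doc))
```

Run at a mail gateway or on quarantined attachments, a hit on either signal is a reason to hold the message before the user ever sees the “Run” dialog.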

Another peculiar choice is the use of SafeEngine Shielder v2.4.0.0 to pack the executable, which is such an old and outdated packer that reverse engineering is almost impossible.

After an anti-analysis check to ensure that the ransomware isn’t running in a virtual machine and that no debuggers are loaded in other active processes, the malware prepares the system for encryption using the Curve25519 algorithm.

The preparation includes killing processes that could jeopardize the encryption, deleting volume shadow copies that could make restoration easier for the victim, and stopping a list of backup and AV services. The Recycle Bin is simply emptied instead of encrypting its contents.

AstraLocker 2.0 ransom note (ReversingLabs)

AstraLocker background

According to the code analysis of ReversingLabs, AstraLocker is based on the leaked source code of Babuk, a buggy yet still dangerous ransomware strain that exited the space in September 2021.

Additionally, one of the Monero wallet addresses listed in the ransom note is linked to the operators of Chaos ransomware.

This could mean that the same operators are behind both malware strains or that the same hackers are affiliates on both ransomware projects, which is not uncommon.

Judging from the tactics that underpin the latest campaign, this doesn’t seem to be the work of a sophisticated actor but rather one who is determined to deliver as many destructive attacks as possible.

Source :
https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/

Securing Port 443: The Gateway To A New Universe

At Wordfence our business is to secure over 4 million WordPress websites and keep them secure. My background is in network operations, and then I transitioned into software development because my ops role was at a scale where I found myself writing a lot of code. This led me to founding startups, and ultimately into starting the cybersecurity business that is Wordfence. But I’ve maintained that ops perspective, and when I think about securing a network, I tend to think of ports.

You can find a rather exhaustive list of TCP and UDP ports on Wikipedia, but for the sake of this discussion let’s focus on a few of the most popular ports:

  • 20 and 21 – FTP
  • 22 – SSH
  • 23 – (Just kidding. You better not be running Telnet)
  • 25 – Email via SMTP
  • 53 – DNS
  • 80 – Unencrypted Web
  • 110 – POP3 (for older email clients)
  • 443 – Web encrypted via TLS
  • 445 – Active Directory or SMB sharing
  • 993 – IMAP (for email clients)
  • 3306 – MySQL
  • 6378 – Redis
  • 11211 – Memcached

If you run your eye down this list, you’ll notice something interesting. The options available to you for services to run on most of these ports are quite limited. Some of them are specific to a single application, like Redis. Others, like SMTP, provide a limited number of applications, either proprietary or open-source. In both cases, you can change the configuration of the application, but it’s rare to write a custom application on one of those ports. Except port 443.

In the case of port 443 and port 80, you have a limited range of web servers listening on those ports, but users are writing a huge range of bespoke applications on port 443, and have a massive selection of applications that they can host on that port. Everything from WordPress to Drupal to Joomla, and more. There are huge lists of Content Management Systems.

Not only do you have a wide range of off-the-shelf web applications that you can run on port 443 or (if you’re silly) port 80, but you also have a range of languages they might be coded in, or in which you can code your own web application. Keep in mind that the web server, in this case, is much like an SSH or IMAP server in that it is listening on the port and handling connections, but the difference is that it is handing off execution to these languages, their various development frameworks, and ultimately the application that a developer has written to handle the incoming request.

With SSH, SMTP, FTP, IMAP, MySQL, Redis and most other services, the process listening on the port is the process that handles the request. With web ports, the process listening on the port delegates the incoming connection to another application, usually written in another language, running at the application layer, that is part of the extremely large and diverse ecosystem of web applications.

This concept in itself – that the applications listening on the web ports are extremely diverse and either home-made or selected from a large and diverse ecosystem – presents unique security challenges. In the case of, say, Redis, you might worry about running a secure version of Redis and making sure it is not misconfigured. In the case of a web server, you may have 50 application instances written in two languages from five different vendors all on the same port, which all need to be correctly configured, have their patch levels maintained, and be written using secure coding practices.

As if that doesn’t make the web ports challenging enough, they are also, for the most part, public. Putting aside internal websites for the moment, perhaps the majority of websites derive their value from making services available to users on the Internet by being public-facing. If you consider the list of ports I have above, or in the Wikipedia article I linked to, many of those ports are only open on internal networks or have access to them controlled if they are external. Web ports for public websites, by their very nature, must be publicly accessible for them to be useful. There are certain public services like SMTP or DNS, but as I mentioned above, the server that is listening on the port is the server handling the request in these cases.

A further challenge when securing websites is that often the monetary and data assets available to an attacker when compromising a website are greater than the assets they may gain compromising a corporate network. You see this with high volume e-commerce websites where a small business is processing a large number of web-based e-commerce transactions below $100. If the attacker compromises their corporate network via leaked AWS credentials, they may gain access to the company bank account and company intellectual property, encrypt the company’s data using ransomware, or perhaps even obtain customer PII. But by compromising the e-commerce website, they can gain access to credit card numbers in-flight, which are far more tradeable, and where the sum of available credit among all cards is greater than all the assets of the small business, including the amount of ransom that business might be able to pay.

Let’s not discount breaches like the 2017 Equifax breach that compromised 163 million American, British and Canadian citizens’ records. That was extremely valuable to the attackers. But targets like this are rare, and the Web presents a target-rich environment. Which is the third point I’d like to make in this post. While an organization may run a handful of services on other ports, many companies – with hosting providers in particular – run a large number of web applications. And an individual or company is far more likely to have a service running on a web port than any other port. Many of us have websites, but how many of us run our own DNS, SMTP, Redis, or another service listening on a port other than 80 or 443? Most of us who run websites also run MySQL on port 3306, but that port should not be publicly accessible if configured correctly.

That port 443 security is different has become clear to us at Wordfence over the years as we have tracked and cataloged a huge number of malware variants, web vulnerabilities, and a wide range of tactics, techniques, and procedures (TTP) that attackers targeting web applications use. Most of these have no relationship with the web server listening on port 443, and nearly all of them have a close relationship with the web application that the web server hands off control to once communication is established.

My hope with this post has been to catalyze a different way of thinking about port 443 and that other insecure port (80) we all hopefully don’t use. Port 443 is not just another service. It is, in fact, the gateway to a whole new universe of programming languages, dev frameworks, and web applications.

In the majority of cases, the gateway to that new universe is publicly accessible.

Once an attacker passes through that gateway, a useful way to think about the web applications hosted on the server is that each application is its own service that needs to have its patch level maintained, needs to be configured correctly, and should be removed if it is not in use to reduce the available attack surface.
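One way to put the "each application is its own service" view into practice, as an added example that is not Wordfence code: walk a web root, identify every WordPress, Joomla and Drupal install by the file in which each records its core version, and mark those below a minimum version. The directory layout, the version numbers and the baseline are constructed sample values; the baseline stands in for your own patch policy.

```python
import os
import re
import tempfile
from pathlib import Path

# (application, marker file relative to the install directory, version regex).
# Each file is where that CMS records its own core version.
MARKERS = [
    ("WordPress", "wp-includes/version.php",
     re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    ("Joomla", "administrator/manifests/files/joomla.xml",
     re.compile(r"<version>([^<]+)</version>")),
    ("Drupal", "core/lib/Drupal.php",                # Drupal 8 and later
     re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")),
    ("Drupal", "includes/bootstrap.inc",             # Drupal 7
     re.compile(r"define\('VERSION',\s*'([^']+)'\)")),
]


def version_key(version):
    """Numeric components only, so that 5.8.1 sorts below 5.10."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_apps(web_root, max_depth=4):
    """Walk web_root and return one record per application install found."""
    root = Path(web_root)
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        here = Path(dirpath)
        if len(here.relative_to(root).parts) >= max_depth:
            dirnames[:] = []                         # stop descending
        for app, rel, pattern in MARKERS:
            marker = here / rel
            if not marker.is_file():
                continue
            match = pattern.search(marker.read_text(errors="replace"))
            if match:                 # the file exists AND states a version
                found.append({"app": app,
                              "path": here.relative_to(root).as_posix(),
                              "version": match.group(1)})
    return sorted(found, key=lambda rec: rec["path"])


def assess(apps, baseline):
    """Mark installs older than the operator's minimum version per app."""
    report = []
    for rec in apps:
        minimum = baseline.get(rec["app"])
        outdated = (minimum is not None
                    and version_key(rec["version"]) < version_key(minimum))
        report.append({**rec, "outdated": outdated})
    return report


# Constructed sample: five installs from three projects behind one web server.
SAMPLE_TREE = {
    "shop/wp-includes/version.php": "<?php\n$wp_version = '5.8.1';\n",
    "blog/wp-includes/version.php": "<?php\n$wp_version = '6.0';\n",
    "intranet/old/administrator/manifests/files/joomla.xml":
        "<extension><version>3.9.2</version></extension>",
    "docs/core/lib/Drupal.php": "<?php\nclass Drupal {\n  const VERSION = '9.4.1';\n}\n",
    "legacy/includes/bootstrap.inc": "<?php\ndefine('VERSION', '7.59');\n",
}
# Constructed minimum versions; replace with your own patch policy.
SAMPLE_BASELINE = {"WordPress": "6.0", "Joomla": "4.1.5", "Drupal": "9.4.1"}


def build_sample(root):
    for rel, content in SAMPLE_TREE.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return assess(find_apps(root), SAMPLE_BASELINE)


if __name__ == "__main__":
    for rec in demo():
        flag = "OUTDATED" if rec["outdated"] else "ok"
        print(f"{rec['path']:<14} {rec['app']:<10} {rec['version']:<8} {flag}")
```

An install that appears in this inventory but that nobody can name an owner for is a candidate for removal rather than patching.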

If you are a web developer you may already think this way, and if anything, you may be guilty of neglecting services on ports other than port 80 or 443. If you are an operations engineer, or an analyst working in a SOC protecting an enterprise network, you may be guilty of thinking about port 443 as just another port you need to secure.

Think of port 443 as a gateway to a new universe that has no access control, with HTTPS providing easy standardized access, and with a wide range of diverse services running on the other side, that provide an attacker with a target and asset-rich environment.

Footnote: We will be exhibiting at Black Hat in Las Vegas this year at booth 2514 between the main entrance and Innovation City. Our entire team of over 30 people will be there. We’ll have awesome swag, as always. Come and say hi! Our team will also be attending DEF CON immediately after Black Hat.

Written by Mark Maunder – Founder and CEO of Wordfence. 

Source :
https://www.wordfence.com/blog/2022/06/securing-port-443/

The 5 best time blocking apps in 2022

If you’re like me, you often find yourself feeling like there’s not enough time in the day—and by often, I mean pretty much every day. When there’s no time to waste and you have to nail down your priorities, adding structure and consistency becomes a necessity. That’s where time blocking apps are an excellent way to manage your schedule: they force you to plan out every minute of your day.

Some time blocking apps work better for people who are more visual, while others are better for those who need more organization. Some apps are geared towards solopreneurs and freelancers, while others are designed for folks who work as part of a corporate team. That’s why I spent several weeks testing dozens of time blocking apps—to figure out which ones were the best for which people.

Whatever your reason for time blocking, one of the time blocking calendars here should speak to you and your needs.

The 5 best time blocking apps

What is time blocking?

Time blocking is a time management technique where you schedule how you’ll spend your time during every minute of every day. Each task you need to complete gets time scheduled on your calendar, so you can make sure you have the bandwidth for every to-do list item.

Most people’s work calendars look like this:

Google Calendar screenshot where only meetings are scheduled

Your meetings are there, and the rest of your time is just assumed to be open. A time blocked calendar, meanwhile, fills in all of those gaps: 

Example of a time blocked calendar, where both meetings and tasks are scheduled

Time blocking as a time management technique was popularized by Cal Newport, author of Deep Work. Newport says he dedicates 10-20 minutes every evening to time blocking his schedule for the next day, but when you choose to block your time and create your schedule depends on what works best for you. You might create your schedule every day when you get to work, at the end of every work day for the next day, or at the beginning of each week for the rest of the week.

Additionally, you can approach the time blocking method in a couple of different ways. You might schedule time blocks for specific tasks around your meetings and other commitments, or you might choose to schedule time specifically for meetings and other commitments.

For example, instead of accepting meeting invites for whenever people send them, you may block off Monday, Wednesday, and Friday for working on tasks and leave Tuesday and Thursday open for people to schedule meetings. Then, you can break those big sections for Monday, Wednesday, and Friday down into specific tasks—daily or weekly, based on your priorities.

example of time blocking in chunks

Scheduling time for tasks forces you to think about how long each task is going to take you to complete, which, over time, can help you form more realistic estimates.

What makes a great time blocking app?

How we evaluate and test apps

All of our best apps roundups are written by humans who’ve spent much of their careers using, testing, and writing about software. We spend dozens of hours researching and testing apps, using each app as it’s intended to be used and evaluating it against the criteria we set for the category. We’re never paid for placement in our articles from any app or for links to any site—we value the trust readers put in us to offer authentic evaluations of the categories and apps we review. For more details on our process, read the full rundown of how we select apps to feature on the Zapier blog.

You could just use your calendar app to time block your schedule, or even a sheet of paper, but dedicated time blocking tools make the process a lot easier. Here are the criteria I used to determine the best time blocking software:

  • Integration with your current calendar. Being able to sync a calendar with a time blocking planner saves time and helps keep schedules error-free, so this is a must-have.
  • Ease of use. Some apps are just downright hard to figure out, so it was essential that my picks had a simple, intuitive interface that was easy to navigate.
  • Calendar and tasks in one place. No one wants to deal with having their projects and to-dos scattered in too many places. The purpose of a time-blocking app should be to simplify, which means being able to find and review your tasks in a central place.
  • Customization. While the ability to customize features like colors, themes, lists, alerts, and notifications is of varying importance, I chose apps that I felt provided enough flexibility to fit most people’s day-to-day needs.
  • Integration with other tools. Integrating your time block planner with your calendar is just the standard, but integration with other apps and tools is a wonderful cherry on top.

Best time blocking app for daily planning

Sunsama (Web, macOS, iOS, Android) 

Sunsama, our pick for the best time blocking app for daily planning

Sunsama is by far the best-designed app on this list. The app wastes no space, and after setting it up, you’ll immediately understand how to use it. There’s a task list, sorted by date, and there’s a sidebar with a calendar. You can flip this around if you want, but either way, it’s quick to drag tasks over to your calendar, making it convenient to jot down all your duties for the day and then focus on planning them all out accordingly.

Another neat feature is the ability to properly categorize all your tasks. Most time blocking apps have some kind of tagging aspect, but Sunsama takes it a little further with what they call contexts and channels. Contexts are essentially overarching categories, like Work or Personal. Within those categories, you can create sub-categorizations, like Focus Time, Creative Time, or Family Time to further drill down the organization of tasks.

Where Sunsama really stands out is how it helps you plan out your day. Sign on in the morning, and you’ll be asked which tasks you have to work on, how long you think they are, and when you want to do them all. It really makes the process of blocking your day painless, and there’s even support for sending a summary of your plan for the day over to Slack in a single click. When nearing the end of your day, Sunsama will prompt you to jot down what you finished that day and what you didn’t get to, which I found a nice way to regroup before logging off.

The app is full of little touches like this, and the result is that time blocking your daily to-do list feels easier here than in any app we tested. And integrations with Trello, Gmail, GitHub, and Jira mean you can drag tasks over from a variety of apps. Google and Outlook calendars are both supported. The main downside: there’s no free plan. 

Sunsama pricing: Starts at $20/month. No free version, though there is a 14-day free trial. 

If you’re looking for a Sunsama alternative, try Timepage. It’s not a traditional time blocking app, but the sleek interface and added features, like weather reports and RSVP reminders, make it a worthy option.

Best time blocking app for project management

HourStack (Web, macOS, iOS, Android)

HourStack, our pick for the best time blocking app for project management

HourStack is well-suited for teamwork, with the ability to add multiple users and manage an entire team’s workflow. But it also works well as a task tracker app for individual professionals who just want to keep track of their work, monitor how much time is spent on each task, and block time out to focus.

You start by blocking time for the day/week. Then, when you’re ready to start on each task, click the task, and select Start to initiate a timer. When you’re finished working on the task, you can complete it if it’s finished, or if you run out of time, you can roll the task over to work on it again later. In the Reports section, you’ll see detailed metrics for the time estimated and spent on each task. And as a bonus, you can integrate HourStack with Google Sheets to export all your insights, which is very useful when you need to present or share your time spent with people who don’t use HourStack. I also personally loved how visual the platform was—you can see all your tasks and events for the week as cards on your dashboard (Sunsama actually does this similarly, too).

HourStack will pull events from Google Calendar and Outlook 365, but it doesn’t add those events directly onto your HourStack calendar. Instead, you’ll see them in a sidebar on the right side of the screen and can drag and drop them onto your HourStack calendar.

The main downside to HourStack is that it doesn’t have a place to keep a to-do list. Instead, you’re mostly using your calendar to capture your to-dos. But it does have native integrations with apps like Trello, Todoist, and Asana, so you can see your to-dos from another app within HourStack to plan and schedule in one place. There are also integrations with HubSpot, GitHub, and Google Sheets—plus basically every other app, thanks to HourStack’s Zapier integrations, which let you do things like automatically adding new calendar events to your HourStack calendar and vice versa.

HourStack Pricing: 14-day free trial. Personal plan starts at $9/month.

Timely is an HourStack alternative that also allows you to track billable projects within a team. One of the biggest differences is the lack of an actual timer—instead, it uses a Memory app to track time automatically, which is nice, especially if you’re working on other projects in the background.

Best time blocking app for Trello or Jira users

Planyway (Chrome, Safari, Opera)

Planyway, our pick for the best time blocking app for project management

If you use Trello or Jira as your to-do list or project management tool, Planyway lets you block time on your calendar using those tasks. 

You can easily create and place all your tasks into your pre-created Trello lists (or create new lists within Planyway), and then just drag and drop them onto the Planyway calendar. Connect your existing calendar, and you’ll see those same tasks or events with the rest of your schedule. The app did take a bit of time to think about integrating with my Google Calendar, but after a few refreshes, it wound up working just fine.

Planyway also gives you the option to connect it to your Google, Outlook, or Apple calendar, so you can see your calendar appointments in context. On its Free and Basic plans, Planyway supports one-way syncing: you can see your Planyway cards in your calendar using an iCal URL, but you can’t see your calendar events in Planyway. Two-way syncing that keeps both calendars in sync is available on the Pro plan.

Planyway Pricing: The Free plan includes one-way calendar syncing; from $3.99/month for the Pro plan that includes two-way calendar syncing and recurring tasks.

Best time blocking app for an all-in-one tool

TickTick Premium (Web, Android, iOS, macOS, Windows, Chrome, Firefox, watchOS)

TickTick, our pick for the best time blocking app with a built-in to-do list

TickTick Premium lets you compile your tasks in a to-do list and then block time for those tasks on your calendar. But TickTick offers a feature that the others don’t: a Pomodoro timer. So if you want to combine time blocking with the Pomodoro Technique—or if you’re looking for the best task management app with built-in time blocking—TickTick Premium may be the best option for you.

Adding tasks to your calendar in TickTick isn’t as simple as it is in some of the other apps. Instead of dragging and dropping tasks onto your calendar, you have to take a few steps. While adding a task, you can use natural language processing to add a due date—for example, you could type “walk the dog tomorrow.” Do that, and your task will have a due date. If you forget, that’s ok: you can edit a task and select a due date. It will then show up on your calendar as an all-day event—you can drag it to whatever time you want.

TickTick can also pull events from your existing calendar and display them on your TickTick calendar; or you can set it up to push TickTick events to your main calendar. You can’t manage calendar appointments in TickTick, though—the appointments from your calendar are basically only there for reference. But it’s enough to plan your day.

Another neat feature to take advantage of is the Eisenhower Matrix. The name may sound a little intimidating, but it’s actually very simple. You can use the matrix to organize your tasks according to Urgent & Important, Urgent & Unimportant, Not Urgent & Important, and Not Urgent & Unimportant. This system essentially provides a way to properly prioritize and tag your tasks with a simple drag and drop. As someone who can get overwhelmed with the number of tasks on my plate, being able to see a visual representation of my tasks prioritized was a huge help.

You can integrate TickTick with thousands of apps using Zapier’s TickTick integrations. This is great for adding tasks to your calendar or pulling in tasks from other apps like Gmail or Slack.

TickTick Pricing: The free TickTick product doesn’t include a calendar view; from $2.79/month for TickTick Premium that includes the calendar view and RSS feeds to and from third-party calendars.

Best free time blocking app for Apple users (and hyper-scheduling)

Sorted^3 (iOS, macOS, Apple Watch, iPadOS)

Sorted3, our pick for the best free time blocking app for hyper-scheduling

Sorted^3 is the self-proclaimed app for hyper-schedulers—and as someone who self-identifies that way, I’d absolutely agree.

Sorted^3 has an excellent onboarding flow. When you sign up, you’ll be immediately directed to a tutorial showing you how to use app shortcuts and other unique features, like Magic Select (more on that in a bit). While the amount of information may seem overwhelming at first, it does a superb job of guiding you through all the features that are available to you as you start using them. 

On the hyper-categorization front, there’s a tab for lists that has sections for errands, notes, links, and groceries, so you can put any tasks or information that you want to store for later—but you can also schedule out any tasks from the lists as well.

Back to Magic Select. This feature lets you quickly highlight multiple items in your schedule. This means you can delete, recategorize, retag, or reschedule multiple tasks without too much effort. Surprisingly, out of all the other apps I tested, none had this feature.

You’ll also get an auto-scheduling feature. You can add all your tasks to the schedule section, assign a certain period of time for each one, and then let Sorted^3 do the heavy lifting of blocking out time for all your tasks. You can even add an automatic buffer period between tasks, and you’re able to move things around after they’ve been scheduled.

Sorted^3 also has some nice Apple-specific features. For example, you can sync to iCloud and can take advantage of Siri to plan out tasks.

Sorted^3 pricing: Free; PRO version is $14.99

SkedPal also has great auto-scheduling capabilities, and it’s worth a look if you like the idea of Sorted^3 but don’t use Apple devices. SkedPal’s time map feature allows you to throw a task into a category, like Focus Time or Weekends, and then automatically schedules it within that task category.

Do you need a time block app?

You might decide that you don’t need a dedicated app for time blocking, and that’s fine. Here are some other ideas: 

  • We included TickTick in the list above, but some of the other best to-do list apps also have basic time blocking features, including Any.do and Todoist
  • Honestly, any of the best calendar apps could work for calendar blocking. Just add your tasks as calendar appointments. 
  • Serene is a distraction blocking app that also works great for planning your day. It’s not exactly a time blocking app, but might be better for some people. 

Also worth noting: if you already have a great to-do list app and a great calendar app, you could just connect the two using Zapier.

But if you want everything in one app, one of the tools in this list should do the trick. Each app offers a free plan or free trial, so you can try them all and pick the one that works best for you.

Source :
https://zapier.com/blog/best-time-blocking-app/

How to start an eCommerce business: A step-by-step guide

I’m pretty much always thinking about the prospect of starting an eCommerce business. I like my job, but I do not enjoy labor, and the siren songs of any number of passive income streams call to me daily. Tragically, however, I am not cut out for entrepreneurship. I spent a few years freelancing full-time in my early 20s, and I nearly bankrupted myself—I just never did any work.

If you’re thinking about diving into eCommerce entrepreneurship, you should have a clear and thorough understanding of exactly what it takes to be successful as an online seller. So before you start loading up on craft resin or earring hooks, read on to find out exactly what it takes to start an eCommerce business.

Pros and cons of running an eCommerce store

You don’t have to search very far to see what it is that draws people to the idea of starting their own eCommerce business. No micromanaging supervisors to answer to or fat cat executives living off of the fruits of your labor, and without any physical assets or locations, you can go wherever you want and still run your operation. 

In short, many people are drawn to eCommerce selling because they think it’s their key to freedom. To those people, I say: au contraire. In many ways, eCommerce sellers are more limited than regular employees. 

Sure, I may have to answer to my manager, but if I mess something up, there’s no chance of her requesting a refund on my last paycheck or claiming the work I emailed her got irretrievably lost. I may not make my own hours, but since my salary is fixed, I can take days off knowing that there’s no chance of it impacting how much money I make. You need to decide for yourself whether the benefits of launching an eCommerce business outweigh the risks of flying without the safety net of job security to fall back on.

How to tell if eCommerce is right for you

In the same way that some kids are terrible at homework but are great test-takers, there are some personalities that do thrive under the pressure of relying on their business’s success for their survival. When it comes to employment vs. entrepreneurship, there is no objectively better, more flexible, more independent choice—there’s just what works better for you.

Here’s a quick self-screener you can use to determine if you’re cut out for online selling:

  • Do you like what you do? This is something you’re going to be spending hours on, day in and day out—and you’re going to have to work really hard to get your business off the ground. Unlike traditional small business owners, you won’t have a staff, coworkers, or a physical workplace; it’s just going to be you, likely in your home, making the thing you sell. If you’re not truly passionate about your product, you’ll be miserable within a few weeks, tops.
  • Are you self-disciplined? It’s not easy being your own boss, especially in an industry as isolating as eCommerce. Many other small businesses don’t have this problem—I taught piano lessons for a period of time and didn’t have a boss then, but knowing that my students were relying on me to be prepared for their lessons still kept me accountable. It’s a lot easier to stay motivated when you’re interacting with customers or a small staff.
  • Do you have a lot of commitments? Anyone who has ever tried to work remotely from their parents’ house can tell you that, for whatever reason, people simply do not perceive solo work on a computer as “real work,” so if you want to run a successful online store, you need strong boundaries and a close relationship with the word “no.” 
  • Can you take on the financial risk? Starting a store on the side while you stay in a day job is one thing, but if you’re making a complete leap to entrepreneurship, you need to be able to get by for a few months or even a year without much income. If you have lots of debt or a family to feed, this might not be the career for you.

Provided you’ve given it some thought and you’re ready to make the leap—or if you’re starting your business part-time until it takes off—you’re ready to get started on launching your business.

Choose an eCommerce business model

When I think of small eCommerce businesses, I think primarily of some of my favorite niche Etsy shops selling things like taxidermied squid jewelry and D&D dice with real mushrooms inside. (I am a very fun person to know at Christmas.) 

But eCommerce selling includes far more than traditional consumer retail. Depending on your needs, you may find that one of these alternatives suits you best:

  • Dropshipping: Dropshipping is a type of eCommerce business where you sell products without carrying any inventory. When a customer places an order on your site, you simply contact the supplier (or have the order sent automatically) and have them ship the product directly to the customer. Dropshipping is a popular eCommerce business model because you don’t need to spend a lot of money up front.
  • Print on demand: Print on demand is similar to dropshipping, but instead of shipping products from a supplier, you have your products printed and shipped by a print-on-demand service. This type of eCommerce business is often used for selling custom-printed products like t-shirts, mugs, and stationery.
  • Retail arbitrage: Retail arbitrage is the process of buying products from brick-and-mortar stores and selling them online at a higher price. This type of eCommerce business can be profitable, but it requires a bit more work than dropshipping or print on demand. You also need to identify a product niche that allows you to do this profitably, where you can be confident that customers won’t just go to the original source to make their purchase at a lower price.
  • Wholesaling: Wholesaling is a type of eCommerce business where you sell products in bulk to retailers. The benefit of wholesaling is that you can get discounts on the products you purchase, which allows you to sell them at a higher price and still make a profit. But this requires a large initial investment since you’ll need to stock inventory in bulk quantities.
  • Subscriptions: Subscription eCommerce businesses sell products or services on a recurring basis, most commonly in the form of a monthly box of curated products (or, in my dog’s case, a monthly delivery of different home-style baked treats). But there are other types of subscription businesses, such as online courses and members-only clubs.

Not sure which way to go? Check out our guide to eCommerce sales channels for more detailed information on how to decide.

Choose a product market

What business model you choose will also rely heavily on the product market you want to target, since not all models will work with all types of products. Naturally, dropshipping won’t work to sell hand-knitted sweaters, while very few people are likely to buy a subscription for artisan coffee tables. The other thing that will help you decide what products to sell is your chosen target market.

A broad target market is the kiss of death for a budding eCommerce entrepreneur. There are over 9.1 million eCommerce retailers in the world, 2.5 million of which are located in the United States. Do you want to compete with between 2.5 and 9.1 million businesses? I didn’t think so.

When you choose a product market, you’re isolating a part of this larger market of retailers that you want to compete within. The more specific your product market is, the fewer competitors you have; the fewer competitors you have, the more likely you are to succeed. In eCommerce, the most successful sellers home in on extremely small, highly specific product markets—also called micro-markets or niches.

How to find your eCommerce niche

A product niche is a very small sliver of a product market that is both large enough to contain a robust customer audience but small enough that it doesn’t contain many competitors. The best way to identify your niche is to start with a product market and whittle it down from there.

Graphic of the five key characteristics of a good ecommerce niche

To choose a product market to start with, target products that:

  • You’re capable of creating (at high quality) 
  • You enjoy creating (even at scale)
  • Have a small market/minimal competition
  • People want or need
  • Are profitable

Let’s break down each of these characteristics in detail.

Pick something you’re good at

It’s perhaps the most obvious of the five characteristics listed, but it still bears mentioning: when starting an eCommerce business, choose something that you can do or make well. If you choose something extremely unique and specific that no one else is doing, you may be fooled into believing the lack of competition will make up for poor quality. But the moment you gain some popularity, if someone else can create your product better than you can, your business will be dead in the water.

Pick something you like

Choose something you enjoy making, looking at, and thinking about. More importantly, choose something you won’t hate after the tenth, fiftieth, hundredth, or thousandth time you’ve sold it. Selling can be tedious work, especially if you make your products yourself. Don’t build your business around a product market only to find that you can’t stand working in it.

Pick a small market with limited competition

eCommerce sellers can’t use the same logic and strategy that regular companies do to choose their target markets. You’re one person, with one person’s resources and power—if you try to enter a market where you’re competing with full-sized companies and brands, you’ll be out-marketed and out-maneuvered every time. 

Be specific: instead of lawn services, target the market for environmentally sustainable lawn care in one finite geographical location. Instead of publishing eBooks on finance, publish eBooks on investing for American women ages 18-24. Keep narrowing it down until you’ve found your product niche (more on that later).

Pick something people want or need

This is just common sense: you need to sell something that people will actually buy. Even the biggest brands still mess this up every once in a while (looking at you, Colgate-brand frozen dinners and the Bristol-Myers Squibb nightmare that was the “Touch of Yogurt” shampoo). Don’t wait until after you’ve launched your product to try to match it to a potential customer market. Do your research, and narrow down your target customer’s pains and gains, or the problems they need to solve and the enjoyable things they want to enhance. Make sure there’s a large enough demographic of people who are in the market for what you can provide.

Pick something profitable

There’s no surefire way to guarantee that a product or business will be profitable, but with some thorough research, you can certainly strengthen your odds. Ideally, you want to choose a product market with a strong balance between a large potential customer base and a small number of competitors. You’re also more likely to succeed if your product is truly unique in some way—if you offer a feature or element that no other competitor offers. Keep narrowing down your market until you’ve found your unique niche.

Narrowing down your product niche

Once you’ve identified a promising product market, you can start adding details to whittle your target market down to a target niche. 

For example, let’s say that you make clothes in your free time, and you’re interested in figuring out how to turn that into an eCommerce business opportunity. In the broadest sense, you want to target the clothing industry, but since this is an extremely saturated market—meaning that it contains many, many competitors—it’s not one where you’re likely to succeed as an individual eCommerce seller.

You need to find a more unique product category within the larger framework of the clothing industry. One good choice might be pet clothes, since there are far fewer designers and retailers in the pet fashion industry than the human one. But “pet clothes” is still a pretty broad category, so you might narrow it further to pet clothes that are specifically for dogs. 

When solo eCommerce selling was still a burgeoning market, handmade dog clothes may have been a narrow enough niche to pursue since there were so few non-corporate sellers and even fewer online marketplaces where sellers could compete. But today, you’ll want to get even more specific—perhaps by focusing on dog clothes for specific occasions, like weddings and engagements.

Graphic portrayal of the process of narrowing down a niche

That’s as far as I’m taking this example, but if I were actually launching this business, I’d probably drill down even further just to really make sure that I had my unique micro-market cornered. I might narrow it down by size, theme, or even specific clothing items until I hit on my ultimate niche: floral-themed wedding bow ties for small and medium dogs. (Though there’s truly no limit to how far you drill down your niche—until, perhaps, you reach CelebriDucks levels of specificity.)

Your niche isn’t a permanent designation—if your product does well in your corner of the market, you’ll have more capital to invest in better marketing, audience targeting tools, and maybe even an employee or two. The more your company grows, the more resources and power you have to capture a larger market share.

Set up your store

You’ve found your market, honed your niche, picked your product, and you’re ready to start generating inventory and selling it to your customers. It’s time to choose a platform and set up your eCommerce store.

Choose an eCommerce platform

Talk about a crowded market—there are a ton of different platforms you can use to create a store online. You also don’t necessarily need your own online storefront; you can sell on marketplaces, crowdfunding sites, or a number of other eCommerce alternatives. If you do go with an eCommerce platform, here are a few different guides and comparisons that can help you find the right site for your business:

Set up your store

The platforms above fall into one of two categories, each with different setup requirements.

  • A standard website builder (like Wix, Weebly, Squarespace, or WordPress) will allow you to create an entire website, only part of which needs to be dedicated to your actual store’s functions. If eCommerce selling is only part of your business plan—for example, if you’re a professional photographer who sells prints and posters as a side hustle—you would want your site to include your store as well as pages housing biographical information, your professional portfolio, booking information, recordings of photography classes or talks you’ve given, online course signups, and anything else that pertains to your career.
  • If your primary goal is eCommerce selling, you’re better off opting for a purpose-built eCommerce platform like Shopify or WooCommerce. Both platforms offer many of the same features as a general website builder, like about pages, forms, image displays, and blogs. These platforms also grant you access to more advanced features and integrations designed specifically for eCommerce sites, which can help supercharge your selling and help your store gain momentum early on.

Ready to build your store? Check out these step-by-step guides to building your store in the platform you want:

Market your business

With your eCommerce shop all set up, it’s time to throw everything you’ve got into making sure that it succeeds. You can’t wait for your customers to come to you—you need to go out and find, reach, and convert your target audience.

Target inbound sales leads

Inbound sales strategies are designed to draw people to you, instead of the other way around—think search optimization (SEO), paid search, social media, email marketing campaigns, and content marketing. 

Explore potential sales strategies in more detail with these guides:

Use what you’ve got

As a small business owner, your plate is going to be full most of the time (frankly, it will often be full-on, Thanksgiving-style overflowing). If you want to keep up with it all, you need to learn to be efficient about using what you already have and drawing multiple marketing materials out of one asset.

For example:

  • Get into the habit of snapping and recording your day-to-day processes and behind-the-scenes moments, so you always have material for social and website visuals.
  • If you’re researching a topic that’s related to your business, consider adding an extra step to turn your research into a marketing email or SEO post.
  • Whenever you design a new marketing asset—an email layout, an Instagram Story, a blog structure—aim to turn it into a template that you can use again, instead of starting from scratch on your next asset.

Marketing as a small business owner is a “work smarter, not harder” game. Get as much mileage as you possibly can out of everything you create, and you’ll free up time and attention that would be better spent on business strategy and growing your company.

Automate as much as possible

There are lots of opportunities to automate parts of the eCommerce process. Invest time in setting up automations at the outset, and you’ll save far more time and energy avoiding unnecessary busywork once your store gets off the ground.

In fact, most of the risks specific to eCommerce entrepreneurship come down to the fact that it’s an overwhelming amount of work for one person to handle, so automating as much of your workload as possible can materially increase the likelihood of your business’s success.

Here are a few guides on the kinds of automation that work best for eCommerce and how to set them up: