Goto Blog Home PageRevell Research Systems: Alastair Revell's Web Log
On this page....
<January 2020>

RSS 2.0     Atom 1.0     CDF

Blog Roll
About Alastair Revell
Alastair Revell is the Managing Consultant of Revell Research Systems, a Management and Technology Consulting Practice based at Exeter in the United Kingdom.
Contact Alastair Revell
 EMail Revell Research Systems Limited Email Me
Legal & Other Notices
Sign In
The material published in this web log is for general purposes only. It does not constitute nor is it intended to represent professional advice. You should always seek specific professional advice in relation to particular issues. The information in this web log is provided "as is" with no warranties and confers no rights. The opinions expressed herein are my own personal opinions.

Web Log Home | Welcome to this Web Log | Using this Web Log | New to Blogs? | About Revell Research Systems | Contact Details

Review Entries for Day Saturday, May 13, 2017

The NHS was not targeted. It was not singled out in any meaningful way. It just had a large number of vulnerable machines. A small number of users were likely to have been lured into opening an attachment or clicking a link in a “believable” email that is being sent to 10,000s of users around the world.

Such attacks routinely happen to organisations. Single machines are constantly being held to ransom. It is very nasty.

What is so special about this attack is once opened or clicked, the malware is looking to exploit a weakness announced two months ago in all Windows machines that allows it to propagate to all susceptible machines on an internal network.

One careless click, hundreds of machines taken out.

What is sad? Many susceptible machines could have been protected by applying routine patches.

What is bad? The remaining susceptible machines were too old to protect. They should have been replaced.

Remember: Around 100 clicks brought much of the NHS to its knees. We will probably never know how much each click cost the NHS.

More about Alastair Revell

Saturday, May 13, 2017 9:44:10 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Friday, July 22, 2016

I’ve just read the BBC News article that there were nearly six million fraud and cybercrime cases in the United Kingdom in 2015.

I doubt that will surprise anyone working in cybersecurity but what is surprising is how many people still seem to believe that this is something that is unlikely to affect them, is a minor issue or something from science fiction. I also find it surprising how many SME businesses are blasé about their risk exposure to cybercrime. Their take remains that they are too small for anyone to bother attacking them. The same also goes for individuals.

The reality is that they are precisely the easy, soft target that automated tools seek out.
While the BBC article was based on figures released by the Office of National Statistics (ONS), the Cyber Crime Assessment 2016 report published by the National Crime Agency (NCA) echoes the same sentiments.

I meet a lot of people through the various roles I undertake in a national context (such as being the Director General of the Institution of Analysts & Programmers, a director of the Trustworthy Software Foundation and a member of the Information Commissioner’s Technology Reference Panel). The conversations that I am currently having frequently return time and again to the growing cybersecurity threat to the national infrastructure, business of all sizes and to individual citizens. The topic has been buzzing in the security community for a while, has broken into mainstream IT and now slowly seems to be gaining traction with the wider public.

The overview of the NCA paper asserts that the “speed of criminal capability development is currently outpacing our response as a community”. It seems we are currently losing the battle against cybercrime. Business leaders, particularly in the SME sector, must respond and get to grips with the risks they face. Individuals need to come to terms with the fact that cybercrime is a major threat to them.

More about Alastair Revell

Friday, July 22, 2016 6:23:09 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Wednesday, June 06, 2012
There are claims circulating on the Web today, which have been reported by the BBC, stating that some six million passwords from LinkedIn have been leaked on a Russian Internet site in encrypted form.
More about Alastair Revell

Wednesday, June 06, 2012 5:38:54 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Tuesday, May 10, 2011

The Information Commissioner's fining of solicitor Andrew Jonathan Crossley is interesting in several respects and contains an important message for many small businesses.

The £1,000 fine was announced by the Information Commissioner's Office (ICO) today in a press release.

Mr Crossley was the owner of the law firm ACS Law, which has recently ceased trading. The firm gained widespread exposure for its aggressive pursuit of those alleged to have infringed copyright through peer-to-peer file sharing activities in recent years. It seems that many of those pursued by the firm were probably innocent and I understand that the only successful prosecutions in this matter were won by default when the defendants failed to appear in court.

In September 2010, ACS Law's web site was seriously attacked, causing it to crash. In the subsequent aftermath, a backup file containing emails between ACS Law's employees and other parties appeared on the web site, which allowed anyone to access around 6,000 people’s sensitive personal information. These emails included credit card details as well as references to people’s sex life, health and financial circumstances.

The Information Commissioner, Christopher Graham, has made it very clear that had ACS Law still been trading then the fine could have been as much as £200,000: "Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach".

I feel this fine is important because it shows that the ICO is prepared to fine SME organisations large amounts and is also prepared to pursue their owners in cases of serious breach where the owner is a sole trader.

The Information Commissioner stated that: "The security measures ACS Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details". I am often shocked about how poor security is at SME organisations. Many SME business leaders do not listen to advice about security matters. I am also afraid to say that many IT suppliers also do not care about security, preferring to close a sale at any cost. They often fail to make their customers aware of the risks they face, taking a view that it is the customer’s problem if they don't recognise or understand the issues at stake.

Worse still, many SME firms run their IT systems on a shoestring, avoiding professional advice wherever possible, and only bring in competent support when things really become dire.

It is clear that Mr Graham takes a rather dim view of this approach to managing a company's IT infrastructure. He makes it clear that "Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law's web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure." The Information Commissioner clearly believes that if you are going to use IT systems then you should do it properly and not on a shoestring.

If anything, this fine also highlights the importance of taking proper advice and may presage a greater use of Chartered IT Professionals.

The message must be that if you use IT in your business (whatever your firm's size), you must take proper advice, you must not try to cut corners and you must not treat IT security in a cavalier fashion.

More about Alastair Revell

Tuesday, May 10, 2011 4:00:10 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Wednesday, June 02, 2010

I find it worrying that the Information Commissioner’s Office (ICO) reports that the NHS is the United Kingdom’s worst offender in terms of keeping personal data, especially in light of the Patient Summary Care Record scheme, which will eventually hold details from most people’s medical records.

The question for me is simple: Can they be trusted to look after computerised medical records?

According to a spreadsheet accompanying the ICO’s press release of 28th May 2010, the NHS has reported more breaches than any other body to date. The data shows that these losses have largely been through either lost or stolen data/hardware rather than insecure disposal or accidental disclosure.

I agree absolutely with David Smith, the Deputy Commissioner, who said: “The ICO maintains it is essential that the protection of people’s personal information is part of organisations’ culture and DNA.”

However, the issue of data protection is clearly wider in scope than our trust in the NHS’ ability to keep our data secure.

The press release actually marks the 1,000th breach reported to the ICO, with the actual number now standing at 1,007. A rough calculation suggests that between one-in-two and one-in-three people in the United Kingdom have had their personal data compromised.

The ICO have said that although more personal data has been lost by the NHS, the largest ever breach reported was the loss of 25M people’s personal data by HMRC on two CDs in November 2007.

However, the data shows that the second largest offender collectively is the private sector, which doesn’t surprise me. Worse still, I suspect that most private sector breaches probably go unreported, so this figure might be the tip of the iceberg.

The ICO is keen to remind organisations that it can now levy fines of up to £500,000 per breach.

If you would like to know more about the new powers the Information Commissioner acquired in April 2010 and what the outcome might be should you be reckless with personal data then you might like to read my recent blog on data protection!

More about Alastair Revell

Wednesday, June 02, 2010 3:56:23 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Wednesday, April 21, 2010

I imagine that 21st April 2010 will be a day that McAfee will remember for sometime to come and probably one they would much prefer to forget!

The antivirus vendor issued its daily security update DAT5958 at 06:00 PDT (GMT-7), but by 13:00 BST (GMT+1) the update was wreaking havoc on many corporate networks in the United Kingdom, let alone the rest of the world!

The update affected Windows XP machines with Service Pack 3 applied, falsely detecting the svchost.exe file as Win32/wecorl.a. The vendor’s VirusScan product essentially prevented the svchost.exe file from running, causing Windows to endlessly reboot in many cases.

McAfee acted fairly quickly by pulling the affected virus definition file (DAT5958) from their download servers, preventing more customers from becoming involved in what must be one of the worst update issues to impact corporate networks for some time.

They released DAT5959 to replace the affected virus definition file at around 10:15 PDT (GMT-7).

This incident comes on the back of reports that many modern anti-virus products are failing to detect malware. I’ve just been reviewing Cyveillance’s February 2010 Cyber Intelligence Report, which suggests McAfee detects around 37% of emerging threats on a daily basis (based on data from the last half of 2009). Kaspersky came out on top with a daily detection rate of 38%, but many were much poorer - such as Symantec on 25%.

The time for relying on straight-forward anti-virus products seems to be coming to an end…

More about Alastair Revell

Wednesday, April 21, 2010 8:34:45 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Wednesday, January 20, 2010

Just a quick update to my earlier blog regarding the problems currently being faced by the University of Exeter. It seems the virus is exploiting known flaws in the Microsoft Vista and Microsoft Server 2008 platforms.

Zack Whittacker, who blogs for ZDNet, has a source inside the university here in Exeter. Apparently, the virus is mainly targeting Vista SP2 machines and the IT staff at the university are trying to use patch MS09-050 to reduce the attack surface.

It is understood that this virus has not been seen outside of the Exeter campus, but clearly demonstrates the disruption that a carefully crafted attack can cause.

There is a suggestion in Whittacker's blog that some critical patches had not been applied (using the Microsoft System Update Service).

We strongly believe that machines should regularly be checked to ensure that patches that should have been applied, actually have been applied. If the loop is not closed in this manner then these sorts of problems are eventually inevitable.

We are concerned that many SMEs, who often do not patch properly, may be at considerable risk if this virus escapes the Exeter campus.

In addition, I remain concerned about the zero-day virus threat. A virus that spreads quickly and easily such as this one, that exploits a flaw such as the one in Internet Explorer that saw Google hacked in China, with a drive-by infection capability on a site such as any of the international versions of Google would lead to huge economic disruption across the globe.

For starters, many people set Google as their home page, so in this apocalyptic scenario, they would be infected and spreading such a virus internally inside the organisational firewall without detection or defence the moment they went online...

More about Alastair Revell

Wednesday, January 20, 2010 9:11:14 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

It seems that the University of Exeter is currently in the middle of a major virus outbreak, which has led to their IT team shutting down the entire campus network, including their telephone system in an attempt to contain the problem.

The attack appears to have started on Monday. The campus network was shutdown at around 2:00pm as a direct response to the threat. However, the problems seem to be continuing today (Wednesday).

The university’s home page suggests that staff and students are only able to access email externally using home computers and the like.

The communications advice issued by the university says that it “is currently experiencing a severe IT incident, and as a precautionary measure we’ve taken much of our network offline. Parts of the University are being brought back online today as soon as it is safe to do so. The University switchboard is online and can accept calls, but we are unable to transfer them to some affected areas of the University.”

Sources in Exeter suggest that the virus has not been identified, but it is thought that the university was deliberately targeted. Stuart Franklin, a spokesman for the university, speaking to the local evening paper, the Express & Echo, said: “We were attacked by a virus. It was a malicious attack. It is the first time I have known such an attack to succeed.”

It seems clear that this virus is extremely virulent and has managed to spread quickly and easily. This strongly suggests that it managed to circumvent the university’s antivirus systems and may have been akin to a zero-day virus.

Although a difficult decision, I believe that closing down the infrastructure in such circumstances is the right thing to do.

This incident should provide food for thought for many organisations. The cost of closing down a network is extremely expensive in terms of lost revenue and opportunities, even before the sheer amount of professional time spent checking systems and returning them to service is taken into consideration.

In fact, this sort of attack can cause immense damage to an organisation and is relatively easy to perpetrate, which has not escaped the notice of Lloyd’s of London Emerging Risks Team in their October 2009 report: ‘Digital Risks: Views of a Changing Risk Landscape’. The report states that “The value of data can vary enormously, but for some organisations it could mean bankruptcy.”

The interesting aspect to this attack is that the university believes it was “hit by the virus deliberately”.

I think we may see an increase in this sort of attack in the future. The recession has been very deep and many people with criminal intent and technical capability across the world may turn to cyber-crime.

In the first two weeks of January, we’ve seen the national governments of France and Germany warn their citizens about security flaws in Internet Explorer after an attack on Google’s site in China (along with some 20 other organisations), which Microsoft admitted late last week were part of the attack mechanism. The code that exploits these particular flaws were published on Monday, 18th January 2010 and there are already some reports of it being used maliciously.

Although the problems at the University of Exeter and the issues with Internet Explorer are probably not connected, the trend for increased, malicious attacks is clear. 

More about Alastair Revell

Wednesday, January 20, 2010 5:02:17 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Saturday, October 31, 2009
Farmers Weekly has reported that the Rural Payments Agency (RPA) has lost the payment details of every farmer in the United Kingdom that has ever claimed a farm payment. The details include names and addresses, bank details, passwords and security questions and apparently were not encrypted. The number of farmers affected is believed to be around 100,000.
More about Alastair Revell

Saturday, October 31, 2009 3:01:56 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Tuesday, May 19, 2009

I periodically battle with SME clients who argue that no one really would want to “hack” their organisation – they are simply too small or too insignificant to warrant the effort. I suspect I am not alone and that many other advisers on IT have the same trouble persuading their clients of the very real risks they face.

The argument that is often recited is that when the partner or director was employed elsewhere, their previous firm was much slacker with their IT security and had no problems whatsoever. The issue, of course, is that the goal in hacking has changed from destruction to utilisation. The aim is to take unseen control of the computing resources of an organisation and to use those resources for crime. It simply doesn’t surprise me that there never are any signs of compromise!

The BBC recently reported that security firm Finjan had tracked down a botnet with over two million machines under its control to a group of criminals working in the Ukraine. This particular botnet had even ensnared computing resources inside both the UK and US governments, which in itself raises concerns.

I suspect that firms that take few steps to lock down their workstations will have background malware undertaking all sorts of malicious activities. These infections will probably have managed to enter their sites via the web or email, which is increasingly carrying malicious content.

The so-called drive-by attacks using infected third party web sites is particularly worrying. Few organisations seem to scan inbound data over the web for vulnerabilities, partly because of the impact on browsing speeds that this would have. Those organisations that then don’t lock down their desktops so users cannot install software run very real risks of users innocently and unknowingly installing something they really don’t want. Once such software is on the inside of the firewall, most SME organisations simply have little or no defence, especially if the software is not strictly considered a “virus” and ignored by their anti-virus product.

A technical colleague in another firm drew my attention recently to Sophos’ Security Threat Report 2009, which provides examples of firms that have suffered attacks on their web sites. Some of these web sites would have posed risks to casual browsers of those sites as well as to those who had previously provided them with confidential information.

The list included such well-known names as ITV, a site selling Euro 2008 football championship tickets, the anti-virus firm Trend Micro, Cambridge University Press, Sony’s US Playstation site, the Association of Tennis Professionals’ web site as Wimbledon opened in the UK in June 2008 and the Business Week web site.

Unfortunately, I doubt few SME business leaders that have small (if any) indigenous IT staff will actually ever get to read it.

However, the difficulty simply persists that many SME organisations believe that no symptoms means no underlying problems. I can see their dilemma – a bunch of (often external) IT professionals becoming excited about dangerous threats and advocating the spending of money in a recession is far from appealing, especially when the risks from a naïve perspective seems minimal.

I was recently a guest at The Institution of Analysts and Programmers Spring Seminar in the London Docklands at which Microsoft’s Chief Security Advisor in the United Kingdom, Ed Gibson, spoke. He is an engaging speaker, an attorney in the United States and a practising solicitor in England and Wales, as well as a former FBI agent. He has for sometime been trying to raise awareness of these issues in the United Kingdom.

While listening to him and while mulling over his thoughts at the (excellent) lunch that followed, I believe that we really do need some form of reliable reporting mechanism for attacks of the sort documented by Sophos and these need to become highly publicised, even if in an anonymous form.

SME business leaders need to have independently verified facts about the IT security risks they face that are both readily available and easily digested; and in a form that brings the message home.

More about Alastair Revell

Tuesday, May 19, 2009 6:37:15 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Tuesday, September 23, 2008
I was pleased to hear recently that both IBM and PGP have between them made a grant of £57,000 towards the upkeep of Bletchley Park. The BBC has reported that the “donation will help curate and restore exhibits at the National Museum of Computing in Bletchley Park, Bucks”. However, I suspect a good deal more is needed to keep the museum going.
More about Alastair Revell

Tuesday, September 23, 2008 10:29:01 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Monday, February 11, 2008

The lack of understanding of IT-related security issues in many small-to-medium sized businesses that I encounter as a management and technology consultant often worries me.

There seems to be a mindset amongst senior managers (often at partner and director level) that security breaches are only perpetrated by external human hackers and that their firms are not sufficiently important enough to attract attention.

These senior managers miss the fact that almost all initial external attacks are automated and that although many of these attacks may be unsuccessful in compromising their organisation’s data security, they may nonetheless seriously damage their internal infrastructure, resulting in significant costs in order to rectify the damage.

It would be a lucky organisation indeed that did not have its Internet defences probed at least once every couple of minutes. The most recent log I inspected for a small organisation was receiving an attack per minute in what appeared to be an attempt to swamp instant messaging clients with spam. The log also revealed port scans and other nefarious activity once every 10 minutes. These more serious attacks are often scanning for weaknesses through which to inject malware.

We have conducted occasional exercises in assessing just how bad this type of wanton vandalism is by simply connecting an unprotected set of newly built PCs to the Internet. Our somewhat primitive research shows that it takes around 15 minutes before machines in this condition are crippled with malware. Much of the malware also seems to be aimed at stealing credit card details and the like; and could cause enormous damage to an organisation’s reputation.

I’m often confronted by SME senior managers that argue that they have nothing of value on their networks, but my immediate retort is that neither did the machines mentioned above, but the cost of putting them back together again was expensive. It is clear from the subsequent discussions with these managers just how valuable having an operating computer system actually is to their organisations.

The irony is, of course, that the sort of dubious activity I see time and time again in firewall logs is the equivalent of a criminal gang casually walking down the road trying the doors and windows of each building they encounter for weaknesses, with a view to coming back later to investigate the weaker buildings further. I have little doubt if our streets were full of such marauding gangs then there would be huge public concern. The problem for IT is that this kind of behaviour is literally “out of sight, out of mind”.

I believe, like many other observers in the profession, that there is a discernible shift away from writing viruses for the sheer devilment of it to one of seriously making money out of it.

Indeed, Joe Telafici, vice president of operations for McAfee’s Avert Labs, recently said in a BBC interview that he felt 2007 had effectively seen the extinction of young hackers who wrote viruses and other malicious programs for fun and that writing Windows malware was now all about money.

More about Alastair Revell

Monday, February 11, 2008 9:35:25 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Tuesday, November 20, 2007
I suspect the loss of 25 million child benefit records by HM Government in the United Kingdom will have considerable, long-term ramifications. I understand that the data represents the details of all the recipients of Child Benefit in the United Kingdom and includes names, addresses, dates of birth, national insurance numbers and, in many cases, the banking details of the parents or guardians involved.
More about Alastair Revell

Tuesday, November 20, 2007 9:28:24 PM (GMT Standard Time, UTC+00:00)  #
Comments [1] General | Security | Trackback

Review Entries for Day Wednesday, April 18, 2007
The recent caution of a man in Redditch by West Mercia Police for "dishonestly obtaining electronic communications services with intent to avoid payment" raises some interesting questions.
More about Alastair Revell

Wednesday, April 18, 2007 1:29:51 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Wednesday, March 28, 2007
I read recently that laptops are becoming more popular than ever and, based on sales, are likely to overtake the humble desktop in the nearing future in terms of units shipped. Other than the fact the laptops tend to be much more expensive to run, I am increasingly concerned about how they really are often the "security backdoor" into the corporate network.
More about Alastair Revell

Wednesday, March 28, 2007 6:56:07 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Tuesday, February 20, 2007

I would just like to warn business people in the United Kingdom who might have recently completed a Self-Assessment Tax Return of a particularly ingenious (if not nasty) phishing scam.

Technically, it is not much as far as phishing scams go, but its timing and content might just lull some people into acting on it.

The email advises the recipient that HM Revenue and Customs have just completed their calculation of the recipient's tax return and notifies them that they have actually overpaid some tax.

The deadline for the submission of self-assessment tax returns is the 31st January, so such an email is at least plausible in February - and who would not be pleased to receive a tax rebate?

The email lures the victim to a repayment page, which asks for their account details, and I suspect that this is where their nightmares would really start if they did provide their details...

The actual email contains absolutely no information relating to the recipient, which should ring the alarm bells of those receiving them.

My comments on another (technically much nastier) phishing scam earlier this month about looking out for and including "shared interactions" in your emails apply here, so if you think you might have been lured, then you should read that blog entry too.

You have been warned!!

More about Alastair Revell

Tuesday, February 20, 2007 4:53:22 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Wednesday, February 07, 2007
There is a particularly nasty phishing scam in circulation, which has been reported on by Tom Young of Computing (6th February 2007). Apparently, the scam involves an email with a (fraudulent) link to an "as yet" un-named British bank. Most such links in this sort of scam email actually point to an address that is different to that of the bank's real web site. It may be very similar to the real thing, but nonetheless, it is different.
More about Alastair Revell

Wednesday, February 07, 2007 3:34:53 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Saturday, November 18, 2006
This morning's article on BBC News that 11 million customers of the Nationwide Building Society in the UK have had their identities put at risk is a reminder to businesses that laptop and PDA security should be high on their agendas.
More about Alastair Revell

Saturday, November 18, 2006 11:59:15 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] General | Security | Trackback

Review Entries for Day Wednesday, September 27, 2006

Further to my blog yesterday about the VML Exploit in Internet Explorer, Microsoft have released overnight (UK time) an out-of-band patch. Early news of the release was reported by Microsoft's Craig Gehre on the Microsoft Security Response Center Blog.

Microsoft clearly consider this vulnerability to be serious, since they rarely issue patches outside the normal monthly cycle.

Microsoft are taking advantage of the need to release MS06-055 by re-releasing MS06-049, which apparently needs some alterations.

More about Alastair Revell

Wednesday, September 27, 2006 11:33:18 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Tuesday, September 26, 2006
Sunbelt Software have recently (21st September 2006) discovered a serious flaw in Internet Explorer that potentially allows vulnerable machines to be completely compromised.
More about Alastair Revell

Tuesday, September 26, 2006 2:54:16 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Thursday, September 14, 2006
There seems to be a growing interest in the media of ransomware. Ransomware is malware (viruses and the like) that encrypts the victim's data so that they can't access it. The perpetrator then offers a ransom to recover it for them.
More about Alastair Revell

Thursday, September 14, 2006 3:46:33 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Friday, August 11, 2006
I was interested to read the BBC article highlighting the concerns of Professor Antonia Jones and her team at Cardiff University regarding the security of the HSBC Online Banking Web Site, particularly in light of my earlier blog entry.
More about Alastair Revell

Friday, August 11, 2006 5:07:06 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Tuesday, July 18, 2006
I have been very concerned for sometime about the rather blasé attitude that banks sometimes take towards security when dealing with their customers.
More about Alastair Revell

Tuesday, July 18, 2006 10:05:29 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Thursday, July 13, 2006
I believe that a really useful administrative facility that should be built into Microsoft Windows is the ability to login as a user by using an administrator's credentials.
More about Alastair Revell

Thursday, July 13, 2006 10:50:30 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Monday, June 05, 2006
I remain concerned about the possibility of "taking out" a Microsoft Exchange server, especially one installed as part of Small Business Server.
More about Alastair Revell

Monday, June 05, 2006 2:07:51 AM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

Review Entries for Day Friday, June 02, 2006

According to a news article being carried by the BBC (, a group of hacker have hit a web site operated by the Swedish police.

It seems that this was simply a denial of service attack, which swamped the machine with requests.

Unfortunately, denial of service (DoS) attacks seem to be becoming more prominent and I suspect we will soon need to be helping smaller clients ensure that their boundary devices are capable of withstanding such attacks.

I suspect it will also come as something of a shock to people when they learn how expensive some of these security devices are in comparison to "bog standard" equipment.

More about Alastair Revell

Friday, June 02, 2006 5:08:46 PM (GMT Standard Time, UTC+00:00)  #
Comments [0] Security | Trackback

RSS 2.0 Feed If you enjoyed reading an article on this blog, why not subscribe to the RSS 2.0 feed to receive future articles?
Revell Research Systems Logo Visit the Revell Research Systems Web Site if you want to learn more about this management and technology consulting practice.