The lack of understanding of IT-related security issues in many small-to-medium sized businesses that I encounter as a management and technology consultant often worries me.

There seems to be a mindset amongst senior managers (often at partner and director level) that security breaches are only perpetrated by external human hackers and that their firms are not sufficiently important enough to attract attention.

These senior managers miss the fact that almost all initial external attacks are automated and that although many of these attacks may be unsuccessful in compromising their organisation’s data security, they may nonetheless seriously damage their internal infrastructure, resulting in significant costs in order to rectify the damage.

It would be a lucky organisation indeed that did not have its Internet defences probed at least once every couple of minutes. The most recent log I inspected for a small organisation was receiving an attack per minute in what appeared to be an attempt to swamp instant messaging clients with spam. The log also revealed port scans and other nefarious activity once every 10 minutes. These more serious attacks are often scanning for weaknesses through which to inject malware.

We have conducted occasional exercises in assessing just how bad this type of wanton vandalism is by simply connecting an unprotected set of newly built PCs to the Internet. Our somewhat primitive research shows that it takes around 15 minutes before machines in this condition are crippled with malware. Much of the malware also seems to be aimed at stealing credit card details and the like; and could cause enormous damage to an organisation’s reputation.

I’m often confronted by SME senior managers that argue that they have nothing of value on their networks, but my immediate retort is that neither did the machines mentioned above, but the cost of putting them back together again was expensive. It is clear from the subsequent discussions with these managers just how valuable having an operating computer system actually is to their organisations.

The irony is, of course, that the sort of dubious activity I see time and time again in firewall logs is the equivalent of a criminal gang casually walking down the road trying the doors and windows of each building they encounter for weaknesses, with a view to coming back later to investigate the weaker buildings further. I have little doubt if our streets were full of such marauding gangs then there would be huge public concern. The problem for IT is that this kind of behaviour is literally “out of sight, out of mind”.

I believe, like many other observers in the profession, that there is a discernible shift away from writing viruses for the sheer devilment of it to one of seriously making money out of it.

Indeed, Joe Telafici, vice president of operations for McAfee’s Avert Labs, recently said in a BBC interview that he felt 2007 had effectively seen the extinction of young hackers who wrote viruses and other malicious programs for fun and that writing Windows malware was now all about money.

I suspect the loss of 25 million child benefit records by HM Government in the United Kingdom will have considerable, long-term ramifications. I understand that the data represents the details of all the recipients of Child Benefit in the United Kingdom and includes names, addresses, dates of birth, national insurance numbers and, in many cases, the banking details of the parents or guardians involved.

The recent caution of a man in Redditch by West Mercia Police for "dishonestly obtaining electronic communications services with intent to avoid payment" raises some interesting questions.

I read recently that laptops are becoming more popular than ever and, based on sales, are likely to overtake the humble desktop in the nearing future in terms of units shipped. Other than the fact the laptops tend to be much more expensive to run, I am increasingly concerned about how they really are often the "security backdoor" into the corporate network.

I would just like to warn business people in the United Kingdom who might have recently completed a Self-Assessment Tax Return of a particularly ingenious (if not nasty) phishing scam.

Technically, it is not much as far as phishing scams go, but its timing and content might just lull some people into acting on it.

The email advises the recipient that HM Revenue and Customs have just completed their calculation of the recipient's tax return and notifies them that they have actually overpaid some tax.

The deadline for the submission of self-assessment tax returns is the 31st January, so such an email is at least plausible in February - and who would not be pleased to receive a tax rebate?

The email lures the victim to a repayment page, which asks for their account details, and I suspect that this is where their nightmares would really start if they did provide their details...

The actual email contains absolutely no information relating to the recipient, which should ring the alarm bells of those receiving them.

My comments on another (technically much nastier) phishing scam earlier this month about looking out for and including "shared interactions" in your emails apply here, so if you think you might have been lured, then you should read that blog entry too.

You have been warned!!

There is a particularly nasty phishing scam in circulation, which has been reported on by Tom Young of Computing (6th February 2007). Apparently, the scam involves an email with a (fraudulent) link to an "as yet" un-named British bank. Most such links in this sort of scam email actually point to an address that is different to that of the bank's real web site. It may be very similar to the real thing, but nonetheless, it is different.

This morning's article on BBC News that 11 million customers of the Nationwide Building Society in the UK have had their identities put at risk is a reminder to businesses that laptop and PDA security should be high on their agendas.

Further to my blog yesterday about the VML Exploit in Internet Explorer, Microsoft have released overnight (UK time) an out-of-band patch. Early news of the release was reported by Microsoft's Craig Gehre on the Microsoft Security Response Center Blog.

Microsoft clearly consider this vulnerability to be serious, since they rarely issue patches outside the normal monthly cycle.

Microsoft are taking advantage of the need to release MS06-055 by re-releasing MS06-049, which apparently needs some alterations.

Sunbelt Software have recently (21st September 2006) discovered a serious flaw in Internet Explorer that potentially allows vulnerable machines to be completely compromised.

There seems to be a growing interest in the media of ransomware. Ransomware is malware (viruses and the like) that encrypts the victim's data so that they can't access it. The perpetrator then offers a ransom to recover it for them.

I was interested to read the BBC article highlighting the concerns of Professor Antonia Jones and her team at Cardiff University regarding the security of the HSBC Online Banking Web Site, particularly in light of my earlier blog entry.

I have been very concerned for sometime about the rather blasé attitude that banks sometimes take towards security when dealing with their customers.

I believe that a really useful administrative facility that should be built into Microsoft Windows is the ability to login as a user by using an administrator's credentials.

I remain concerned about the possibility of "taking out" a Microsoft Exchange server, especially one installed as part of Small Business Server.

According to a news article being carried by the BBC (http://news.bbc.co.uk/1/hi/technology/5041848.stm), a group of hacker have hit a web site operated by the Swedish police.

It seems that this was simply a denial of service attack, which swamped the machine with requests.

Unfortunately, denial of service (DoS) attacks seem to be becoming more prominent and I suspect we will soon need to be helping smaller clients ensure that their boundary devices are capable of withstanding such attacks.

I suspect it will also come as something of a shock to people when they learn how expensive some of these security devices are in comparison to "bog standard" equipment.