Spam – how does it affect your business?

Posted by Matt Buck on April 30th, 2008

According to a report from IronPort called “2008 Internet Security Trends” it would appear that if 2007 was a bad year for spam – 2008 will break the record again!

One interesting statistic I found on the internet was from the European Union’s Internal Market Commission, which estimates that junk email costs internet users 10 billion Euros per year worldwide. For small to medium size businesses, this figure may seem like an incomprehensible fact. However, consider with me for one moment what happens in your business when just one spam email enters your company.

  1. Spam email finds its way through your company’s internet gateway. At this point the rogue email will take up a small percentage of the costly bandwidth allocated to your company by your ISP. If the spam e-mail contains an attachment, it will take up even more bandwidth. This reduces the bandwidth available for incoming/outgoing emails, surfing the internet, remote workers, VPN tunnels connecting branch offices… etc.
  2. The spam e-mail then penetrates your company’s mail server. If the rogue email is addressed to an invalid user, your company’s mail server will then attempt to reply to the spam sender saying the address has failed. This takes up more processing time and bandwidth. If the rogue email is addressed to a valid user, your mail server will deliver it into that user’s mailbox. Again, taking up more processing time. Remember, if your mail server is also your main domain server – it has other things to do with its time – like serve files and manage print jobs!
  3. The end user eventually receives the spam in their inbox. Inevitably, the user will then delete the email. However, when deleting it, due to human error, they often miss legitimate emails because they are caught in a sea of rogue ones. Also, sifting through spam emails takes up an employee’s time and the quality of the spam email is most likely undesirable.

The above is a rather crude view summarising the knock-on effect of one spam email entering your company. However, it’s worth remembering: imagine the human and computer processing time taken up by 500 spam emails a day, not to mention the drain on bandwidth.

At RatwareUK, we have our own mail relay server. In a nutshell, this means that spam can be filtered off-site and legitimate emails can then be passed through to your company, thus completely saving on a company’s bandwidth and human/computer processing times. Not only will our relay server eliminate spam, it will also scan all inbound emails for viruses!

If you are receiving 500 spam emails a day, knocking those out of the equation will definitely allow your server to perform daily tasks faster and save bandwidth. For more information, visit our Anti-Spam Services page.

Web Hosting Security

Posted by Matt Buck on April 21st, 2008

I’m writing this post because in the last month two security issues on our customers’ websites have come to light. Before I continue, it’s worth mentioning that neither of these issues relates to customers on RatwareUKHosting. Both customers were using different third party web hosts. For obvious reasons I’m not going to name any of the companies involved.

Security Issue 1:

RatwareUK were asked to do some general housekeeping on a client’s web space. Upon logging in we noticed an odd looking file called phishing.tar. On investigation somebody or something had uploaded a zip file to the root of the hosting package, unzipped and installed a mini Bank of Scotland login page! It became instantly apparent that a little corner of this customer’s web space was being used to collect valuable bank login details from those people foolish enough to click through from spam emails! How did it get there? We have no idea and as we didn’t have control over the server, we passed it up to the third party web hosts. Eventually they returned our call saying it was nothing to do with them and we should just deal with it. Nothing in the logs or in the permissions to be worried about then?

We removed the zip file, changed the root passwords and also made sure the file permissions were locked down. However, this is pretty basic stuff and we felt quite helpless. We are now monitoring the site for the customer and if this happens again we’ll recommend they move web hosts. Nasty files like these must get uploaded due to a generic security weakness on the web server. Totally unacceptable and I can’t believe the web hosts weren’t concerned.

Security Issue 2:

Recently a client made us aware of a strange occurrence when they accessed their corporate homepage; when they loaded the page in their browser, a small command prompt window opened and closed quickly and their Sophos AV system sent out alerts. On inspection, RatwareUK discovered that a script had been injected into their index.html which executed a download and install! Upon further inspection, the new files were running processes and attempting to open ports – typical trojan behaviour. I hadn’t seen anything like this in action before and it was particularly concerning how smooth the infection was.

For a script to be injected into an HTML file, there must be vulnerabilities in the web server’s software, enabling the remote administrator to change the permissions and upload the “cuckoo’s egg”. RatwareUK changed all the passwords, permissions and removed the script. Since then there hasn’t been a problem, but without knowing your vulnerabilities, how do you plan your security?

Similar to the issue above, we contacted the web hosts and they didn’t want anything to do with it. They wouldn’t alter the file or shed any light on the incident. Almost as if they didn’t want to admit liability or in fact confirm the issue. There certainly was an incident though and these recent events would only lead you to believe cybercrime is on the increase. Especially with web hosts not prepared to look into them.
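A file-integrity check of the kind that would flag both incidents above, the unexpected archive in the web root and the altered index.html, as soon as it runs. This is an added example, not code from RatwareUK or the original post; the archive extensions, the tag pattern and the sample files are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

ARCHIVE_EXT = (".tar", ".zip", ".gz", ".tgz")       # assumed list of archive types
ACTIVE_TAG = re.compile(rb"<(script|iframe)\b", re.I)

def snapshot(root):
    """Map each file under root to (SHA-256 digest, count of script/iframe tags)."""
    state = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            state[rel] = (hashlib.sha256(data).hexdigest(), len(ACTIVE_TAG.findall(data)))
    return state

def compare(root, baseline):
    """Return sorted (finding, path) pairs for every difference from the baseline."""
    current, findings = snapshot(root), []
    for path, (digest, tags) in current.items():
        if path not in baseline:
            kind = "new-archive" if path.lower().endswith(ARCHIVE_EXT) else "new-file"
        elif digest == baseline[path][0]:
            continue
        else:
            kind = "script-added" if tags > baseline[path][1] else "modified"
        findings.append((kind, path))
    findings += [("deleted", p) for p in baseline if p not in current]
    return sorted(findings)

def demo():
    """Build a constructed web root, baseline it, then replay both kinds of change."""
    def write(root, name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", b"<html><body>Welcome</body></html>")
        write(root, "contact.html", b"<html><body>Contact us</body></html>")
        baseline = snapshot(root)          # taken while the site is known good
        write(root, "phishing.tar", b"constructed placeholder, not a real archive")
        write(root, "index.html",
              b"<html><body>Welcome<script src='placeholder.js'></script></body></html>")
        return compare(root, baseline)

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:13} {path}")
```

Keep the baseline somewhere other than the web space itself, since anyone who can upload files there can also overwrite it.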

With the new release of Back Track 3 BETA, RatwareUK now have a vast range of security auditing tools. If you are concerned about your company’s firewall, VPN, wireless or network security, please get in touch and we’d be only too happy to advise.

Linux Back Track 3 and Online Marketing

Posted by Matt Buck on April 13th, 2008

I’ve spent most of the weekend testing out a distribution of Linux called Back Track. The latest version is a BETA release and from what I’ve seen so far, it is the most convenient and comprehensive set of security and vulnerability tools I’ve seen. Expect a full review of this distro on my blog at some point in the future.

The rest of the weekend has been dedicated to meeting an old business partner and long-time friend of mine, Chris Bishop. Chris is Hotel Chocolat’s Online Marketing Manager turned e-business guru. He’s now moving onto House of Fraser leaving behind a 200% increase in online sales at Hotel Chocolat through his affiliate marketing schemes and Google traffic engineering. Truly inspiring. Chris now undertakes Online Marketing Advice and Consultancy for various clients and will be assisting with the online marketing of RatwareUK.

We spoke for a while about life-cycles and eventually touched on Microsoft’s aspirations to go virtual within the next decade, but the most surprising topic, which I knew nothing about, was the use of technology and the Internet by large corporations to categorise individuals and market their products dynamically. Chris tells me that Tesco are developing their clubcard so that their computer systems know when you are in the stores; know when you are passing the small aisle displays and know what your product choices and moods may be. Through the displays they can visually alert you to a product you were probably 50/50 on the way to buying and help you make up your mind. I guess it’s easy when you know a person’s sex, age, address and weekly buying habits. There is a lot of information an artificial intelligence system can derive. Our conversation was a timely reminder of how the Internet and technology have only just been born and we have not yet even begun to understand their potential.