This is a summary of the Unauthorized Computer Access Report Status for the first half (January to June) of 2005, aggregated by IPA.
The current tendencies summarized from the reporting status for the first half of 2005 are:
- a number of indiscriminate attacks against all computers, including computers for home use;
- damage caused by intrusions that exploit vulnerabilities in Web applications tends to increase.
Please refer to the following sites for ongoing security countermeasures, and conduct thorough security setup for your computers and operations management on a daily basis.
- “Practical Information for Information Security Countermeasures” for end-users/home-users (in Japanese)
http://www.ipa.go.jp/security/awareness/end-users/end-users.html
- “Practical Information for Information Security Countermeasures” for Administrators (in Japanese)
http://www.ipa.go.jp/security/awareness/administrator/administrator.html
1. Reported Number
The reported number for the first half (January to June) of 2005 totaled 319; the gross reported number increased by about 18% and the number of reports of actual damage was about 2.5 times higher.

* The numbers in parentheses in the above graph show the actual reported number against the gross reported number.
2. Classified by Type of Incident
Of the 319 reports in the gross number submitted to IPA, “access probe (attempt)” accounted for 223 reports (previous: 231), or 69.9% of the whole. In addition, reports of actual damage numbered 89 (previous: 36), or 27.9% of the whole. The total of the reports of actual damage includes “intrusion”, “unauthorized mail relay”, “worm probe”, “DoS”, “source address spoofing” and “others (damaged)”.

| Cause | First-half 2003 | % | Last-half 2003 | % | First-half 2004 | % | Last-half 2004 | % | First-half 2005 | % |
|---|---|---|---|---|---|---|---|---|---|---|
| Intrusion | 36 | 17.3% | 28 | 14.1% | 18 | 5.5% | 25 | 9.3% | 46 | 14.4% |
| Unauthorized Mail Relay | 4 | 1.9% | 5 | 2.5% | 3 | 0.9% | 0 | 0.0% | 5 | 1.6% |
| Infection w/Worm | 1 | 0.5% | 4 | 2.0% | 0 | 0.0% | 0 | 0.0% | 3 | 0.9% |
| DoS | 4 | 1.9% | 4 | 2.0% | 4 | 1.2% | 0 | 0.0% | 14 | 4.4% |
| Source Address Spoofing | 7 | 3.4% | 11 | 5.5% | 4 | 1.2% | 7 | 2.6% | 2 | 0.6% |
| Others (Damaged) | 13 | 6.3% | 9 | 4.5% | 7 | 2.2% | 4 | 1.5% | 19 | 6.0% |
| Access Probe (Attempt) | 123 | 59.1% | 116 | 58.3% | 284 | 87.4% | 231 | 85.9% | 223 | 69.6% |
| Worm Probe | 18 | 8.7% | 21 | 10.6% | 5 | 1.5% | 2 | 0.7% | 2 | 0.6% |
| Others (Not Damaged) | 2 | 1.0% | 1 | 0.5% | 0 | 0.0% | 0 | 0.0% | 5 | 1.6% |
| Total | 208 | | 199 | | 325 | | 269 | | 319 | |
Note: the shaded parts are the incident types actually damaged.
The percentages shown above are rounded at the second decimal place, so the total may not add up to 100%.
With regard to the reported number for actual damage (89), the breakdown by cause was: 13 with insufficient ID/password management, 16 with use of an older version or patches not yet applied, 8 with insufficient settings, etc.

* When a report has multiple damage causes, it is aggregated under its main cause and counted as 1 case/report.
Damage Instances:
[Intrusion]
1. An intrusion into the Web server was detected, and a mechanism that downloads malicious code when a user simply browses the Web pages had been embedded. While the altered parts were being investigated, traces of alteration of the database were also detected, and eventually the site had to be closed temporarily.
2. The Web server was penetrated and administrator privileges were fraudulently obtained; malicious files were set up and/or the Web pages were altered. The cause was an SQL injection attack against the database system.
3. The Web server was penetrated by exploiting vulnerabilities in the Web server software and/or through an insufficiently managed password, and fake Web content for phishing was set up.
4. The site was penetrated by exploiting a vulnerability in “phpBB”, the bulletin board program written in PHP, and the forum logs and the site templates were altered/deleted.
5. The system was penetrated by a dictionary attack against the ID and password for SSH (Secure Shell) and/or an attack exploiting a vulnerability in the OS; the administrator password was changed and files were altered so that the machine served as a stepping stone for attacks on outside systems.
[DoS]
6. The servers went down because unauthorized computer access to the ports used by SSH occurred repeatedly.
7. An investigation conducted in response to a communication failure revealed a SYN flood attack of at least 1M packets per second. Router utilization reached 100% and communication became unavailable. The attack could not be completely addressed even though the router's countermeasures against DoS were fully utilized; in the end, communication was recovered by asking the providers to discard all packets destined for the corresponding IP addresses.
[Spoofing]
8. Someone logged in to an individual's home page hosted by a service provider by spoofing the user ID and password, and its contents, images, etc. were tampered with/deleted.
9. A third person masquerading as the legitimate user logged in to an auction site, changed the contact address to an unfamiliar mail address, and listed products or placed bids without permission.
10. Someone fraudulently logged in to an online game service provided over the Internet, and money and items used in the game were stolen.
[Others]
11. The user accessed an adult site and casually clicked “yes” on a prompt asking permission to download certain code; malicious code was then installed and/or a billing screen demanding a usage fee for unfamiliar sites was displayed.
4. Classification by Reporter
As for the breakdown by reporter, reports from individual users constitute 80%, which remains a high ratio.

Note: The percentages shown above were rounded at the first decimal place; they may not add up to 100% in total.