This is a summary of the computer virus and unauthorized computer access incident reports for June 2006 and for the 1st half of 2006 (January to June), compiled by IPA.
Reminder for the Month:
Manage Your Passwords, Every One of Them!!
- My Passwords: I Don't Tell Them Even to My Friends* -
*(Winning entry in the catch-phrase competition for Information Security 2006, by Asuka Mori, Aichi Prefecture)
Recently, an increasing share of the unauthorized access reports and consultations received by IPA concern damage caused by the cracking of the consulter's (user's) password.

[Damage caused by insufficient ID/password management, as a share of reported unauthorized access cases]
| Year 2004 | about 13% (9 out of 72 cases) |
| Year 2005 | about 24% (42 out of 176 cases) |
| Year 2006 | about 34% (24 out of 71 cases) *January to June |
Each time you connect to the Internet, exchange e-mail or use a service on the Internet, you sign in with an ID (identification), which identifies the user, and a password, which verifies that the user is legitimate. If your ID or password is stolen or becomes known to others, a malicious user can impersonate you, and that can lead to a variety of damage.
[Damage caused by cracked passwords in recent consultations received by IPA]
- The free-mail (*1) account (*2) I use was logged into and used by someone I do not know, without my permission. I tried to change my password, but I could not even log in because it had already been changed.
- My net auction account was used by someone I do not know to list items fraudulently.
- Confidential information exchanged by e-mail was posted on a bulletin board on the Internet. There are signs that the mail server was accessed and the mail read by someone I do not know, without permission.
Besides these, the following damage has also appeared in past cases.
- Money was withdrawn from my bank account by someone I do not know.
- The contents of my home page and weblog were rewritten.
- My PC was hijacked by someone outside.
Passwords get cracked (*3) because password-cracking tools exist that automatically try passwords by brute-force attack [1] or dictionary attack [2], because the password was easy to guess, or because the user inadvertently told it to someone.
To minimize such damage, it is important to: list all of your IDs and passwords, check that each of them follows the guidance below on how to configure and manage passwords, and know in advance whom to contact before something happens.
[How to configure and manage passwords]
- Avoid simple character strings (for example, do not use the same string as your ID).
- Use longer character strings.
- Combine upper case letters, lower case letters, numbers and symbols as far as possible.
- Do not use a word that appears in a dictionary as your password.
- Avoid passwords with a regular pattern.
- Avoid including private information such as your name, date of birth or telephone number.
- Change your password regularly (do not keep using the initial password as issued).
- Never tell your password to others.
- Do not let anyone see a piece of paper, however small, on which your password is written.
<Reference>
[1] Brute-force attack:
An attack that tries to find a password by generating every combination of characters (for example, the letters A to Z) according to a set of rules; "brute force" refers to the exhaustive way in which the password is sought.
Lengthening your password, or building it from a mix of upper case letters, lower case letters, numbers and symbols, makes it more robust against brute-force attack, because the number of combinations the attacker has to try grows rapidly with length and alphabet size. Changing your password regularly is also very helpful against brute-force attack.
[2] Dictionary attack:
An attack that tries to find a password by working through each word in a word list in turn.
If your password contains words, people's names or brand names that are likely to appear in a dictionary, it is at risk of being cracked by a dictionary attack. A typical English-Japanese dictionary contains about 50,000 words, but the word list used by a dictionary attack is said to run to about 800,000 or 1,000,000 entries; nobody knows its exact contents.
The word list used for password analysis by dictionary attack contains people's names, place names, frequently used user names and so on, in addition to the words found in an English-Japanese dictionary. It also contains strings built by simple rules, such as 12345 and abcde. The dictionary attack tries these entries one after another, from the beginning of the list to the end, until it identifies the password.
In addition, the word list also contains entries produced by applying conversion rules to a base word: for example, orat, which is taro spelled backwards; tAro, which is taro with one letter capitalized; and taro1, where a character has been added at the beginning or the end of the original word taro.
That is, a password based on a user name, a proper noun or the like is not secure enough even if it mixes numbers, upper case letters and lower case letters.
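As an added example (not part of the IPA report), the following Python script applies the configuration rules listed above and the dictionary-attack mangling rules just described: it builds a word list by reversing, partially capitalizing and affixing each base word, then checks a candidate password for length, character classes, regular patterns, reuse of the ID or personal information, and membership in that list. The base words, affixes and personal details are constructed sample data, and the 8-character minimum and three-class rule are this example's own thresholds, not figures from the report.

```python
import re
import string

# Constructed stand-in for an attacker's word list: dictionary words,
# given names, place names and common user names. "taro" is the example
# word used in the reference above.
BASE_WORDS = ["taro", "hanako", "password", "tokyo", "admin", "guest"]
# Constructed stand-in for the rule-generated strings such as 12345, abcde.
SEQUENCES = ["12345", "abcde", "qwerty"]
# Short strings a dictionary attack adds at the front or back of a word.
AFFIXES = [str(d) for d in range(10)] + ["123", "!", "2006"]


def mangle(word):
    """Variants a dictionary attack would try for one base word: the word
    itself, its reversal (taro -> orat), each single-letter capitalization
    (tAro), the fully capitalized forms, and every one of those with an
    affix added at the beginning or the end (taro1, 1taro)."""
    bases = {word, word[::-1], word.capitalize(), word.upper()}
    for i in range(len(word)):
        bases.add(word[:i] + word[i].upper() + word[i + 1:])
    variants = set(bases)
    for base in bases:
        for affix in AFFIXES:
            variants.add(base + affix)
            variants.add(affix + base)
    return variants


def build_wordlist(words=BASE_WORDS, sequences=SEQUENCES):
    """Expand the base words with mangle() and add the rule-generated
    sequences, mirroring the structure of the list the report describes."""
    wordlist = set(sequences)
    for word in words:
        wordlist |= mangle(word)
    return wordlist


WORDLIST = build_wordlist()


def is_regular(pw):
    """True for a single repeated character or a run of adjacent code
    points in one direction (aaaa, 1234, abcd, dcba)."""
    if len(pw) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(pw, user_id="", personal=(), wordlist=WORDLIST):
    """Return the rules from the list above that `pw` breaks (an empty
    list means it passed every check implemented here). The 8-character
    minimum and the three-class requirement are this example's own
    thresholds, not figures from the report."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("too short")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if user_id and user_id.lower() in low:
        problems.append("contains the ID")
    if is_regular(pw):
        problems.append("regular pattern")
    if pw in wordlist:
        problems.append("in the dictionary-attack word list")
    for item in personal:          # name, date of birth, phone number, ...
        digits = re.sub(r"\D", "", item)
        if (len(item) >= 3 and item.lower() in low) or any(
                digits[i:i + 4] in pw for i in range(len(digits) - 3)):
            problems.append("contains personal information")
            break
    return problems


if __name__ == "__main__":
    me = ("Taro Yamada", "1985-04-12", "03-5978-7509")   # constructed details
    for candidate in ["taro", "tAro1", "Taro1985!", "Kx7#vQ2mLp9!"]:
        print(candidate, "->", check_password(candidate, user_id="taro", personal=me) or "ok")
```

The exact-membership check against WORDLIST is what shows the point of the reference: tAro1 mixes cases and digits and still appears literally in the attacker's list, because the list was generated from taro by the same rules a user would apply by hand.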
I. Reporting Status for Computer Virus
For further details, please refer to Attachment 1.
The detection number [1] of viruses for June was about 1.64M, a decrease of about 7.9% from May (about 1.78M). The reported number [2] for June was 3,547, a decrease of about 2.8% from the 3,651 reported in May.
| [1] Detection number: | Reported virus counts (cumulative) found by a filer. |
| [2] Reported number: | Aggregated virus counts: viruses of the same type and its variants reported on the same day by the same filer are counted as one case, regardless of how many viruses or actual instances that filer found on that day. In May, the reported number was 3,651 against an aggregated detection number of about 1.78M. |
The virus with the highest detection number was W32/Netsky with about 1.33M, followed by W32/Mytob with about 0.14M and W32/Beagle with about 0.07M.

(Note: Numbers in parentheses are the figures for the previous month)
II. High-Pressure Selling of Software for Security Measures
Consultations about high-pressure selling have been increasing since April 2006. The method is to prompt the user to buy so-called security software by displaying messages such as "an error has been detected" or "your computer is infected by a virus" (March: 4 cases, April: 40 cases, May: 41 cases and June: 24 cases). The user is led to download the "security software" by the following procedure.
[Instance 1: Fooling the user by displaying "an error has been detected"]

Although such a message is displayed, in most cases no error has actually occurred on your computer. It simply fools the user in order to sell so-called security software. If you install the software as the message instructs, it then demands payment by credit card, displaying "You need to purchase this software to repair the errors detected."
Legitimate manufacturers and vendors of security products never urge users to buy their products by such threatening approaches, and least of all do they have the user download a program (security software) directly; please be sure not to download it in haste.
If you may have installed such software, or may have been infected by a virus, please visit one of the following sites for a free scan.
Online scan (virus check service)
Symantec Security Check
http://www.symantec.com/securitycheck/
Trend Micro HouseCall online scan
http://housecall.trendmicro.com/
McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp
SpywareGuide online spyware detection:
http://www.spywareguide.com/onlinescan.php
<Reference>
Reminder for the Month: Be Cautious of High-Pressure Selling of Software for Security Measures!! Do Not Believe Suspicious Alerts!! <for April 2006>
http://www.ipa.go.jp/security/english/virus/press/200604/E_PR200604.html
Brochure for Anti-Spyware Measures (in Japanese)
http://www.ipa.go.jp/security/antivirus/shiori.html
III. Reporting Status for Unauthorized Computer Access (including consultations)
Please refer to Attachment 2 for further details.
Reports of unauthorized computer access and acceptance status of consultations
|                           | Jan. 06 | Feb. | Mar. | Apr. | May | June |
| Total Reported (a)        | 50 | 26 | 38 | 15 | 13 | 22 |
|   Damaged (b)             | 13 | 15 | 10 |  7 |  6 | 20 |
|   Not Damaged (c)         | 37 | 11 | 28 |  8 |  7 |  2 |
| Total Consultations (d)   | 43 | 42 | 24 | 27 | 23 | 32 |
|   Damaged (e)             | 23 | 24 | 12 | 15 | 11 | 19 |
|   Not Damaged (f)         | 20 | 18 | 12 | 12 | 12 | 13 |
| Grand Total (a + d)       | 93 | 68 | 62 | 42 | 36 | 54 |
|   Damaged (b + e)         | 36 | 39 | 22 | 22 | 17 | 39 |
|   Not Damaged (c + f)     | 57 | 29 | 40 | 20 | 19 | 15 |
1. Reporting Status of Unauthorized Computer Access
The reported number for June was 22, of which 20 involved actual damage.
2. Acceptance Status of Consultations relevant to Unauthorized Computer Access, etc.
The number of consultations relevant to unauthorized computer access was 32, of which 19 (3 of these are also counted in the reported number) involved some sort of damage.
3. Status of Damage
The breakdown of the damage reports was: intrusion 12, DoS attack 1 and others (damaged) 3. The breakdown of the intrusion reports included: intrusion through attacks on the port (*4) used for SSH (*5), 5; web content set up for phishing (*6), 1; use as a stepping-stone server to send phishing mail, 1; etc.
Damage Instances:
[Intrusion]
(i) Attacks on the port used by SSH
<Instance>
- We were contacted from outside the organization because computers in our organization were conducting SSH scans (*7) against a large number of unspecified computers outside. We checked the logs (*8) of the computer and found evidence that the password had been cracked through the port used for SSH in order to break in.
- On a computer that was not actually broken into, we also found many traces of password-cracking attacks.
- A further examination of the computer turned up malicious code, such as an SSH scan tool and a virus, which we deleted.
- The probable cause is that an easily guessed password had been configured on the computer.
- We have strengthened packet filtering to restrict SSH logins from outside the organization.
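As an added example (not from the report or the affected organization), the following Python script shows the log check described in instance (i) over a constructed OpenSSH auth-log excerpt: it counts failed logins per source address, records accounts that were accepted after earlier failures from the same address (the trace of a successful password crack), and produces the packet-filtering rules that admit SSH only from an assumed internal network. The host name, addresses, user names and the failure threshold are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth log in OpenSSH syslog format (not real data).
SAMPLE_LOG = """\
Jun 20 03:14:01 srv1 sshd[2183]: Failed password for invalid user admin from 198.51.100.23 port 4421 ssh2
Jun 20 03:14:03 srv1 sshd[2185]: Failed password for invalid user test from 198.51.100.23 port 4423 ssh2
Jun 20 03:14:05 srv1 sshd[2187]: Failed password for root from 198.51.100.23 port 4425 ssh2
Jun 20 03:14:07 srv1 sshd[2189]: Failed password for root from 198.51.100.23 port 4427 ssh2
Jun 20 03:14:09 srv1 sshd[2191]: Failed password for root from 198.51.100.23 port 4429 ssh2
Jun 20 03:14:11 srv1 sshd[2193]: Failed password for root from 198.51.100.23 port 4431 ssh2
Jun 20 03:14:13 srv1 sshd[2195]: Accepted password for root from 198.51.100.23 port 4433 ssh2
Jun 20 08:00:00 srv1 sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Jun 20 08:01:00 srv1 sshd[2301]: Failed password for alice from 192.0.2.10 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return the fields of one sshd login line, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Per source address: number of failed logins, the user names tried,
    and accounts accepted after earlier failures from the same address."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(),
                                 "accepted_after_failures": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        s = stats[ev["src"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(ev["user"])
        elif s["failed"] > 0:
            # a success preceded by failures from the same source is the
            # signature of a guessed password, not of a normal login
            s["accepted_after_failures"].append(ev["user"])
    return dict(stats)


def flag_sources(log_text, threshold=5):
    """(source, failed_count, compromised_accounts) for every source at or
    above the failure threshold, worst first. The threshold is arbitrary."""
    hits = [(src, s["failed"], s["accepted_after_failures"])
            for src, s in analyze(log_text).items() if s["failed"] >= threshold]
    return sorted(hits, key=lambda h: -h[1])


def ssh_filter_rules(allowed_cidrs):
    """iptables commands that accept SSH only from the given networks and
    drop all other SSH traffic, the kind of restriction the instance
    describes; the networks are an assumption of this example."""
    rules = [f"iptables -A INPUT -p tcp --dport 22 -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append("iptables -A INPUT -p tcp --dport 22 -j DROP")
    return rules


if __name__ == "__main__":
    for src, n, owned in flag_sources(SAMPLE_LOG):
        print(f"{src}: {n} failed logins; accounts accepted afterwards: {owned or 'none'}")
    print("\n".join(ssh_filter_rules(["192.0.2.0/24"])))
```

Apply the filter rules from a console session, or keep an ESTABLISHED-state rule ahead of them, because the final DROP cuts off any existing SSH session that does not come from an allowed network.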
(ii) Root-kit (*9) Embedding
<Instance>
- One of the network administrators told us that attack packets directed at computers outside the organization had been observed. We checked the computers in our organization and found the computer that was attacking outside; it was infected with a virus.
- As a precaution, we checked the other computers with a malicious-code checking tool and detected programs that might be root-kits on a couple of computers running Linux.
- The computers on which the root-kits were embedded were immediately disconnected from our network and reinitialized.
(iii) DoS Attack (*10)
<Instance>
- Our DNS server (*11) was receiving recursive queries (*12) from outside the organization at a rate of 50 per minute. The network administrator in our organization pointed out that this was apparently resulting in a DoS attack against an external server.
- When the server, which was in use as a mail server, was reconfigured, the DNS server, which should have been stopped, was left running by mistake. In addition, the DNS server was configured to accept recursive queries from external DNS clients.
- Accordingly, the DNS server settings have been changed so that it cannot be misused even if the DNS server is started by mistake.
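As an added example (not from the report), the following Python script performs the check behind instance (iii) on a constructed BIND 9 query-log excerpt: it picks out recursion-desired queries from clients outside an assumed internal prefix (the queries an open resolver answers and a correctly configured one refuses) and counts them per source and minute against a threshold. The addresses, names and timestamps are constructed, and the 50-per-minute figure from the instance is used only as the default threshold.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND 9 query-log excerpt (not real data). The final "+"
# means the client set the recursion-desired (RD) bit; "-" means it did not.
SAMPLE_QUERYLOG = """\
20-Jun-2006 10:00:01.001 client 192.0.2.15#3200: query: mail.example.jp IN MX +
20-Jun-2006 10:00:02.010 client 203.0.113.9#1024: query: www.example.com IN A +
20-Jun-2006 10:00:02.020 client 203.0.113.9#1025: query: www.example.net IN A +
20-Jun-2006 10:00:03.030 client 203.0.113.9#1026: query: example.org IN ANY +
20-Jun-2006 10:00:05.040 client 198.51.100.40#5353: query: example.jp IN NS -
20-Jun-2006 10:01:00.050 client 203.0.113.9#1027: query: example.org IN A +
"""

# Assumed address range of the organization's own clients.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[^#\s]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])"
)


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(src):
    """True if the client address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


def external_recursive_queries(log_text):
    """Queries with RD set from clients outside the organization: the ones
    an open resolver answers and a closed one refuses. Queries with RD
    clear from outside are ordinary authoritative lookups and are kept."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["rd"] == "+" and not is_internal(ev["src"]):
            events.append(ev)
    return events


def per_minute_rate(events):
    """Count events per (source, minute); the first 17 characters of the
    timestamp, e.g. '20-Jun-2006 10:00', identify the minute."""
    counts = Counter()
    for ev in events:
        counts[(ev["src"], ev["ts"][:17])] += 1
    return counts


def open_resolver_abusers(log_text, threshold=50):
    """(source, minute, count) for every external source whose recursive
    query rate reaches the threshold, highest rate first."""
    counts = per_minute_rate(external_recursive_queries(log_text))
    hits = [(src, minute, n) for (src, minute), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for src, minute, n in open_resolver_abusers(SAMPLE_QUERYLOG, threshold=3):
        print(f"{src} sent {n} recursive queries during {minute}")
```

On a BIND server the corresponding fix is `recursion no;` in the options block of named.conf for a server that should only be authoritative, or `allow-recursion { localnets; };` where internal clients still need recursion; either way the external queries the script flags are refused instead of answered.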
IV. Acceptance Status of Consultations
The gross number of consultations for June was 773. Of these, 211 concerned one-click billing fraud (May: 210), the largest number we have recorded to date. Consultations about high-pressure selling of software for security measures numbered 24 (May: 41), still a high rate. Others included Winny, with 15 (March: 196, April: 83, May: 28), etc.
Movement in the total number of consultations accepted by IPA
|                             | Jan. 06 | Feb. | Mar.  | Apr. | May | June |
| Total                       | 748 | 834 | 1,056 | 904 | 846 | 773 |
|   Automatic Response System | 425 | 479 |   659 | 510 | 484 | 423 |
|   Telephone                 | 228 | 258 |   296 | 206 | 295 | 283 |
|   E-mail                    |  87 |  90 |    99 |  86 |  63 |  64 |
|   Fax, Others               |   8 |   7 |     2 |   2 |   4 |   3 |
*IPA gives consultations and advice on computer viruses and unauthorized computer access, as well as on other information security issues in general.
Mail: for virus issues, for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)
*The total case number includes the number in the Consultations (d) row of the chart in III. Reporting Status for Unauthorized Computer Access and IV. Acceptance Status of Consultations.
*Automatic Response System: number accepted by the automatic response system
*Telephone: number accepted by Security Center personnel
Consultation Number for One-Click Billing Fraud

Major consultations for the month are as follows.
(i) Has the ID and password I registered with a certain site become known to someone?
Consultation:
I registered an ID and password to use the services provided by a certain site. I had not yet used any of the services, but I noticed evidence that someone had apparently used my ID and password. If I forget the password, I can receive the password information at the mail address I registered with this site. However, I am afraid that mail sent to this mail address may also have been read. What should I do?
Response:
In this instance, two problems have to be considered: one is that the password registered with this site is already known to someone; the other is that both the mail address registered with this site and the password for receiving mail are known to someone. As a precaution, be sure to change your passwords both for the site and for receiving mail. If you suffer secondary damage, be sure to consult the administrator of the respective site. It is also a good idea to consult the police as appropriate.
<Reference>
Consultation Services for Cyber Crimes Provided by Police Headquarters
http://www.npa.go.jp/cyber/soudan.htm (in Japanese)
(ii) Has the password for my free mail been altered?
Consultation:
It seems that the password for the free mail account I registered has been altered by someone, so that I can no longer log in. Furthermore, someone has been sending false information using my account. I asked the site administrator to delete my account, but my request was not accepted because I had not provided verifiable information when I registered my account with the free mail service provider.
Response:
The site administrator cannot confirm that you are the legitimate user of the account if you provided fictitious information, or no information that identifies you as an individual, when you registered, even though the service is free of charge. However, it is also risky to give the site administrator your private information without due consideration. What you can do is to provide only the minimum information, and to confirm first that the site is really trustworthy.
(iii) What if I clicked once at an adult site?
Consultation:
When I clicked an image at an adult site, a bill appeared on my computer. Since then, the bill has kept reappearing at intervals. I tried scanning with several anti-virus programs, but no virus was detected. Is the last resort to reinitialize my computer?
Response:
If you can identify the name of the site, the name of the service and the contact details written on the bill, most of this malicious code can be identified and deleted even when anti-virus software detects nothing. Do not give up; consult the IPA Security Center. If you use Windows XP or Me, you may be able to restore the state from before you visited the adult site using the System Restore function provided with your computer by default. In Windows XP, the procedure is:
Start > All Programs > Accessories > System Tools > System Restore.
V. Access Status Captured by the Internet Monitoring System (TALOT2) in June
In the Internet monitoring system (TALOT2), unwanted (one-sided) accesses in June totaled 297,445 across 10 monitoring points: at a single monitoring point, about 991 unwanted (one-sided) accesses were captured per day from about 273 sources.
The environment of each TALOT2 monitoring point is nearly the same as a general user's Internet connection, so general Internet users can be assumed to receive the same amount of unwanted (one-sided) access.
In other words, your computer is on average receiving unwanted access from about 273 unknown sources every day, about 991 accesses in all (roughly 4 per source).

Chart 5.1: Average number of unwanted (one-sided) accesses and of access sources per monitoring point per day
Chart 5.1 shows the average number of accesses and of access sources per day per monitoring point from January to June 2006. The chart shows that unwanted (one-sided) accesses are tending to decrease moderately, and the access situation appears to be stabilizing.
Accesses to ports 135 (TCP) and 445 (TCP), which remain remarkably numerous, target vulnerabilities in Windows. In addition, accesses to ports 1026 (UDP) and 1027 (UDP), used to deliver pop-up spam messages by exploiting the Windows Messenger service, are continuing.
Please refer to the following site for further details on the information above.
Attachment 3: Observation Status Captured by the Internet Monitoring System (TALOT2)
http://www.ipa.go.jp/security/english/virus/press/200606/TALOT200606.html
Various statistics provided by other organizations/vendors are published at the following sites:
@police: http://www.cyberpolice.go.jp/english/
Trend Micro: http://www.trendmicro.com/en/home/us/home.htm
McAfee: http://www.mcafee.com/us/
Glossary
(*1) Free mail:
A service that lets the user exchange e-mail over the Internet free of charge.
(*2) Account:
The right of a user to use the resources of a computer or a network.
(*3) Password cracking:
Finding out someone else's password, for example by analysis. Approaches include brute-force attack and dictionary attack, and there are also programs written specifically for cracking.
(*4) Port:
A window through which each service within a computer exchanges information with the outside. Ports are identified by numbers from 0 to 65535, hence "port number".
(*5) SSH (Secure Shell):
A protocol, and a program, for logging in to another computer over the network, executing commands on the remote computer and transferring files to it. Because the data sent over the network is encrypted, such operations can be carried out safely over the Internet.
(*6) Phishing:
An activity that attempts to steal users' IDs and passwords by luring them to e-mail or web pages masquerading as those of a legitimate organization such as a bank or financial institution. The word derives from "fishing", and there are several theories about the spelling: (i) "f" was changed to "ph" following hacker naming convention, (ii) a blend of "sophisticated" and "fishing", (iii) short for "password harvesting fishing", etc.
(*7) SSH scan:
A method of checking whether the SSH service is running on a server. It may also attempt to crack the password at the same time.
(*8) Log:
A record of a computer's operating status or of data communication. Generally the operator's ID, the date and time of the operation and the contents of the operation are recorded.
(*9) Root-kit:
A set of software that an attacker uses after intruding into a computer. Generally the package includes a log alteration tool, a backdoor tool and a set of altered system commands.
(*10) DoS attack (Denial of Service):
An attack that sends a large quantity of data to a server so that the excessive load lowers its performance significantly or stops it functioning.
(*11) DNS (Domain Name System):
The system that maps host names on the Internet to IP addresses. It is a hierarchical, distributed database in which DNS servers all over the globe work in coordination.
(*12) Recursive DNS query:
A query from a DNS client that asks the server to resolve the name completely on the client's behalf. A DNS server generally provides two functions, one as a recursive server and the other as an authoritative server; it is usual to configure it not to answer recursive queries from external clients.
- Attachment 3: Observation Status by Internet Monitoring System (TALOT2)
- Attachment 4: Computer Virus Incident Report for the 1st Half (January to June)
- Attachment 5: Unauthorized Computer Access Incident Report for the 1st Half (January to June)