IPA/ISEC in JAPAN: Virus and UCA Incident Report for June 2008

July 16, 2008

IT Security Center
Information-technology Promotion Agency, Japan (IPA)

This is a summary of the computer virus and unauthorized computer access incident reports for June 2008, compiled by IPA.

I. Reminder for the Month:

- Be Sure to Check the Security Configuration of Your Home Wireless LAN -

Is your wireless LAN adequately secured?

The most common consultation IPA receives about home wireless LANs comes from users who are anxious about whether a third party is accessing their wireless LAN without authorization. Most of these users are running a wireless LAN that is not sufficiently secured.

One frequent consultation runs: "The Internet connection speed dropped drastically. Once the wireless LAN was disconnected from the Internet, the speed recovered." In such cases it is likely that the user's wireless LAN was being used by someone else for unauthorized communication.

A wireless LAN is very convenient, since it provides a network environment without any LAN cables; however, it also carries a variety of risks if its security is insufficient. Users who run a wireless LAN at home should therefore take this opportunity to re-check its security configuration.

(1) The Importance of Security Measures for Wireless LAN

A wireless LAN is a network environment in which a wireless LAN access point and a computer equipped with a wireless LAN function (the client) communicate over radio waves. Communication becomes possible once the wireless LAN function is enabled on both the access point and the client. A wireless LAN offers flexible access wherever the radio signal reaches, passing through obstacles such as walls. That convenience, however, is also open to abuse: because the communication path is invisible radio waves, an intrusion by a malicious party is hard to notice, which makes it a serious threat (see Chart 1-1).

Chart 1-1: Threat in Wireless LAN

The threats to a wireless LAN can result in the following damage:

- The wireless LAN environment is intruded and important information falls into the wrong hands.

- The wireless LAN environment is used by others without consent.

- Communication data is eavesdropped.

Most wrongdoing is conducted via access points whose security is insufficient. Malicious parties constantly look for such access points through the practice known as "war driving". There have been cases in which insufficiently secured access points were exploited in crimes.

In 2005, a person arrested for unauthorized computer access had exploited a legitimate user's access point to send virus mails while hiding his/her own source address. Last month, a blackmail message was posted on an electronic bulletin board via a legitimate user's access point; the poster was a high-school student, and the case was sent to the prosecutor's office.

To prevent such damage, take care with the security measures for your wireless LAN.

(2) Security Configuration for Wireless LAN

Configuring adequate security for a wireless LAN requires a certain amount of specialist knowledge and management effort, which is difficult for general users. The mechanism devised to solve this is WPS (Wi-Fi Protected Setup). If the user's access point and client(s) support WPS, the complicated security settings can be completed instantly with WPS, giving general users a simple and safer connection to the Internet. We therefore encourage general users to use WPS when configuring security for a home wireless LAN.

(i) For users who are about to install a wireless LAN:

We recommend preparing an access point and client(s) that support WPS, so that adequate security is configured automatically.

(ii) For users who are already using a wireless LAN:

First, check whether the access point and client(s) you currently use support WPS. If they do, check that WPS is enabled on your computer (Chart 1-2); if it is not enabled, be sure to use WPS. You can use WPS if your access point and at least one (1) client support it. For any client that does not support WPS, you need to configure security manually; please refer to "(3) The Procedure for Configuring Security Manually".

If neither your access point nor your client(s) support WPS, you may be able to use the "automated configuration function" provided by some wireless LAN device vendors. If the "automated configuration function" is not available either, you need to configure the security settings yourself.

Chart 1-2: Configuration for WPS

(3) The Procedure for Configuring Security Manually

When configuring security, it is necessary to use an encryption mechanism that protects data in transit from eavesdropping and tampering. If the encryption mechanism is not strong enough, the communication will soon be analyzed or eavesdropped, and because the authentication is then broken, a malicious party can misuse the network without consent. It is therefore extremely important to select an adequate encryption mechanism.

The first step is to configure the access point, and then to configure the client(s) to match the configuration set on the access point. If your computer has no built-in wireless LAN function, you configure it as a client using a wireless LAN card or similar. Note that you may not be able to select the desired encryption mechanism on every access point and client.

To select an adequate encryption mechanism, follow the procedure below. It is described using an access point as the example; do the same for the clients. The attributes of the respective encryption mechanisms are described in the Reference section further below.

[i] Several encryption mechanisms are available: select WPA2-PSK, which provides the strongest security. We encourage you to select "WPA2-PSK (AES)", meaning "the method with AES encryption". However, some access points do not support WPA2-PSK. If you are uncertain whether your access point supports this mechanism, check the manual or ask the manufacturer. Once you have selected the encryption mechanism, proceed to "(4) Password Setup".

[ii] If WPA2-PSK is not available on your access point, select WPA-PSK as the next best option. WPA-PSK comes in two (2) types: "WPA-PSK (AES)", which uses AES encryption, and "WPA-PSK (TKIP)", which uses the TKIP engine built on RC4 encryption. "WPA-PSK (AES)" is generally recommended because it provides stronger security; select "WPA-PSK (TKIP)" only when your client(s) cannot connect to the access point with WPA-PSK (AES). Once you have selected the encryption mechanism, proceed to "(4) Password Setup". As described above, WPA does not provide the same security (strength) as WPA2, so treat WPA as a temporary measure until you can move to WPA2.

[iii] If your access point supports neither WPA2-PSK nor WPA-PSK, that is, it supports only WEP: some such access points can gain WPA support through an update of their internal software. For details, check the manufacturer's website. If the access point still cannot support WPA after the update, do not regard WEP as a means of strengthening your wireless LAN security.

As described above, the first step of manual configuration is to check which encryption mechanisms your access point and your client(s) support, and then to select the strongest mechanism available on all of your devices. Naturally, both the access point and the client(s) must support the chosen mechanism: to use WPA2-PSK (AES), both your access point and your client(s) must support WPA2-PSK (AES).

(4) Password Setup

In a WPA2-PSK or WPA-PSK environment, you need to set a password to prevent eavesdropping and misuse by malicious parties. When setting the password manually, follow the notes below so that the password cannot easily be guessed by a third party.

(i) Do not use any word found in an English dictionary.

(ii) The password should be a string that mixes capital letters, small letters, numbers and symbols.

(iii) The string should be at least 20 characters long (single-byte letters, numbers and symbols), up to a maximum of 63 characters.
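The two manual steps above, mechanism selection in (3) and the password rules in (4), as an added example written for this report (not IPA's own code). The ranking follows steps [i] to [iii]; the dictionary is a small constructed stand-in for a real English word list.

```python
import string

# Strongest first, as ranked in steps [i] to [iii] of section (3).
RANKING = ["WPA2-PSK (AES)", "WPA-PSK (AES)", "WPA-PSK (TKIP)", "WEP"]

# Constructed stand-in for an English dictionary (rule (i)); a real check
# would load a full word list.
DICTIONARY = {"password", "wireless", "secret", "network", "summer"}


def select_mechanism(ap_supported, clients_supported):
    """Return the strongest mechanism supported by the access point and by
    every client, or None when the only common option is WEP, which the
    report says should not be relied on."""
    common = set(ap_supported)
    for client in clients_supported:
        common &= set(client)
    for mech in RANKING:
        if mech in common:
            return None if mech == "WEP" else mech
    return None


def check_passphrase(passphrase):
    """Check a WPA/WPA2 pre-shared key against rules (i) to (iii) of
    section (4). Returns a list of violations; an empty list passes."""
    problems = []
    # Rule (iii): single-byte (ASCII) printable characters, 20 to 63 of them.
    if not all(c.isascii() and c.isprintable() for c in passphrase):
        problems.append("contains non-ASCII or control characters")
    if len(passphrase) < 20:
        problems.append("shorter than 20 characters")
    if len(passphrase) > 63:
        problems.append("longer than 63 characters")
    # Rule (ii): capital letters, small letters, numbers and symbols must
    # all be present.
    classes = {
        "capital letter": any(c.isupper() for c in passphrase),
        "small letter": any(c.islower() for c in passphrase),
        "number": any(c.isdigit() for c in passphrase),
        "symbol": any(c in string.punctuation for c in passphrase),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    # Rule (i): no English dictionary word, even as part of the key.
    lowered = passphrase.lower()
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems
```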

<Reference>

Types of encryption mechanism

The attributes of the three (3) types of encryption mechanism used for wireless LANs are as follows (see Chart 1-3 below).

(i) WEP (Wired Equivalent Privacy)

WEP was the first encryption mechanism adopted to secure wireless LANs. Because of the following shortcomings, it is no longer recommended.

[a] The key data used for encryption is generated in a simple way, so it is easy to analyze.

[b] Unless the password is changed manually, the same key is used for encryption indefinitely.

[c] Because of (a) and (b), the encryption mechanism itself has already been broken.

[d] There is no detection of tampering with communication data.

(ii) WPA (Wi-Fi Protected Access)

WPA is the successor method developed to replace WEP and its many shortcomings. It adopts the TKIP (Temporal Key Integrity Protocol) engine, which resolves shortcomings (a), (b) and (d) above. However, the encryption engine itself, which directly determines the encryption strength, was not improved, so WPA cannot provide sufficient security as an encryption mechanism. For general users, WPA-PSK, which uses a PSK (Pre-Shared Key), is available as a simplified authentication mechanism.

(iii) WPA2 (Wi-Fi Protected Access 2)

WPA2, the refined version of WPA, adopts AES (Advanced Encryption Standard), which provides stronger security, and resolves most of the shortcomings found in both WEP and WPA. For general users, WPA2-PSK, which uses a PSK (Pre-Shared Key), is available as a simplified authentication mechanism. In a general user's environment, WPA2-PSK provides the strongest security.

Chart 1-3: Comparison of the Encryption Mechanisms used for Wireless LAN

II. Reporting Status for Computer Virus – for further details, please refer to Attachment 1 –

The virus detection number (*1) for June was about 236T, up 18.2% from 200T in May. The virus reported number (*2) for June was 2,002, up 15.3% from 1,737 in May.

*1 Detection Number: the cumulative count of viruses found by the reporters (filers).

*2 Reported Number: aggregated virus counts: viruses of the same type and variant reported by the same filer on the same day are counted as one case, regardless of how many were actually found. In June the reported number was 2,002, while the aggregated detection number was about 236T. (From the May '08 report onward, "T (thousand)" is used instead of "M (million)" to present the detection number.)

The highest detection number was for W32/Netsky with about 205T, followed by W32/Mywife with about 14T and W32/Mytob with about 4T.

Chart 2-1

Chart 2-2

III. Reporting Status of Unauthorized Computer Access (including Consultations) – please refer to Attachment 2 for further details –

Report for unauthorized computer access and status of consultation

                              Jan.'08  Feb.  Mar.  Apr.  May  Jun.
Total Reported (a)                  8     4    19    14    4    13
  Damaged (b)                       7     4    13    10    4    11
  Not Damaged (c)                   1     0     6     4    0     2
Total Consultations (d)            24    29    35    56   37    36
  Damaged (e)                      15    10    15    31   18    15
  Not Damaged (f)                   9    19    20    25   19    21
Grand Total (a + d)                32    33    54    70   41    49
  Damaged (b + e)                  22    14    28    41   22    26
  Not Damaged (c + f)              10    19    26    29   19    23

(1) Reporting Status for Unauthorized Computer Access

The reported number for June was 13, of which 11 involved actual damage.

(2) Acceptance Status for Consultations relevant to Unauthorized Access

The total number of consultations relevant to unauthorized computer access was 36 (3 of which were also counted as reports), of which 15 involved actual damage.

(3) Status of Damage

The breakdown of the damage reports was: intrusion 6, DoS attack 3, others (damaged) 2. The main damage caused by intrusion was: web content altered through an SQL injection attack (1); the server exploited by a malicious party as a stepping stone to attack other sites (4); etc. The intrusions were mainly caused by: vulnerabilities (1 in a web application, 1 in another tool) (2); password cracking attacks against the ports used by SSH (4)*; etc.

As for others (damaged), in 2 cases someone spoofed a legitimate user to log in to an auction site and list items for sale without permission.

*SSH (Secure Shell): a protocol for communicating with a remote computer via a network.

*Password cracking: an analytical activity to discover legitimate users' passwords. Brute force (exhaustive) attacks and dictionary attacks are well known, and there are programs written specifically for cracking.

(4) Damage Instance:

[Intrusion]

(i) Database was altered by an SQL injection attack…
<Instance>
- An investigation was conducted because the publicly available animation server had become unavailable. The investigation found that scripts had been embedded to run JavaScript from a suspicious external site.
- It was also found that a vulnerability in a web application on the server had been exploited to conduct an SQL injection attack; as a result, the database was altered.
- No vulnerability countermeasures for the web application had been taken since they were first applied in 2004, when the database server was installed.
(ii) Someone listed items in a net auction spoofing me (the legitimate user)…
<Instance>
- My ID for a net auction became unavailable.
- According to the net auction operator, my ID had been disabled because a number of fake brand-name items had been listed under it.
- As a result, I was billed several thousand yen in listing fees.

IV. Acceptance Status of Consultations

The gross number of consultations in June was 1,211. Of these, consultations relevant to "One-click Billing Fraud" numbered 372 (May: 320), the third-worst result since IPA began aggregating the numbers. Others included consultations relevant to "Hard selling of phony security measures software" with 14 (May: 1) and to "Winny" with 4 (May: 8).

Chart 4-1: All the Consultation Numbers Accepted by IPA over the Past 6 Months

                            Jan.'08  Feb.  Mar.  Apr.   May   Jun.
Total                           408   350   654   938  1080  1211
  Automatic Response System     219   192   373   514   649   693
  Telephone                     151   110   214   335   379   456
  e-mail                         38    47    66    87    48    60
  Fax, Others                     0     1     1     2     4     2

*IPA provides consultation and advice on computer viruses and unauthorized computer access, as well as on other security issues in general.

Mail: Please feel free to call at +81-3-5978-7517 for virus issues; please feel free to call at +81-3-5978-7517 for crack issues.
Tel.: +81-3-5978-7509 (24-hour automatic response)
Fax: +81-3-5978-7518 (24-hour automatic response)

*"Automatic Response System": numbers answered by the automatic response system
*"Telephone": numbers answered by Security Center personnel
*The total includes the numbers in the Consultation (d) column of the chart in "III. Reporting Status of Unauthorized Computer Access" and in "IV. Acceptance Status of Consultations".

Chart 4-1: One-click Billing Fraud: Number of Consultations

The major consultation instances are as follows.

(i) My USB memory is infected with a virus…?

Consultation:

I was told that my USB memory was infected with a virus. I am not comfortable with this, so I intend to initialize (format) it. Will the virus be removed if I format the USB memory, even though it may have been infected?

Response:

All files on the USB memory are deleted when you format it. Even if the USB memory is infected, all files, virus included, are deleted.

However, if you use a computer that is itself infected, the USB memory will be re-infected immediately after formatting. You therefore need to use a virus-free computer with adequate anti-virus measures for any operation, including formatting.

<Reference>

(ii) A bill came after I clicked the URL in the body of a spam mail…?

Consultation:

I received a mail whose sender address appeared to be a woman I do not know. I could easily tell it was spam, but out of simple curiosity I took a peek at the homepage by clicking the URL in the mail body. A bill then arrived because I had browsed the homepage. The statement included the IP address I was using when I browsed it. Can the site operator guess my private information, such as my physical address and name, from my IP address?

Response:

Your private information will not be passed to a third party (the site operator, in this case) unless you provided it directly yourself, or the provider you have signed up with leaks your information without consent. Since providers are committed to protecting private information, your information will not be leaked to a third party unless officially required by the police or a similar authority. In this case, therefore, your private information has not been disclosed to the site operator.

<Reference>

V. Access Status Captured by the Internet Monitoring (TALOT2) in June

According to the Internet Monitoring system (TALOT2), the total number of unwanted (one-sided) accesses in June 2008 was 156,012 across the 10 monitoring points, and the gross number of sources* was 55,589. That is, there were 520 accesses from 185 source addresses per monitoring point per day.

*Gross number of sources:

the gross number of sources that accessed TALOT2. A source is counted as 1 if it accesses the same point/port from the same address on the same day.

Since each TALOT2 monitoring environment is nearly identical to a general Internet connection environment, it can be assumed that the same amount of unwanted (one-sided) access is being received in general Internet users' connection environments. In other words, your computer is being accessed by an average of 185 unknown source addresses per day, and each such source address, which can be considered unauthorized, accesses you about 3 times.

Chart 5-1: Unwanted (One-sided) Number of Accesses and Number of Sources per Monitoring Point per Day (Average)

Chart 5-1 shows the average unwanted (one-sided) number of accesses and number of sources per monitoring point per day from January to June 2008. According to the chart, both decreased from May, and both can be said to be gradually declining.

(1) The Side Effect of a DoS Attack (SYN Flood Attack) *1

In late June, the side effect of a DoS attack (SYN flood attack) targeting communication providers in Hong Kong was observed at two (2) monitoring points of our TALOT2 system. The packets were SYN+ACK packets to destination ports 829/tcp and 881/tcp (the source port was 80).

Because the addresses used by TALOT2 happened to coincide with source addresses spoofed by the attacker, accesses (SYN+ACK packets) from the organization being targeted by the attack were observed. Chart 5-2 shows the accesses to ports 829/tcp and 881/tcp over time.

*Since this access was temporary and did not attack the TALOT2 system directly, we excluded it from our statistics.

Chart 5-2: Backscatter *3 of SYN Flood Attack on the Hong Kong Area

The addresses TALOT2 uses as monitoring points change irregularly. TALOT2 generally uses 10 monitoring points; that 2 of them were caught up in this SYN flood attack suggests that a large number of other addresses may have been affected by this type of attack.

*1: DoS Attack (SYN Flood Attack)

A DoS (Denial of Service) attack halts or degrades certain functions of a targeted computer. A SYN flood attack is a DoS attack that overloads the targeted computer: the attacker sends a large number of SYN packets (the packet first sent to establish a connection in the 3-way handshake (*2)) to the target using spoofed source addresses, generating many half-open connections.

*2: 3-Way Handshake

The 3-way handshake is the initial procedure for establishing TCP communication. It lets both sides confirm that they are ready to communicate with each other. For reference, the establishment of communication between A and B is as follows.

1. A sends B a SYN packet.

2. B sends A a SYN+ACK packet.

3. A sends B an ACK packet.

On completion of steps 1 to 3, communication between A and B is established.

*3: Backscatter

This refers to the behavior of a targeted computer: it returns a large number of SYN+ACK packets to the source addresses spoofed by the attacker while the DoS attack (SYN flood attack) is in progress.

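Notes *1 to *3 above, as an added simulation written for this report (not IPA's or TALOT2's own code): a TCP listener completes a legitimate 3-way handshake, a flood of SYNs with spoofed sources leaves half-open connections behind, and the spoofed addresses receive the SYN+ACK backscatter, which a passive sensor like a TALOT2 monitoring point can classify. All packets and addresses are constructed (documentation address ranges).

```python
from collections import namedtuple

# A constructed packet record: only the fields the handshake needs.
Packet = namedtuple("Packet", "src sport dst dport flags")


class Server:
    """A TCP listener on one port that tracks half-open connections (*1)."""

    def __init__(self, addr, port=80):
        self.addr, self.port = addr, port
        self.half_open = {}     # (client, cport) -> waiting for final ACK
        self.established = set()
        self.sent = []          # packets the server emits; some are backscatter

    def receive(self, pkt):
        if pkt.dst != self.addr or pkt.dport != self.port:
            return
        key = (pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            # Step 2 of the handshake (*2): reply SYN+ACK to whatever source
            # the SYN claims. With a spoofed source the reply reaches a
            # bystander, which is the backscatter of note *3.
            self.half_open[key] = True
            self.sent.append(Packet(self.addr, self.port, pkt.src, pkt.sport, "SYN+ACK"))
        elif pkt.flags == "ACK" and key in self.half_open:
            # Step 3: the connection completes and leaves the half-open table.
            del self.half_open[key]
            self.established.add(key)


def handshake(server, client, cport):
    """Legitimate 3-way handshake: SYN, SYN+ACK (sent by server), ACK."""
    server.receive(Packet(client, cport, server.addr, server.port, "SYN"))
    server.receive(Packet(client, cport, server.addr, server.port, "ACK"))


def syn_flood(server, spoofed_sources, count_per_source, first_port=829):
    """SYNs claiming spoofed sources; no ACK ever follows, so every one of
    them stays half-open (*1). Ports start at 829, as in the observed case."""
    for i in range(count_per_source):
        for src in spoofed_sources:
            server.receive(Packet(src, first_port + i, server.addr, server.port, "SYN"))


def classify_backscatter(sensor_addr, packets):
    """Defender view: the sensor is passive and never sends a SYN, so any
    SYN+ACK addressed to it is backscatter. Returns, per emitting target
    (address, port), the destination ports the backscatter arrived on."""
    hits = {}
    for p in packets:
        if p.dst == sensor_addr and p.flags == "SYN+ACK":
            hits.setdefault((p.src, p.sport), []).append(p.dport)
    return hits
```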
For further information on the above, please also refer to the following URLs.

Statistical information provided by other organizations and vendors is available at the following sites.

Contact

IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC)
Tel:+81-3-5978-7527
Fax:+81-3-5978-7518
E-mail: Please feel free to call at +81-3-5978-7517.