2014 Edition 10 Major Security Threats ~ Information Security Is Getting Increasingly Complex… Which Threats Are YOU Facing? ~
IT SECURITY CENTER (ISEC) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN March 2014
This document is available for download at the following URL:
http://www.ipa.go.jp/security/english/vuln/10threats2014_en.html

Contents
INTRODUCTION ...... 2
CHAPTER 1. THREAT CATEGORY AND TREND ...... 4
  1.1. Cyber Domain Issues ...... 5
  1.2. Cyber Crime Through Virus and Hacking ...... 6
  1.3. Internet-Based Scam and Crime ...... 7
  1.4. Internal Control and Security Management ...... 8
  1.5. Net Morality ...... 9
CHAPTER 2. 10 MAJOR SECURITY THREATS 2014 ...... 11
  1st Espionage Operations through Targeted Attack ...... 12
  2nd Unauthorized Login and Use of Services ...... 14
  3rd Website Hacking ...... 16
  4th Leakage of User Information from Web Services ...... 18
  5th Unauthorized Online Banking Transfer ...... 20
  6th Malicious Smartphone Applications ...... 22
  7th Careless SNS Posting ...... 24
  8th Information Leakage through Loss of Devices and Misconfiguration of Settings ...... 26
  9th Fraud/Extortion with Virus Attacks ...... 28
  10th Denial of Service ...... 30
  Other Candidates for 10 Major Security Threats ...... 32
CHAPTER 3. EMERGING THREATS AND CONCERNS ...... 35
  3.1. Growing Networked Devices ...... 36
  3.2. Importance of End Point Security ...... 38
  3.3. Internet Use among Increasingly Younger Ages ...... 40
APPENDIX: MAJOR SECURITY INCIDENTS AND NEWS IN 2013 ...... 42
Introduction

This report ranks and explains the security threats observed through the security incidents, cyber attacks and changes in the IT environment during the year 2013, selected by the vote of the 10 Major Security Threats Committee, which consists of 117 information security experts. The ranks change every year depending on various factors, and those factors are getting increasingly complex year by year.

Changes in Threats

The table on the next page shows the changes in things like attack trends, the IT environment and government policies from 2001 to 2013. Compared to 2001, it is apparent that the threat factors IT defenders should watch out for have increased in number and complexity. Following the changes in threats, new laws and policies have been enforced, and issues like national security and cybercrime investigation have begun to be recognized as new problem domains. As just mentioned, today’s “information security” has gone beyond the traditional matters such as viruses, unauthorized access or security management, and new issues have begun to be defined from different angles in different fields and domains.

Trends in 2013

Overall, it can be said that 2013 was a year where problems in multiple fields and domains became evident. One is that cyber attacks and crimes represented by targeted attacks have grown. Threats imposed by cyber attacks are also relatively growing, such as the mega-leak of personal information, increasing website hacking and record-breaking distributed denial of service (DDoS) traffic volumes. Meanwhile, a number of inappropriate publications to social media like Facebook and Twitter have caused eruptions of criticism on the Internet. In these cases, not only the individuals (publishers) but also their employers were accused of lack of supervision, which taught us that the morality of individual Internet users can be a critical issue. Especially, the number of cases where minors are taken into custody or arrested is increasing, and criminal acts among increasingly younger ages are becoming a major social problem.

Future Challenges

One of the changes in the IT environment is an increase in Internet-connected devices, such as office equipment and smart home devices. With that, unauthorized access to and information leaks from those devices due to improper settings have emerged. Protecting PCs and servers is not enough anymore. What we need to protect is now expanding to office equipment and smart home devices. We are at the time to rethink the fundamentals of security.

As we see, the IT environment is evolving in various ways and generating new problems. What is important is that one assesses whether the threats impose a risk on one’s organization, understands the problems and challenges, and takes appropriate countermeasures. We hope you read this report and use the threats addressed here to assess the risks those threats may pose to you and your organization.
Table 1: Changes in Threats
(Timeline chart covering 2001 to 2013; each row of the chart is listed with its items in timeline order.)

Eras: Network Virus Fever → Golden Age for Internal Control / Compliance → Globalization of Threats
Years: 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
Milestones: ★Windows XP Released, ★iPhone Released, ★iPad Released
IT Environment: Broadband Network, Public Wireless LAN, Cloud Computing / Mobile Devices, Social Media Services
Attacking Methods: Worm / Network Virus, Combined Attack, Botnet, Phishing Fraud, Targeted Attack, Mobile Attack
Attackers: Crime for Fun, Pecuniary Gain / Industrial Spying, Hacktivism, Intelligence Stealing / Destruction
Incidents / Events: Nimda, CodeRed, SQL Slammer, MS Blaster, Data Leak through P2P Software, Data Leak through Spyware, DDoS Attack on U.S. & South Korea, Stuxnet Attack on Iran, Attacks on Government Agencies, Attacks on Financial Institutions, NSA Surveillance Revealed
Laws / Policies (themes: Cyber Crime Crackdown, Management System, Foreign Affairs / National Security): Act on Prohibition of Unauthorized Computer Access, Act on Electronic Signatures and Certification Business, Unfair Competition Prevention Act Revised, Act on the Protection of Personal Information, Penal Code Revised, Act on Prohibition of Unauthorized Computer Access Revised, Electronic Documents Act, ISO/IEC 27001 Published, Common Standards of Information Security Measures for Government Agencies Published, National Strategy for Secure Cyberspace (U.S.), Public-Private Collaboration Launched, U.S.-Japan Cooperation for Cyber Attack Response, National Security Strategy Announced
Chapter 1. Threat Category and Trend

Recently, terms like “cyber attack”, “cyberspace” and “cyber domain” have often been heard, and many readers may feel confused about their relationship with traditional “information security”. The thing is, as seen from the prevalence of Internet services, changes in people’s lifestyle such as the wide use of social networking services (SNS) and smartphones, or international discussion on state-sponsored cyber attacks, the challenges and environment surrounding information security are evolving in complex ways. If one focuses on just an attack, the overall picture of the attack, or the relationship between traditional information security and cyber issues, which have diversified into international politics, foreign affairs, national security and the military sphere, will look very complex and be difficult to understand, making it harder to see and sort out the real problems.

The word “cyber attack” could mean different things depending on the individuals and organizations that use the word. It is important that one responds to threats based on an assessment of which threats have an impact on oneself and one’s organization, and in what way. Threats will not affect all individuals and organizations equally. Their impact changes depending on the attacker’s intention, the organization’s operational environment and/or the problem domains in which the threats operate. We recommend the readers keep this in mind and read the report thinking how each threat may affect you and your organization.

In this report, we categorized problem domains into the five groups shown in the figure below, based on the background in which a threat emerges, the intention and characteristics of the attacker, and the properties of the organization. The following sections explain the characteristics and trend of each problem domain in more detail.
Figure: Problem Domains

Problem Domains in Traditional Information Security

Information and Telecommunication Services
- Cyber Crime through Virus and Hacking: Website Hacking; Unauthorized Login; Information Stealing; Destruction of Infrastructure
- Internet-based Scam and Crime: Phony Invoice Scam; Social Media ID Theft; Fraudulent Wire Transfer

Organizational Security Management
- Internal Control / Security Management: Information Leak; Internal Threat; Natural Disaster; Operation Error

Netiquette
- Net Morality: Cyberbullying; Information Disclosure on SNS

New Problem Domains

International Politics / National Security / Military Ops
- Cyberspace (Domain) Issues: Interference with Military Operations; National Secret and Classified Intelligence Stealing; Destruction of Social Infrastructure
1.1. Cyber Domain Issues
[Figure: attacking/defending technologies are generally common, but the implications differ. The attacking techniques (virus infection, hacking) used as a cyber attack in the new domain, cyberspace, sit alongside land, sea, air and space; traditional information security issues are expanded into foreign affairs/national security and military operational issues.]

The idea of the cyber domain (the fifth domain) was defined by the U.S. government in 2011, which suggested cyberspace was to be dealt with at the level of international politics and global commons, just like the other domains (land, sea, air and space). It can be said that cyber attacks have become a matter of international politics since then, because cyberspace has been recognized as a domain that can be used to achieve foreign affairs and national security, or military, campaigns. Thus, it must be considered as a different issue from traditional information security.

Global Commons

The international notion considers cyberspace as a global common(1) like the other domains. Today’s cyberspace is a place where everything from social to economic to military activity operates. Nations have set out to set the rules to ensure free access and activities in cyberspace.

International Politics

Cyber attacks are already a main theme in international politics and were addressed in the U.S.-China summit in June 2013. International politics seeks a way for cyberspace to be utilized safely by nations, like territorial lands and waters.

National Security Issues

In Japan’s new National Security Strategy announced in December 2013, cyberspace protection has been integrated into the national strategy. It defines cyber attacks as “theft of national secrets and intelligence”, “destruction of social infrastructure” and “attacks intended to disrupt military systems”, meaning that damage to national interests such as the stealing of classified information and intellectual property, or risks that may cause social chaos, are assumed. They are now considered in the national security framework as a factor that could threaten society, the economy and military operations. In the days to come, the necessary arrangements will proceed in various aspects both inside and outside of Japan.

(1) Global, shared resources that must be accessible by all nations, and which no nation is allowed to exclusively possess.
1.2. Cyber Crime Through Virus and Hacking
Stealing information stored on a PC with a virus, or hacking a server by bypassing authentication, are typical cyber attack techniques. These attacks are likely motivated by pecuniary gain, and the scale of the damage is getting bigger every year. In one 2013 statistic(2), 380 million people became victims globally. In Japan, it is said 4 million people fall victim annually, which means someone is exploited about every 10 seconds. Attackers operate globally on the Internet and target both businesses/organizations and individuals. In cyber crime through virus or hacking, depending on the attacker, software vulnerabilities or systems’ improper settings are likely to be exploited. It is important to implement appropriate security measures not only on PCs and servers but also on every single computing device that is connected to the Internet, and to use them safely.

Expansion to Smartphone/Tablet

In recent years, the targets of attacks are no longer only PCs and servers but have expanded to smartphones and tablets. The scope of the devices we need to make sure to secure is getting larger.

Popularization of Banking Services

A factor that has boosted for-profit cyber crime can be the popularization of online banking and financial services. In 2013, online banking fraud attracted a lot of attention. The number of cyber fraud cases where customers’ online banking credentials are stolen and the money in their accounts is fraudulently wire-transferred is increasing. Attackers use techniques that make full use of sophisticated computer science technologies or tools available on the Internet, and steal information with pecuniary value.

(2) http://www.symantec.com/content/ja/jp/about/presskits/2013_Norton_Report.pdf
1.3. Internet-Based Scam and Crime
[Illustration: a victim thinking “What!? But I’d better pay as I’m told…” while the fraudster gloats “Well, well. We’ve got another easy mark. Hehehe…”]

A scam that tricks a person in order to steal money is a traditional modus operandi, and is still well used in the so-called emergency scam (bank transfer scam) and business scam. Now these fraudsters operate on the Internet as well.

Phony Invoice Scam

Since about 10 years ago, scams where a person receives a letter saying “Bill unpaid. Contact us as soon as possible.” or “We’ve filed a complaint.”, aiming at tricking recipients into paying money, have been widely observed. As a variant, there is a scam called one-click fraud, where a thank-you-for-signing-up-for-our-service message is shown when a person clicks a link on a porn/dating site or in an email, and the message urges the person to pay a high price, claiming a contract has been completed (by clicking) and the person has a legal obligation to pay the fee. Actually, no contract has been completed, and the fraudster takes advantage of people’s ignorance or weak points to siphon money.

Social Media ID Theft

Aside from for-profit scams by fraudsters, there have been observed criminal behaviors possibly motivated by fun, exploiting SNS. A major example is theft of a social media ID, such as a Twitter ID, of a celebrity or an actual company. Especially, because 2013 was the first year that the ban on Internet-based election campaigning was lifted in Japan, many candidates actively used blogs and SNS in their campaigns. Meanwhile, multiple bogus SNS accounts used to impersonate candidates and make false statements were reported. In some cases, celebrities were impersonated. These incidents have suggested the danger that one can easily spread false information.

The best defense against a scam on the Internet is, just like in the real physical world, not to be fooled easily. People need to be always cautious about information online when using the Internet.
1.4. Internal Control and Security Management
Corporate accounting scandals in the early 2000s triggered a discussion about internal control and compliance in Japan. Likewise, establishing an information security management system has been a popular move among businesses and organizations since the mid 2000s. The basics of internal control and compliance are to protect an organization’s information assets (i.e. data and systems) from intentional or accidental leak, falsification, deletion and/or disruption by establishing security controls.

Rules and System Controls

The internal control and security management system is established where the rules are set, education is provided, and control mechanisms are implemented in the systems. For instance, when information leaks through Winny and lost PCs occurred frequently in the mid 2000s, measures like a ban on the use of Winny or mandatory use of encryption software were widely adopted. Internal control and security management play a critical role in ensuring information security for businesses and organizations. As the IT environment changes, threats and risks change as well. The management system must respond and adapt to those changes.

Change in Data Leak Channels

Traditionally, information leaks were caused mainly by accidental human errors, such as through a lost PC or USB memory stick or a mistakenly sent email. But as the number of devices and services connected to the Internet increases, such as multifunction printers/copiers, webcams and cloud computing services, cases have been reported where information is unintentionally made accessible from the outside due to misconfiguration of these devices and services. Given the advancement in smart home devices and office equipment today, users need to be aware of their Internet connectivity and use them safely.

Natural Disaster and Operation Error

It is rare that organizations address system outages caused by natural disasters or operational errors in their security talk. However, among the incidents, these are the most frequent causes and may impose critical damage. Preparing a response system, a contingency operation plan and a recovery procedure in case of an accident is also an important security measure.
1.5. Net Morality
Today, everyone, from small children to the elderly, uses Internet-based services. The Internet has become absolutely indispensable for our everyday life. On another front, as the Internet population grows and services diversify, morality (etiquette and literacy) and Internet behavior have been questioned.

Education for Minors

As smartphones and online games become popular, elementary-school and middle-school students are also becoming familiar with the Internet. Meanwhile, underground social networking communities for young school students have emerged, where students from the same school form a community and post messages about their school and the people there anonymously, and cyberbullying has become a new social problem. Also, there have been cases where middle-school and high-school students crazed with online games to a fault hacked into other users’ accounts to steal their game items and were charged with unauthorized access and/or running phishing websites. Criminal acts among increasingly younger children are becoming a major social problem.

Information Disclosure on SNS

Net morality is a serious problem not only in the young student generation but also in the adolescent generation. With the prevalence of SNS, we now have an environment where people can easily share private information or things that happened at work with others to receive attention. However, to live in a society, we must show a certain level of morality. In 2013, a number of adolescents posted pictures of their pranks (for instance, a young man lying inside a refrigerated ice cream case during his part-time job at a convenience store), and that developed into a big social problem. In some cases, in addition to the pranksters, the stores were accused of employer liability and forced to close.

When using the Internet, everyone has to take full responsibility for his or her deeds. Unauthorized use of other people’s ID/password will be charged under the Act on Prohibition of Unauthorized Computer Access, and cyberbullying can be charged as defamation. People must be well conscious of laws and morality, just like in the real world, when using the Internet.
Chapter 2. 10 Major Security Threats 2014

Table 2 shows the ranking of information security threats that made a huge social impact in 2013. Selection and ranking of the threats were made by the 10 Major Security Threats Committee. This chapter describes each threat in detail, and its likely targets (or, in other words, victims) are identified as “primary victim” and “secondary victim”. It should be noted that those targets may change depending on factors such as the attacker’s intentions and objectives, the form of the information systems and the user’s position/role expected in the attack.

Table 2: The Ranking of 10 Major Information Security Threats 2014

No. | Threat | Category
1 | Espionage Operations through Targeted Attack | Cyber Domain Issues
2 | Unauthorized Login and Use of Services | Virus/Hacking Attack
3 | Website Hacking | Virus/Hacking Attack
4 | Leakage of User Information from Web Services | Virus/Hacking Attack
5 | Unauthorized Online Banking Transfer | Virus/Hacking Attack
6 | Malicious Smartphone Applications | Virus/Hacking Attack
7 | Careless SNS Posting | Net Morality
8 | Information Leakage through Loss of Devices and Misconfiguration of Settings | Internal Control / Security Management
9 | Fraud/Extortion through Virus Attacks | Virus/Hacking Attack
10 | Denial of Service | Virus/Hacking Attack
1st Espionage Operations through Targeted Attack ~ Both government agencies and businesses are targeted ~
Espionage Operations to steal classified information through the Internet are booming. Those attacks are targeting a wide range of organizations from government agencies to companies and becoming an issue of concern that threatens national interests and corporate management.
<Primary Victim>
Government agencies
Companies

… difficult to detect”. The impact of the attacks goes beyond the information systems of organizations, and the attacks become a diplomatic issue between nations.

… of target individuals there.
(2) Preparation: Prepare the virus and the targeted emails.
(3) Initial Entry: Send the targeted emails to the above individuals and infect their PCs with the virus. It is confirmed that some attackers infiltrated organizations via websites and/or …

… has become increasingly difficult to prevent attacks at the initial entry phase. This is because, instead of exploiting known vulnerabilities, recent attacks which send emails with an executable file attached or exploit zero-day vulnerabilities are on the increase.
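The text above notes that recent targeted emails carry an executable file as an attachment. As an added example (not code from the report or from IPA), the Python below shows a defender-side triage check over a mailbox's attachments: it reads the leading bytes for the PE (“MZ”) and ELF magic, checks the file extension against a list of executable types, flags a document-like extension hidden in front of an executable one (“invoice.pdf.exe”), and reports executable content that arrives under a non-executable name. The sample attachments, the extension lists and the function names are all constructed for this example.

```python
# Executable file extensions this check treats as suspicious in mail attachments
# (assumed list for the example; extend to local policy).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}

# Extensions that look like harmless documents; used to spot "report.pdf.exe".
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg"}

# Leading bytes that identify native executables regardless of file name.
MAGIC_SIGNATURES = [
    (b"MZ", "PE/Windows executable"),
    (b"\x7fELF", "ELF executable"),
]

# Constructed sample attachments (file name -> first bytes); no real malware here.
SAMPLE_ATTACHMENTS = {
    "quarterly_report.pdf": b"%PDF-1.4\n",
    "invoice_2013.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "photo.scr": b"MZ\x90\x00",
    "notes.txt": b"meeting notes\n",
    "update": b"\x7fELF\x02\x01\x01\x00",
}


def _extensions(name: str) -> list[str]:
    """All extensions of a name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def check_attachment(name: str, data: bytes) -> list[str]:
    """Return the findings for one attachment; an empty list means nothing flagged."""
    findings = []
    exts = _extensions(name)
    if exts and exts[-1] in EXEC_EXTENSIONS:
        findings.append(f"executable extension {exts[-1]}")
    # "report.pdf.exe": a document extension placed in front of an executable one.
    if len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS and exts[-1] in EXEC_EXTENSIONS:
        findings.append("double extension disguised as a document")
    for magic, label in MAGIC_SIGNATURES:
        if data.startswith(magic):
            findings.append(f"{label} content")
            # Content says executable but the name does not: worth flagging on its own.
            if not exts or exts[-1] not in EXEC_EXTENSIONS:
                findings.append("executable content with a non-executable name")
            break
    return findings


def triage(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Run check_attachment over every attachment; returns name -> findings."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        status = "FLAG" if findings else "ok"
        print(f"{status:4} {name}: {'; '.join(findings) or 'no finding'}")
```

The magic-byte check is the part that matters: an extension check alone misses a file that has simply been renamed, while the content check catches it whatever it is called, which is why the two are combined rather than used in isolation.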
References
I. IBM Japan: 2013 First Half - Tokyo SOC Data Analysis Report http://www-935.ibm.com/services/jp/its/pdf/tokyo_soc_report2013_h1.pdf (in Japanese)
II. IPA: System Design Guide for Thwarting Targeted Email Attacks https://www.ipa.go.jp/security/english/newattack_en.html
2nd Unauthorized Login and Use of Services ~ Secure password management is important! ~
In 2013, unauthorized login and the consequent unauthorized use of services or information leakage occurred frequently. One of the causes of unauthorized login is the reuse of the same password across various websites. Users should use a different password for each website.
… pairs. Because many people reuse the ID/PW pairs, it results in a number of successful unauthorized accesses.

… is much higher than the success rate of other attack techniques like brute force attack. This confirms that password reuse …

References
I. Awareness Survey on Password Management by Individuals and Organizations https://www.verisign.co.jp/welcome/pdf/password_management_survey.pdf (in Japanese)
II. Message from Orico about Unauthorized Access to e-Orico Service (Update) http://www.orico.co.jp/information/20131115.html (in Japanese)
III. Security Awareness Alert August 2013 http://www.ipa.go.jp/security/txt/2013/08outline.html#5 (in Japanese)
3rd Website Hacking ~ PC infected with virus without user’s knowledge~
[Illustration: a falsified page reading “Welcome to Safe and Secure ●● Ltd. Website”]
2013 witnessed an increase in website hacking. Website hacking is used as part of attack schemes to spread virus infection. Website administrators should keep in mind that the ultimate victims of website hacking are the visitors to their website, and thus take the necessary security measures to prevent that.
… vulnerabilities or admin accounts. Below are the most popular attack techniques.

Theft of Login Credentials from the Admin PC

The PC used by web administrators gets infected with a virus and their admin credentials are stolen. The attacker logs in with the credentials and falsifies the contents.

Hacking of FTP/SSH Accounts

Many websites use the FTP/SSH service for maintenance. However, when using an ID/PW authentication method, the sites are vulnerable to attacks like password guessing and dictionary attack. That vulnerability could be exploited, which leads to unauthorized login and content hacking.

… website hacking incidents reached over 4,000 in June and July 2013, more than double the incidents from January to April 2013.

Hacking of Websites Hosted on Rental Service Servers (III)

In September 2013, a local web server rental service reported that 8,438 websites had been falsified. The attack exploited a vulnerability in a WordPress plugin, among other things. The rental service vendor reported that, through a malicious file uploaded by the attacker, the information in a configuration file (the wp-config.php file) was obtained by the attacker, which allowed the attacker to falsify the users’ database and websites.
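The 2nd threat above attributes unauthorized logins to the replay of reused ID/PW pairs (a list-based attack whose success rate is far higher than brute force), and the FTP/SSH section just above describes password guessing and dictionary attacks against maintenance accounts. As an added example, not from the report or from IPA, the Python below profiles login attempts per source address in a constructed authentication log and separates the two patterns a defender would want to tell apart: a list-based attack tries roughly one credential per account across many accounts and gets a noticeable fraction of them right, while a brute-force or dictionary attack hammers a few accounts with many guesses and succeeds rarely. The log format, the thresholds and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed log format for the example: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def _line(ts: str, user: str, src: str, result: str) -> str:
    return f"{ts} auth user={user} src={src} result={result}"


# Constructed sample log (not real data).
# 203.0.113.10: one guess against each of 12 accounts, 3 succeed (a leaked ID/PW
# list being replayed).
_stuffing = [_line(f"2013-06-01T10:00:{i:02d}", f"user{i:02d}", "203.0.113.10",
                   "OK" if i in (2, 5, 9) else "FAIL") for i in range(12)]
# 198.51.100.7: 12 guesses split between two maintenance accounts, none succeed
# (dictionary/brute force).
_bruteforce = [_line(f"2013-06-01T11:00:{i:02d}", "admin" if i % 2 == 0 else "root",
                     "198.51.100.7", "FAIL") for i in range(12)]
# 192.0.2.5: a legitimate user who mistypes once.
_normal = [_line("2013-06-01T12:00:00", "user01", "192.0.2.5", "FAIL"),
           _line("2013-06-01T12:00:07", "user01", "192.0.2.5", "OK")]
SAMPLE_LOG = "\n".join(_stuffing + _bruteforce + _normal)


@dataclass
class SourceProfile:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)  # distinct accounts tried from this source

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def attempts_per_user(self) -> float:
        return self.attempts / len(self.users) if self.users else 0.0


# Thresholds are assumptions for the example, not tuned values.
MIN_ATTEMPTS = 10            # fewer attempts than this is treated as normal use
STUFFING_USER_RATIO = 0.8    # distinct users / attempts at or above this => list-based
BRUTE_ATTEMPTS_PER_USER = 5  # attempts per account at or above this => brute force


def profile_sources(log_text: str) -> dict[str, SourceProfile]:
    """Aggregate attempts, successes and distinct users per source address."""
    profiles: dict[str, SourceProfile] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not authentication events
        p = profiles.setdefault(m["src"], SourceProfile())
        p.attempts += 1
        p.users.add(m["user"])
        if m["result"] == "OK":
            p.successes += 1
    return profiles


def classify(profile: SourceProfile) -> str:
    """Label one source by how its attempts are spread over accounts."""
    if profile.attempts < MIN_ATTEMPTS:
        return "normal"
    if len(profile.users) / profile.attempts >= STUFFING_USER_RATIO:
        return "list-based (credential stuffing)"
    if profile.attempts_per_user >= BRUTE_ATTEMPTS_PER_USER:
        return "brute-force/dictionary"
    return "unclassified"


def classify_log(log_text: str) -> dict[str, str]:
    """Return a label per source address for the whole log."""
    return {src: classify(p) for src, p in profile_sources(log_text).items()}


if __name__ == "__main__":
    for src, p in profile_sources(SAMPLE_LOG).items():
        print(f"{src:14} attempts={p.attempts:2} users={len(p.users):2} "
              f"success_rate={p.success_rate:.2f} -> {classify(p)}")
```

On the constructed log the list-based source succeeds on 25% of its attempts while the brute-force source succeeds on none, which is the contrast the 2nd threat describes; a per-account lockout would stop the second pattern but not the first, so the list-based case is the one that needs per-source rate limiting and, above all, users who do not reuse passwords.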
References
I. Security Alert for Website Falsification ~ Website Falsification Incidents Are Increasing Dramatically ~ https://www.ipa.go.jp/security/topics/alert20130906.html (in Japanese)
II. JPCERT/CC Incident Response Report [October 1, 2013 ~ December 31, 2013] http://www.jpcert.or.jp/pr/2014/IR_Report20140116.pdf (in Japanese)
III. Announcement: Falsification on Lolipop Hosted Websites http://lolipop.jp/info/news/4149/ (in Japanese)
4th Leakage of User Information from Web Services ~ Hackers steal user data from web services ~
[Illustration: an “Account List” being stolen from a web service]
During the first half of 2013, a number of membership-based web services suffered hacking attacks and a large volume of user information was stolen. If information leakage occurs at web service sites where a huge amount of personal and sensitive information like credit card data is stored, the ramifications are enormous. Thus, the services need to take adequate security measures.
Exploitation of Vulnerability

A web service is built not on just a single piece of software but on several pieces of software that provide different service layers. The attacker’s prime targets are vulnerabilities in the applications specially developed for the service, or vulnerabilities in generic applications such as open source software. For example, web application frameworks like Apache Struts 2 and CMS software like WordPress tend to be targeted.

Targeted Attack

Not only direct hacking but also targeted attacks are used, where the attacker sends emails to the target organization, opens a backdoor and infiltrates the internal system. After successfully infiltrating the internal system, the attacker steals the web site information.

… that up to 150,165 credit card records might have been accessed by an unauthorized party who impersonated the customer(s) (II). In the latter half of 2013, Adobe Systems made headlines worldwide regarding a data breach of credentials and encrypted credit card data of 2.9 million customers (III).

Data Leakage through Targeted Attack

Yahoo! Japan reported that up to about 1.5 million passwords (encrypted with an irreversible algorithm) and a part of the information required to reset passwords might have leaked (IV). It is said a targeted attack breached a PC on the internal network and a malicious program was installed within the web service system through the compromised PC so as to steal data.

References
I. Important Announcement: Customer Data Leakage through Unauthorized Access to JINS Online Shop http://www.jins-jp.com/illegal-access/news.html (in Japanese)
II. 7 Net Shopping: Possible Card Data Leakage ~ Up to 1.5 Million Customers Affected http://internet.watch.impress.co.jp/docs/news/20131029_621296.html (in Japanese)
III. Important Customer Security Announcement http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
IV. Unauthorized Access to Our Server (May 17) (Yahoo! Japan) http://pr.yahoo.co.jp/release/2013/0523a.html (in Japanese)
5th Unauthorized Online Banking Transfer ~ Attackers have their eyes on your online banking credentials ~
[Illustration: a ●● XX Bank online banking screen]
2013 saw the largest-ever number of unauthorized online banking transfer cases and the largest-ever losses, and such transfers drew public attention. The transfer involves theft of the user’s credentials by a phishing scam or virus, impersonation of the bank account holder, and a fraudulent wire transfer.
Credential-Stealing Virus

(1) A user who neglects to patch vulnerabilities in the OS or software unknowingly accesses a virus-laden website set up by the attacker.
(2) The virus is downloaded and infects the user’s PC automatically.
(3) When the user accesses a target online banking service, the virus displays a fraudulent login screen in the browser through a man-in-the-browser attack and steals the user ID, password and second PIN.
(4) The attacker makes a fraudulent wire transfer using the information obtained in step (3).

Credential-stealing virus was used in …

… use of one-time passwords, i.e. obtaining a new password for every session by email. However, there occurred incidents where one-time passwords were stolen. It was confirmed that some users of free email services had had their ID/PW for those services stolen and their email messages, including the ones with one-time passwords, read by a third party. Fraudulent wire transfers actually happened which seem to have resulted from the use of one-time passwords obtained this way. Banks tell their customers on their websites that when obtaining one-time passwords, they should not use free email services and should receive them on devices other than PCs, such as a cell phone or a smartphone.

References
I. NPA: Unauthorized online banking transfers resulted in about 1.2 billion at 25 banks in 46 prefectures – financial losses four times as many as the largest losses in the past http://www.jiji.com/jc/zc?k=201312/2013121200517 (in Japanese)
II. Damage and loss caused by unauthorized online banking transfer and unauthorized access https://www.antiphishing.jp/news/pdf/apcseminar2013npa.pdf (in Japanese)
III. Security alert: how to protect your bank account from unauthorized online banking transfer http://www.rakuten-bank.co.jp/info/2013/130502.html (in Japanese)
6th Malicious Smartphone Applications ~ Data in your smartphone is being stolen~
There have been a series of incidents where smartphone applications which seem attractive but in fact contain malicious code steal information stored in the smartphone, such as the address book data, without the owner’s knowledge. Secondary damage has also been confirmed, in which the stolen personal information is abused in cybercrimes such as spam operations and billing fraud.
… address book. They would become targets of marketing calls and spam, and the damage will creep up on them later. Smartphone owners should bear in mind that they keep the personal information of other people, and take proper security measures.

Malware (I)

Juniper Networks reported that the number of smartphone malware samples increased 614% from March 2012 to March 2013. This means about 276,259 malicious applications are at large. It also reported …

References
I. Marketing with malicious application: Data theft from 800,000 smartphone users - IT vendor executives arrested http://www.sponichi.co.jp/society/news/2013/07/24/kiji/K20130724006284570.html (in Japanese)
II. Smartphone Security
7th Careless SNS Posting ~ Pranks and gaffes became a social issue ~
With the prevalence of SNS, more and more people have come to post their private information on the Internet easily. On the other hand, there were the cases where imprudent employees posted work-related information to SNS, and as a result, their employers (companies and organizations) suffered serious damage.
… oneself to the public and make one’s presence known to friends and acquaintances. However, if one has a wrong idea about what one’s action could mean and how people would see it, one could be bombarded with criticism. Once something is uploaded on the Internet, it cannot be erased completely and will exist in some digital space semi-permanently. Before posting something, people need to think calmly and carefully.

Unanticipated Diffusion of Information

With SNS like Twitter, information may spread more than the poster anticipated. In most cases, the poster does not realize how his or her posts may impact the public. It is important for SNS users to understand the characteristics of SNS and the possible consequences their posts have.

Misunderstanding of Privacy Settings

Some SNS users are not aware that the privacy settings of their posts are set to “public”, which means everyone can view the posts. When only friends or regular …

… store posted on Twitter some pictures of himself lying inside the store’s ice cream freezer (I). People who saw the pictures made comments on the unsanitary state of the store (II). Similar incidents continued to happen, and in some cases the stores were forced to close, the “bakatters” were sued, or a full-blown damage suit was filed against them.

Inappropriate Tweets by Bureaucrats

In June 2013, a bureaucrat was suspended for 30 days due to inappropriate tweets about a citizen group. He showed his real name and business career on his Twitter profile, which enabled the public to identify him. That led to exposure of his pictures and videos on the Internet and subsequently wide media coverage (III). In September 2013, another bureaucrat who repeatedly posted rants and criticism on his private blog was suspended for 2 weeks. He did not make his real name or the agency he worked for open to the public, but got himself identified by his blog entries.
8th Information Leakage through Loss of Devices and Misconfiguration of Settings ~ IT Control by a system administrator becomes more and more difficult every year ~
[Illustration: a cloud service whose default sharing setting is “Public on the web” rather than “Shared Privately”; an Internet user looking at the data asks “Am I supposed to be able to see this?”]
Information leakage through loss of laptop PCs or USB memory sticks continues to occur. It was and still is one of the most common security incidents. Meanwhile, due to the prevalence of smartphones and cloud computing services, the methods, media and places used to store data have become diverse. Accordingly, the risk of information leakage has increased.
Acquisition and abuse of classified information by a third party
Loss of customer confidence and business opportunities, and a negative impact on business

settings was “Public”. They did not seem to know that the default access level of Google Groups was “Public”.

Internet-Accessible Multifunction Printers/Copiers [II]
References
I. Government Agencies Accidentally Disclosed Internal Emails – Fail to Restrict Access to Google Groups http://www.nikkei.com/article/DGXNASDG10016_Q3A710C1CC0000/ (in Japanese)
II. To Multifunction Printer/Copier Users: Comment on Reports about Security of Multifunction Printers/Copiers http://www.jbmia.or.jp/whatsnew/detail.php?id=294 (in Japanese)
9th Fraud/Extortion with Virus Attacks ~ Demanding Money with Fake Anti-Virus Software and Ransomware ~
[Illustration: a user wondering “To pay or not to pay...” while the ransomware demands “Pay ransom and I’ll free your PC!”]
Virus attacks in which the attacker uses ransomware that holds the user’s PC hostage and demands money to free it have been increasing. If a PC is infected with ransomware, in some cases the user cannot access the data on the PC, which has a big impact on the user’s work and inflicts severe psychological damage on the user.

business.

increased rapidly and, in October 2013,
References
I. More than 160 ransomware incidents confirmed http://www.sankeibiz.jp/business/news/131105/bsj1311050608002-n1.htm (in Japanese)
II. What to do to avoid infection with CryptoLocker http://blog.trendmicro.co.jp/archives/8074 (in Japanese)
10th Denial of Service ~ Various ways to interfere with services; users and organizations could become an accomplice without their knowledge ~
In 2013, data at several Korean companies and government agencies was destroyed by a virus, which rendered the systems unusable. Also, DDoS attacks that exploit open DNS resolvers to turn them into an attack platform have been a serious problem.
unresponsive. Today, there are even black markets for the botnet business. It has been observed that some criminal groups contract for a DDoS attack or rent botnets.

Data Destruction
A virus that has infected a PC may inflict harm, such as preventing the PC from starting up or deleting data on the PC. Data destruction is one of the techniques the attacker may employ to hamper service continuity.

Email Bomb
The attacker sends huge volumes of email to the target’s email address so as to overflow the mailbox. Since emails from unknown senders are sometimes expected, it is difficult to block only unwanted emails effectively.

An open DNS resolver is a DNS server that accepts recursive lookups from external, unspecified IP addresses. In 2013, DNS amplification attacks were observed where the attacker exploited open DNS resolvers and flooded the target with a huge volume of DNS responses. To mitigate or prevent such attacks, administrators need to check whether their network devices are configured with recursion disabled and manage them with proper settings. Taking countermeasures against attacks that exploit a misconfigured NTP (a time synchronization service) is also required.

Abuse of Contact Form [III]
In 2013, anti-nuclear citizen groups suffered a cyber attack. The email addresses of the groups were used to
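As an added example (not from the IPA report), the following pure-Python check lets an administrator verify the two points above on a resolver they operate: whether it answers a recursive query from an outside client, and how much larger its reply is than the query (the amplification factor an attacker would obtain). The functions, the constructed sample replies and the placeholder values example.com and 192.0.2.1 are all mine.

```python
import socket
import struct

RD = 0x0100   # recursion desired (set by the client)
QR = 0x8000   # response flag
RA = 0x0080   # recursion available (set by the server)

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query for *name* with RD set, i.e. a request to recurse."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def classify_response(query, response):
    """Interpret a reply to *query*: did the server recurse for us, and by what
    factor is the reply larger than the query (amplification)?"""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {
        "txid_match": txid == struct.unpack("!H", query[:2])[0],
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "rcode": rcode,                      # 0 = NOERROR, 5 = REFUSED
        "answers": an,
        "amplification": round(len(response) / len(query), 2),
        # an open resolver answers an outside recursive query with data
        "open_resolver": bool(flags & QR) and bool(flags & RA) and rcode == 0 and an > 0,
    }

def probe_resolver(server, name="example.com", timeout=2.0):
    """Send the query over UDP to a resolver you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return classify_response(query, reply)

def sample_reply(query, flags, answer_section=b""):
    """Constructed sample reply (not captured traffic): echo the question, append answers."""
    txid = struct.unpack("!H", query[:2])[0]
    an = 1 if answer_section else 0
    return struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0) + query[12:] + answer_section

# Constructed A record: pointer to the question name, type A, class IN, TTL 300, 192.0.2.1
SAMPLE_A_RECORD = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    q = build_query("example.com")
    print("open:   ", classify_response(q, sample_reply(q, QR | RD | RA, SAMPLE_A_RECORD)))
    print("refused:", classify_response(q, sample_reply(q, QR | RD | 5)))
```

A correctly configured resolver answers the outside query with RCODE 5 (REFUSED) and no RA flag, so the amplification factor stays at 1.0; the open case above is already 1.55 for a tiny A record and grows with larger record types.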
References
I. Cyber attacks by North Korea? Systems at South Korean broadcasters and banks simultaneously shut down http://www.yomiuri.co.jp/net/news1/world/20130320-OYT1T00480.htm (in Japanese)
II. Security Alert for DDoS Attacks Exploiting Recursive Lookups https://www.jpcert.or.jp/at/2013/at130022.html (in Japanese)
III. Tens of Thousands of emails sent to anti-nuclear citizen groups – Possibly cyber attacks http://www.asahi.com/special/news/articles/SEB201309190046.html (in Japanese)
Other Candidates for 10 Major Security Threats The following threats have not been ranked in the 10 major security threats, but are the candidates that also had a big impact on the society in 2013.
11th. Internal Threats/Rule Violation Many cases were reported where an employee or ex-employee with malicious intent obstructed business. There are also many cases where an employee sells information to a third party or uses it personally. Malicious users already on the inside can inflict a wide range of damage without using advanced attack techniques. It is an internal control challenge to properly implement separation of duties and access controls.
Osaka city employee fired: used ex-boss’s ID for unauthorized access and falsified certificates http://sankei.jp.msn.com/affairs/news/131031/crm13103113550008-n1.htm (in Japanese)
12th. Theft of Online Game Items As smartphones get popular, online games have become prevalent. Attacks (unauthorized logins) that aim for virtual currency and/or items used in online games are increasing. In 2013, prosecutions of junior high school and high school students were on the rise, and criminal acts among increasingly younger children are becoming a major social problem.
High school student prosecuted on unauthorized access charge / Gifu Police http://mainichi.jp/area/gifu/news/m20131114ddlk21040034000c.html (in Japanese)
40 percent of unauthorized access charge perpetrators were teens http://www.yomiuri.co.jp/net/security/goshinjyutsu/20130412-OYT8T00917.htm (in Japanese)
13th. SNS Account Spoofing/Spread of False Rumors There were reports that attackers impersonated celebrities or big-name companies on SNS and redirected viewers to specific websites such as promotional websites and online dating services. Impersonated persons and organizations suffer unexpected costs to contain the situation and losses from harmful rumors. In the U.S., an SNS account of a major news media organization was hijacked and false information on terrorism was spread, which led to a drop in stock prices.
Be aware: fraudulent “Official Disney” tweets redirect viewers to promotional websites http://nlab.itmedia.co.jp/nl/articles/1310/29/news116.html (in Japanese)
AP’s Twitter account hijacked – stock price dropped by false information http://www.nikkei.com/article/DGXNASGM2402U_U3A420C1EB1000/ (in Japanese)
14th. Cyber Defamation and Bullying The anonymity of the Internet has been abused to spread defamation, forgeries and/or obloquy through Internet services like bulletin boards and SNS. Cyber bullying has also become a serious social problem. Targeted individuals can suffer psychological damage and loss of trust.
Perpetrators arrested: Believed obloquy on the Internet and announced murder on BB http://www.saitama-np.co.jp/news/2013/12/04/07.html (in Japanese)
High school student prosecuted for murder announcement on lawyer - “No grudge, just to enjoy attention” http://sankei.jp.msn.com/affairs/news/131209/crm13120913190003-n1.htm (in Japanese)
15th. Unauthorized Use/Eavesdropping of Wireless LAN Exploitation of non-password-protected wireless LAN access points in crime, such as crime announcements, is becoming a serious social problem. Once the network is compromised, it is possible that devices on the network will be attacked. A security-neglected wireless LAN can be eavesdropped on as well. If tapped into, sensitive information can be leaked and/or credentials can be stolen.
For businesses to use wireless LAN safely http://www.soumu.go.jp/main_content/000199320.pdf (in Japanese)
Monthly Security Watch December 2013 – Prevent Someone from Piggybacking on Your Wireless LAN http://www.ipa.go.jp/security/txt/2013/12outline.html (in Japanese)
16th. Billing Fraud One-click billing fraud involving porn websites and online dating services does not go away. Billing fraud used to be done through postal mail, but as the Internet became prevalent, the use of IT channels such as email, web browsers or smartphone applications became mainstream. In 2013, billing fraud flourished by targeting individuals whose personal information had been stolen via smartphone applications.
One-click fraud applications flooding Google Play http://www.itmedia.co.jp/enterprise/articles/1304/04/news089.html (in Japanese)
How did you get my cell phone number? I thought it was free software but was later charged 500,000 yen! http://www.kokusen.go.jp/mimamori/kmj_mailmag/kmj-support69.html (in Japanese)
17th. Natural Disaster/Operation Error In 2011, the Great East Japan Earthquake occurred. In 2012, the ramifications of a cloud computing service outage were recognized. And in and after 2013, troubles caused by unexpected accidents and incidents continue to break out. A business continuity plan (BCP) that prepares for situations such as system outage and loss of backup data is required for IT systems.
GMO cloud service outage – Caused by fire at a data center in Taiwan http://itpro.nikkeibp.co.jp/article/NEWS/20130225/458681/ (in Japanese)
KDDI AU email service out of service for two and a half days – Equipment failure and human errors suggested http://japan.cnet.com/news/business/35031332/ (in Japanese)
Chapter 3. Emerging Threats and Concerns
Focusing on changes in our Internet environment and lifestyle, this chapter addresses some emerging threats and concerns that are showing an impact, or beginning to show an impact, on society.

Table 3: Emerging Threats and Concerns
No | Title
1 | Growing Networked Devices ~ Besides servers and PCs, any Internet-connected device can be cyber attacked ~
2 | Importance of End Point Security ~ Keeping software up to date is a royal road to security ~
3 | Internet Use among Increasingly Younger Ages ~ Minors could become both victim and perpetrator of cyber crime ~
3.1. Growing Networked Devices ~ Besides servers and PCs, any Internet-connected devices can be cyber attacked ~
[Illustration: a system administrator]
These days, devices at the office and at home are increasingly connected to the Internet, providing convenient features like remote control and maintenance. On the other hand, new threats, such as data leaks and device hijacking through wrong settings, have emerged.

the storage media remotely.
References
I. Wired voice from kid’s room – Man hijacked webcam and shouted abuse (U.S.) http://www.cnn.co.jp/tech/35036051.html (in Japanese)
II. Japan Business Machine and Information System Industries Association: Security alert for multifunction copiers/printers http://www.jbmia.or.jp/whatsnew/detail.php?id=294 (in Japanese)
3.2. Importance of End Point Security ~ Keeping software up to date is a royal road to security ~
Attacks in recent years mainly target end point devices such as PCs used by end users. In response to emerging security threats, the security features of OSs and the software running on them have continued to be enhanced. Using the latest version of an OS and its software can make a big difference in terms of security.

devices, OS and application vendors have been enhancing the security features of their software as threats emerge and evolve. The vendors analyze recent attack techniques and security weaknesses in the current software, and reflect the analysis

to the newer ones. However, it is very important to understand that using the newer version and updating software regularly is one of the easiest and most effective ways to mitigate threats.

3 A security mechanism to prevent the system from being maliciously affected by running unverified programs from external entities in a tightly controlled secure area.
4 A technology to prevent the execution of malicious commands by randomizing the memory addresses used for data.
3.3. Internet Use among Increasingly Younger Ages ~ Minors could become both victim and perpetrator of cyber crime ~
[Illustration: one youth says “Gonna use his account.”; another replies “STOP! That’s a CRIME!”]
As the Internet becomes more and more common among increasingly younger ages, there have been cases where minors get caught up in IT crimes. There have also been cases where minors are taken into custody or arrested for IT crimes. The importance of cybersecurity education for minors is increasing.
The National Consumer Affairs Center of Japan reports it had more than 3,000 hotline calls regarding online game troubles for 2013 alone as of the end of November 2013. In one case, a boy (high school sophomore) bought game items worth about 6,000 dollars. In another case, a grandson stole his grandfather’s credit card and the grandfather received a bill of almost 2,000 dollars. Some online games are no fun without paid items. These cases suggest that children lost themselves in games and caused damage to their families. Parents need to understand the mechanisms of online games and discuss family rules on playing online games with their children.

phishing website or writing a virus, have been observed as well. Since young children may not be mature enough to tell right from wrong, society needs to teach IT literacy on a regular basis.

Post Improper Information Online
As introduced in chapter 2, minors have been increasingly taken into custody or arrested for posting imprudent material online. What is especially serious is “cyberbullying behavior”, in which bad things about others or defaming pictures of them are posted on bulletin boards. It is worth mentioning that these acts are seen among elementary school students, too, and in some cases they were taken into custody. A case in a high school resulted in a
References
I. Crime Statistics Regarding Online Dating Services - First Half of 2013 http://www.npa.go.jp/cyber/statics/h25/pdf02-1.pdf (in Japanese)
II. National Consumer Affairs Center of Japan: Online Games http://www.kokusen.go.jp/soudan_topics/data/game.html (in Japanese)
III. IPA: Learning Materials for Elementary/Junior-High/High School Students http://www.ipa.go.jp/security/keihatsu/videos/ (in Japanese)
Appendix : Major Security Incidents and News in 2013
Jan 7 Bank of Tokyo-Mitsubishi UFJ issued a security alert for spam emails that try to steal credit card information.
Feb 10 Perpetrator of the so-called “Remote Control Virus” hacking incidents arrested
Feb 20 Trend Micro issued a security alert for cyber shill business using LINE
Mar 20 Several tens of thousands of PCs were cyber-attacked and shut down in Korea - Multiple businesses have been affected
Apr 19 Ban on the use of the Internet for election campaigning lifted
May 23 Yahoo! Japan announced the theft of 1,486,000 user records
May 24 National Police Agency issued an alert for sharp increase in web hacking
Jun 5 Edward Snowden disclosed NSA’s intelligence operations
Jul 10 Media reported several government agencies disclosed internal information through Google Groups
Jul 25 East Japan Railway Company apologized for not appropriately informing customers about its handling (selling) of SUICA history records
Aug 1 IPA issued a security alert for increasing password list attacks
Aug 29 lollipop! server rental service hack led to hack of 8,438 websites
Sep 19 Advanced targeted zero-day attacks targeting Japan were confirmed
Oct 2 Customer information stolen through virus-infected ex-contractor’s private PC
Oct 3 Japan-United States Security Consultative Committee (“2+2”) agreed on cooperation in cyberspace
Nov 15 Following a media report on information leak through multifunction printer/copier, manufacturers issued a security alert on the issue
Dec 12 Annual loss caused by online banking fraud added up to about 1.2 billion yen (National Police Agency)
Dec 17 National security strategy endorsed by the Cabinet. Cyberspace now a national domain to protect.
[Produced and Copyrighted by] Information-technology Promotion Agency, Japan (IPA)
[Editor] Masashi Ohmori
[Illustration] Hitachi Document Solutions Co., Ltd.
[Advisor] 10 Major Security Threats Committee
[Author] Masashi Ohmori, Motohiro Namahishi, Noriko Tanamachi
2014 Edition
10 Major Security Threats
~ Information Security Is Getting Increasingly Complex...
Which Threats Are YOU Facing? ~
March 17, 2014 First Edition
[Publication] Information-technology Promotion Agency, Japan
16F, Bunkyo Green Court Center Office,
2-28-8, Honkomagome, Bunkyo-ku,
Tokyo, 113-6591 Japan
http://www.ipa.go.jp/index-e.html
IT SECURITY CENTER (ISEC) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN
16F, Bunkyo Green Court Center Office 2-28-8 Honkomagome, Bunkyo-ku Tokyo, 113-6591 Japan TEL:03-5978-7527 FAX:03-5978-7518 http://www.ipa.go.jp/security/english/index.html