4 Infrastructure Security *2 For example, the Hackmageddon.com site below provides an overview of attacks made as part of OpIsrael. “Timeline of Opisrael” (http://hackmageddon. Opisrael” of “Timeline OpIsrael. of part as made attacks of a overview with an provides traffiassociated below c site concentrated highly Hackmageddon.com including the example, For problems, security with associated directly not incidents and information, *2 Security-related Other: against attacks DDoS malware; other and worms network of propagation wide as such responses related and incidents Unexpected Incidents: Security a with connection in attacks to related etc., response, in taken measures incidents, of detection warning/alarms, signifidates; cant Historically History: international as such events international and circumstances foreign and domestic to related incidents to Responses Situations: Social and Political in or Internet the over used commonly software or equipment server equipment, network with associated vulnerabilities to Responses other. or Vulnerabilities: incidents security history, situations, social and political vulnerabilities, as categorized are report this in discussed Incidents *1 period* this during handled incidents of distribution the shows 1 31, 2012. Figure December 1and October between occurred that incidents to response and handling IIJ the discuss we Here, 1.2 incidents. security-related many experience to continues Internet the above, seen As continuing. also are Japan in institutions government-related at infections Malware news. big became it to related incidents of a series and Virus” Control “Remote the Japan, In (ccTLDs). Domains Top-level country-code with involved organizations of number a on attacks to due scale anational on alterations and hijackings domain widespread been also have There discovered. were institutions government-related and companies on attacks targeted of aseries and Anonymous, by out carried again once were attacks hacktivism-based of anumber period 31, this 2012. In December 1through October from time of period the covers volume This relationships. cooperative has IIJ which with organizations and companies from obtained and information services, our through acquired information incidents, of observations from information Internet, the of operation stable the to related itself IIJ by obtained information general on based responded, IIJ which to incidents summarizes report This 1.1 technology. cryptographic use that implementations and protocols affecting issues of aspate examine and year, last of half latter the in fi Japanese institutions of users nancial attack to used was that malware ZeuS the of variant Citadel the at look communications, anonymous for used Tor the system discuss we report this In Tor Technology Security Infrastructure 1. Figure 1: Incident Ratio by Category Category by 1: Ratio Figure Incident History 0.8% Other 29.5% Security Incidents39.0% Social Situation0.8% Political and Introduction com/2012/11/25/timeline-of-opisrael/). notable event. websites. certain fact. historical past disputes. international in originating attacks and VIPs by attended conferences user environments. Incident Summary Incident (October 1 to December 31, 2012) December 1to (October Vulnerabilities 29.9% 1 . uproar surrounding a decree published by the president president the by published adecree surrounding uproar the to due continuing is demonstrations violent including on Palestine from Israel (OpIsrael)* Israel from Palestine on attacks reprisal as well army, as Israeli the by out carried Palestine in Strip Gaza the of blockades and bombing aerial against protest in government Israeli the to related sites on attacks included activities main The causes. and incidents of avariety from stemming countries of number large a in sites company and government-related at occurred leaks information and attacks DDoS period. this during continued Anonymous as such hacktivists by Attacks Hacktivists Other and Anonymous of Activities I The 2 . In Egypt, unrest unrest Egypt, . In During this period fi xes were released for Microsoft’s Windows* Microsoft’s fi for period this released During were xes I Vulnerabilities and their Handling period. this during observed were acceptance was deposited on October 5* October on deposited was acceptance of instrument the approval, cabinet 2012. Following 6, September on session plenary House Lower Japanese the at passed was countries European in protests heated to led that treaty Trade Agreement) ACTA (Anti-Counterfeiting the Additionally, stolen. had they etc. records, account 1.6 million approximately leaked and December, in countries different in agencies government and corporations multiple to access unauthorized gained also TeamGhostShell published. was information account stolen including data and TeamGhostShell, themselves calling someone by out carried world the around countries other and Japan in universities at servers to access unauthorized of incidents were there October, In Anonymous. than other groups by caused incidents of anumber also were There active. very be to continues Anonymous demonstrates, this As (OpWestBoro). Connecticut in school elementary an at rampage a shooting of victims of funerals and vigils the picket would it announced had that views extreme with group areligious on made were attacks December, In (OpRIP). released was suicide her caused and Canada in SNS over girl ayoung bullied who aman of name the October, In Anonymous. for symbol trademark the become has who Fawkes, Guy from names its takes day Day.This Fawkes Guy of anniversary British the 5, November on world the around place took attacks Other Brazil. and Sweden, Kingdom, United the in agencies government on attacks also were There (OpEgypt). movement this of support in government Egyptian the to related sites on made were Attacks constitution. draft their on areferendum and *11 PKNIC (http://www.pknic.net.pk/) made an initial statement regarding this incident. The details can now also be confi rmed in other reports. confiother be in also rmed now can details The incident. this regarding statement initial an made (http://www.pknic.net.pk/) PKNIC *11 (http://technet.microsoft.com/en-us/ (2761465)” Explorer Internet for Update Security Cumulative -Critical: MS12-077 Bulletin Security “Microsoft *10 (http://technet.microsoft.com/en-us/ (2761451)” Explorer Internet for Update Security Cumulative -Critical: MS12-071 Bulletin Security “Microsoft (http://technet. *9 (2780642)” Execution Code Remote Allow Could Word Microsoft in Vulnerability - Critical: MS12-079 Bulletin Security “Microsoft (http://technet. (2742319)” *8 Execution Code Remote Allow Could Word Microsoft in Vulnerabilities -Critical: MS12-064 Bulletin Security “Microsoft (2758857)” Execution Code *7 Remote Allow Could Component Handling File Windows in Vulnerability -Critical: MS12-081 Bulletin Security (http:// “Microsoft (2783534)” Execution Code Remote Allow Could *6 Drivers Kernel-Mode Windows in Vulnerabilities -Critical: MS12-078 Bulletin Security “Microsoft (http:// (2761226)” Execution Code Remote Allow Could *5 Drivers Kernel-Mode Windows in Vulnerabilities -Critical: MS12-075 Bulletin Security “Microsoft *4 (http://www.mofa.go.jp/policy/economy/i_ Japan” by (ACTA) Agreement Trade Anti-Counterfeiting the of “Conclusion Affairs, Foreign of Ministry *3 registry for Pakistan were hacked by exploiting a SQL injection vulnerability. As a result, 284 domains were hijacked* were domains 284 aresult, As vulnerability. injection aSQL exploiting by hacked were Pakistan for registry domain .pk the manages that PKNIC the for servers November, In Yahoo.ie. and Google.ie as such domains of hijacking the to leading vulnerability, aCMS of use through authorization without accessed was Ireland for registry domain .ie the manages that IEDR the October, in First, incidents. hijacking domain related and ccTLD on attacks of a number were there period this During ccTLD on I Attacks language. fi also was programming Ruby the in xed vulnerability function a hash and Rails, on Ruby framework fiapplication and Web found popular was the in xed injections SQL allowed that A vulnerability fi also was codes xed. resource certain of use the through stoppages server abnormal caused that servers DNS BIND in Avulnerability vulnerabilities. fi released, was server of database number a xing Oracle the for update aquarterly applications, server Regarding released. were patches before wild the in exploited were vulnerabilities these of Several fi that Java for vulnerabilities. update many xed ascheduled released Oracle Player. Shockwave and Player Flash as such fiproducts and Systems’ discovered also Adobe in xed were vulnerabilities of security/bulletin/ms12-077). security/bulletin/ms12-071). microsoft.com/en-us/security/bulletin/ms12-079). microsoft.com/en-us/security/bulletin/ms12-064). (http://technet.microsoft.com/en-us/security/bulletin/ms12-081). technet.microsoft.com/en-us/security/bulletin/ms12-078). technet.microsoft.com/en-us/security/bulletin/ms12-075). property/acta_conclusion_1210.html). 3 . Japan is the fi rst country to ratify the ACTA treaty. However, no attacks of note note of attacks no However, treaty. ACTA the fi the is ratify to . Japan country rst 4 * 5 * 6 Off e* c fi f O , 7 * 8 , and Internet Explorer* Internet , and 9 * 10 . A large number number . A large 11 . Two Two .

5 Infrastructure Security 6 Infrastructure Security October Incidents *Dates areinJapanStandardTime [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O O O O V V V V V V V V V S S S (http://www.bunka.go.jp/chosakuken/24_houkaisei.html) (inJapanese). Agency forCulturalAffairs,“2012RegularDietSession-RegardingCopyrightActAmendments” 1st: SomeregulationsregardingtheincorporationofcriminalpunishmentillegaldownloadingcameintoeffectduetoamendedCopyrightAct. See thefollowingWASForumpostregardingHardeningProjectformoreinformation (http://wasforum.jp/hardening-project/)(inJapanese). 27th: The“HardeningOne”securityeventwheretheoveralloperationalcapabilitiesofIT systemsarecontestedwasheld. when discovered,astheycouldbeinterpretedtoallowinformationprovided thirdparties,andtheyalsorequestedexcessivepermissions. 23rd: “Oracle JavaSECriticalPatchUpdateAdvisory-October2012”(http://www.oracle.com/technetwork/topics/security/javacpuoct201 2-1515924.html). execution ofarbitrarycode. 17th: OraclereleasedtheirquarterlyscheduledupdateforJavaSEJDKandJRE,fixing30vulnerabilitiesincludingthosethatallowed (http://www.nisc.go.jp/press/pdf/5th_aseanj_meeting_result_press.pdf) (inJapanese). National InformationSecurityCenter,“OutcomeoftheFifthJapan-ASEANPolicyMeeting” countries washeldinJapan. 10th: The“FifthJapan-ASEANInformationSecurityPolicyMeeting”aimedatbolsteringinternationalcooperationandinitiativeswithASEAN Internet SystemsConsortium,“CVE-2012-5166:SpeciallycraftedDNSdatacancausealockupinnamed”(https://kb.isc.org/article/AA-00801/0). and fixed. 10th: Avulnerability(CVE-2012-5166)inBIND9.xthatcouldallowexternalpartiestocauseacrashusingspeciallycrafteddatawasdiscovered “Microsoft SecurityBulletinSummaryforOctober2012”(http://technet.microsoft.com/en-us/security/bulletin/ms12-oct). 10th: MicrosoftpublishedtheirSecurityBulletinSummaryforOctober2012,andreleasedtheMS12-064criticalupdateaswellsiximportantones. “Security updatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb12-22.html). discovered andfixed. 9th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere (http://www.enisa.europa.eu/media/press-releases/europe-joins-forces-in-cyber-europe-2012). ENISA, “EuropejoinsforcesinCyberEurope2012” 4th: ENISAhostedalarge-scalecyberattackexercise,“CyberEurope2012,”inwhichapproximately300companiesparticipated. at OurUniversity”(http://www.u-tokyo.ac.jp/public/public01_241005_02_j.html)(inJapanese). information suchasIDsandemailaddresseswereleaked.TheUniversityofTokyo“RegardingInformationLeaksDuetoUnauthorizedAccess For example,thefollowingstatementfromUniversityofTokyothatmultipleWebserverstherewereaccessedwithoutauthorization,and Several Japaneseuniversitieswerealsoaffectedbythisincident. 2nd: TeamGhostShellaccessedserversatanumberofuniversitiesaroundtheworldwithoutauthorization,andpublishedstoleninformation. “Security updateavailableforAdobeShockwavePlayer”(http://www.adobe.com/support/security/bulletins/apsb12-23.html). 24th: AnumberofvulnerabilitiesinAdobeShockwavePlayerthatcouldallowarbitrary code executionwerediscoveredandfixed. (http://technet.microsoft.com/en-us/security/advisory/2661254). “Microsoft SecurityAdvisory(2661254)UpdateForMinimumCertificateKeyLength” length thatwaspublishedinAugust. 10th: MicrosoftbeganautomaticupdatesfortheWindowsupdateprogramrestrictinguseofcertificatesusingRSAkeyslessthan1024bitsin (http://technet.microsoft.com/en-us/security/advisory/2749655). “Microsoft SecurityAdvisory(2749655)CompatibilityIssuesAffectingSignedMicrosoftBinaries” attributes, adverselyaffectingtheabilitytoinstalloruninstallsecurityupdateprograms,etc. 9th: Microsoftre-releasedupdateprogramsbecausesomeofthedigitalcertificatesusedtosignbinariesdidnotcontainpropertimestamp the “RemoteControlVirus”. 7th: Reportsrevealedthatthewrongpeoplehadbeenarrestedinmultipleincidentswhichabusivemessageswerepostedtowebsitesusing “anti-Malware engineeringWorkShop2012 (MWS2012)”(http://www.iwsec.org/mws/2012/index.html)(inJapanese). cultivating humanresourcesforanti-malware activitieswasheld. 30th: The“anti-MalwareengineeringWorkShop 2012(MWS2012)”forpresentingtheresultsofresearchonmalwarecountermeasures and US-CERT “Multi-vendorIPcamerawebinterfaceauthenticationbypass”(http://www.kb.cert.org/vuls/id/265532). screen ofnetworkcamerasfromanumbervendors. 11th: AvulnerabilitythatcouldallowremotethirdpartiestogaincontrolbybypassingauthenticationwasdiscoveredintheWebmanagement (https://www.iedr.ie/wp-content/uploads/2012/12/IEDR-Statement-D-issued-8Nov.pdf). See thefollowingIEDRstatementformoreinformation.“IEDRSecurityStatement” 9th: TheIEDRdomainregistryforIrelandwasaccessedwithoutauthorization,leadingtothehijackingofGoogle.ieandYahoo.ie. 25th: MicrosoftreleasedtheirnewWindows8OS,whichincludesanimproveduserinterface andsecurityfunctions. Vulnerabilities A numberofinappropriateitemsinthetermsuseanddeviceaccesspermissions forafreecallappsmartphonesbecameanissue S Security Incidents P Political andSocialSituation H History O Other a function that automatically adds friends failed to work correctly after an update to the Android version of the application* the of version Android the to update an after correctly work to failed friends adds automatically that for a function setting “Off” the when information contact from added automatically be to friends LINE causing app, communication LINE Agency (JAXA) had been infected by a computer virus, and rocket-related information had possibly been leaked externally* leaked been possibly had information rocket-related and virus, acomputer by infected been had (JAXA) Agency in September, and on the status of initiatives for information security measures at government agencies* government at measures security information for initiatives of status the on and September, in place took that agencies government against attacks cyber on made also were Reports RSA1024. and SHA-1 of compromise the to due on worked being are These agencies. government at algorithms cryptographic covering guidelines transition for defi to made were specifine revisions dates c assembly this At agencies. government for measures security promotes which Measures, Security Information of Promotion for Council the of assembly 8th the included activities agency Government function for Facebook accounts was used* was accounts Facebook for function integration friend the when correctly sync not would which function, integration Facebook its with issues also were There computer virus also occurred* also virus computer a by infected was Agency Energy Atomic Japan the of employee an by used acomputer which in incident an Similarly, A vulnerability in the Skype communication app’s web-based password reset function was discovered and fi and discovered was function xed* reset password web-based app’s communication Skype the in A vulnerability I Smartphone Applications and Service Integration it. of aware being them without users of number alarge affect can this because continue, will ccTLD manage that organizations on attacks similar make to attempts believe we illustrates, this As notice. to likely not is user average the DNS, Public Google as such trustworthy be to thought server DNS external an querying when even returned are addresses IP fake because such as cancelling unnecessary integration services* integration unnecessary cancelling as such countermeasures summarized and specifithis, of contained examples It c functions. integration service app of exploitation to due knowledge user’s the without SNS on made are posts which in kind this of incidents about astatement released IPA adevice. from information personal collect or intention, user’s the without comments post or actions perform that those identifi been also including ed, have intent malicious with apps integration however, hand, other the On rise. the on is integration of kind this so SNS, external with integration through convenience more offer can smartphones on apps Individual including those accessed by a large number of people. Additionally, as shown in cases reported on the Kaspersky Lab blog* Lab Kaspersky the on reported cases in shown as Additionally, people. of number alarge by accessed those including once, at all domains many hijack to possible is it succeeds, ccTLD manages that registrar or a registry on attack an When sites. fraudulent to redirected were users and targeted, were PayPal and Yahoo!, Google, as such global corporations for domains well-known incidents, these of each In attacked. was domains .rs Serbian for registrar the after hijackings domain more were there December, In (.ro). domains Romanian at occurred had incidents similar that reported was it later, days *21 National Information Security Center, “8th Assembly of the Council for Promotion of Information Security Measures (Liaison Conference for CISO, etc.) etc.) CISO, for Conference (Liaison Measures Security Information of Promotion for Council the of Assembly “8th Center, Security Information National *21 (http://www.jaea.go.jp/02/press2012/ Infection” Virus aComputer to due Leaks Information Potential “Concerning Agency, Energy Atomic Japan *20 (http://www.jaxa.jp/ Leaks” Information Potential and JAXA at Infection Virus Japanese). (in aComputer “Regarding (JAXA), Agency Exploration Aerospace Japan Offi (http://www.cao.go.jp/press/20121011notice.html) ce” Cabinet the *19 from being as Misrepresented Emails Offi“Regarding ce, Cabinet *18 -“(http://www.ipa.go.jp/security/ YourKnowledge Without Used Be Can -YourName SNS!’ on Integration Service ‘Beware (http://en.lineblog.naver.jp/archives/20505343.html). LINE.” of Address 2012 version “October Android IPA, the on friends Japanese). (in Facebook for *17 function integration the stopped “We’ve LINE, NAVER (http://lineblog.naver.jp/archives/20587620.html) 3.3.0” LINE of *16 Version Android the in a Bug for a Fix of News and “An Apology LINE, NAVER *15 (http://jp.trendmicro.com/jp/threat/security_news/monthlyreport/ 2012]” [Oct. Infections Virus on Report -Monthly Micro *14 “Trend Micro, Trend (http://www.securelist.com/en/blog/208193933/New_ account” your of hijacking allows vulnerability Skype “New Blog, SECURELIST Lab Kaspersky attack” *13 hijacking DNS apossible of victims domains, RO other and “Google.ro details. more for post Blog SECURELIST Lab Kaspersky following the See *12 spread of a worm that propagates through Skype instant messages has also been reported* been also has messages instant Skype through propagates that aworm of spread incident in April* in incident similar a echoing Offi Cabinet the from distributed, were being ce as misrepresented emails which in occurred incident an October, In period. this during discussion of a topic become again once agencies government on attacks of A number I Government Agency Initiatives (Oct. 26, 2012)” (http://www.nisc.go.jp/conference/suishin/index.html#2012_5) (in Japanese). Japanese). (in (http://www.nisc.go.jp/conference/suishin/index.html#2012_5) 2012)” 26, (Oct. Japanese). (in Information Personal (http://www.jaea.go.jp/02/press2012/p13011801/index.html) Potential Infection” Virus “Concerning a Computer leaked. to due been have Leaks may addresses email that announced later was It Japanese). (in p12120501/index.html) press/2012/11/20121130_security_j.html) (in Japanese). txt/2012/10outline.html) (in Japanese). Japanese). (in article/20121105073724.html) Skype_vulnerability_allows_hijacking_of_your_account). (http://www.securelist.com/en/blog/208194028Google_ro_and_other_RO_domains_victims_of_a_possible_DNS_hijacking_attack). 18 . Additionally, it was announced that the computer of an employee at the Japan Aerospace Exploration Exploration Aerospace Japan the at employee an of computer the that announced was it . Additionally, 20 . 16 . 17 . 14 . An issue occurred with the the with occurred issue . An 21 . 13 . The . The 15 19 12 . . ,

7 Infrastructure Security 8 Infrastructure Security November Incidents *Dates areinJapanStandardTime [Legend] 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O O V V V V V V V S S S S S S S S (http://www.dekyo.or.jp/pmark/sinsei/data/tyuikanki.pdf) (inJapanese). “Important NoticeRegardingtheUseofProviderServicessuchasDataCenters[Alert]” Centers [Alert]”inresponsetodatalossissuesathostingserviceproviders. 20th: TheJapanDataCommunicationsAssociationpublishedan“ImportantNoticeRegardingtheUseofProviderServicessuchas system-time-rollback-to-the-year-2000.aspx). Rollback totheYear2000”(http://blogs.technet.com/b/askpfeplat/archive/2012/11/26/fixing-when-your-domain-traveled-back-in-time-the-great- See thefollowingMicrosoftblogpostformoreinformation.“FixingWhenYourDomainTraveledBackInTime,GreatSystemTime 20th: AfaultoccurredonNTPserversattheUnitedStatesNavalObservatory,causingsystemtroubleduetowrongtimesbeingreported. “Safely NavigatingSNS-SecurityandPrivacyIssuesCountermeasures”(http://www.jnsa.org/result/2012/SNS-WG_ver0.7.pdf)(inJapanese). 19th: JNSApublishedareportcalled“SafelyNavigatingSNS,”whichsummarizesproblemsrelatedtoSNSsecurityandprivacy. The FreeBSDProject.,“SecurityIncidentonInfrastructure”(http://www.freebsd.org/news/2012-compromise.html). leak ofadeveloper’sSSHkey. 18th: JVN, “JVN#74829345MultipleAndroiddevicesvulnerabletodenial-of-service(DoS)”(http://jvn.jp/en/jp/JVN74829345/). accessed iftheLinuxkernelsettingswereincorrectwasdiscoveredandfixed. 15th: AbuginanumberofAndroiddevicesthatcausedcrashesthroughaccessinganimpropermemoryregionwhenspecificsystemfilesare “Microsoft SecurityBulletinSummaryforNovember2012”(http://technet.microsoft.com/en-us/security/bulletin/ms12-nov). as oneimportantupdateandwarningupdate. 14th: MicrosoftpublishedtheirNovember2012securitybulletin,andreleasedfourcriticalupdatesincludingMS12-071MS12-075,aswell (http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/). Ruby Community,“Hash-floodingDoSvulnerabilityforruby1.9(CVE-2012-5371)” 10th: Avulnerability(CVE-2012-5371)inRuby1.9thatcouldcausecrashesthroughhashing-floodingattackswasdiscoveredandfixed Twitter, “Passwordresetemails”(http://status.twitter.com/post/35275426563/password-reset-emails). Twitter users,causedconfusionforthem. 9th: Emailsstatingthatuserpasswordshadbeenresetduetothepossibilityaccountshackedweresentbymistakemany (http://www.group-ib.com/index.php/7-novosti/672-group-ib-us-zero-day-vulnerability-found-in-adobe-x). not beenprovided,andtheycannotconfirmthevulnerability.“Group-IBUS:Zero-dayvulnerabilityfoundinAdobeX” The followingGroup-IBannouncementcontainsmoreinformation,butAdobestatesthatnofixcanbemadebecausedetailedinformationhas 8th: 7th: TheUnitedStatespresidentialelectionwasheld. “Security updatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb12-24.html). discovered andfixed. 7th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere Information ofInternetBankingUsers,etc.”(www.npa.go.jp/cyber/warning/h24/121106.pdf)(inJapanese) For example,theNationalPoliceAgencyissuedfollowingalert.“RegardingMeasuresforCasesofNewTechniquesTargetingthePersonal institution. Theseinvolvedisplayingafraudulentpop-upmessagethatpromptsuserstoenterdetailsaftertheyloginlegitimatesite. 6th: Financialinstitutionsandotherorganizationsissuedanalertafterthediscoveryofnewfraudtechniquesforposingasafinancial Internet Works”(http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about). More detailedinformationhasbeenreportedonthefollowingCloudFlareBlog.“WhyGoogleWentOfflineTodayandaBitaboutHow 6th: ABGProutinganomalyoccurredatanIndonesianISPduetoahardwarefault,affectingGoogle’sGoogleAppsamongothers. (in Japanese). “Publication of‘TipsforGeneralUserstoUseWirelessLANSafely’”(http://www.soumu.go.jp/menu_news/s-news/01ryutsu03_02000029.html) bare minimummeasuresthatusersshouldtaketousewirelessLANwithpeaceofmind. 2nd: TheMinistryofInternalAffairsandCommunicationspublished“TipsforGeneralUserstoUseWirelessLANSafely,”whichdescribesthe Ministry ofForeignAffairs,“ConventiononCybercrime”(http://www.mofa.go.jp/mofaj/gaiko/treaty/treaty159_4.html)(inJapanese). 1st: The“ConventiononCybercrime”ratifiedinJuly2011cameintoeffect. (in Japanese). “Regarding aComputerVirusInfectionat JAXAandPotentialInformationLeaks”(http://www.jaxa.jp/press/2012/11/20121130_security_j.html) as aresultrocket-relatedinformationmay haveleaked. 30th: TheJapanAerospaceExplorationAgency (JAXA)announcedthatanemployee’scomputerhadbeeninfectedwitha virus,and as GoogleandYahoo!werehijacked. 28th: TheregistryforRomania’s.rodomainswasaccessedwithoutauthorization,andmultiple domainsincludingwell-knownexamplessuch (http://www.kb.cert.org/vuls/id/281284). US-CERT, “VulnerabilityNoteVU#281284SamsungPrinterfirmwarecontainsahardcoded SNMPcommunitystring” administrative functionstobeenabledevenwhendisabledinsettings. 27th: AvulnerabilitywasdiscoveredinmultipleSamsungprinters,whichcontainedahardcoded SNMPcommunitystringthatcaused cash cardandusingittowithdrawmoney. 26th: Vulnerabilities A vulnerabilityinAdobeReaderX/XIwithnofixavailablethatcircumventsthesandboxprotectionfunctiontoexecutearbitrarycodewasdisclosed. It wasannouncedthatunauthorizedaccesshadtakenplaceatFreeBSD.orgsinceSeptember.Thisisthoughttohavebeencausedbythe An employeeofanoutsourcingcontractorworkingonthedevelopmentasystem forafinancialinstitutionwasarrestedforging S Security Incidents P Political andSocialSituation H History O Other commands written on another message board* message another on written commands using control remote via PC that from board a message to posted threats criminal and application, a freeware of guise the under party athird of PC the on installed is avirus which in virus, aself-authored via control remote was method Another organization. corresponding the to threats post unintentionally to link this clicked who users board message causing Japan, in board message a large to posted was body public alocal of website the on form aposting to threats criminal URL an posted that which in (CSRF), forgery request cross-site was One crimes. these for used were methods attack multiple Secondly, Tor. about information Tor” more for of “1.4.1 Overview See An user. the identify to harder it make to used was sent emails and postings board message as such routes communication anonymizing Tor for the tool that believed is it Firstly, characteristics. major two have incidents These person. this by made been have might postings and comments threatening the of anumber that possibility the raising culprit, true the be to claiming someone by stations radio as fi law such to sent were outlets news and rms responsibility emails claiming Furthermore, a virus. with infected were which PCs, suspects’ arrested the using party a third by committed been have may crimes these that light to came it October in However, scare. a fl of a bomb to due cancellation progress in the ight including events, of cancellation or security of tightening the as such responses to led this cases, of a number In individuals. as well as events, and companies multiple authorities, local and agencies government targeting warnings and threats involved incidents These boards. message and email via made were threats bomb and threats death of number a large 2012, June around From attention. attracted Virus” Control “Remote the to related incidents of aseries period, this During I The “Remote Control Virus” attacks and malware infections targeting control systems have also been identifi been also ed* have systems control targeting infections malware and attacks by caused issues of Anumber aproblem. become has systems control to related software and devices in vulnerabilities of discovery the progresses, technology telecommunications integrate that systems control of use the as Meanwhile, facilities. energy atomic and gas, and fi energy electricity the as such eld management, system supply water as such activities social and lives our in services key includes This management. of level ahigh requires that for equipment systems infrastructure as role increasing an play systems control factories, at equipment production in use to addition In Systems Control for Measures and I Threats security. information on collaborations enhancing further and contact, of points checking security, information to related data sharing for systems evaluating security, information of awareness raising as such initiatives promoted It October. in held was Japan in Meeting Policy Security Information Japan-ASEAN Fifth the and continue, collaboration international for Initiatives *24 Details of this series of incidents and appeals for information appeared on the Metropolitan Police Department website and Facebook page until the the until page Facebook and website Department Police Metropolitan the on appeared information (http://www.ipa.go.jp/security/fy24/reports/ics_ for systems” appeals and control for incidents of systems series this of management Details security building for *24 guide apractical of “Publication IPA, 2010. in discovered was which systems, ICS-CERT, “ICS-CERT Newsletterthe Monthly ‘ICS-CERT control Monitor,’*23 October-December 2012” industrial (http://www.us-cert.gov/control_systems/pdf/ICS-CERT_ targeted that malware Stuxnet the example, For *22 System), which specifi es requirements related to security management for control systems when constructing them”* constructing when systems control for management security to related specifi which requirements es System), Management Security Cyber (CSMS: IEC62443-2-1 to guide “A practical IPA published response, In increasing. is systems Japan in control of management security for need the circumstances, these Under rise. the on are systems control to threats that confi also systems rmed control in specializes that organization CSIRT ICS-CERT U.S. the by published regularly A newsletter suspect was arrested in February 2013. 2013. February in arrested was suspect (in Japanese). management/index.html) (http:// Overview” 2012) (October-December Monitor (in Japanese). Monthly www.ipa.go.jp/security/controlsystem/pdf/MonthlyReport_201210-12_r3.pdf) “ICS-CERT Japanese in asummary released IPA Monthly_Monitor_Oct-Dec2012.pdf). 24 . 22 . 23 .

9 Infrastructure Security 10 Infrastructure Security December Incidents *Dates areinJapanStandardTime [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 V O O O O V V V V V V V V S S S S S Telecommunication Regulations(ITR). proposals forrevisionbecameatopicofconversationthere,includingthetighteningInternetregulations,withrevisionstoInternational 3rd: TheITUWorldConferenceonInternationalTelecommunications(WCIT-12)washeldinDubai,UnitedArabEmirates.Anumberof Security UpdateforInternetExplorer(2799329)” (http://technet.microsoft.com/en-us/security/bulletin/ms13-008)inJanuary. (https://technet.microsoft.com/en-us/security/advisory/2794220). Thisissuewasfixedwith“MicrosoftSecurityBulletinMS13-00 8 -Critical: “Microsoft SecurityAdvisory(2794220)Vulnerability inInternetExplorerCouldAllowRemoteCodeExecution” 31st: AvulnerabilityinMicrosoft’sInternetExplorer thatcouldallowarbitrarycodeexecutionthroughviewingamaliciouswebsite was disclosed. (http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-001006.html) (inJapanese). JVN, “JVNDB-2013-001006AnSQLinjectionvulnerabilityintheAuthlogicgemfor RubyonRails” vulnerability wasinitiallyassignedtoCVE-2012-5664,butlatersplitintoCVE-2012-6496 andCVE-2012-6497. 22nd: Avulnerability(CVE-2012-6496)inRubyonRailsmethodsthatcouldallowremote SQLinjectionattackswasdiscoveredandfixed.This (2783534)” (http://technet.microsoft.com/en-us/security/bulletin/ms12-078). “Microsoft SecurityBulletinMS12-078-Critical:VulnerabilitiesinWindowsKernel-Mode DriversCouldAllowRemoteCodeExecution arbitrary codeexecutionthroughviewingamaliciouswebsitethatweredisclosed on the12th. 21st: Microsoftre-releasedaproblematicupdate(MS12-078)relatedtonumberofWindows vulnerabilities,includingthosethatcouldallow “Publication ofthe‘2011SurveyonDamagesRelatedtoInformationSecurityEvents’” (http://www.ipa.go.jp/about/press/20121220.html) (inJapanese). fact thatmeasuresforprotectingdataondevicessuchassmartphonesarecurrently insufficient. countermeasures forinformationsecuritydamages.Itpointsouttheimpactofdamages causedbythefraudulentactivityofinsiders,and 20th: IPApublishedtheir“2011SurveyonDamagesRelatedtoInformationSecurityEvents” report,whichsummarizestrendsand (http://www.xda-developers.com/android/dangerous-exynos-4-security-hole-demoed-and-plugged-by-chainfire/). XDA Developers,“DangerousExynos4SecurityHoleDemoedandPluggedbyChainfire” mobile phoneCPU. 17th: AvulnerabilitythatcouldallowrootprivilegestobeobtainedwasreportedindevicescontainingtheSouthKoreanSamsung’sExynos their passwordwasexploitedtoobtainpasswords. Access byobtainingfreeemailpasswordswithoutauthorizationandspyingonemail.Inthisincident,afeatureforuserswhohadforgotten 14th: AjuniorhighschoolstudentwasreferredtoprosecutorsonsuspicionofviolatingtheActProhibitionUnauthorizedComputer “APSB12-27: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb12-27.html). discovered andfixed. 12th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere “Microsoft SecurityBulletinSummaryforDecember2012”(http://technet.microsoft.com/en-us/security/bulletin/ms12-dec). MS12-079, aswelltwoimportantupdates. 12th: MicrosoftpublishedtheirSecurityBulletinSummaryforDecember2012,andreleasedfivecriticalupdatesincludingMS12-077and (https://kb.isc.org/article/AA-00828). Internet SystemsConsortium,“CVE-2012-5688:BIND9serversusingDNS64canbecrashedbyacraftedquery” 5th: on InternationalTelecommunications(WCIT-12)”(http://www.soumu.go.jp/menu_seisaku/ictseisaku/cyberspace_rule/wcit-12.html)(inJapanese). Communications reportformoreinformationondiscussionsattheconference.MinistryofInternalAffairsandCommunications,“ITUWorldConference An amendedversionoftheITRwasadoptedatconference,butJapandidnotsignit.SeefollowingMinistryInternalAffairsand (http://spider.io/blog/2012/12/internet-explorer-data-leakage/). See thefollowingblogpostfromUK-basedspider.iowhodiscoveredvulnerabilityformoreinformation.“InternetExplorerDataLeakage” using JavaScriptonanywebsitewasdisclosed. 12th: AvulnerabilityinMicrosoftInternetExplorerversions6to10thatallowedthepositionofmousecursoronscreenbedetected pieces ofstolenaccountinformation,etc.(#ProjectWhiteFox). 10th: TeamGhostShellaccessedanumberofaerospace-relatedcompaniesaroundtheworldwithoutauthorization,andreleased1.6million (http://www.rnids.rs/en/what-s-new/%D1%82he-official-statement-from-ninet-company-given-on-05-december/id/4035). See thefollowingRNIDSreportformoreinformation.“TheofficialstatementfromNiNetCompanygivenon05December” Google andYahoo!werehijacked. 5th: TheregistrarforSerbia’s.rsdomainswasaccessedwithoutauthorization,andmultipleincludingwell-knownexamplessuchas (http://www.antiphishing.jp/report/pdf/consumer_antiphishing_guideline.pdf) (inJapanese). Council ofAnti-PhishingJapan,“Consumer-OrientedGuidelinesforPreventingPhishingFraud” examples ofthedamagescausedbyphishingfraud,andindicateshowitcanbeprevented. 5th: TheCouncilofAnti-PhishingJapanpublishedtheir“Consumer-OrientedGuidelinesforPreventingPhishingFraud,”whichgives (http://www.nisc.go.jp/active/infra/pdf/ciirex2012_2_press.pdf) (inJapanese). NISC, “SummaryofInterdisciplinaryExerciseforCriticalInfrastructure[CIIREX2012]” 11th: TheNationalInformationSecurityCenterheldthe“CIIREX2012”interdisciplinaryexerciseforcriticalinfrastructure. (http://blog.fireeye.com/research/2012/12/to-russia-with-apt.html). Details canbefoundinthefollowingFireeyeblogpost.“ToRussiaWithTargetedAttack” 11th: ItwasreportedthattargetedattackshadbeenmadeonmultipleRussiancompaniesfromKorea. 16th: The46thLowerHousegeneralelectionwasheld. 12th: NorthKorealaunchedasatelliteastheyhadpreviouslyannounced. Vulnerabilities A vulnerability(CVE-2012-5688)inBIND9.xthatcouldallowexternalpartiestocauseacrashusingspeciallycrafteddatawasdiscoveredandfixed. S Security Incidents P Political andSocialSituation H History O Other information on ZeuS variants. more for ZeuS” of Variant Citadel The “1.4.2 See attacks. these in used were ZeuS and SpyEye of variants as such malware multiple Supposedly, confiof were number at a institutions. rmed techniques ancial n similar on fi based attacks after issued were Alerts banking. Internet using are they when tables number random and passwords as such information authentication secondary their steal and malware, with PC user’s the infect to attempts are These site. alegitimate to in logs user the after displayed is details enter to users prompts that message pop-up identififraudulent a been had which in ed technique a new fi to relating institutions, nancial incidents in Furthermore, occur. to continue also SNS and email utilizing incidents Phishing June, and some have suggested that this may have been government regulation of information* of regulation government been have may this that suggested have some and June, in blackouts Internet faced also Syria issue. the caused had facility transmission apower at afault that explained was it and re-established, were connections later days two but terrorists, by cables of severing the be to announced initially was cause In November, Syria made news when its Internet and mobile phone connections were almost completely shut down* shut completely almost were connections phone mobile and Internet its when news made Syria November, In I Other defi software nition date. to up anti-virus les and fi applications, OS, your keeping always is taken be must that measure basic Another links. accessing when caution using by and functions, useful have supposedly they when even precautions, fi using taking or without downloading not origin unknown of les by crime, of kind this to prey falling avoid to taken be must Care boards. message on mentioned application a freeware install to tried they when installed was avirus after theft identity to victim fell incidents these in accused those of Some In Germany, a power grid operator made news when it was the target of a DDoS attack* aDDoS of target the was it when news made operator grid apower Germany, In censorship. as well as content, Internet for regulations of atightening to lead could adopted resolutions and revisions draft the because signing, off put that countries 55 among were Nations Union European and States, United the Japan, but conference, the at amended was ITR The attention. attracted December in Dubai in (WCIT-12)held Telecommunications International on Conference World ITU the at years 24 in (ITR) Regulations Telecommunication International the fito the revisions rst regulations, Internet Regarding meters and smart grid* smart and meters smart with but itself, grid power the on attack an than rather email, and servers Web as such systems communication based control viruses include Back Orifi Back ce* include viruses control remote of Examples example. for site, a SNS on URL an clicked who users of entries diary the of posting unintentional the over 2005 in afuror was CSRF, there Regarding past. the in often used been have they as new, are methods these of Neither *31 FBI, “Florida Man Convicted in Wiretapping Scheme Targeting Celebrities Sentenced to 10 Years in Federal Prison for Stealing Personal Data” (http:// Data” Personal Stealing for Prison Federal in 10 Years to Sentenced Celebrities Targeting Scheme Wiretapping in Convicted Man “Florida FBI, well as *31 functions communication/control featuring meters power utilizing effi ciently transmission power adjust and blackouts prevent that grids Power *30 (http://www.us-nesco.org/tac-diary/news- 50Hertz” on attack of reports “News (NESCO), Organization Cybersecurity Sector Electric National The *29 Renesys Blog, “Syrian Internet Shutdown” (http://www.renesys.com/blog/2011/06/syrian-internet-shutdown.shtml). *28 CloudFlare Blog, “How Syria Turned the Off Internet” (http://blog.cloudflare.com/how-syria-turned-off-the-internet). *27 for more information. See McAfee’s “Revealed: Operation Shady RAT” (http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf) *26 that functions and running, is it that fact the conceal to itself hides it which in mode a has it because but software, control remote Orificalled Back is ce *25 was sentenced to 10 years in prison* in 10 to years sentenced was celebrities, and actresses Hollywood of accounts email the as such information private of leaking and theft the to 2011, relating October in access unauthorized including crimes felonious nine of suspicion on arrested aperpetrator States, United the In future. the in increase may grids as Shady RAT that attracted interest last year, which has a remote control function* control aremote has year, which last interest attracted RAT that Shady as prison-for-stealing-personal-data). www.fbi.gov/losangeles/press-releases/2012/fl orida-man-convicted-in-wiretapping-scheme-targeting-celebrities-sentenced-to-10-years-in-federal- meters. smart as reports-of-attack-on-50hertz/). vendors. software anti-virus by malware classifias is ed it noticing, users without installed be to it allow 30 technology becoming more prevalent, it has been said that attacks on network-connected power power network-connected on attacks that said been has it prevalent, more becoming technology 25 31 , which attracted interest as far back as 1998, and attacks made by the malware known known malware the by made attacks and 1998, as back far as interest attracted , which . 26 . 29 . This was an attack on Internet- on attack an was . This 28 . 27 . The . The

11 Infrastructure Security 12 Infrastructure Security accounted for by the use of IP spoofi IP of use the by for ng* accounted is this We believe foreign. or domestic whether addresses, IP of number large extremely an observed we cases, most In 10 minutes). and hours (28 10 minutes and hours, day, four one for lasted that attack aserver was attack sustained longest The hours. 24 over lasted 1.0% and hours, 24 and minutes 30 between lasted 14.5% commencement, of minutes 30 within ended 84.5% attacks, all Of packets. 38,000pps to up using bandwidth of in 212Mbps resulted and attack, classifi was compound as a ed study under period the during observed attack largest The 20.0%. remaining the for accounted attacks compound and 79.7%, for accounted attacks server 0.3% for incidents, all of accounted attacks capacity Bandwidth report. prior our to compared attacks of number daily average the in increase an day, indicating per attacks 9.79 to averages This attacks. DDoS 901 with dealt IIJ study, under months three the During time). same the at conducted target asingle on attacks of types (several attacks *35 A “bot” is a type of malware that institutes an attack after receiving a command from an external C&C server. A network constructed of a large number number alarge of constructed Anetwork server. C&C external an from acommand receiving after attack an institutes that malware of atype is A“bot” the of *35 address IP actual the than other address an given been has that packet attack an sends and Creates address. IP asender’s of Misrepresentation *34 TCP of start the signal that packets SYN of volumes mass send fl SYN TCP attacks flood GET fl attacks. HTTP ood fl and SYN ood, TCP connection TCP The ood, fragments. and packets IP *33 larger-than-necessary of volumes massive sending by a target of capacity bandwidth network the overwhelms that Attack *32 capacity* bandwidth on attacks types: three into attacks DDoS 2categorizes impact. of Figure degree the determine largely will performance) server and (bandwidth attacked environment the of capacity the and attack, aDDoS out carry to used be can that methods many are There situation. each of facts the ascertaining fi the from excluded diffi are the to due accurately gure incidents in these culty but attacks, DDoS other to responds also IIJ standards. Service Defense DDoS IIJ on based attacks be to traffi shows judged anomalies c December information 31, 1and 2012. This October between Service Defense DDoS IIJ the by handled attacks DDoS of circumstances the 2shows Figure I Direct Observations services. hindering of purpose the for processes server or bandwidth network traffioverwhelm to c unnecessary of large volumes cause rather but vulnerabilities, of that as such knowledge advanced utilize that type the not are attacks these of most However, widely. vary involved methods the and occurrence, adaily almost are servers corporate on attacks Today, DDoS 1.3.1 1.3 Figure 2: Trends in DDoS Attacks DDoS in Trends 2: Figure 2012.10.1 (No. ofAttacks) 10 15 20 25 30 0 5 of bots acting in concert is called abotnet. called is concert in acting bots of individuals. of number alarge from or location, adifferent from coming is attack the if as appear it make to attacker memory. and capacity processing mass wasting send then and commands, server, aWeb on protocol GET HTTP of connections TCP volumes establish fl GET attacks connection HTTP ood TCP memory. and connections. TCP capacity actual of volumes processing of mass wastage the establish fl causing attacks ood connections, incoming major for prepare to target the forcing connections, fl ICMP an called ood. is packets ICMP of fl use aUDP the while called is ood, packets UDP of use Incident Survey Incident DDoS Attacks DDoS 34 2012.11.1 and botnet* and 35 usage as the method for conducting DDoS attacks. DDoS conducting for method the as usage 2012.12.1 32 , attacks on servers* on , attacks Server Attacks Capacity AttacksBandwidth Compound Attacks 33 , and compound compound , and (Date) observation project operated by IIJ* by operated project observation *37 The mechanism and limitations of this observation method as well as some of the results of IIJ’s observations are presented in Vol.8 of this report under under report this of Vol.8 in presented are observations IIJ’s of results the of some as well as method observation Activities.” this of Malware “1.3.2 limitations also and See IIJ. by mechanism The operated project observation *37 activity amalware MITF, the by established Honeypots *36 Port) by Trends Packets, (Observed Attacks DDoS by Caused Backscatter of Observations 4: Figure According Targets Attack DDoS of 3: Figure Distribution honeypots* the using backscatter attack DDoS of observations our present we Next I Backscatter Observations On this day, attacks on the Web servers for a number of hosting providers in the United States and Russia were also observed. also were Russia and States United the in providers hosting of anumber for servers Web the on day, attacks this On observed. was organization religious States United a and fi aLebanese institution from nancial 21, backscatter December On Turkey. in site adult an and States, United the in provider aserver States, United the in provider agame-related for those and Netherlands, the in servers Web on attacks indicating servers, Web multiple from observed was 19, backscatter November On 24. November and 23 November between States United the in provider service for a search-related and registrar (80/TCP) a domain servers Web the on attacks were there observed, packets backscatter of numbers large particularly Regarding order. in following countries other with respectively, 19.5%, and 37.3% at proportions large for accounted Singapore and States United 3, the Figure in country by attacks DDoS by targeted addresses IP indicate to thought backscatter of origin the at observed. also Looking were SSH for used 22/TCP and etc., chat, video for used 5100/TCP HTTPS, for used on 443/TCP as such Attacks ports period. target the during total the of 44.8% for accounting services, Web for used port 80/TCP the was observed attacks DDoS the by targeted commonly most port The port. by numbers packet in trends 4shows Figure and country, by classified addresses IP sender’s the 3shows 31, 2012, Figure December 1and October between observed backscatter the For interposition. any without party athird as networks external on KR 1.2% CN 8.9% TR 4.9% DE 4.2% FR 2.8% NL 2.7% RU 1.9% TW 1.5% Other 15.1% (No. ofPackets) 10,000 15,000 20,000 25,000 30,000 5,000 2012.10.1 ”1.4.2 Observations on Backscatter Caused by DDoS Attacks” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf). Attacks” DDoS by Caused Backscatter on Observations ”1.4.2 0 Period under Study) under Period Entire Country, (by Observations Backscatter to 37 . By monitoring backscatter it is possible to detect some of the DDoS attacks occurring occurring attacks DDoS the of some detect to possible is it backscatter monitoring . By (57,968 2012.11.1 (66,110 ) ) (49,693 (42,711 SG 19.5% US 37.3% ) ) applications, so the purpose of the attacks is not known. known. not is attacks the of purpose the so applications, standard by used normally not are ports These China. in servers on observed also were attacks 5114/TCP of number 19, alarge December On China. in servers on observed were attacks 5100/TCP 10,000 over of 15, a total November 12 and November Between sizable. quite was attack the that thought is it and servers, some from times 10,000 over observed was backscatter attacks these In Singapore. in provider ahosting for servers Web of anumber on attacks to linked were These 8. November and 30 October between observed were (443/TCP) servers Web on attacks Many 2012.21.1 36 set up by the MITF, a malware activity activity MITF, amalware the by up set (Date) 80/TCP 443/TCP 5100/TCP 22/TCP 6005/TCP 53/TCP 5114/TCP 3389/TCP 3724/TCP 25565/TCP Other

13 Infrastructure Security 14 Infrastructure Security MITF uses honeypots* uses MITF Figure 6: Communications Arriving at Honeypots (by Date, by Target Port, per Honeypot) per Port, Target by Date, (by Honeypots at Arriving Communications 6: Figure Period Entire Country, (by 5: Figure Distribution Sender MITF* the of observations the of results the discuss will we Here, 1.3.2 behavior. radical exhibits that group areligious on attacks behind been have to believed is Anonymous December, In Hacker. Kosovo the of work the be to considered Interpol on attacks and AnonymousZeiko, by out carried be to thought sites torrent of anumber on attacks were there November, In Police. Federal and Finance of Ministry Brazil’s on detected were Brazil Boat Wiki The of work the be to thought attacks October, in Also Anonymous. by made been have to thought October in agencies government Swedish multiple on included attacks backscatter of observations IIJ’s via detected were that period survey current the during attacks DDoS Notable *39 A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware. of activities the and attackers, of behavior the recording vulnerabilities, emulating by attacks from damages simulate to designed Asystem *39 malware observing 2007, May in activities began (MITF) Force Task Investigation Malware The Force. Task Investigation Malware of abbreviation An *38 as attacks on MSRPC. on attacks as aspecifi to such port, c connections multiple involved attack the when attack asingle as connections TCP multiple count to data corrected we observations these in Additionally, study. to subject period entire the over ten) (top types packet incoming for trends the showing honeypot, per average the taken We have observation. of purpose the for honeypots numerous up set has MITF The packets). (incoming volumes total the in trends 6shows 31, 2012. Figure December 1and October between honeypots the into coming communications for country by addresses IP sender’s of distribution the 5shows Figure of RandomI Status Communications attack. for atarget locate to attempting scans or random, at atarget selecting malware by communications be to appear Most Internet. the over arriving 1,000 1,200 1,400 (No. ofPackets) 200 400 600 800 2012.10.1 CN US 7.9% TW HK RU KR BR 2.1% DE TH IN Other 26.1% Outside Japan 83.3% 0 network activity through the use of honeypots in an attempt to understand the state of malware activities, to gather technical information for for information technical countermeasures. fi gather to actual to these link to ndings and activities, malware of countermeasures, state the understand to attempt an in honeypots of use the through activity network Malware Activities 26.2% 5.9% 3.8% 3.3% 2.5% 1.9% 1.8% 1.8% under Study) 39 connected to the Internet in a manner similar to general users in order to observe communications communications observe to order in users general to similar amanner in Internet the to connected 2012.11.1 Within Japan 16.7% Other 3.5% 0.4% ISP I 0.5% ISP H 0.6% ISP G 0.6% ISP F 0.6% ISP E 0.6% ISP D 0.9% ISP C 1.5% ISP B 3.0% ISP A IIJ 4.5% 38 common applications, such as 38327/UDP. by used not ports on observed were purpose unknown an of communications Additionally, requests. echo ICMP and telnet, for used 23/TCP SSH, for used 22/TCP Windows, for function login remote RDP the by used 3389/TCP Server, SQL Microsoft’s by used 1433/TCP targeting behavior scanning observed We also systems. operating Microsoft by utilized ports TCP targeting behavior scanning demonstrated honeypots the at arriving communications the of Much , a malware activity observation project operated by IIJ. The The IIJ. by operated project observation activity , amalware 2012.12.1 (Date) 445/TCP 22/TCP 1433/TCP ICMP Echorequest 135/TCP 139/TCP 3389/TCP 38327/UDP 3306/TCP 23/TCP Other shows trends in the total number of malware specimens acquired. Figure 9 shows trends in the number of unique specimens. specimens. unique of number the in trends 9shows Figure acquired. specimens malware of number total the in trends shows 8 Figure while study, under period the during malware for source acquisition specimen the of distribution the 7shows Figure Activity Network I Malware done. was harm actual no because taken not was action but honeypot, aspecifi to addresses IP two from c communications involved mainly This 8. December after intermittently increased also requests echo ICMP 2. December on Singapore 16, and 11, November on China November Turkey on and Thailand 1, November on China 29, October on Germany in addresses IP individual from coming observed were communications concentrated example, For period. current the during occurred also attacks dictionary SSH be to thought Communications *41 This fi gure is derived by utilizing a one-way function (hash function) that outputs a fi xed-length value for various input. The hash function is designed to designed is function hash The input. various for value a outputs xed-length that fi function) (hash function one-way a utilizing by fi This derived is gure *41 honeypots. by acquired malware the indicates This *40 Conficker) (Excluding Specimens Unique of Number the in Trends 9: Figure Conficker) (Excluding Acquired Specimens Malware of Number Total the in Trends 8: Figure Malware of Number the 7: of Figure Distribution (Total No.ofSpecimens Acquired) (No. ofUniqueSpecimens) 200 300 250 100 150 2012.10.1 2012.10.1 50 20 25 30 35 40 45 15 TH US 12.9% BR ID TW BG IN RU UA RO Other 28.5% Outside Japan 91.2% 10 0 5 0 fact into consideration when using this methodology as a measurement index. this take to ameasurement as efforts methodology best this its using when expended has MITF the consideration values, into hash fact different having that given malware same value, the of hash by specimens in specimens of result may uniqueness padding the and guarantee cannot obfuscation we While inputs. different for possible as outputs different many as produce 13.4% 6.2% 6.0% 5.6% 4.9% 4.9% 3.9% 2.5% 2.4% Specimens Acquired Specimens 2012.11.1 2012.11.1 Within Japan 8.8% Other 0.5% ISP H ISP G ISP F ISP E ISP D IIJ 1.7% ISP C 1.7% ISP B 3.4% ISP A 0.1% 0.1% 0.1% 0.3% 0.3% 0.6% a hash function* of digest their to according categorized variants specimen of number the is specimens unique of number the while show the total number of specimens acquired per day* per acquired specimens of number total the show specimens acquired of number the 9, Figure 8and Figure In 2012.12.1 2012.12.1 41 . (Date) (Date) NotDetected Trojan.Dropper-18535 Empty file Trojan.Mybot-5073 Trojan.Spy-78857 Trojan.Agent-173287 Trojan.Dropper-20397 Worm.Agent-194 Trojan.Agent-71068 Exploit.Shellcode Other NotDetected Trojan.Dropper-18535 Trojan.Spy-78857 Trojan.Mybot-5073 Trojan.SdBot-9861 Trojan.Agent-71049 Worm.Allaple-2 Worm.Agent-194 Trojan.Dropper-20397 Trojan.Agent-71068 Other 40 ,

15 Infrastructure Security 16 Infrastructure Security it demonstrates that infections are still widespread. still are infections that demonstrates it 2011, but November in observed PCs million 3.2 the to compared 47% approximately of adrop is This infected. are addresses According to the observations of the Confi the of Group* Working cker observations the to According 6%. about by down also were specimens Unique period. survey previous the for than lower 10% about was acquired specimens of number fitotal The from it report. omitted have this in we far, so by gures malware prevalent Confi that most the remains cker demonstrates This specimens. unique of 97.3% and acquired, specimens of number total Confi the fi of 99.7% While periods, for malware. short accounts over fall cker and rise different gures 899 representing report, this by covered period the during day per acquired Confiwere Including specimens of 41,898 average cker,an I Conficker Activity servers* C&C botnet of 15 confi MITF the presence the rmed addition, In downloaders. were 2.9% and bots, were 25.4% worms, were acquired specimens 71.7% malware of observation under period current the during analysis, independent MITF’s the Under past. the in as just active, been had servers IRC by bots* controlled of types two that learned we closely, more specimens undetected these investigating After period. survey current the during appeared also Indonesia and Thailand from specimens Undetected halved. acquired specimens of number the period, current the during active remained it while and period, survey previous the during active comparatively was family Trojan-Dropper the because be may This report. previous the to compared halved has acquired specimens of number The malware. different 24 representing study, under period the during day per acquired were 131 specimens average, On data. totaling when Confi any results removed and cker packages, software anti-virus Confi multiple using detected cker have 9we Figure 8 and Figure for report, previous our with As name. malware by coded color displayed is variants top 10 the of breakdown a and software, identifi also anti-virus are using ed Specimens *44 An abbreviation of Command & Control Server. A server that provides commands to a botnet consisting of a large number of bots. of number alarge of consisting Confi abotnet ckerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking). to (http://www.confi ckerObservations Group Working commands provides *45 that Aserver Server. &Control Command of abbreviation An *44 (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fHamweq). Win32/Hamweq *43 Trojan:Win32/Ircbrute (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3AWin32%2FIrcbrute). *42 44 and 7 malware distribution sites. distribution 7malware and 45 , as of December 31, 2012, a total of 1,787,998 unique IP IP unique 1,787,998 of 31, 2012, atotal December of , as 42 * 43 43 As previously shown, attacks of various types were properly detected and dealt with in the course of service. However, attack ongoing attention. requiring continue, attack attempts However, service. of course the in with dealt and detected properly were types various of attacks shown, previously As server. fi to ona Web attempts vulnerabilities nd been have to thought all are attacks specifiThese at directed targets. c China in specifisources from attack c attacks were there 17, December On 26. October on scale larger on a made also were attacks Similar 10. October on place took specifi targets c at directed Netherlands the and Germany, States, United the in specifi from sources attacks attack c period, this During days. certain on occurred that specifi at targets c directed attacks to due place, 3rd to rose Germany from those and place, second to rose States United the from Attacks report. previous the to compared servers Web against made were attacks injection SQL Fewer order. in following countries other with respectively, 14.2%, and 24.6% for accounted Germany and States United the while observed, attacks of 33.6% for source the was Japan Managed IPS Service. IIJ the on signatures by detected attacks of asummary are These attacks. of numbers the in trends 1131, shows 2012. Figure December 1and October between detected servers Web against attacks injection SQL of distribution the 10 shows Figure content. Web rewrite to attempt that those and servers, database to overload attempt that those data, steal to attempt that those patterns: attack three of one in occur to known are injections SQL security. Internet the in topics major the of one remaining past, the in times fl have numerous attacks frequency in up ared Of the types of different Web server attacks, IIJ conducts ongoing surveys related to SQL injection attacks* injection SQL to related surveys ongoing conducts IIJ attacks, server Web different of types the Of 1.3.3 *46 Attacks accessing a Web server to send SQL commands, thereby manipulating an underlying database. Attackers access or alter the database content content database the alter or access Attackers database. underlying an manipulating thereby commands, SQL send to server a Web accessing Attacks *46 Type) Day, Attack by (by Attacks Injection SQL in 11: Trends Figure Source by Attacks Injection SQL of Distribution 10: Figure DE 14.2% CN 8.7% NL 5.6% TW 1.0% UA 1.0% SE 0.8% AU 0.5% UK 0.3% Other 9.7% (No. Detected) 1000 1500 2000 500 2012.10.1 0 without proper authorization, and steal sensitive information or rewrite Web content. Web rewrite or information sensitive steal and authorization, proper without SQL Injection Attacks Injection SQL (7,025) (6,954) 2012.11.1 US 24.6% JP 33.6% 2012.12.1 (Date) SQL_Injection HTTP_GET_SQL_UnionSelect MySQL_Check_Scramble_Auth_Bypass URL_Data_SQL_1equal1 HTTP_POST_SQL_UnionSelect HTTP_GET_SQL_UnionAllSelect URL_Data_SQL_char_CI URL_Data_SQL_char HTTP_Oracle_WebCache_Overflow HTTP_PHPNuke_Admin_Overwrite Other 46 . SQL injection injection . SQL

17 Infrastructure Security 18 Infrastructure Security continued following this, and the third generation* third the and this, following continued Research necessary. information of amount minimum the read only can through routed are they node relay each that so onion, an of layers the like encryption of layers multiple in wrapped are packets the that fact the for named routing, onion called was method This these. traffiof number routing a and through c anetwork, on nodes relay installing by asource of anonymity the securing for amethod with up came They connections. anonymous achieving for methods into looked facility research Navy States United a and communications, analyzing by who with confi to possible communicating was who rm Arab Spring became more heated* more became Spring Arab the as known protests 2011, the around when from dramatically Tor of increased users of number the example, For there. living people the for important extremely is these like places in connections anonymous use to able being and monitored, apparently are communications all which in countries some actually are There government. their of critical statements making by danger in lives their put even may individuals speech, of freedom without countries In communications. conducting and intelligence gathering for them use also agencies enforcement law and Navy States United The overseas. working while detected being without websites own their to connect to staff NGO by and dissidents, and informants with communication safe for journalists by used are they Tor The Project, to According people. of variety awide by used be to appear connections Tor anonymous individuals. and groups other of assortment an and NGOs, organizations, government from sponsorship with continues Tor The Project of development Currently, organizations. of a variety from funding with continued development and license, MIT the under published was this for code Tor. source the name the Later, to prevent abusive behavior, as well as excessive load on the network due to fi le sharing. It is also possible to completely completely to fi to due possible also is It network the on load sharing. le excessive as well as behavior, abusive prevent to measures fi the but apparently are policies, lters own their under communications these allow course of can operators Node Tor is an overlay network* Tor overlay an is 1.4.1 they should be handled. how consider and technology, cryptographic on based implementations and protocols plaguing been have that issues the on reflwe Finally, fiJapan. in of users ect from institutions nancial authentication for tables number random steal to used was which malware, ZeuS the of variant Citadel the discuss we Next, communications. anonymizing for Tor the of tool overview an give we First, themes. three covering period this during undertaken have we survey the from information present we Here, incidents. prevalent of analyses and surveys independent perform to continuing by countermeasures implementing toward works IIJ Accordingly, next. the to minute one from scope and type in change Internet the over occurring Incidents 1.4 *49 For example, looking at the graph for Egypt, we can see that users increased from 2010. The graph also shows that users declined to almost zero on on zero almost to declined users that shows also graph The 2010. from increased users that see can we implementation. fi Egypt, the routing for onion graph include rst the you at if looking generation example, third For the to equivalent is it but *49 generation, second called was project the time the At *48 network. another of top on built network Alogical *47 standard settings as shown below. shown as settings standard the under restricted are ports of anumber node, exit an as communications allows operator anode when Even permit. will they communications of kind the sets operator node each as unique, slightly is node exit The Internet. the to back node exit an and node, amiddle Tor the to Network, node entry an of consist These nodes. relay these of three selects then client The nodes. relay of list the updates and it, within contained services directory of list on a based server directory fi a accesses Torrst The client parties. other and volunteers by world the around operated are nodes relay 3,000 approximately Currently, users. to available are connections anonymous which in fito environment an maintaining lter, harder it make to implementation its updated has The Project Tor case, each In use. its prevent to fi of technology variety ltering TCP/6881-6999 (BitTorrent) TCP/4661-4666 (eDonkey),TCP/6346-6429(Gnutella),TCP/6699(Napster,WinMX), TCP/445 (Microsoft-DS),TCP/563(NNTPS),TCP/1214(Kazaa), TCP/25 (SMTP),TCP/119(NNTP),TCP/135-139(RPC/NetBIOS), January 28, 2011 because Internet communications were shut down, but later recovered. The Tor Project, Inc., “Directly connecting Tor users” (https:// Tor users” connecting “Directly Inc., Tor Project, The metrics.torproject.org/users.html?graph=directusers&start=2010-04-01&end=2013-01-31&country=eg&events=off#direct-users). recovered. later but down, shut were communications Internet 2011 because 28, January Focused Research Focused An Overview of Tor of Overview An 47 built to anonymize communication routes. In around 1995, there were concerns that it was was it that concerns were there 1995, around In routes. communication anonymize to built 49 . These governments also know of the existence of Tor, and have attempted to implement a a implement to Tor, of attempted have and existence the of know also governments . These 48 implementation of onion routing developed in about 2002 was given given was 2002 about in developed routing onion of implementation Figure 13: An Overview of Tor of Overview An 13: Figure ofFigure Tor 12: Encryption Communications 13). (Figure servers directory and nodes entry to relays as nodes bridge these Tor using by through connections anonymous utilize and blocks circumvent can Users referenced. being from list entire the prevents that asystem under managed are nodes bridge but provided, been have nodes bridge of number asmall identify to methods Some blocking. avoid to lists public off left are they is, difference The nodes. entry as function same the have and advertised, not are that nodes relay are These nodes. bridge called system a Tor implemented response, In networks. some for implemented been actually have Blocks them. to access blocking and nodes, entry and servers directory of addresses IP the up looking as such methods Tor of include use the inhibit to Attempts amessage. of anonymity the guarantee to want they when SSL as such protocol encryption end-to-end aseparate utilize must user the so text, plain via server the with communicates node exit The communications. anonymous achieves routing onion how is This 12). (Figure node exit the from come has request acommunication that see only can server target The source. the about more anything know not does it but node, middle the via come has server target the with communicate to a request that knows node exit The node. exit and node entry the between place taking are communications that knows only node middle The communications. fi the of know doesn’t destination it so nal node, middle the to this relays merely it but from, originating are communications client which knows node entry the process this fiDuring the to server. connect to target nal node exit the notifying by server the with communicate to able is client the node, exit the to node entry the from line virtual this up setting After node. exit the to node middle the from and node, middle the to node entry the from communications encrypted establishes Next, it selected. nodes three the among from node entry initial the with communications encrypted establishes client The node. exit the as selected is out carry to want you communications the permits that anode so node, each by allowed are communications node exit of kind what determine can client The node. exit an on communications external disallow is blockedbyathirdparty When accesstopublicnodes Regulated User other thanTor,suchasemailortheWeb Bridge nodeinformationisobtainedusing methods Access viaunlistedbridgenodes User Normal User Access viaapublicnode (othernodescannotdothis). 3. Onlytheexitnodethatcommunicateswithservercanconfirmcontentofcommunications 2. Eachnodedecryptsthedatareceivedusingitsprivatekey,thensendsittonextnode. 1. Theuserencryptsdatausingthepublickeyforeachnode,thensendsit. Entry Node F irewall During thisprocess,nodesunsuitableas exit nodes(BadExit)areexcludedfromnodeselection. The userdeterminestheroleofeachnode (entry/middle/exit)basedontheinformationobtained. obtained fromtheauthority. For thefirsttimeonly,informationoneach node(IPaddress/publickeyBadExitflags,etc.)is flags afteridentifyingthestatusofeachnode Some nodeshaveanauthorityflag,andattach Middle Node Tor Network Tor Network are onlyusedasrelays Nodes thataltercontent,etc., Exit Node Public Node(Authority) Public Node(BadExit) Bridge Node Public Node Target Server Server

19 Infrastructure Security 20 Infrastructure Security of variants that exist* that range variants of wide the is characteristics its of Another communications. POP3 or FTP from information authentication and clients, banking Trojan. Like SpyEye* Like Trojan. banking *54 For example, a ZeuS variant operating in tandem with smartphone-based malware was used to break the two-factor authentication called mTAN (mobile mTAN (mobile called authentication two-factor the break to used was malware smartphone-based with tandem in operating variant aZeuS example, For *54 a user prompts that HTML inserting by stolen is information example, For content. Web HTTPS or HTTP altering by information stealing for A system *53 Sights its Setting Now “Zeus discovered. been SpyEye. had on Japan in information fi more for institutions targeting nancial variants ZeuS that reported ZeuS. blog on Symantec the information more for example, For *52 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol13_EN.pdf) report Vol.13 in this of SpyEye” “1.4.2 See *51 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol16_EN.pdf) report Vol.16 this in of Variants” its and ZeuS “1.4.3 See *50 ZeuS* well-known the on based is 2012. It 2011 early and late between appeared that malware new arelatively is Citadel 1.4.2 society. Internet a better achieve to strive fi research and and elds, implementations these in trends investigate to continue will IIJ world. the around people many for now tool essential an also is It rights. human and privacy, expression, of freedom protect to Tor developed of was feature fl connection fl connection in anonymous GET or The used oods being it of remains. oods chance the although Tor Network, the through fl SYN as fl executed UDP such be and oods cannot methods oods attack typical connections, TCP legitimate relay only nodes relay because DDoS, as such attacks for stone astepping as it using for potential the Regarding etc. spam, for it diffiit makes use to cult structure for its Tor, and fi of implemented anumber been also have previously lters mentioned As things.” bad their doing from them stop will world the Tor from away taking that unlikely seems it and options, better have already use they Tor,but theory in could fi to criminals need we yes, and now, ...So right that. x privacy have criminals Only law. the follow to want who people ordinary for protection provide to “Tor aims states, Tor The Project this, to response In diffi it criminals. makes trace to Tor,cult system this and require who users general as way same the in anonymity have they case, this In criminals. by used be Tor also may course, Of users. to connections anonymous Tor how is provides This content. the identify to possible even not is it communications, encrypted utilized user the If from. communicating is user the where identify cannot they communications, of content and target the see can nodes exit although and information, meaningful any to access have not do nodes Middle communications. of target the learn to possible not is it identifinode, be can entry the via ed address IP source user’s the although chance, by user the by node relay as a selected if Even specificommunications. intercept c to impossible it makes system this so used, are nodes which determines client The communications. intercept to operated are nodes relay if even users identify to hard is It related. is each diffihow is it trace to cult monitored, are communications all if even Torof users, number the and nodes, relay of fldistribution the traffi network Internet, the on current little the ow,very given volumes c is there Unless server. the and node exit the and node, exit the and node middle the node, middle the and node entry the node, entry the and client the between place taking be to appear Tor communications standpoint, operator’s anetwork From of an infected computer* infected an of browser the on content Web of alteration the are functions make main Its gain. ultimately and nancial fifi institutions, for nancial information authentication steal to designed is that SpyEye like kit acrimeware is on, based is Citadel which ZeuS, Citadel of Overview I An incidents. Citadel-related investigating also while changed, been has it how see institutions in Japan that occurred in 2012* in occurred that Japan in institutions vs Zitmo: Banking Trojans Target Android” (http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android). There are a wide awide are There abot. as attacks DoS conducting for functions with those as such variants, other of variety “Spitmo details. more for post blog (http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android). McAfee Android” Target Trojans following the See Banking Europe. in Zitmo: vs banking Internet for used often is which number), authentication transaction decrypted. is it after the stealing directly or data altering by incoming made the or are attacks encrypted, is it HTTPS, before using data outgoing encrypted are etc. communications banking, When money. Internet steal to for page information this use authentication later the on can Attackers authentication two-factor as provided table number random the on listed numbers the all enter to on Japanese Online Banking Customers” (http://www.symantec.com/connect/blogs/zeus-now-setting-its-sights-japanese-online-banking-customers). The Citadel Variant of ZeuS of Variant Citadel The 54 . 53 , as well as the theft of authentication information saved to or entered into browsers or FTP FTP or browsers into entered or to saved information authentication of theft the as well , as 51 , it is said that Citadel may have been used in incidents of money-related theft from fi from theft nancial money-related of incidents in used been have may Citadel that said is , it 52 . IIJ obtained Citadel specimens itself, and compared it with the original ZeuS to to ZeuS original the with it compared and itself, specimens Citadel obtained . IIJ 50

information, without making major changes to the basic functions of ZeuS. of functions basic the to changes major making without information, authentication stealing for functions enhancing and functions expansion incorporating on focused Citadel of author the that demonstrates This functions. basic the for reused mostly was code ZeuS the that clear was it algorithms, encryption in differences minor were there although and Citadel, of characteristics mentioned previously the matched also parts newly the added analysis, code implementing After matches. perfect almost were functions the of 60% approximately ourselves, obtained we that Citadel of 1.3.5.1 version and ZeuS original the of 2.0.8.9 version for code the comparing when that found IIJ content in a browser). of Web confi the (alteration updating WebInject for g immediately for “webinjects_update” and responses, DNS altering “dns_fi modules, for lter_*” expansion reading for “module_*” mentioned previously the include These borders. red have 2.0.8.9 ZeuS since added functions The command. bot corresponding the with executed function each of alist 14 shows later supports a number of new bot commands, and a variety of other functions have been added or enhanced* or added been have functions other of avariety and commands, bot new of anumber supports later months four confiabout was rmed that 1.3.5.1 2012, version of June in released was that 1.3.4.5 Citadel to compared example, For development. active under is it and discovered, was Citadel since ayear about is it writing of time the At settings). (keyboard environments language Ukrainian or Russian in operate not to designed is it that is function interesting Another environments. sandbox or virtual in detection via analysis confipreventing for WebInject the function updating a and g, immediately for afunction has also It Chrome. Google as such environments new relatively from information stealing for a function and responses, DNS altering for a function commands, bot new of a number modules, expansion reading for afunction implements it ZeuS, original the to Compared functions. basic same the all has it ZeuS, on based is Citadel Because *58 The airport VPN hacking incident was reported in the following Trusteer Blog. “Citadel Trojan Targets Airport Employees with VPN Attack” (http://www. Attack” VPN with Employees Airport Targets Trojan “Citadel Blog. Trusteer following the in reported was incident hacking VPN airport The *58 Reveton Deliver to Continues Malware “Citadel 2012. August in installs also it that ransomware the and Citadel regarding awarning issued FBI The *57 unless data important accessing from user the preventing and hostage them taking fi all drives, or disk some or les encrypts that malware is Ransomware *56 Control -Botnet &Builder C&C 1.3.4.5 Citadel “Inside posts. blog following the in detail in explained are 1.3.5.1 and 1.3.4.5 Citadel of functions main The *55 Figure 14: Function Table Corresponding to Citadel Bot Bot Citadel to 14: Corresponding Table Figure Function trusteer.com/blog/citadel-trojan-targets-airport-employees-with-vpn-attack). trusteer.com/blog/citadel-trojan-targets-airport-employees-with-vpn-attack). ransomware-in-attempts-to-extort-money). Money”Ransomware (http://www.fbi.gov/sandiego/press-releases/2012/citadel-malware-continues-to-deliver-reveton- into Extort Attempts possible. not is decryption though even money demanding encrypted, analyzing just simply are by they that fi decrypted stating be while destroy cannot les that they so those as well methods as malware, the encryption key public use that those include varieties Malicious met. are payment for demands dontneedcoffee.com/2012/10/citadelupdate1.3.5.1.html). “Update to Citadel :Panel” 1.3.5.1 (http://malware.dontneedcoffee.com/2012/07/inside-citadel-1.3.4.5-cncNbuilder.html) Rain Edition. “(http://malware. Commands additionally by Citadel* Citadel framework, as well as ransomware* as well as framework, Citadel the regarding awarning issued FBI 2012, the August In UtilizingI Incidents Citadel harm depending on the goals of the attacker. the of goals the on depending harm of avariety cause can it and atool, merely is Citadel that see can we this From incident. interesting an it makes point this and money, steal to not was goal ultimate attacker’s the that thought fiis it than this, of Because gain. nancial rather infrastructure targeted attacker the incident, this in However, money. or information authentication stealing at aimed are kits crimeware using incidents Generally, used Citadel to hack the employee VPN at an airport* an at VPN employee the hack to Citadel used attacker an which in incident an been also has There Citadel. to added was that modules expansion reading for function the using money more steal to attempting also were attackers fi for institutions, information nancial authentication seizing 57 . This shows that in addition to to addition in that shows . This 56 installed installed 55 . Figure Figure . 58 .

21 Infrastructure Security 22 Infrastructure Security password, this should be used* be should this password, one-time a provides using are you website fithe of if First, exploitation the preventing institutions. nancial measures consider we here but attacker, the of goal the on depending impact adifferent have can Citadel previously, indicated As I Countermeasures email. or message SNS an in aURL click to users prompt that methods engineering social or content, website legitimate It is known that drive-by downloads* drive-by that known is It Vectors I Infection here. discussed incidents the to limited not are and basis, aroutine on Japan in occurring are incidents such that said be can it 2005, least at in infections spyware for Citadel. Like Gumblar* Like Citadel. for threats. As with monetary theft due to malware infections, damages caused by phishing are still being reported* being still are phishing by caused damages infections, malware to due theft monetary with As threats. with dealing for measures enhance constantly and functions, these of purpose original the on users educate to continue to fi for institutions important also nancial is It them. using when provided are that functions the of purpose the understanding by this like abnormalities catch can Users once. at numbers the all enter to required be normally never will users that means This transaction. each for entered are random at selected numbers these of several that requiring by auser of identity reaffi to possible is it as the rm stolen, is apassword when theft identity through exploitation reduces system This user. each for numbers different lists authentication two-factor fi by as provided table institutions number nancial random The damages. of detection early the help can this of use transactions, conduct or in log *67 For example, the Council of Anti-Phishing Japan issued several alerts in 2012 for fi nancial institutions in Japan. “Council of Anti-Phishing Japan - Japan Anti-Phishing of “Council Japan. in fi for 2012 in alerts institutions nancial several issued Japan Anti-Phishing of Council the example, For *67 in stolen actually was money that reported McAfee used. is authentication two-factor when even attack of type this eliminate completely diffi is to It cult *66 and (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol04_EN.pdf) report this of Vol.4 in Malware” Gumblar Stealing ID/Password “1.4.2 See *65 (http://www.xylibox. Edition” Rain 1.3.5.1 “Citadel articles. following the in explained is kit exploit Blackhole the and Citadel between relationship The *64 (http://www.iij.ad.jp/company/ Trends” Malware Infection Web (1) 2010 for Trends “Security 2010. Week Technical IIJ in explained were kits Exploit *63 is viewer the by used computer the If content. Web views auser when vulnerabilities exploiting by infections malware cause downloads Drive-by by *62 operated services banking Internet of users targeted that spyware of circulation the to due 2005 July in alert following the issued IPA example, For *61 2011 -“(http://www.ipa.go.jp/security/ -August Report Incident Access Computer Virus/Unauthorized “Computer its in 2011, reported IPA August In *60 methods. these using seized was information authentication two-factor which in incidents in used images shows page CAIS following the example. For *59 Bancos* as known malware the and sites phishing by employed were techniques these which in incidents were there example, For past. the in Brazil as such confi been places had in rmed method This card. authentication two-factor their on listed numbers the all enter to users prompted that apop-up displaying by seized was information authentication that was incidents these of characteristic 2012. The November and October between banks major including institutions fi at reported nancial were SpyEye as well as Citadel be to thought variant aZeuS using theft monetary of incidents Japan, In (Figure 15). For this reason, it is important to protect yourself against malware infections. malware against yourself protect to important is it reason, this For 15). (Figure them within content Web the alters browsers Web into injected code malware because countermeasures, phishing existing using diffiabnormalities is it notice SpyEye, to or cult Citadel as such malware with infected when However, legitimate. are confito with they that rm communicate you websites for certifi(X.509) cate server and URL the check to crucial is it always, of monetary theft using SpyEye occurring in 2011, the fact that the IPA has issued an alert* an issued IPA has the that 2011, in fact the occurring SpyEye using theft monetary of Emergency News Bulletin” (http://www.antiphishing.jp/news/alert/) (in Japanese). Emergency News Bulletin” (http://www.antiphishing.jp/news/alert/) is it tables, number random afi using by institution. provided nancial are they if authentication passwords two-factor to one-time use to compared best improved still greatly is security because However, (http://www.mcafee.com/us/resources/reports/ Roller” High rp-operation-high-roller.pdf). Operation “Dissecting Roller. High Operation in reader card asmart using environment an information more for on Gumblar. (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol06_EN.pdf) report this of Vol.6 in Activity” Gumblar “1.4.1 Renewed (http://www. Ransomware” and Zeus Packs, -Exploit “Malware SECURITY, contextis.com/research/blog/malware-exploit-packs-zeus-and-ransomware/). INFORMATION Context com/2012/10/citadel-1351-rain-edition.html), (indevelopment/tech/techweek/pdf/techweek_1119_1-3_hiroshi-suzuki.pdf) Japanese). content. Web the viewing by merely malware with infected is it vulnerable, Japanese). (in (http://www.ipa.go.jp/security/topics/170720_spyware.html) Spyware” to due Harm Preventing for “A Warning Japan. in fiinstitutions nancial of number the in “An increase Japanese), (in SpyEye viruses detected (continued)” (https://www-304.ibm.com/connections/blogs/tokyo-soc/entry/spyeye_20110817?lang=ja_jp) (in Japanese). viruses SpyEye of (https://www-304.ibm.com/connections/blogs/tokyo-soc/entry/spyeye_20110425?lang=ja) number the in detected” “An increase July Japan. and in June active was between SpyEye that stolen been mentioned having also money with Report Japan SOC in Tokyo IBM’s active was alert. an SpyEye that issued 2011,of and english/virus/press/201108/documents/summary1108.pdf) (in Portuguese). (http://www.rnp.br/ CAIS” pelo identifidivulgadas e cadas “Fraudes cais/fraudes.php?id=2261&ano=&mes=&pag=52&busca=&tag_extend=&tag=3) 2009. least at in banks Brazilian targeting sites phishing at occurred incidents The 65 , this involves a variety of techniques, such as redirecting users to a malicious site by altering altering by site amalicious to users redirecting as such techniques, of avariety involves , this 66 . Also, when a fi nancial institution provides a service for notifying users by email when you you when email by users notifying for service a provides afi when . Also, institution nancial 62 using exploit kits* 63 such as the Blackhole Exploit Kit* Exploit Blackhole the as such 64 60 are common infection vectors vectors infection common are , and money stolen* money , and 59 . With incidents incidents . With 61 due to to due 67 . As . As extensions for downloaded fimislabeled. downloaded for aren’t les extensions confi and site, correct that fithe rming from that checking downloaded being are les attachments, or links opening when care taking include methods engineering social by deception through infections preventing for measures Other Policies. Restriction Software or AppLocker, UAC or as such functions Windows standard for settings policy conducting properly and determine a policy for dealing with the attacks expected in the future from each of these perspectives. these of each from future the in expected attacks the to with dealing for attempt and apolicy users, and determine designers/implementers/operators as such stakeholders different We consider future. the in occur could that issues prevent to information this using fidiscuss to and not” actually denominators, were common nd secure been have to “thought implementations and protocols which in cases categorize and discuss we section this in this, of light In trusted. be longer no can secure as recognized once browsers or applications which in asituation to leading vendors, by provided anchors trust the and PKI in trust eroded has This scenes. the behind place taking already potentially are attacks of number alarge that noted have some reason, this For factors. operational and technological of acombination by caused attack level ahigh 2012 was May in discovered was that malware Flame the with certifi used cates obtained fraudulently of case the that learned have we certifiparticular, In cates. of issue fraudulent the as 2011 2012, such and between organizations of anumber on made were PKI targeting Attacks years. recent in occurring been have that technology cryptographic using implementations and protocols with issues of a rash discuss we section, this In 1.4.3 EMET* as such tool mitigation a vulnerability installing are infection of risk the reduce drastically that take to measures defi keeping and software, nition anti-virus Additional of date. fi to version up les latest the installing needed, aren’t plug-ins that browser and applications deleting plug-ins), browser (including applications third-party and OS the to patches applying as such thoroughly, measures security general conventional conduct to important is it infections, To prevent *68 EMET (Enhanced Mitigation Experience Toolkit) is a tool provided by Microsoft for mitigating the exploitation of vulnerabilities (http://support.microsoft.com/ vulnerabilities of exploitation the mitigating for Microsoft by provided atool is Toolkit) Experience Mitigation (Enhanced EMET *68 Malware by aBrowser Inside Content of Alteration 15: Figure Web Server Legitimate kb/2458544/). A Refl ection on Issues Plaguing Protocols and Implementations Using Cryptographic Technology, Technology, Cryptographic Using Implementations and Protocols Plaguing A Refl Issues on ection and the Way Forward the and OK (X.509) Certificate Server by checkingservercertificate Abnormality notdetectable Content Encrypted OK Processing Decryption Web BrowserInternalProcessing Content Decrypted User into WebBrowser Citadel Injected checking theURLorservercertificate(X.509). communications route,souserscannotdetectsomethingisamissby altered aftertheyhavebeendecryptedinthebrowser,ratherthanon Communications areconductedwithalegitimateserver,andcontents HTML Inserted Malicious Content Altered detectable bycheckingURL Abnormality not Web BrowserDisplayScreen https://www.example.com/ 4 3 2 1 A B C D E 68 ,

23 Infrastructure Security 24 Infrastructure Security Table 1: Classification of Vulnerabilities Using in Technology Cryptographic Protocols/Implementations and Resulting Incidents algorithm. MD5 the of compromise the is which cause, main the to addition in issues operational by caused and factors contributing multiple with case is a malware Flame the example, For cause. main the classifiunder are ed causes multiple from originate to considered classifiissues also are these, Of ed. phases design/implementation/operation the of each in issues compromises, cryptographic from originating issues to addition In years. few past the in vulnerabilities these by caused incidents as well as technology, cryptographic using implementations and Table 1classifiprotocols in vulnerabilities es Not Were Secure be to Thought Implementations and Protocols Which in Cases I Summarizing compromise cryptographic caused by Issue Design issue issue Operational issue Implementation Type ofIssue November 2009 September 2012 September 2012 July 2012 December 2011 October 2011 September 2011 October 2010 November 2012 October 2012 February 2012 May 2008 November 2008 November 2008 August 2012 August 2012 May 2012 January 2010 December 2009 March 2007 November 2011 March to December 2012 October 2012 October 2012 August 2012 September 2011 Month/Year vulnerability SSL/TLS renegotiation Oracle DB Password extractionattack in CRIME attack decryption tool Release ofMS-CHAPv2 withTLS1.2 HMAC Issue whenusingtruncated (when usingCBCmode) XML encryptionvulnerability BEAST attack IPsec Issue whenusingCBCwith of Huaweibrandwifi products Issue withtheimplementation Android apps SSL implementationissuein issue Shared publickey Debian’s OpenSSL random numbergenerationin Issue withpredictable via SSHv2eavesdropping Partial leakofencryptedtext Key recovery attack on WPA than 1024 bitsinlength Restriction ofRSAless keys PKCS#1 v1.5 encryption Padding oracleattack on Flame malware public key Factoring ofa768-bit RSA certifi cateforgery X.509 intermediateCA attack APOP passwordrecovery fraudulent certifi cates authorities andissuingof Hacking ofmultiplecertifi cate certifi cateauthority theTURKTRUST from Fraudulent issueofcertifi cates signed Microsoft binaries Compatibility issueaffecting usedwithDKIM public keys Use of512-bit RSAfor keys Adobe certifi caterevocation issuing CA from 512-bit RSA certifi cate Revocation ofcertifi cates Incident Name Vulnerability/ mechanism andalgorithmagreementwas forrefreshingkeys disclosed. A MITMattack thatallowedinjectionintoHTTPSfragmentsviatherenegotiation also recognized asanissuewithauthenticationprotocoldesign. An attack thatcouldbeusedtoobtainOracleDatabasepasswordswas disclosed. This is based onwhetherthesamecharacters areincludedinthedatabeforecompression. fact thatevenwhendataofthesamelengthiscompressed,dictionarychanges TLS was released. This methodrebuildsencrypteddatabytrialanderror. Itexploitsthe A demoforeavesdroppingcookieswhenthecompressionfunctionisenabledSSL/ reported byBruceSchneier in1999. A toolwas releasedthatcanbeusedfromthecloudinattacks onMS-CHAPv2,which was the block size. applies whentheapplicationdataforencryptionisshort andencrypteddataislessthan truncated dataasMACs insteadoftheusualHMAC asamessageauthenticator. This It was pointedoutthatplaintextdatamayleakwithextensionmethodsuse80-bit syntax validationerrors asaplaintextvalidityoraclewas disclosed. An attack thatusesa Web serverforreturningdifferent error codesaccordingtoXML usingSSL3.0/TLS1.0CBC modeofbrowsers was released. A toolthatobtainedcookieswithinabrowserthroughchosen plaintextattack onthe text datacalledanESPtrailer, which ispaddedtoblock size length. An attack was disclosedthatfocusesonthecharacteristics ofthedatastructureplain the symmetric key cryptographythe symmetrickey DESusedduringcommunications. It wasthatshouldbeselectedrandomlywerehard-codedfor revealedthatsessionkeys implementation ofSSLwas pointed out. The existenceof Android appsvulnerabletoMITMattacks duetoproblemswiththe withothersites. addresses ontheInternet,manykeys unintentionally sharedprivate scansofIPv4 TLS andSSH,DSAwerecollectedviaextensive signatures,and PGPkeys Two independentgroupsreported certifi thatwhenpublickey catesusedwithSSL/ usingOpenSSLincertain ofDebian. spacewhengeneratingkeys versions reduced key fromagreatly werederived An issuewaskeys disclosedwiththefactthatprivate rate of2 disclosed. Usingtrial-and-error withasystemforchecking packet length,ithasasuccess An attack thefi thatleaked rst 4bytesofapacket whenusingSSHv2inCBCmode was Protected Access) was disclosed. an issueinthe TKIP (Temporal Key IntegrityProtocol)updatealgorithmfor key WPA (Wi-Fi An attack andthegenerationofalteredpackets thatallowedtheleakofMICkeys dueto certifi catesusingRSAkeyslessthan 1024 bitsinlength. Updates werereleasedfortheMicrosoft familyofproductsthatrestrictedtheuse with aPKCS#11 import encryptionkey functionimplemented. disclosed. This isapracticalattack fromhardware thatappropriatestheencryptionkey An improved methodforexistingpaddingoracleattacks onPKCS#1v1.5 encryptionwas were discovered. FakeMicrosoft certifi cateswereissuedusingMD5collisionattacks. MITM attacks on Windows Updatebyusingmalware toexploitthecode-signingfunction transition to2048-bitRSA. 1024-bit RSA isstillnotarealistictargetforattacks, butthiswas atriggerinmoves to waspublic key successfullyfactoredinapproximately sixmonthsusing80machines. Breaking thepreviousrecordof663-bitencryption,itwas reported thata768-bit RSA wereissuedinincrementswasnumbers alsoidentifi ed. issue thatmadeitpossibletoinferaffected signaturedatabecausethecertifi cateserial MD5digestscollide. extension areaignoredbythebrowsertomake An operational Forgery ofX.509intermediateCAcertifi cates was carried outbyadjustingtheX.509v3 using anMD5collisionattack. It was disclosedthatidentitytheft attacks werepossiblebysendingachallenge onservers issuing systemhadbeenhacked. suspended theissuingofcertifi catesduetothediscovery ofevidencethattheircertifi cate in late August. InNovember aDutch certifi cateauthority serviceoperatedbyKPN incident inMarch, certifi andover 500 cateshadbeenissuedfraudulentlyfromDigiNotar It was discovered thatninecertifi cateshadbeenissuedfraudulentlyintheComodo been fraudulentlyissuedfromthe TURKTRUST certifi cateauthority. It was discovered thatanumberofcertifi catesfor domainssuch as*.google.comhad not containingExtendedKey Usagewithregard totimestamping. were signedbasedonincorrect procedures. This was due tothecodesigningcertifi cate It was discovered thatanumberofbinaries signedbetweenJuly 12 and August 14, 2012, of atleast1024 bitsbyspecifi cation,butit was reportedkeys hadbeenused. that512-bit withalength The DKIMsystemforauthenticatingthesender ofemailrequirestheusekeys about thecauseofincident). discovered (classifi edasanoperational issue,ascurrently therehasbeennofollow-up A codesigningcertifi cateusedby Adobe whenitsfraudulentuse was revoked was the issuingpolicyofDigiCert Sdn.Bhd. A policyofrevoking certifi catesfromintermediateCAsduetoproblemswith was taken -14 . Details *79 *80, *81 *91 *89, *90 *88 *87 *86 *85 *83, *84, *82 *96 *95 *93, *94 *92 *78 *77 *75, *76 *74 *73 *72 *71 *69, *70, *97 *102, *103 *101 *100 *99 *98 Footnote No. *87 IIJ-SECT Security Diary, “Regarding a Vulnerability When Using Truncated HMAC with TLS1.2” (https://sect.iij.ad.jp/d/2011/12/079269.html) (in Japanese). (in (https://sect.iij.ad.jp/d/2011/12/079269.html) TLS1.2” with HMAC Truncated Using When *88 aVulnerability “Regarding Diary, Security IIJ-SECT *87 CCS2011) (ACM Security Communications and Computer on Conference ACM 18th the Encryption”, XML Break to “How Somorovsky, Juraj Jager, Tibor *86 (http://www.youtube.com/watch?v=gGPhHYyg9r4). startups vs CRIME *85 MSDN Microsoft, Blogs, xing-the-beast.aspx). “Fixing the BEAST” (http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fi *84 Qualys SecurityLabs, “Mitigating the on BEAST attack TLS” (https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls). *83 Computer on conference ACM Confi 17th the gurations”, MAC-then-Encrypt in IPsec of (In)Security the “On (http://www.ietf.org/rfc/rfc5746.txt). Paterson, G. Kenneth Extension” Indication Degabriele, Paul Jean Renegotiation (TLS) *82 Security Layer “Transport Oskov, N. Dispensa, S. Ray, M. Rescorla, E. *81 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555). MITRE, (http://www.kb.cert.org/vuls/id/958563). CVE-2009-3555 vulnerability” CBC SSH *80 VU#958563 Note “Vulnerability CERT/CC, WPA”,*79 with PacSec2008. Issues Crypto Some Seconds, 900 in “Gone Tews, Erik *78 14” (http://blogs. August in released was length in bits 1024 than less keys cryptographic blocking for cient-padding-oracle-attacks/faq.html). (KB2661254) “An update Blogs TechNet Microsoft, (http://www.lsv.ens-cachan.fr/~steel/effi FAQ *77 Hardware Cryptographic on Attacks Oracle EffiPadding cient *76 Cryptographic on Attacks Oracle Padding Tsay, “Efficient Joe-Kai Steel, Graham Simionato, Lorenzo Kawamoto, Yusuke Focardi, Riccardo Bardou, Romain *75 (http://www.iij.ad.jp/en/company/development/ report Vol.16 this in of Update” Windows on Attacks MITM Launches that Malware Flame The “1.4.2 See (http://eprint.iacr.org/2010/006). modulus” RSA *74 a768-bit of “Factorization et.al, Kleinjung Thorsten *73 today” harmful considered “MD5 Weger, de Benne Osvik, Arne Dag Molnar, David Lenstra, Arjen Appelbaum, Jacob Stevens, Marc Sotirov, Alexander *72 IEICE Authentication”, Digest SIP, APOP, and against Attacks Recovery Password “Extended Kunihiro, Noboru Ohta, Kazuo Wang, Lei Yu Sasaki, *71 (www. session Rump FSE2007 APOP”, as such Challenge-Response MD5 an on Recovery Password “Practical Aoki, Kazumaro (http://fse2007.uni.lu/slides/APOP.pdf). Yamamoto, Go FSE2007 Yu Sasaki, APOP”, to Application Collisions *70 MD5 and MD4 in Freedom “Message Leurent, Gaetan *69 algorithms* cryptographic of compromise The *105 Offi cial Announcement of “List of Recommendable Cryptographic Techniques for Procurement Activities by Japan e-Government (CRYPTREC Ciphers Ciphers (CRYPTREC e-Government Japan by Activities Procurement for Techniques Cryptographic Recommendable of *105 “List of OffiAnnouncement cial (http://www.iij.ad.jp/en/company/development/iir/pdf/ report this of Vol.8 in Turkish). (in Algorithms” Cryptographic on Issues 2010 Year the in “1.4.1 Trends See *104 (http://www.turktrust.com.tr/kamuoyu-aciklamasi.html) Açıklaması” “Kamuoyu TÜRKTRUST, *103 Spoofi (http://technet.microsoft.com/en-us/security/ Allow ng” Could Certificates Digital Fraudulent (2798897): Advisory Security “Microsoft Microsoft, *102 (http://technet.microsoft.com/en-us/ Binaries” Microsoft Signed Affecting Issues Compatibility (2749655) Advisory Security “Microsoft Microsoft, *101 (http://www.kb.cert. trust” message convey Verifiinappropriately may ers (DKIM) IdentifiMail ed DomainKeys VU#268267, Note “Vulnerability US-CERT, *100 (https://blogs.adobe.com/asset/2012/09/ cate” Certifi Signing Code Adobe of Use “Inappropriate Blog, (ASSET) Team Engineering Software Secure Adobe *99 (http://www.iij.ad.jp/en/company/development/iir/pdf/ report Certifi Key this in Vol.14of Public cates” of Issuing the to Related “1.4.1 Problems See *98 (http://www.iij.ad.jp/en/company/development/iir/pdf/ report this in Vol.13of Certifi Key cates” Public of Issue Unauthorized the of (http://blog.emaze.net/2012/11/weak-password-encryption-on-huawei.html). Incidents “1.4.3 products” See Huawei on encryption *97 password “Weak Speziale, Ivan Paleari, Roberto *96 SSL Validating World: the in Code Dangerous Most “The Shmatikov, Vitaly Boneh, Dan Anubhai, Rishita Jana, Suman Iyengar, Subodh Georgiev, Martin *95 (http://www.jnsa.org/seminar/pki- 2012 Day PKI JNSA Sites, Other with Keys Private Sharing Unintentionally Keys Public Many of Issue The Suga, Yuji *94 (http://www.iij.ad.jp/ report Vol.17 in this of Sites” Other with Keys Private Sharing SSH and SSL/TLS with Used Keys Public Many of Issue “1.4.1 (http://www.debian.org/security/2008/dsa-1571). The See generator” number random *93 predictable -- openssl “DSA-1571-1 Advisory, Security Debian *92 (http://www.ekoparty.org/eng/2012/ 2012 Conference Security ekoparty protocol”, authentication Database fl Oracle in aws “Cryptographic Fayo, Esteban *91 (http://www.ekoparty.org/eng/2012/thai-duong.php). 2012 Conference Security *90 ekoparty attack”, CRIME “The Duong, Thai Rizzo, Juliano *89 the SHA-2 family* SHA-2 the to MD5 from migrating by comprehensively with dealt be can vulnerabilities These length. key short acomparatively with algorithm RSA the or MD5 function hash of use the by caused Table in 1are listed vulnerabilities the of some that see can We point. some at algorithms new to used currently algorithms the from migrate to necessary be will it and unavoidable, is time over algorithms of degradation the means This research. cryptanalysis in advancements as well as computing, cloud of use the or power processing CPU in increases through attacks of cost the in adrop by caused is It designed. were they when CRIME: Information Leakage (https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls). against Attack SSL/TLS (https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/). rate” success a100% with MS-CHAPv2 Cracking Conquer: and “Divide CloudCracker::Blog, (http://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf). (ACM CCS2010)(http://www.isg.rhul.ac.uk/~psai074/slides/CCS-2010.pdf). security and communications (in Japanese). technet.com/b/jpsecurity/archive/2012/07/30/3511493.aspx) Hardware”, CRYPTO2012 (http://www.lsv.ens-cachan.fr/~steel/slides/CRYPTO12.pdf). iir/pdf/iir_vol16_EN.pdf). (http://www.win.tue.nl/hashclash/rogue-ca/). No.1, pp.96-104. Vol.E92-A Sciences, Computer and Communications Electronics, of Fundamentals on Transactions iacr.org/workshops/fse2007/slides/rump/apop.pdf). January 2013, SHA-1 was accepted for continued use to maintain compatibility, and SHA-256/384/512 was recommended as its replacement. its as recommended was SHA-256/384/512 and compatibility, maintain to use continued for accepted was SHA-1 2013, January which was open for public comment until List)”(http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/130301_01.html), iir_vol08_EN.pdf). advisory/2798897). security/advisory/2749655). org/vuls/id/268267). inappropriate-use-of-adobe-code-signing-certificate.html). iir_vol14_EN.pdf). iir_vol13_EN.pdf). (http://www.cs.utexas. CCS2012) (ACM edu/~shmat/shmat_ccs12.pdf). Security Communications and Computer on Conference ACM 19th the Software”, Browser Non- in Certificates (in Japanese). day/2012/data/PM02_suga.pdf) en/company/development/iir/pdf/iir_vol17_EN.pdf). esteban-fayo.php). 105 , or shifting to the use of RSA public keys with a length of 2048 bits or more. or bits 2048 of alength with keys public RSA of use the to shifting , or 104 indicates that their security can be threatened at a lower cost than envisioned envisioned than cost alower at threatened be can security their that indicates

25 Infrastructure Security 26 Infrastructure Security specification* and making multiple trial and error attempts have been applied to SSL/TLS* to applied been have attempts error and trial multiple making and attack an in targeted server actual an from responses observing by random at text plain reconstructing for Techniques years. few past the in extensions and improvements to due threat real a presents now issue this that know we and identifi2002, in Vaudenay Serge by ed is also used in key recovery attacks on WPA* on attacks recovery key in used also is concept error identifiand as trial This by ed Vaudenay. bit-by-bit, information extract and not or data padding correct have in Debian’s OpenSSL* Debian’s in avulnerability as such incidents to applies This entropy. enough without generated being numbers random to due designed, was algorithm the when envisioned that from apart worlds is provided security the which in instances many been also have There them. using when issues fl design to due implementation and maintained aws not is system or aprotocol as security overall the which in cases been also have there However, proposed. been have performance high and security provable with algorithms cryptographic balanced excellent, Many implementers. and designers protocol to encryption of use the regarding issues and caution requiring points conveys that ascheme need we design, protocol and design algorithm cryptographic separating completely of instead reason, this For design. format or protocol to applied be can knowledge this that is a chance there future, the In methods. implementation secure of establishment the and design algorithm cryptographic on impact asignifi had has cant attacks channel side of development The concept. same the on based basically is and collected, data of scope the in only differs previously mentioned technique analysis error and trial The level. chip acryptographic on speed processing or waves, electromagnetic power, in deviations as such information secondary collecting by processing cryptographic in used keys the as such information obtains method This cryptanalysis. for atechnique is attack channel A side Alliance Academic-Industrial aNew of Formation I The implementation. for consideration into taken be should that issue an also is this that clear is It design. protocol out carry to aneed is there that see can we processing, normal than rather processing error vulnerabilities. Current attempts to quantify the impact of vulnerabilities include the Common Vulnerability Scoring System (CVSS)* System Scoring Vulnerability Common the include vulnerabilities of impact the quantify to attempts Current of vulnerabilities. impact the of visibility the enhancing on focus particular place should alliance academic-industrial new this that We believe solutions. fundamental to lead and issues, of understanding and sharing the promote will these as such activities that hoped is It 2013. March in Japan in held was earlier mentioned we that mode CBC to relating vulnerabilities the understanding correctly for scientifiworkshop A community. c right now it is used as a single reference point. For example, the BEAST attack* BEAST the example, For point. reference asingle as used is it now right *110 NIST, “CVSS Version 2 Scoring Page (CVE-2011-3389)” (http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2011-3389&vector=%28AV%3AN/AC%3AM/ (CVE-2011-3389)” Page 2 Scoring Version “CVSS NIST, *110 rst.org/cvss/cvss- (http://www.fi 2.0” Version (CVSS) System Scoring Vulnerability Common the to Guide “A Complete S.Romanosky, K.Scarfone, P.Mell, *109 in held was (http://www.nec.com/en/global/rd/event/RLCPS10.html) Standardization and Protocols Cryptographic incarnation Real-Life previous on The 2013. Workshop 1st The January in *108 held was (https://crypto.stanford.edu/RealWorldCrypto/index.php) Cryptography Real-World on Workshop The *107 (http://www.iacr.org/archive/ EUROCRYPT2002 WTLS...”, IPSEC, SSL, to Applications Padding CBC by Induced *106 Flaws “Security Vaudenay, Serge mode* CBC on attacks oracle padding particular, In error. and trial repeating when information) (external response the observing by atime at abit information internal leaking for techniques to Table in 1correspond issues design classifias ed vulnerabilities the of Many issues. implementation and design the with dealing for guidelines consider we Next, between the scientifi c and business communities. For example, workshops* example, For scientificommunities. the business between and c technology cryptographic by faced challenges real-world the share to moves been have there situation, this of light In of migration in addition to the vulnerability itself. For this reason, we believe there is a need for evaluation standards related related standards evaluation for aneed is there believe we reason, this For itself. vulnerability the to addition in migration of impact the calculate not does evaluation this that fact the from stem to thought is This confusion. of alot was there place, in with a CVSS base score of 4.3* of score base aCVSS with Au%3AN/C%3AP/I%3AN/A%3AN%29). (http://www.ipa.go.jp/ information more for (in Japanese). explanation Center security/vuln/CVSS.html) Security Japan Agency, Promotion Information-Technology following the See guide.pdf). 2011. (http://www.nec.com/en/global/rd/event/RLCPS11.html) March in held was Standardization and Protocols Cryptographic Real-Life on Workshop 2nd 2012. The and 2010, January in held was January (http://www.newton.ac.uk/programmes/SAS/sasw07.html) Relevant? Practically Theory Cryptographic Is workshop, this of eurocrypt2002/23320530/cbc02_e02d.pdf). 109 . However, the actual impact is greatly infl uenced by the prerequisites and usage environment for an attack, so so attack, an for environment usage and infl greatly is prerequisites the by impact uenced actual the . However, 86 . The basic idea behind these techniques is to see whether the responses from nodes targeted in an attack attack an in targeted nodes from responses the whether see to is techniques these behind idea basic . The 92 , the issue of public key sharing* key public of issue , the 110 , but because of factors such as not being able to connect to servers with countermeasures countermeasures with servers to connect to able being not as such factors of because , but 78 and CRIME attacks* CRIME and 93 , and the disclosure of an MS-CHAPv2 attack tool* attack MS-CHAPv2 an of disclosure the , and 89 . In view of the fact that these issues are caused by poor poor by caused are issues these that fact the of view . In 83 107 * * 83 87 108 was evaluated as a MEDIUM vulnerability vulnerability aMEDIUM as evaluated was , IPsec* , have been held due to concerns by the the by concerns to due held been have 79 , SSH* 82 and the XML Encryption Encryption XML the and 106 involve an issue issue an involve 88 . raising awareness. of cost the cover will who and themselves by anchors trust other ensure can users that concept new the spread to how about discussion be should there We believe systems. trustworthy other using communications of security the raise to users enable will and safe, are you browser in a appears icon padlock the as redefi will long as that these idea Using the ne issues. these or Convergence* with browsers no longer able to tell the difference between legitimate sites and malicious sites. Measures such as DANE* as such Measures sites. malicious and sites legitimate between difference the tell to able longer no browsers with problem, major a into certifidevelop of will it issuing cates, fraudulent the as such issues through lost is PKI in trust if and users, for anchors trust offers 2012.PKI December in certifiauthority cate TURKTRUST the from fraudulently issued been had certifi that cates discovery the as such PKI, in trust erode to serve that incidents unfortunate been also have there However, confiPKI. in restore and dence awhole, as industry the of level the raise authority, certifi each cate between requirements issuing in variation the equalize to expected are 2012. These July from effect into equivalent strength* to similar concept a use should They specifivulnerabilities. cation protocol/format to applied be can that cost migration to Offi ce of Emergency Response and Clearinghouse for Security Information, Service Operation Division, IIJ Division, Operation Service Information, Security for Clearinghouse and Response OffiEmergency of ce Masahiko Kato, MasafumiNegishi, Takahiro Haruyama, Tadashi Kobayashi, Yasunari Momoi, Seigo Saito, Hiroaki Contributors: Yoshikawa Network Engineering Section, IIJ Department, Network Service Yoshinobu Matsuzaki IIJ Division, Operation Service Information, Security for Clearinghouse and Response OffiEmergency of ce Suga Yuji Hiroshi Suzuki Hirohide Tsuchiya, Hiroshi Suzuki, Hisao Nashiwa Hirohide Tsuchiya, Hisao Nashiwa Authors: this. as such reports in responses associated and incidents publicizing and identifying by usage Internet of dangers the about public the inform to effort every makes IIJ technology. cryptographic using environments in issues of rash of a behind causes the discussed also We fi for tables institutions. code nancial steal to used was that ZeuS of variant Citadel the as well Virus”, as Control ”Remote the to connection its to due attention attracted that Tor the system examined we time, This responded. has IIJ which to incidents security of asummary provided has report This 1.5 key lengths. Due to a series of issues occurring in quick succession, a specifi cation of baseline requirements* aspecifi baseline of cation succession, quick in occurring issues of aseries to Due lengths. key short with algorithms cryptographic of use erroneous the and attributes, certifiof cate misuse systems, certifiin issuing cate vulnerabilities as such side, operational the on factors of range awide by caused are issues These PKI. to related Table issues in 1are operational as listed incidents the All users. and operators for countermeasures regarding guidelines at look we Next, I Increasing User Awareness engineering”. “transition of creation the on perspective afresh offering awellspring as serve will failures and successes of examples on information gathering and migration concerning methodology and issues common sharing that expected is It compromises. cryptographic handling of capable be also should standards These platform. or OS of independent uniformly 13 Convergence (http://convergence.io/details.html). (https://datatracker.ietf.org/wg/dane/). Group *113 Working (DANE) Entities Named of Authentication DNS-based IETF *112 Certifi2011”Nov. (http://www. v.1.0,22 cates, Publicly-Trusted of Management and Issuance the for Requirements “Baseline Forum, CA/Browser *111 cabforum.org/Baseline_Requirements_V1.pdf). Conclusion (1.4.3 A Refl ection on Issues Plaguing Protocols and Implementations Using Cryptographic Technology, and the Way Forward) Way the and Technology, Cryptographic Using Implementations and Protocols Plaguing ARefl Issues on (1.4.3 ection groups, including Telecom-ISAC Japan, Nippon CSIRT Association, and Information Security Operation providers Group Japan. Group providers Operation Security Information and Association, CSIRT Nippon industry Japan, several of member Telecom-ISAC including committee groups, asteering as IIJ- serves team, Mr. Saito CSIRTs. response of group emergency Group IIJ international an the of FIRST, in participating representative 2001, in the SECT became Mr. Saito customers, in working enterprise for After IIJ. development Division, services Operation security Service Information, Security for Clearinghouse and Response Offi the Emergency of of ce Manager Mamoru Saito (1.4.2 The Citadel Variant of ZeuS) of Variant Citadel The (1.4.2 113 (1.4.1 An Overview of Tor) of Overview (1.4.1 An that create new trust anchors to complement the existing PKI system have been proposed to deal with with deal to proposed been have system PKI existing the complement to anchors trust new create that 104 , which uses the same grading scale for different types of cryptographic algorithms so they are treated treated are they so algorithms cryptographic of types different for scale grading same the uses , which (1.2 Incident Summary) Incident (1.2 (1.3 Incident Survey) Incident (1.3 111 was put 112

27 Infrastructure Security