Threat of unauthorized access - jamhelper
For those worried about unauthorized login
Unauthorized login is rampant.
Its aims are the unauthorized use and modification of customer information, the conversion of points into money, and fraud using credit card information.
If personal information is leaked as a result of an attack, we fall into a serious situation.
We have seen cases where a delay in the initial response caused fatal damage.
Thorough advance measures are needed against this threat, which carries a high business risk.
Overview of the main attacks
An attacker attempting unauthorized login mechanically tries multiple IDs and passwords while changing IP addresses.
The main methods of unauthorized login are as follows.
・Brute force attack
An attacker tries passwords made from every combination of characters against an expected ID.
・Reverse brute force attack
An attacker fixes the password and tries to log in with various IDs.
The ID is fixed and login is tried with passwords made from combinations of words.
The hit rate is low, but the efficiency up to decipherment is very high.
・List account hacking (list type attack)
An attacker tries to attack multiple websites using IDs and passwords obtained illicitly from other websites.
Figure: the trend in damage from list type account hacking since April 2013, as published by JPCERT/CC.
Source: JPCERT/CC call for unauthorized login prevention, "STOP!! Password reuse!! Password list attack"
Case of attack
The WordPress login screen of this website was attacked mechanically for about 6 hours at an average of 1.8 requests per second.
91.93.127.** - - [20/Dec/2014:09:53:51 +0900] "POST /wp-login.php HTTP/1.0" 503 323 "-" "-" DoSAttack 11 1758 0
91.93.127.** - - [20/Dec/2014:09:53:52 +0900] "POST /wp-login.php HTTP/1.0" 503 323 "-" "-" DoSAttack 12 1978 0
:
91.93.127.** - - [20/Dec/2014:15:59:10 +0900] "POST /wp-login.php HTTP/1.0" 503 323 "-" "-" DoSAttack 28787 1661 0
91.93.127.** - - [20/Dec/2014:15:59:11 +0900] "POST /wp-login.php HTTP/1.0" 503 323 "-" "-" DoSAttack 28788 1770 0
jamhelper is blocking this unauthorized access.
If more than one login is requested from the same IP in a short period of time, it is regarded as "unauthorized access" and shut off.
This can be confirmed to be an effective countermeasure.
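The rule described above (repeated login requests from the same IP in a short period), shown as an added Python example that scans an access log offline. It is not jamhelper's code; the function names, the threshold of 5 POSTs in 10 seconds and the sample addresses are assumptions, and log lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access-log prefix: client, timestamp, method, path (later fields are ignored).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def flag_login_floods(lines, path="/wp-login.php", limit=5, window_s=10):
    """Map each client to the first time it exceeded `limit` POSTs to `path`
    within `window_s` seconds (hypothetical threshold values)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)    # client -> timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # skip malformed lines instead of aborting
        client, ts, method, url = m.groups()
        if method != "POST" or url.split("?", 1)[0] != path:
            continue               # only login submissions are counted
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[client]
        q.append(t)
        while t - q[0] >= window:  # drop attempts that left the window
            q.popleft()
        if len(q) > limit and client not in flagged:
            flagged[client] = t
    return flagged

def make_sample():
    """Constructed log: one client at 2 login POSTs/s, one single login, one GET-only client."""
    fmt = '{ip} - - [20/Dec/2014:09:53:{s:02d} +0900] "{req} HTTP/1.0" {st} 323 "-" "-"'
    lines = []
    for s in range(10):
        lines.append(fmt.format(ip="192.0.2.10", s=s, req="POST /wp-login.php", st=200))
        lines.append(fmt.format(ip="192.0.2.10", s=s, req="POST /wp-login.php", st=200))
        lines.append(fmt.format(ip="203.0.113.7", s=s, req="GET /index.php", st=200))
    lines.insert(3, fmt.format(ip="198.51.100.5", s=1, req="POST /wp-login.php", st=302))
    lines.append("garbage line")
    return lines

if __name__ == "__main__":
    for ip, when in flag_login_floods(make_sample()).items():
        print(f"{ip} exceeded the threshold at {when.isoformat()}")
```

A scan like this only reports after the fact; cutting the connection while the requests are arriving is what the page attributes to the Apache module.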
Effects of attack
An attacker will try to decipher passwords mechanically in a short period of time, at 1 to 30 requests per second.
It isn't uncommon for the website to fall under a high load similar to a DoS attack.
During that time, sales and opportunities are lost.
In addition to that …
Fines and imprisonment under the Personal Information Protection Act as criminal liability, and on the civil side damages, litigation costs, ex gratia payments and their delivery costs, the cost of fictitious claims, and compensation for mental distress will occur.
Non-legal losses
Emergency stop-gap response, identification of the impact and investigation of the cause, planning and implementation of countermeasures, the cost of technicians, maintenance and consulting to prevent a recurrence, call center costs, sending apology letters or placing apology advertising, press conference expenses, social disrepute and damage to the corporate image, and the associated management losses occur.
It could also lead to problems related to the survival of the company, through declining sales, a fall in market value, and lowered employee morale.
Measures against attack
The Ministry of Internal Affairs and Communications of Japan has presented blocking communication from specific IP addresses as an effective means to prevent damage.
Source: "Countermeasures against unauthorized login by list-type account hacking (collection of measures for website administrators such as Internet service providers)" (Ministry of Internal Affairs and Communications of Japan)
( http://www.soumu.go.jp/menu_news/s-news/01ryutsu03_02000063.html ) (Accessed December 28, 2014)
Measures to prevent attacks and to prevent the spread of damage, such as
・ Alerting users about password reuse
・ Encrypted password storage, validity period setting, and history retention
・ Refusing the use of easily guessed passwords
・ Introducing two-step authentication and account lock
・ Login history display
・ Abolishing dormant accounts
can be handled relatively easily at the application level.
However, "cutting off communication from a particular IP address that exceeds the threshold" is in reality very difficult at the application level in terms of performance and maintenance operations, and this is where jam helper (jamhelper) comes in.
Because jam helper (jamhelper) is an Apache module, it cuts off communication from a particular IP address that exceeds the threshold at high speed.