Month of Information Security

Although most people do not know (even I didn't until now), February was the "Month of Information Security" in Japan, sponsored by NISC (the National Information Security Center).

In other parts of the globe, a "Month of Security Awareness" (MoBB, MoPB, MoAB) means some extremely talented hacker guy (or girl?) releases, in his free time, roughly 30 zero-day exploits and vulnerability details for widely deployed systems, which sends quite a strong message about the gap between the security claimed by the vendors and reality.

In Japan, a month of security awareness means that you have seminars all over the country where people dressed up in suits, who know enough about computers to operate Windows XP, Outlook and Office, get together to talk about all of these scary security issues such as Winny, botnets, viruses, keyloggers, etc... No, there are no zero days, no hands-on training, or anything of that sort.

So with large organizations and millions of yen of tax money, how do we fight for better information security, you ask???

With this!

Yes, that's right. The "Information Security Rangers" will save the day! Right now they still do not have any reverse engineering, penetration testing, malware analysis, or networking skills but they can sing a cute song that informs the world about spam, viruses, firewalls and the monsters living in the internet trying to get your personal information!

You can check out the music video here. Hopefully this year it will win a Pwnie for best song of 2009.

Although I feel much more aware of the dangers of computers and the internet thanks to that minute-and-a-half song, security is a very serious issue and we really need one more layer of awareness if we really want to be certain that the entire public is fully conscious of information security issues.

So that is why METI (the Ministry of Economy, Trade, and Industry) invested a heavy sum of tax money into creating CHECK PC!.

CHECK PC! is a site where Securina, two anime/doll-like girls, teach you about the dangers of IT security such as phishing and viruses. They also have a music video here.

Although personally, if I were in charge of METI and had millions to spend on security awareness, I would probably prioritize marketing to a wider audience instead of just to Japanese girls aged 6-9.
However, I suppose that is just as important a group in need of security education as everyone else.


Cybercrime cases hit record high

"Police across Japan uncovered 6,321 cases of Internet-related crime last year, an increase of 15.5 percent and the highest number since comparable data were first kept in 2000, the National Police Agency said Thursday.

The figure represented a threefold jump from 2,081 cases recorded in 2004.

There were 112 cases of threats made over the Internet in 2008, up 53 from the preceding year, the NPA said. In one instance, a woman was referred to prosecutors in connection with posts she made on an entertainer's blog. The comedian was forced to close his blog due to a flood of abusive messages from other Net users.

There were 61 libel cases involving the Net, down 18. However, police received a record 11,516 requests from the public to look into potential libel cases, up 29.8 percent.

Police unearthed 1,740 cases of illegal access involving the use of stolen passwords, up 20.7 percent. The cases involved 137 people, up 11.

Fraud cases mainly involving Internet auctions inched down 0.3 percent to 1,508.

Offenses against a law restricting Net-based dating services jumped threefold to 367, while offenses against an ordinance aimed at protecting youths soared 90.0 percent to 437.

Police across the nation were asked by the public to check up on 81,994 potential cybercrimes in 2008, up 12.0 percent.

An NPA official said the agency will step up its efforts to crack down on cybercrime by boosting its investigative ability in light of increasing offenses using the Internet."

Source: Japan Times

The Internets Are Scary!

Earlier this month (Feb. 6th?), the Ministry of Health, Labour and Welfare announced a ministerial ordinance that will make it illegal to sell medicine over the Internet starting June 1st this year. This includes medicine such as pain relievers for headaches like Tylenol, medicine for colds, athlete's foot cream, any herbal supplements and even devices to tell if you are pregnant or not! Yahoo and Rakuten are very angry about this, as they sell much of the aforementioned goods online, and have tried everything they could to get this foolish law reversed, but have probably failed to convince these stubborn bureaucrats otherwise.

However, the thing that I find interesting about this is that there is now much speculation that the people who decided this law are ignorant, misinformed people who are prejudiced against the net, and that the real reason it was passed was that behind the scenes they decided "the Internets are scary and things like drugs should not be sold there!".



Beware of the Barcode!

So there has recently been talk of possible phishing attempts using QR barcodes. (I was hoping that someone actually tried this but I have still not heard of this being used in the wild...)

For those of you who do not know, QR codes are two-dimensional barcodes created by a Japanese company in 1994, and they have been found EVERYWHERE in Japan since around 2003. Japanese cellphones started having built-in cameras in 1999, and by 2003 cameras had become so popular and necessary to the public that you have not been able to find a phone without a built-in camera since then. Also, in 2003 phones gained the ability to read these QR barcodes. They are mainly found on flyers and advertisements to get people to visit the restaurant's/store's website for coupons, etc... These things are great because instead of having to waste time typing a long URL, you can just scan the barcode and off you go.

So having an easy mechanism to get people to blindly access URLs is a phisher's/hacker's dream, right?

Even in the U.S., before these 2D barcodes have become widespread (which they probably will in the next couple of years, now that cellphones there are finally high tech enough to read barcodes), there is talk about the dangers of phishing with these evil codes! If you do a Google search for "qr code phishing" you will already find people talking about this.

However, there are no inherent dangers in these barcodes at all.

After scanning the QR code, the URL is displayed and confirmation by the user is required to continue. So even if a malicious person replaces the QR code on a flyer, or even the whole flyer itself, with a different QR code and URL, the problem lies with people trusting the URL; the mechanism for inputting the URL quickly has nothing to do with it.

This is still the classic problem of users that are not trained in security issues.

However, this is even less of a problem because even if you get someone to access a URL of your choice on a Japanese cellphone, chances are you are not going to be able to profit much from it.

That is, there are no remote exploits available, nobody does their banking through their cellphone and no one would put their credit card information into a cellphone site they got from a flyer or advertisement.
I am sure someone with enough time could think of a way to profit from someone going to your malicious site, but if you wanted a high number of users to connect to a URL via cellphones you would get 10,000 more hits by just posting a link in a hot topic on 2 Channel, and you wouldn't even have to spend time and money printing things out and posting them!

I really don't know what the fuss is all about.
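Since the whole argument above rests on the confirmation screen, here is an added example (not from the original post or any phone's QR reader) of what that screen should work out from the decoded text before asking the user to continue: which host the browser will really connect to, and the handful of things worth noticing about the URL. The sample payloads are constructed; the `.example` hostnames and the `xn--zckzah` label (the IDN test label) are placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample payloads standing in for text decoded from QR codes.
SAMPLE_PAYLOADS = [
    "https://www.example.co.jp/coupon?id=123",
    "http://www.example.co.jp@192.0.2.10/coupon",  # userinfo before '@'; host is the IP
    "https://xn--zckzah.example/login",             # punycode (IDN) label in the host
    "mailto:someone@example.net",                   # not a web URL at all
]


def inspect_qr_url(payload: str) -> dict:
    """Return what a confirmation screen should show for a decoded QR payload.

    The result names the host the browser would actually connect to and lists
    the things a user should notice before pressing "OK". This is a display
    and triage helper for the reader's confirm step, not a reputation lookup.
    """
    payload = payload.strip()
    parts = urlsplit(payload)
    notes = []

    if parts.scheme.lower() not in ("http", "https"):
        return {"is_web_url": False, "host": None,
                "notes": [f"not a web URL (scheme '{parts.scheme}')"]}

    host = (parts.hostname or "").lower()
    if not host:
        notes.append("no hostname in URL")

    if parts.scheme.lower() == "http":
        notes.append("plain HTTP: the page is neither authenticated nor encrypted")

    # user:pass@ before the host: browsers ignore everything before the '@',
    # so the part that looks like a domain is not where the request goes.
    if "@" in parts.netloc:
        notes.append(f"URL contains credentials before '@'; real host is '{host}'")

    # Numeric hosts are rare for legitimate shop/restaurant sites on a flyer.
    try:
        ipaddress.ip_address(host)
        notes.append("host is a raw IP address, not a domain name")
    except ValueError:
        pass

    # Internationalised labels appear as xn-- in the raw URL text.
    if any(label.startswith("xn--") for label in host.split(".")):
        notes.append("host contains punycode (IDN) labels; check the Unicode form")

    if len(payload) > 200:
        notes.append("very long URL; the important part may be scrolled off screen")

    return {"is_web_url": True, "host": host, "notes": notes}


def confirmation_text(payload: str) -> str:
    """Render the summary the way a reader's confirm dialog might show it."""
    info = inspect_qr_url(payload)
    if not info["is_web_url"]:
        return "Not a web link: " + "; ".join(info["notes"])
    lines = [f"Open site: {info['host']}"]
    lines += [f"  ! {note}" for note in info["notes"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        print(sample)
        print(confirmation_text(sample))
        print()
```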



Penetration Testing through Amazon!

No, unfortunately there is not a new wacky way to conduct penetration tests using one of Amazon's services.

However, there is a new wacky way to try to sell penetration tests/vulnerability assessments!
By trying to sell them on Amazon!

Because we all know that when a company is looking for a security assessment, Amazon is the first place they go looking, right? That way you can compare prices easily, get a discount with your Amazon card, and even get it gift wrapped if you like! (Perhaps you can even get a used pen test that some third party is selling for a fraction of the price!)

LAC (the Little eArth Corporation), one of the biggest security vendors in Japan, started selling web security assessments via Amazon.jp yesterday (2009/2/18).

The prices start at around US$500 for a basic scan to make sure your site is not vulnerable to SQL Injection and XSS.

This is actually not the first time some crazy people have had a go at this.
Two years ago, an organization got my company to do the exact same thing on Rakuten, the "Japanese version" of Amazon. (Well, Amazon.jp is actually the Japanese version of Amazon, but it is kind of similar; it's a huge online shopping mall.) We knew no one in their right mind would buy a pen test from a place like that but figured it wouldn't do any harm, so we let the organization do as they pleased.

Needless to say, no one came knocking on our doors for a gift wrapped pen test.



Personal information is now worth $1200

Privacy laws are very strict in Japan and since 2004, punishment for leaking private information has become stricter and stricter. In February 2004, Softbank BB/Yahoo! BB (broadband provided jointly by Softbank and Yahoo Japan) leaked the private information (name, address, email, and phone number) of many of their customers. I am not sure if any court mandated this, but Softbank/Yahoo paid 500 Yen (about $5) to all of their customers, including those who had stopped using their services, those on a free trial period and even people whose personal information had not been leaked at all!

"Five dollars!! That's nothing!", you say?

Well, it sort of is when you have to pay that to 4,517,039 customers...

Until then there was no real ruling on how much private information was worth and it was not really brought up as an issue. After this incident, however, things changed completely, and every company's worst nightmare here is definitely leaking personal information, no matter how trivial it might be. When talking to companies requesting security assessments, they tell us straight up that they don't really care if their website gets defaced or their servers crash, just as long as they don't lose a single piece of personal information. That usually gets highly publicized, is bad for the reputation and is now resulting in financial losses, which is definitely the biggest fear.

When I was in training for my company 3 years back, they told me that it is unacceptable to leave anything in a public area that could be traced back to an individual. So say somebody calls for Taro but he is not at his desk. I cannot write down a name and number on a sticky note and put it on his computer telling him to call that person back, because somebody else could walk by and see that said person called for Taro. This would be considered a personal information leakage, and while I would probably not be fired I would be highly reprimanded. If I knew for sure that Taro would be back in, say, 10 minutes, I could write him a note and place it face down on his desk. If not, I would have to wait for him to come back to tell him. Also, after Taro sees the note I gave him, he cannot throw it away but has to shred it, because it could lead to personal information leakage followed by a lawsuit if someone happened to be dumpster diving and found even just a person's name. (Well, in theory at least.)

Another interesting story I heard about is a salesman of a company who accidentally CC'd an email to all of their clients instead of BCC'ing it, resulting in all of the clients finding out the email addresses of that company's other clients.... They did not suffer any legal punishment, but they lost an entire day of productivity because they had all of their 100 employees stop their project for the day to call and apologize to every client personally over the phone. In the U.S., a simple apology email or even just ignoring the issue may work, but in Japan doing so would be considered an extreme insult. There is no doubt that many lost trust in that company due to the incident.

Fast forward to January 2009.
For the past 5 years, Japan has been dealing with personal information leakage almost daily from individuals and companies large and small, mostly through the anonymous P2P network Winny. The courts are getting tired of dealing with all of these incidents, and each time they get a case the punishment gets harsher. This month, the courts decided to fine a person 120,000 Yen (about $1200) for merely posting the name, address and phone number of an individual on the supposedly anonymous, infamous forum Channel 2 (or "2 Channel" in Japanese).
The victim is still not satisfied with this and is appealing the case for more money, as "unless the fines are more severe, no one will take this matter seriously," he claims.

So imagine you are the CEO or the person responsible for the security of a company with millions of customers, and if you leak that information you now have to pay $1200 for each person instead of $5...
I am sure there are many people here that do not sleep well at night...

P.S. The picture at the top is the notorious typical shot of the executives of a company at the press release after a personal information leakage incident bowing their heads in shame apologizing to the world.




RSS feed should be up. =)



Hidden Obsessions

For whatever reason, many "bad guys" in Japan LOVE hidden recording devices. Typically this has meant audio, mainly for corporate espionage and the occasional pervert, and video, obviously used mostly by perverts.

(Can you spot the hidden cameras?)

They have specials on TV every now and then interviewing these bad people, and yes, they are certainly out there, they have no morals, and they are experts at what they do. It definitely surprised me. I do not think there is any other culture out there that takes to this hobby as much as Japan does, but please let me know if you see this happening rampantly in other places of the world.
While you won't hear it on the news so much (and I probably shouldn't be writing about this in public...), almost all big companies in Japan have had incidents with illegal bugging for whatever reasons. It is seen as the norm here. What happens is that they do not want it to go public, so they just cover it up... sweep it under the rug, no harm done, right?

Last September, a TV crew accidentally found a wiretap disguised as an extension plug in the Osaka education board while shooting a series on wiretapping in Japan. (Kind of ironic, eh?)
Eventually one employee admitted he planted the bug, but before that Osaka's Governor Hashimoto was interviewed to get his thoughts on this. I watched this on TV.
I was naturally expecting to hear him say something like: "I am absolutely outraged by this! We are going to track down whoever did this and take appropriate action..."

However, as everything in Japan is 180 degrees backwards from Western thinking, he said something approximately like:
"Hey, it wasn't me guys, I swear! I don't know who did this but look, I wouldn't even use an old model bug like that. But hey, this happens all of the time. No biggie, let's just forget about it, ok? I swear it wasn't me..."

So yeah, some keen people picked up on the little statement about how he wouldn't use an "old model" like that... I see. Well, in order to make a statement like that you must be pretty familiar with the different types and latest models of bugging equipment, which means that you probably have experience using them, which means..... oh well, as you say, it's commonplace in Japan anyways, so let's just forget about it!

So this incident made the news for one day and then people forgot about it.

(Here comes the culture reference! Get ready for it....)

Yes, if something is commonplace in Japan, unless the act results in something ridiculously bad, people will not make efforts to rectify it. And even if they do, there is a strong chance that it won't change anything. This happens all of the time and I can probably cite a hundred different examples that occur in various aspects of life here. Sticking to tradition or doing something one way for the sole reason of "well, it's always been done that way so we shouldn't change it" thinking is certainly not particular to Japan and happens all over the world in every culture every day. The only reason I mention this is because this kind of thinking is much more prominent among Japanese compared to elsewhere in the world. This is naturally changing with the younger generation, but the younger generation does not have the power to change anything here, because in order to succeed and be in a position to change things you have to pass one qualification above all others first. That is, you have to be older than everyone else. (Which usually means you are at least in your mid-50's.) And by the time you reach that age your mind gets pretty worn out from the 30 years of 20-hour work days, and you become brainwashed into thinking whatever your elders tried to force you to think for those 30 years... So yeah, it is going to be a little while before this type of thinking starts to filter out..

Anyways, I have only seen this "reasoning" result in something negative, and oftentimes this includes security.

Kind of like the familiar story of "Hey, we found a vulnerability in this software because they had old code that was there because nobody knew why it was there or they figured it was bad but they just left it be because that's how it was."

Lesson to learn: If there is a tradition to do something a certain way but everyone has forgotten why it was done that way in the first place or if people are starting to find problems with doing it that way, you should quickly question why it is that way and change it to fit the present day.

Ok, so this post originally was a tangent I went off on from the previous post, which I decided to make into a separate post to be clearer to understand, but then I went on another culture tangent which is sort of unrelated in a way, but in another way everything is related.. So I am ending up with random unrelated-but-related thoughts everywhere... which I guess is how I think...

Anyways, the last point I want to make is actually the starting point of what inspired me to write about this topic in the first place...

As mentioned in the two previous posts, people are now becoming interested in recording what is going on in the computer. (i.e. key logging). While these are just two examples and I can not give solid statistics as all of this is happening underground, they are certainly signs that bad guys are realizing the "benefits" of moving to more sophisticated means of the much loved hobby/full-time job of illegal wiretapping/filming. While I can say for certain that backdoors/key loggers have been and are still used much more widely in other countries, as Japan is years behind in the hacking scene, I would predict that once people catch up it will be included as one of the obsessions here in the future.

(Hopefully my prediction is wrong...)


Getting a little more high tech...

Until quite recently we have mostly seen low tech hacks in Japan.
Things like physically knocking over ATMs with a crane or social engineering over the telephone are still by far the most dangerous and prominent attacks in Japan.
It's so bad that when I attended a seminar a couple of months ago given by probably the most famous computer forensics company in Japan, the lecturer was even complaining about how pathetic and low tech the criminals are here, and that he wished they would wise up and do more high tech crimes so that their work was actually interesting.

However, as anyone could have predicted, things are starting to change and bad guys are realizing that there is a whole world of potential for online theft just sitting there waiting for them.

January 29, 2009 was the first time in Japan that anyone has been caught physically breaking into a private house to install malware. (Yes, your mailbox is actually NOT a good place to put the key to your house.) The intruder installed a backdoor/keylogger, which he used to steal personal information and transfer about 9,000,000 yen (about US$98,000) to fictitious bank accounts that he created with passports, etc... stolen from people's houses.
This guy was apparently not too sneaky as he has been arrested 3 times for fraud. Hopefully this will be his last.

I am sure we will see more of this to come.


Hacking Back is Illegal in Japan Too!

"Hacking Back" is apparently commonplace and accepted in some developing countries, so I have heard, but it is not in others. Japan has, as you would expect, taken a stance against hacking even if it is for righteous revenge.

A 15 year old kid in junior high school had criminal charges filed against him for illegally accessing the Yahoo Mail account of someone who had previously stolen his Yahoo Mail credentials.
That person is a 20 year old guy who he met via an online game. This guy apparently had the habit of trying to trick others into installing a program that would "make their character uber elite", when in fact it just logged their key strokes and emailed the logs back to him.
This kid was apparently pretty smart (well, if you discount the part about him blindly running code from someone he met online...) and realized that this program just made his computer run slower. He realized it was malware, so he uninstalled it, analyzed it and found out the email address of the guy. He then somehow inferred his password, with which he illegally accessed his account, etc...

The guy was caught a couple months later using the same trick on other people and during the police investigation they found out that this kid had been illegally accessing his account which he had no idea about.

They tracked the kid down and now they both face criminal charges.

Original Article:
Asahi News


Started to blog..

I have started to blog about security/IT related issues in Japan.
There seem to be a fair number of people interested in what is going on in Japan who cannot get information because they either don't live here or don't know the language.
I can tell there are a ton of people at least somewhat interested in Japanese culture, as I can probably name over 300 different tools or presentation titles off the top of my head that are taken from Japanese (that is, have "ninja" or "samurai" in the name or are taken from the name of a sushi roll), from anime, etc... and yes, Japanese people make fun of all of you guys for using wrong/weird Japanese just as much as you make fun of them for using wrong/weird Engrish. -=] (Just, they are a little bit nicer and don't go out of their way to make websites and businesses out of it....)

There are many sites in Japanese about what is going on in Japan, but none that I know of in English from an outsider's perspective. So I hope to fill in that gap.

I have been thinking about doing this for a little while but finally decided now is the time as there is finally enough security-related news today for me to actually have something to write about... (At least enough for maybe once a month..)

I do not want to limit myself to cyber issues only, but rather cover a wider range of topics, and hopefully include bits of what I am interested in the most: the culture. That is, how culture affects security. How do they handle things differently, etc...

Please feel free to add comments/questions.

      /      \
   /         \
  /   ⌒   ⌒   \
  |  /// (__人__) /// |
  \            /