crime

38 Japanese firms' authentication data stolen amid teleworking increase

15 Comments

The requested article has expired, and is no longer available. Any related articles, and user comments are shown below.

© KYODO

©2022 GPlusMedia Inc.

15 Comments
Login to comment

High time for japan to do like the US and India ban all the chinese apps develop n use their own apps as long as the use the Chinese these kind of cyber theft will continue

-4 ( +5 / -9 )

The Pulse Secure VPN software was compromised, and 900 clients didn't install the patch.

We can blame the informatic, as always.

4 ( +4 / -0 )

Watch this being used to herd people into offices instead of the WFH they prefer.

5 ( +6 / -1 )

Pulse Secure released patches in April 2019 to fix vulnerabilities in its VPN service. Despite repeated warnings from the NISC and expert communities, however, some Japanese companies did not update their systems, leaving themselves vulnerable to hackers.

This was widely reported on IT Websites, and no doubt Pulse would have been repeatedly emailing the businesses to get themselves patched. This is just negligence, and they have no one but themselves to blame.

If valid credentials have been stolen, each of those companies should be contracting in external parties to do a thorough security audit of their various environments.

AviBajajToday  07:18 am JST

High time for japan to do like the US and India ban all the chinese apps develop n use their own apps as long as the use the Chinese these kind of cyber theft will continue

There doesn't appear to be a Chinese connection here, so I'm not sure what relevance this has.

8 ( +9 / -1 )

75% of business hacking originated from USA according to latest research. Just saying...

-4 ( +1 / -5 )

Such a waste to buy security software and equipment and not update it religiously

2 ( +2 / -0 )

As for security practices,

Stay patched

Stay on currently supported OSes

Have automatic, daily, backups that are "pulled" by a server, never "pushed" by the client.

Test the restore of those backups at least 4 times when you first setup the system to ensure that works perfectly. Best to test onto 100% new hardware, in a different room, without access to anything except the backup storage. Then test the backups at least yearly. The more practice with restoring, the better we all get doing it.

==

If you use only passwords for security, then you've already failed.

If those passwords are easily typed and less than 20 characters, you've failed doubly.

Any online password should be as long and random as possible - 65 characters. Long enough that you aren't tempted to try typing it and use a password manager instead.

Even with this long, random, password, some sort of 2-factor authentication is needed. Avoid 2FA tied to a phone. Get a $15 U2F device and use that.

Corporate logins probably need a more expensive $45 TOTP or HOTP device.

My bank provided an RSA fob just because I asked for it. The 1-time key changes every minute. Tied with a password, it is difficult for anyone to break into my accounts without using social engineering of a bank worker. I've lied on all their security questions, entering random, long, answers. These are stored in the password manager. Even with "rubber hose" decryption, I don't know the answer. Heck, I don't even know the login name used on my bank/brokerage accounts. Those usernames are long and random too.

The only passwords anyone should "memorize" are those that must be typed to unlock/log into a computing device. Many devices support using a challenge/response method to unlock a computer. Be certain you have more than 1 method to unlock the computer. Linux LUKS encryption allows 8 different decryption slots and multiple methods to unlock the storage, for example.

0 ( +0 / -0 )

@theFu,

A lot of good advice. I have one question...

Avoid 2FA tied to a phone.

Can you clarify? I use Google's authenticator app for a few sites I need to access. I don't see this as significantly different from a separate fob (it generates a code every 30 seconds), and in some ways is more practical if you need to access several places.

0 ( +0 / -0 )

High time for japan to do like the US and India ban all the chinese apps develop n use their own apps as long as the use the Chinese these kind of cyber theft will continue

Pulse Secure is an American company with its headquarters in San Jose, California.

1 ( +1 / -0 )

5% of business hacking originated from USA according to latest research. Just saying..

Prove it. Waving the bs flag on that claim. Not heresay but honest data.

0 ( +0 / -0 )

"some Japanese companies did not update their systems, leaving themselves vulnerable to hackers."

Security 101, ladies and gentlemen.

"No actual damage from the VPN data theft has been reported."

The hackers are called "low and slow" for a reason. Maintain access, cover your tracks.

1 ( +1 / -0 )

albaleoAug. 26  11:45 pm JST

Avoid 2FA tied to a phone.

Can you clarify? I use Google's authenticator app for a few sites I need to access. I don't see this as significantly different from a separate fob (it generates a code every 30 seconds), and in some ways is more practical if you need to access several places.

An MFA app on a phone is every bit as secure and has many advantages, as long as the owner takes good care of the phone (i.e. not rooting it, has good PIN/fingerprint security and applies security updates in a timely manner). The main advantage is that users will always take their phone with them wherever they go.

Using a FOB/Smartcard comes with the risk that the user sees it as just another thing they need to carry with them, and the temptation is then to leave it somewhere 'convenient', i.e. in the desk drawer next to the PC . . . which defeats the whole purpose of MFA.

A good example of this is your local cafe. How many people leave their bags on a chair in Japan when going to order, but take their phones with them. What is in the bag? Laptop with fob?

Text message codes for MFA are far less secure, but still a significant increase in security over something than can be just written down and stored anywhere.

1 ( +1 / -0 )

75% of business hacking originated from USA according to latest research. Just saying...

Where's this research?

0 ( +0 / -0 )

75% of business hacking originated from USA according to latest research. Just saying...

Where's this research?

Not sure it can be classed as research, but I found this link:

https://www.rt.com/russia/499005-beware-of-russian-hackers/

Other sites put the ranking of cyber attack origins as China (41%), USA (10%), Turkey (4.7%), Russia (4.3%), Taiwan (3.7%).

https://www.govtech.com/security/204318661.html

The original poster said "business hacking". I'm not sure how that is defined, but if it involves getting money, it might make sense that the criminals are local and clever (so that rules out my neighbourhood).

However, I'm pretty sure 99% of cyber attacks originate on the internet, so attributing to countries doesn't really offer much information. Personally, I like to think they all still originate from Nigeria.

0 ( +0 / -0 )

Login to leave a comment

Facebook users

Use your Facebook account to login or register with JapanToday. By doing so, you will also receive an email inviting you to receive our news alerts.

Facebook Connect

Login with your JapanToday account

User registration

Articles, Offers & Useful Resources

A mix of what's trending on our other sites