Paul S. Ziegler points out the issues of corporate security in East Asia, namely the peculiarities of an employee’s perspective on taking responsibility.
We’re going to move on to probably one of the most fun parts of this, at least if you like stories that make your hair stand up. We’re going to talk about corporate insecurity, which means the reason why companies that you work for, or that you may consult for, or that you may test in either country, are not that up to speed and have all these weird security flaws, and we’re not quite sure how this could have happened. And any security flaw you’ll find – and this is also applicable to Korea, but this is mostly for Japan – you have to look at through 2 filters, 2 conceptual filters.
Number 1 is lifetime employment. What on earth is lifetime employment? Well, it basically means the company hires you fresh out of university and they guarantee you a mediocre wage – it’s not bad, it’s not really good, it’s a mediocre wage. They guarantee you mediocre raises of anywhere between 3%-5% a year. And you cannot be fired or laid off; the company is not legally allowed to. You couldn’t make this contract in Europe, for example, but you can do it in Japan.
If you survive until your retirement, they’ll pay you 75% of your last wage until you die, and if you die your spouse is going to get the same amount of money until they die. While it may not be an appealing model to the hacker community, where we do everything ourselves and we want to live our lives, for people who just want to run a family this is an incredibly appealing model. People who run pentests often forget this motivation base behind them.
The other concept to look at is bonuses. Now, in most countries there is some form of bonus, but it’s usually either a couple of hundred dollars or a month’s wage. What we have in Japan is that it’s up to 50% of your annual wage, and when I say 50% I mean your bonus may be 12 months of your wage. So, if you get your bonus, you double. If you don’t get your bonus, you may not be able to pay your bills. Officially this is made to reward good work; unofficially it usually depends on who does the most overtime, and, really, it’s a tool to keep employees in line, because if you want to change something, you’re always running the risk of not getting your bonus, because even though they usually pay this to people every year, it’s not guaranteed in your contract.
So, the entire thought process of an average worker, it doesn’t matter if it’s an engineer or middle management, or even upper management, in a Japanese company boils down to: “Don’t f**k up.” And when I say “Don’t f**k up,” “f**k up” is a “do” word; it requires action. As long as you remain passive, you cannot be blamed.
This sounds weird from an outsider’s perspective, so let’s look at an example. You’re working on a project, and you make a judgment call, because you see the situation is totally clear, and there’s a protocol in place, but the protocol is not particularly well defined, it was defined 20 years ago and you figure: “Wow, if we just did it this way, we could save this company millions.”
But something goes wrong, something you didn’t predict, maybe the country you tried to do business with had a military putsch, something like that, and your company incurs a small loss. And when I say small loss, this could be $10, it’s enough. You screwed up – your bonus is gone. You’re not going to get it; you may get fired for it, because you obviously had the audacity to act against the company.
Now, on the other hand, if you pedantically stick to protocol, even if it’s completely wrong and it’s obvious that it’s wrong, and the company loses millions over this because you refuse to budge, because this is how you do it – as long as the company doesn’t go bankrupt over it, and this is kind of hard to do in Japan because most of the companies are subsidized by the government, your promotion will be secured. It doesn’t matter how badly you screw up from a human perspective, as long as you don’t do anything to screw up, you will get promoted and you will get your bonus and you will get all your stuff handed out to you. So, in a nutshell, don’t work too fast, stay until 1 a.m. and secure that bonus, or you can become a contractor, but then you’re kind of an outcast.
So, let me give you an example of how this actually plays out. In this example I’m going to run you guys through a fictional penetration test of a fictional company, not that this has ever happened to me in person, I just want to get your feedback and how you would react.
So, you go in, you fire up nmap, you run it against the customer’s network, and you find a Windows NT4 box that runs IRC on port 31337. Now, here’s the million-dollar question: how would you react? I know this may be presumptuous, but I would assume the freaking box is owned; call it intuition.
So, I told the client that I never worked for the same thing, and their response was: “Ok, we’ll check into it. That seems like a very serious issue, we acknowledge that IRC should not be running on a Windows NT4 box in our corporate network.” This was on the Internet, by the way, and dialing out to other IRC servers to get commands.
“We’ll check into it,” and two weeks pass, and nothing really happens, so I decide to kind of poke them about it and go: “You know, that IRC box, the Windows NT4 box with IRC running, whatever happened to that one?” Here’s the reply with emotion added to express my feelings at the point that I heard it: “We have decided against shutting down or altering the affected machine, because the guy who set it up no longer works here and we have no idea what it does. But it might be important, so we’ll just leave it running.”
Now, can any of you spot a flaw in this approach? I mean, it’s flawed when you look from the outside, but from a checklist of an engineer it goes like: “I didn’t touch it. It’s not obviously horribly broken from a middle management PoV” (not obviously horribly broken, from a middle management PoV, means it’s not on fire), and when I say: “It’s not on fire,” I mean it’s not physically burning. A few more items from a checklist of an engineer are: “If we get hacked, someone else did it,” and “I still get my raise and keep my job.”
So, how do we exploit that if we run pentests in Japan? Number 1: you can assume that stuff won’t be fixed. If you find it weird to find NT4 servers running secure services, then you’ve obviously not done many pentests in Eastern Asia, because it’s extremely common. Because what usually happens is someone sets them up and they work somewhere else, so no one knows what the box does and no one wants to touch it, because something bad may happen, and then you did the bad thing, and then you’re fired.
Number 2 is: if you can create a responsibility setting, then no one will disturb you. A responsibility setting is something like this: you’re running a pentest, someone walks up to you and goes: “What are you doing?” and you go: “Well, I’m here on behalf of…” (find the name of some middle manager or upper manager – anyone who outranks anyone in the building at the moment that cannot be reached because they’re on vacation). “Will you be responsible when he finds out that you disturbed me?” I’ve never been talked to after that sentence.