Hackers have disclosed the names of more than 100 Japanese public organizations and companies that have website vulnerabilities since February this year.
WooYun, a website operated by Chinese cybersecurity experts and others, disclosed the names of the Japanese companies on its website. The high-risk security vulnerabilities could allow black hat hackers to conduct cyber-attacks if left unattended, but the names of such websites are not made public in Japan.
Some of those concerned are upset, saying that disclosing the names of the websites would encourage cyber-attackers to target them. However, other experts have said that Japan’s policy of not making the risks public has resulted in a large number of vulnerabilities not being addressed.
Once the hackers find vulnerabilities, the details are publicized on the WooYun website after a moratorium has passed, regardless of whether the vulnerabilities have been fixed. Although the hackers who find the vulnerabilities are not given any reward, some have received job offers from major companies after their findings were validated, so the website is seen by hackers as a gateway to success.
So far WooYun has carried reports about the vulnerabilities of at least 100,000 websites, mainly in China. But since February, reports about Japanese websites have shown up.
More than 100 Japanese websites of state-run research and development institutes, independent administrative corporations, universities, hospitals, industrial associations and companies have been named in reports on the website. Most of the cases are about vulnerabilities in databases, and it is feared that if the vulnerabilities are left unattended, the websites may be unlawfully manipulated and information may be stolen.
The Japan Computer Emergency Response Team (JPCERT), a Japanese incorporated foundation that collects information about computer security, is acting as a mediator for WooYun, and has recommended that officials concerned take measures. But the number of reports on WooYun has steadily been rising.
An official at a Tokyo hospital which is famous for treating cardiovascular diseases said, “We’re grateful to Chinese hackers who found the vulnerability, but we want them to notify us privately, instead of making it public.”
In late April, the hospital received a message that it urgently needed to fix a vulnerability or the problem would be made public two days later, so it hurried to correct the problem.
“It was okay at our hospital because we fixed it by the end of the moratorium,” an official said. “But if it had been too late, our website would have been targeted by hackers.”
In Japan, there are public reporting and notification systems for online vulnerabilities.
But under the systems, the names of websites with vulnerabilities are not made public, regardless of whether administrators of the websites take necessary actions. This means there are a sizable number of websites with unaddressed vulnerabilities.
JPCERT is particularly concerned that 95 percent of vulnerabilities that have been found this time are database problems that black hat hackers can unlawfully manipulate using a method called SQL (structured query language) injection.
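The class of database problem JPCERT refers to, illustrated with an added example that is not part of the article and describes none of the affected sites: a lookup that splices a visitor-supplied value into the SQL text beside the same lookup written with a bound parameter, run against a constructed in-memory SQLite table (the `patients` schema and the function names are assumptions made for the demonstration).

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; the schema is assumed, not taken from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, record TEXT)")
    conn.executemany(
        "INSERT INTO patients (name, record) VALUES (?, ?)",
        [("alice", "record-A"), ("bob", "record-B")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated into the SQL text, so a quote in the input
    # can change the structure of the statement rather than just the value compared.
    query = f"SELECT name, record FROM patients WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    # The value is handed to the driver separately from the SQL text; whatever it
    # contains, it is compared as data and can never become part of the statement.
    return conn.execute(
        "SELECT name, record FROM patients WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A textbook tautology input: the concatenated version returns every row,
    # the parameterized version returns nothing because no patient has that name.
    probe = "' OR '1'='1"
    print("concatenated :", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
```

The fix the page's officials were asked to make is the second form: every place a web application builds a query from request data should bind the value as a parameter, and a review of the code base can grep for string formatting or concatenation adjacent to `execute` calls to find the places that still use the first form.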
Analysis / Japan must mull disclosure
By Masako Wakae / Yomiuri Shimbun Senior Writer
A number of experts have said there are a large number of website security vulnerabilities in Japan, but they have not been discovered.
Because of the risk of committing an illegal act, it is difficult to search for vulnerabilities in Japan. And because vulnerabilities are not made public even if they are found, response to the weaknesses in Japan has been slow, the experts say.
One expert said it was not surprising that high-risk vulnerabilities were found in Japanese systems in a short period.
Various factors need to be reviewed to improve the situation. They include how to strike a balance between searching for vulnerabilities and the Law on Prohibition of Unauthorized Computer Access, and how to regard the responsibilities of computer-system administrators and developers.
Another question is how to make discovered vulnerabilities public. Making vulnerabilities public may encourage cyber-attacks, but it is difficult to raise awareness of the need to make websites safer under a system in which problems are not made public even if vulnerabilities are left unattended.
“Information disclosure will clarify responsibilities,” the founder of WooYun said at a lecture in Tokyo last year.
It is hoped the recent revelations will lead to progress in the reexamination of Japan’s systems.
■ Vulnerability
Security holes caused by bugs and mistakes in programming. Vulnerabilities tend to be exploited in cyber-attacks aimed at destroying computer systems and stealing information, so it is necessary to fix them as quickly as possible if they are found. Information about vulnerabilities is sometimes sold on the black market for high prices.