The governor of Nagano ordered a security audit of their network with a focus on the Basic Residents Registry system of the central government. I was asked to take a look at the audit and provide a 3rd party opinion. Since I am on the central government panel working on the security of the Basic Residents Registry, my letter has become a bit controversial and apparently my phone is ringing off the hook right now in Tokyo. Lucky for me I'm in the US...

I'm not looking forward to returning to Tokyo.

The central government denies security problems and I am going to have to deal with this when I return to Tokyo...

The audit is not yet completed and my audit of the audit is an opinion based on incomplete information. I will be meeting with both sides when I return to Tokyo and will probably be required to write another opinion after the final results of the audit have been submitted and I have heard the arguments from the central government.

Mainichi reports some of this in English

Here's the letter.

December 11, 2003

Governor Yasuo Tanaka

Dear Governor Tanaka:

I have reviewed in detail the security audit that your outside auditors conducted on three towns in Nagano. I reviewed their process, data and analysis. I also interviewed the key members of the team for several hours and discussed their methodology and conclusions.

Generally speaking, the security level at the sites was below average and a variety of personal information about your citizens is at risk of being stolen and modified.

The team conducted audits from the Internet and from inside the local government offices. The team was given very limited time to conduct their audits. The penetration test from the Internet was not successful. The tests from inside the government offices were quite successful. The audit was limited to computers inside the local government offices, so the Jyukinet was not attacked directly. However, the computer that connects directly to Jyukinet, the “CS server”, and the “Reams server”, which is inside the local government network, both have databases of the Jyukinet data of the citizens living in the city. Both of these servers were vulnerable and the audit team was able to take control of them. This would theoretically allow them to edit, delete and create new citizen records. It was not tested, but it is likely that editing this database would cause these false records to be sent to the central Jyukinet system.

In addition, there were numerous files containing sensitive personal information unrelated to Jyukinet accessible on the local government network with no protection.

Although it was not possible to penetrate the local government network from the Internet, there were dialup accounts for remote offices that allowed users to connect to the local government’s network. It is possible that these dialup accounts could be exploited to allow someone to dial into the network. In addition, the library in one city was directly connected to the network. As anyone can use the library’s machines or connect their computer to the network, anyone can download the sensitive files being “shared” on the machines without any “hacker skills”.

Breaking into the CS Server and the Reams server, which contained Jyukinet data for the local citizens, was quite easy. They were running systems that had not been properly updated with security patches. The passwords were very obvious on the system as well as on the database and were quickly cracked. The software running on the server was written with “buffer overflow” vulnerabilities that show a lack of understanding of security by the developer of the code. I recommend a third party security audit of the software running on these systems. A computer engineer using freely available tools would be able to exploit any of these vulnerabilities to gain access to the Jyukinet data.

In summary, I believe that the security level of the networks was below average and any average computer network engineer could break into and steal or damage a variety of personal information including Jyukinet information. The people working in the office and, in particular, the vendors providing the system security are not sensitive to security and privacy issues. The servers have not been maintained properly and the selection of passwords (many had default passwords or easily guessable passwords) was irresponsible and showed a complete lack of attention to security. I strongly urge that the priority on security for privacy purposes be increased significantly, both in local government offices and vendors providing solutions to these local governments. I believe that the citizens and the people responsible for protecting their information are significantly at risk.


Best regards,
Joichi Ito

15 Comments

Maybe you should get them to look at ISO 17799 (or BS 7799) commonly known as "Information Security Management System".

ps: Yep, I am a standard guy.

James, standards guys are never standard guys. :)

Joi, this is a pretty bold move on your part, but, I believe, a necessary one. In order for us "normal citizens" to have a chance in hell of retaining our freedoms, we must pay careful attention to the way that the government runs. This means being able to see into the computer security, the bureaucracy, and the other activities conducted by government. When we see problems, it's our job to tell people so that they can be addressed, not in secrecy, but out in the open. Thanks!

Joi, the AVERAGE is generally AWFUL, so BELOW AVERAGE can be interpreted as a polite way of saying security is VERY BAD. Don't forget dialup lines for maintenance and the roles of trusted insiders. (I know the old belief that insiders are honest, but that is evidently not always true -- and besides they make mistakes. System administrators also have an enormous burden placed on them, and given the fundamental lack of security in most computer systems, it is unreasonable to blame them for things that go wrong.)

Thus, I conclude that your analysis is quite conservative.

Peter

Joi,
It's nice to hear someone in Japan involved with government projects being honest and refusing to cover up serious issues.
From my perspective, I was very skeptical of government agencies and officials when I was there because it seemed like their first priority was to avoid a scandal, instead of solving actual problems.
Best,
Ray

I would say that having either the data publicly shared on the local network (without any passwords), or having the local network publicly accessible through the library would constitute a BELOW AVERAGE state of security. Having both could only be described as a complete travesty.

Well done, Joi. Well done.

David, I goes from 'huh' to 'oh! doh!'. ;-)

Joi, I agree with Peter that the average security standard in most places is *very low*, so if they are "below average", erm... Based on what you say they did wrong, I'd say they are about average for an entity that has not looked at its security before.

But since your report is meant to kick their butt to do something, maybe you can suggest to them to look at ISO 17799 / BS 7799. ISO 17799 is one of a few risk management standards which really make sense.

I think the new link is here:

http://mdn.mainichi.co.jp/news/archive/200312/16/20031216p2a00m0dm004000c.html

There are also links to previously related articles; seems like the Government is not listening?

Thanks. Updating.

The letter is good, Joi. I'm trying to understand how that would cause any controversy, but then again, I seem to trail that sort of thing in my own wake.

As for standards, you know my opinion on those--too little, too late, too static, worse than useless.

When will they shift from "protect systems you can't protect" to "build trusted systems"?

Joi,

Good luck with this one. I'm glad someone is saying something. I'm well aware of the lack of security standards in large corporations in Japan and have a passing awareness of government networks as well. Why is it though that I expect your letter to be swept under the rug...

Wow.

Please keep us updated on this.

So, what happened?


2 TrackBacks

Listed below are links to blogs that reference this entry: My letter to the governor of Nagano about his security audit.


Joi Ito wrote recently of the report he submitted to the governor of Nagano prefecture backing up the prefecture's findings that the government's Juki Net resident registration system was poorly protected against intrusion; it looks like this may have ...

If you want to read some more about the results of my security audit of Japan's national ID check out Joi Ito's letter to the Governor of Nagano. His letter was the result of my test....
