Self Introduction

I am Morino, leader of the CIO Office Security Team at KINTO Technologies.
My hobby is supporting Omiya Ardija, the soccer team from my childhood hometown Omiya (now part of Saitama City), in Saitama Prefecture.
Lately I’m into watching Mobile Suit Gundam: The Witch from Mercury, and eagerly look forward to catching it every Sunday at 5 p.m.
The other day I went to the Information Security Workshop in Echigo Yuzawa 2022 for the first time, so in this article, I'm going to talk about some of the talks that left an impression on me.

What Is the Information Security Workshop in Echigo Yuzawa?

The Information Security Workshop in Echigo Yuzawa has a long history, having been held annually since 1998.
The 2022 iteration was held on October 7 and 8 (Fri & Sat). On both days, the Yuzawa Community Center was the venue for the daytime session, and the Yuzawa Grand Hotel was the venue for the live broadcast and for the nighttime session itself.

The Night Session — The Highlight of Echigo Yuzawa

Echigo Yuzawa is famous for its delicious sake and hot springs... I meant, its night session. The battle for tickets is fierce every year and I'd given up on getting one, but then someone gave me theirs at the last minute; I was so lucky! Before COVID-19, the speakers and participants would sit in a circle for the discussions. However this time, they were placed further apart from each other, since the pandemic was still a major concern. Nevertheless, the Q&A exchanges were still very lively.

They're Back! “That Security Thing” in Echigo Yuzawa

I always look forward to seeing the members of That Security Thing do their podcast in the night session.

• Nobuhiro Tsuji, Principal Security Researcher at SB Technology Corp.
• Masafumi Negishi, General Manager at the Security Headquarters Security Information Office at Internet Initiative Japan (IIJ)
• piyokango, the security-researching parrot

Given how cyberattacks can strike out of the blue, piyokango said that he wants to do something like a weather forecast that predicts them, so that people won't be at their mercy quite so much. A general-purpose one might be tricky, but with phishing attacks for example, domains and certificates for the phishing sites are obtained before they're launched. As I listened, I was thinking that if we could detect those activities, then maybe we could to do something like a phishing weather forecast.

Mr. Negishi called our attention to an important problem—namely, that we shouldn't judge the urgency of responding to vulnerabilities based solely on their score in the CVSS (Common Vulnerability Scoring System), but should also take into account whether they're actually being used by cyberattacks. As its name suggests, CVSS is a system for quantifying the severity of vulnerabilities in information systems. Reference: IPA Common Vulnerability Scoring System CVSS Overview
As someone who collects information on vulnerabilities and evaluates their impact on my own company's systems on a daily basis, I find it extremely handy to be able to decide how urgently they should be addressed based on their calculated scores. However, even ones with a low score can be used by cyberattacks, so caution is required. The Cybersecurity & Infrastructure Security Agency (CISA) in the United States publishes information on vulnerabilities used by cyberattacks and updates it as needed, so I think adding information like that to our criteria for prioritizing them will help us provide systems that are even safer and more secure.

What about Mr. Tsuji? Well, I missed your session because I went to another one. I'm very sorry, Mr. Tsuji.

Phishing Hunters Sometimes Need to Relax in Hot Springs Too

This was a night session event by people who battle with phishing sites on a daily basis. - Self-proclaimed handsome phishing scam hunter Nyan☆Taku

• ozuma5119
• KesagataMe
• Cyber Samurai Kazumi

To prevent as many people as possible from falling victim to phishing scams, they asked us to share some slides they'd made about them on social media and so on. So I've added them to this blog article too. It's extremely hard to tell whether links on social media and in emails are phishing attempts, so don't click on them at all. Instead, go to the target site via your browser's bookmarks or a search engine.

How Young People Are Using the Internet, and What Can We Do About It

• Maiko Shichijo, ICT Usage Environment Awareness Support Office, Cyber Grid Japan, LAC Co., Ltd.

I have a child in junior high school, so I listened to this lecture with tremendous interest. Apparently, 30% of children have a smartphone of their own when they're 9, and 90% do when they're 13. These percentages are much higher than I'd imagined, so it was a real eye-opener. I've listed below the things that were news to me about how young people tend to use the Internet, but I was utterly shocked to hear that they use smartphone apps that not only share their location, but even their phone's battery levels. - They don't like wordy chat messages.

• They use images for long passages of text. (Notepad screenshots.)
• They use different accounts for different things.
• About half of all high school students use their real names on social media (because their friends won't be able to find them if they use aliases).
• They share information and video in real time.

As I listened, I was struck by how much we don’t understand about how children are using the Internet, and how dangerous it can be for them. But we mustn't tell them that we don't understand, because they'll stop listening as soon as we do, mentioned the presenter. The message was that we should accept the reality that children use the Internet in ways we don’t understand.

After the presentation, I got to discuss children's use of social media, and the takeaway was that they should be allowed to use them under parental supervision, while being shown how to do so safely instead of banning it completely. They could use it behind your back anyway, which will make things even worse.

Vulnerability Measures and Information Sharing: What We Learned From Establishing an In-house Bug Bounty System

• Ikuya Hayashi and Sakura Tsukakoshi, NTT Communications Corporation

The idea with a bug bounty system is to pay people rewards for uncovering software vulnerabilities. When someone outside the company submits a software vulnerability report, it's hard to decide whether to trust them or not. So NTT Communications Corporation decided to provide a bug bounty system to mobilize its employees. That's because if you get a bug report from a fellow employee, you can be sure of their credentials. The system really did help to strengthen their security, they said, including the disclosure of a serious vulnerability that allowed common users to have high-level privileges. As a result, voluntary study sessions were held, non-engineers got rewards, and it created the opportunity to discover new talent among employees. I thought it might a good idea for us to establish a bug bounty system, too.

In Conclusion

Taking a timeout from my daily work to meet and hear talks by people from a variety of backgrounds was a very stimulating experience. I'd like to start using the vulnerability prioritization criteria mentioned above in our company as soon as possible. I think it'd be great to have a bug bounty system, too, although it might be difficult to get one up and running straight away. Besides the hot spring workshop in Echigo Yuzawa, there are other sister ones (so to speak) all over Japan. So, how about trying those out, too?

Battlefield Symposium Atami
Shirahama Cyber Crime Symposium
Cyber Security Symposium in Dogo
Kyushu Cyber Security Symposium