Last week, I had the opportunity to travel to Tokyo, Japan to visit the Tripwire Japan office. I also had time to tour the city a bit with my colleague Lane Thames and his wife Linda. While the flights were long, the experience was absolutely worth it. The subway system, while pretty crazy to look at via map, was easy to navigate with the help of Google Maps, and we used it almost exclusively to travel around the city. The yellow Ginza line with a station right across from our hotel was our most traveled line, as it went to many of our destinations. We took the subway to many of the popular areas of Tokyo including Asakusa, Akhibara, Yokohama, and the area around our hotel Akasaka. We spent the beginning of the week exploring Tokyo as tourists. We went to the Tsukiji Fish Market where we enjoyed sushi for breakfast, took a bus tour around the Imperial Palace, shopped for souvenirs in Asakusa, and checked out the view from the top of the nearby Skytree tower. My personal favorite, and the number one thing I wanted to do in Tokyo, was visiting the Eorzea Café, a Final Fantasy XIV-themed restaurant as I’m an avid player.
Darlene and Lane at the Tsukiji Fish Market Wednesday, we met with Izumi Kaneko, our contact in the Tripwire Japan office, and our two fantastic translators. I was nervous about how the translation would work as I’ve never done it before, but it went smoothly and was actually a lot of fun. English to Japan translations were done consecutively, while the Japanese to English translation was done live through a transmitter to headsets for me and Lane. The seminar on Wednesday, presented to a group of around 40 customers, opened with a talk from a Japanese pen tester, Tsuji Nobuhiro, who discussed his thoughts on patch priority. The main takeaway was that it can sometimes be impossible to patch every vulnerability, so the first priority for patching should be given to vulnerabilities with known exploits as they pose the greatest risk regardless of other metrics such as CVSS score. He also noted keep an eye out for exploits that come out after the initial disclosure of a vulnerability, as it could make what had been a low priority vulnerability suddenly increase dramatically in risk. This was a nice validation of IP360 scoring as it takes into consideration known exploits, as well as VERT’s work in monitoring for new exploits and updating our scores as they are released.
Darlene and Lane outside the seminar venue Lane’s talk followed, where he discussed exploit creation trends over time and noted that it’s currently on the decline. This, he hypothesized, was due to there already being so many older exploits out there that are still useable today, so there is less incentive or need to write new ones. ‘Oldies but goodies’ was a phrase he used to get across the point that. While new vulnerabilities might be important to fix, we shouldn’t ignore older vulnerabilities that may still exist on systems because the attackers certainly haven’t. I was the third speaker. For my presentation, I provided an overview of VERT and discussed our skillsets, tools, and processes. I then talked through some examples of projects we have worked on and the processes that we went through to complete them. For example, I discussed Craig Young’s work on the OpenSSL CCS Injection Vulnerability and how it resulted in publicly available script, Andrew Swoboda’s RDP work that led him to discover a new vulnerability, and my own investigation into an Oracle Database Express F+ that led to our improving our Express coverage.
Darlene and Lane at the Tripwire Japan office Thursday we spent at the Tripwire Japan office where we met the rest of the staff and discussed some of their questions about VERT and the work that we do. Afterward, we spent the remainder of the day speaking to the Japanese media. This consisted of briefly presenting the previous days' material and answering questions with the assistance of our translators. I was so impressed by the translators' work. While they asked us to stop frequently to make translation easier, they were able to keep track and relay our comments even when our answers got long. Of course, I didn’t understand what they were saying in Japanese, but it certainly sounded good to me. That evening, we went out for dinner to a nice sushi restaurant near our hotel with most of the Tripwire Japan staff. The food was delicious, but there was so much of it. By the time the main course came, I was already stuffed and couldn’t touch any of it. Most of the dinner was various cuts of tuna and included sashimi, sushi, and tuna steak that was cooked in a bone. We also had a fermented bean sushi rolls and a savory custard-like soup. Dinner finished off with a frozen pear dessert.
With Tripwire Japan staff after sushi dinner After touring around Tokyo earlier in the week followed by two days of non-stop presentations and meetings, we were pretty tired, but we still managed a visit to the National Museum of Nature and Science on Friday. Saturday our flights were later in the afternoon, so our colleague in Japan Yuji Ochiai took us on a quick visit to the Naritasan Temple, which was near the airport in the morning. Two long flights and one short one concluded my trip. While the jet lag made it difficult to adjust to the new time zone both in Japan and coming home, I wouldn’t hesitate to do it again. I hope for more fantastic opportunities like this for myself, VERT and Tripwire in the future.
