Tokyo-based NZ IT specialist safe following quake

Kiwi IT security specialist John McDonald, who works for Symantec in Tokyo, says he and most of his colleagues are working from home following the 9.0 magnitude earthquake and 10-metre high tsunami off the coast of Japan. McDonald describes the situation as follows:

"There is a shortage of fuel and food, transport is spotty and rolling blackouts to conserve power are in effect from today (although the Tokyo CBD is not affected). Potential nuclear meltdown aside, the meteorological agency has warned there is a 70 percent change of a 7.0 hitting within the next three days. Here’s hoping they are wrong…"

McDonald manages a team of 15 as head of the security response team for Symantec. It is one of three teams around the world – the other two are based in the US and Ireland – that provide 24/7 coverage for Symantec’s international client base. " Security response operations are being covered by our other regional offices as per our BCP. It's working very well," he says.

McDonald's story featured in the print edition of Computerworld published today. A former Otago resident, McDonald has settled in Japan and married a Japanese woman. They have a daughter and both he, and his family, are safe.

McDonald first arrived in Japan in 1994 after completing a degree at Otago University. He stayed in Japan for four years teaching English. Then he decided to get serious about a career so returned to New Zealand, brushed up on his IT with a two-year diploma in data communications at AUT, and got a job at Telecom. But he missed life in Japan, so he applied for a few jobs in the country and got a place at Symantec.

“I manage the security response team here and what we do globally is threat research, analysing malware, producing signatures to combat that malware and researching threats and vulnerabilities.”

He says the process for creating a signature to combat a virus can be a complex task. “If it doesn’t get handled by automation and it gets flagged for manual analysis, then an engineer will pick it up. They will look at it, they will grab that file, and they will load it into software running in their computer that will debug and analyse software,” he explains.

“Open it up and there are lines and lines of code and they will just look inside the file and determine what it is - is it good, is it bad and if it is bad, then there is lots of different ways of adding signatures to protect customers, but one of the simplest ones is the string signature. They just take a part of the file and they’ll add that bit and stick that bit into the product, into the definitions and then the next time the product is doing its automatic scan on your computer if there’s a match on that string or that hash then it has detected that file,”

He says the biggest trend in malware is the move away from big, high-profile threats that spread rapidly across millions of computers. Instead, those who create viruses are adopting stealth like tactics that quietly target specific organisations or certain users running a particular programme. “I guess the bad guys have finally figured out that as long as they can go undetected they will be successful,” he says.

Most malware is created for financial gain. “There are a lot of botnets these days created for the purpose of controlling machines for whatever reason. It might be a big financial motive. These days it’s clicking adverts that generates revenue, so if by clicking on a certain advert a certain affiliate gets paid one cent, or whatever it may be, if a hacker can stick that on one million computers and automatically have people clicking through those computers, there is a lot of money to be made.”

A recent virus that put IT security experts worldwide on high alert was Stuxnet – a virus that appears to have been specifically targeted towards a nuclear processing plant in Iran. His boss Kevin Hogan, director of global security response operations, put three of his top experts onto the case when the story broke last year and the entire security response team become familiar with its methods.

Not because Symantec were commissioned to do so – the Iranian government, while admitting the attack had not asked for assistance – but because it was the first time a virus was designed to create “real world” damage.

The Stuxnet virus, which struck several times, is believed to have been spread initially via a USB drive and infected no more than three computers at any one time before lying dormant. It was designed to shut down a specific Siemens PLCs (Programmable Logic Controllers) at the nuclear processing plant (as well, it also shut down the program set up to monitor that system). There was industry speculation that foreign governments were involved, but nothing has been proven.

This kind of ‘James Bond’ type of activity is not everyday for McDonald. “Sometimes we are called upon to assist law enforcement, but it is not our focus,” he says.

Still, as the threat monitor located at the onsite datacentre at Symantec’s Tokyo HQ showed, on the day Computerworld visited, more than 21,000 threats had been logged that day.

It ensures McDonald stays interested in the role. He says there are plenty of IT security issues that he is interested in, and cites mobile platforms as an emerging area. “The whole technology is still relatively new compared to the PC. There are challenges, but if there weren’t it wouldn’t be fun.”

• Putt travelled to Tokyo recently as a guest of Symantec