Why Technical Translation Matters in the Cyber Security World
by Ofer Tirosh
This article is part of a free preview of one of our premium editions, which can be downloaded here: https://pentestmag.com/download/preview-active-directory-pentesting/
Technical translation is very relevant to cyber security and penetration testing. As such, anything less than a translation agency specializing in technical translation is very likely a bad idea, and potentially a very costly error. This is true not only for the pentesters but for their clients as well. Pentesting, like any technical realm, has more than its fair share of industry-specific language. How it is translated can quite literally make the difference between successful (and profitable) pentesting efforts and the collapse of a conglomerate.
Terms like PyPI (the Python Package Index, or repository) and Kali are going to be difficult for anyone without the relevant programming experience to translate accurately, and virtually impossible for most free online translation tools. At present, machine translation can offer little more than a literal, word-for-word substitution in another language. In this increasingly digital day and age, with the technological revolution just now building a full head of steam (no pun intended), cyber security and pentesting are an increasingly important part of any corporate globalization or internationalization strategy. A failure to accurately translate the results of penetration testing could make the difference between a successful globalization campaign and the complete collapse of the corporate client.
The Importance of Pentesting in the Digital Age
According to the Business2Community website, one out of every eight companies will be “destroyed by data breaches” and sixty percent of all companies that suffer a data breach will go bankrupt within the first six months after the breach. Pentesting and other efforts focused on cybersecurity are a means for these corporations to avoid these challenges to begin with. Ethical hacking is all about finding out where all of the potential vulnerabilities are, preferably before the more unethical type discover them.
In this digital day and age, and with the ongoing efforts at globalization in virtually every aspect of our lives, those cyber security specialists who conduct penetration testing are quite literally on the front lines of a digital battleground. This battleground, being digital, is not restricted to the corporeal realm, and thus not limited by borders or language. While such a point may be debatable, some of the best hackers, crackers and leets in the world are from the former Soviet Bloc nations, Russia and China, though there are some people in both India and the US that may argue this point insufferably.
Given these international conditions, technical translation services become even more imperative, with speed and accuracy being requisite to stop any attacks once they have begun. Communication between cyber security experts must be virtually instantaneous if it is to be effective in the digital age.
When, How and Where do Data Breaches Occur
2019 was a banner year for data breaches, many of which could have been stopped through the utilization of pentesting by cyber security experts and the rapid technical translations and dissemination of information required to stop these hacks before they ever got off the ground. Virtually all of them, with some notable exceptions, could have been prevented entirely with the use of cyber security experts.
One of the most common, though often overlooked, sources of hacks is what is commonly known as Social Engineering. In the situation at the time of this writing, someone may use the coronavirus global pandemic as a means to speak to someone on a more personal level. Social engineering is, in the case of cyber security, all about getting to know someone by pretending to be interested in the same things that they are, or perhaps, in the case of COVID-19, to be concerned about the same things that they are concerned about.
In a malicious play on personal psychology, the hacker would befriend someone, likely through email or perhaps on their social media accounts. In this case, using the concerns about the current global pandemic, the hacker would express the same fears and concerns and seek the confidence of the person by establishing as many common bonds as they could using the information gleaned from their social media accounts.
Eventually, and in an amazingly innocuous fashion, the social hacker will then be able to gain even more information to allow them to more accurately guess passwords and even solid information to answer security questions. While these are among the most difficult hacks to prevent, and move beyond the more traditional realm of pentesting, there are still weaknesses and vulnerabilities that will at least warn of the potential of certain employees to be high risk in such areas, and extra monitoring may prevent the loss of otherwise secured data.
Some of the More Noteworthy Hacks of 2019
1. In January of 2019 the Marriott Hotel Chain was hacked, leaking the information of what was, at the time, a record-breaking three hundred and eighty-three million of their guests and all of the private information that was stored for those guests. The data included names, addresses, phone numbers, credit card numbers and virtually everything that a good hacker would need to begin earning a living just off the potential for identity theft.
2. In February of 2019 there was a very unusual hack that is noteworthy, especially given the implications. Hackers managed to gain access to the medical records of approximately fifteen thousand patients, and held this information hostage, forcing the medical providers into a very difficult situation.
3. Happy St. Patrick's Day! In March of 2019, due to an unsecured database that could easily have been discovered through the services of a qualified pentester, literally hundreds of millions of Facebook and Instagram users were forced to change their login credentials as the database was hacked and their information likely sold or even shared on popular hacker sites and across the dark web.
4. In April, apparently slow on the uptake or believing it would all pass over as some great big April Fools' joke gone wrong, Facebook was yet again targeted, with both unsecured databases and information even stored in plain text files being accessed by hackers. Again, these are problems that would have quickly been discovered through pentesting.
5. May of 2019 was one month that at least should have been covered well, in more ways than one. First American Financial Corporation lost hundreds of millions of insurance documents containing all manner of private data, and costing the company an increased insurance rate as well.
6. In an ironic, albeit expensive, moment in June of 2019, the American Medical Collection Association lost the records of twenty-some million patients, resulting in the bill collection firm going bankrupt.
7. In July of 2019, in what somebody apparently believed was a “Capital” idea, Capital One lost some 100 million credit card applications, 140,000 social security numbers and 80,000 bank account numbers to hackers.
This is one of the few cases where it is uncertain that pentesting would have been an effective deterrent, as the culprit ended up being a disgruntled IT worker. Though again, this is why pentesting should also place some focus on social engineering and any vulnerabilities within the companies they assist.
8. August of 2019 was not a good time for movie-goers as one hundred and sixty million MoviePass customers had their data stolen, again in a scenario that should have easily been detected were any comprehensive pentesting being done by the company on its systems.
9. September was not a fun time for people playing Words with Friends, as more than two hundred million people had their login information stolen by hackers in yet another case where pentesting could have made a significant difference, including preventing such hacks from ever being carried out to begin with.
10. October of 2019 saw Elasticsearch having a really bad bounce as the private information for more than one billion and two hundred million people was found on another unsecured server. Yet another hack that should have never been allowed and could have been easily prevented with pentesting.
11. Facebook may be fun, but they do not seem to learn very well, even from their own history. Social Engineering comes into play here again as over one hundred app developers were given access to sensitive user information.
12. We end the year with yet another case where Social Engineering and an examination of personnel may have revealed at least the potential for a leak. A former Dutch politician may have had nothing more than a calendar in mind when he decided to end December of 2019 with the release of explicit photos of around one hundred women. He hacked into their cloud accounts using illegally accessed information available in private databases. While there is no guarantee that pentesting or social engineering testing or examinations would have prevented this, it is possible at least.
The Language of Black Hat and White Hat Hackers
Hacking and hackers, like any industry and the people intimately familiar with that industry, have their own language. Much of this can never be accurately or completely translated using any of the free translation tools online, or even machine translation, as most of them will provide as close as they can to a literal translation.
1337 and g1337st*r are definitely passé and so nineties, but these still arise from time to time in everyday communications. How does one translate “leet” into any language? What happens when the translations are done poorly by someone who has absolutely no knowledge of hacking or its unique industry-specific vocabulary? It is easy to imagine that a lot could be lost in translation, and such errors could be very expensive, especially for clients.
Furthermore, not all of the penetration testing clients looking for pentesting experts are going to be hiring companies in their own homeland. Kaspersky is one of the most popular antivirus software programs on the market today, but they are also famous for testing viruses discovered around the world, and some have rumored that they may even be responsible for some of the computer viruses they have discovered, however unlikely that may be.
However, even internal information and documentation for Kaspersky likely has to be translated at least to some degree, as Kaspersky has “Headquarters” in Moscow, Russia (along with many regional units); Dubai, UAE; Istanbul, Turkey; London, England; Mexico City, Mexico; Midrand, South Africa; São Paulo, Brazil; Singapore; and Woburn, Massachusetts, USA. What happens if there are miscommunications because “a tech caught a bug” gets translated as a tech caught the coronavirus or some other disease? What happens when viruses are submitted and all of the notations are in another language? Letting anyone other than a professional translator handle the document translations could have very serious and even costly implications.
The technological revolution and the digital age are no longer distant pipe dreams. These are very relevant realities that are part of everyday life in the here and now. The big trend for the year 2020 so far is globalization and localization, which means an increasing demand for the internet and its services. As more and more companies move online, more and more companies will be forced to rely on storing data on cloud servers or other internet accessible areas where they will always be prone to being hacked.
Just as penetration testing must be done by competent and capable professionals, and not just some basement hacker who lives down the way playing around with a freshly downloaded copy of Kali Linux, so too must cyber security documentation be translated by translation agencies whose translators possess an equally intimate knowledge, not only of the language, but of the language of hackers and cyber security experts.