Yury Chemerkin – Security Researcher & Writer
Yury Chemerkin graduated from RSUH (http://rggu.com/) in 2010 with a diploma thesis on BlackBerry. He is currently in the postgraduate program at RSUH working on a Cloud Security thesis. He has experience in reverse engineering, software programming, cyber and mobile security research, documentation, and as a contributing security writer. He also researches cloud security and social privacy.
How did you get into
I was around 10 years old and do not exactly remember how it happened, but there was this one time I came upon materials discussing reverse engineering, operating system hacks, phreaking, etc. Most of them were not up-to-date, considering that was 10 years ago, but something in me just clicked, like the cogs of a clockwork started turning. Some years passed, but the interest lingered on. Soon after, I knew I had to start some practice around reverse engineering using old Microsoft versions such as Win95SE2 or Win98. That was a strong requirement for SoftICE, and I found a good manual on how to use this software on Windows XP SP1. A bit later, I found ways to use virtualization tools like VirtualBox, but I still prefer to deal with real instances. The first tutorials covered ideas on how to bypass the registration methods implemented in any kind of software. It was a bit strange, but it was easier to crack real programs such as 'TheBat!' than one of the so-called crackmes. Nowadays you won't see or hear that except on rare web sites such as WASM.RU and CRACKL@B.RU. While researching how to find serial numbers or how to make a patch to bypass security, I also learned what a (dis)assembler looks like.
I studied several programming languages such as C++ Builder and Pascal/Delphi because they have the most suitable GUI for easy development and the ability to embed assembler instructions. I also studied cryptography (RSA and other asymmetric schemes). I spent the first three years this way and then continued to improve on my experience by getting involved in development in different areas: a secure email infrastructure and RFID systems. First, my experience grew around mobile development on .NET and refactoring and programming existing systems. Second, I developed some improvements around drivers with access to hybrid-hardware RFID (mixing Wi-Fi and serial ports such as COM and USB) to release a final product. It was a commercial and academic product at the same time and belonged to our "Technical and Engineering Security" sub-department of RSUH.

A lyrical digression: The Russian State University for the Humanities (RSUH) is an educational institution that trains specialists in all areas of knowledge in the humanities, and not only the humanities. RSUH has an Institute for Information Sciences and Security Technologies (IISST). The first Infosecurity faculty was founded in the Moscow State Institute of History and Archive Materials in 1985. As it was not related to any military training college, it was considered the faculty of specialized documents up to 1990. Nowadays it is an integrated part of the Institute of Information Sciences and Security Technologies within RSUH.
For the last 1.5 years before my university diploma, I worked at several companies and gained experience in scumware, documentation, and presentation. The best known is Kaspersky Lab, a dynamically growing company that offers its employees a broad range of options for career development. I cannot say that in this company people come first, because any much-heralded policy gives everything a chance to be known by everyone. Anyway, I gained wide experience in scumware research during only several months at Kaspersky Lab. I picked up the missing pieces to reassemble my vision of the low-level security world.

As a second lyrical digression, I wanted to change my mobile device, and this is why I chose BlackBerry as a very interesting platform. BlackBerry is a unique device, although you do not have enough control to make the right security policies, even if you are a BES customer. AWS (Amazon Web Services) is the best among them because you can build your own custom policy where each API method meets the policy restriction. For example, BlackBerry blocks any attempts to extract sensitive data from the buffer while BlackBerry Wallet or Password Keeper is running, but you can just minimize these applications and the data will be extracted successfully and easily! That was an idea from my report at the InfoSecurityRussia 2011 conference in Moscow, where I was a Hakin9 representative. A similar idea moved to forensics and was a key point of InfoSecurityRussia 2012.

Now I am involved in legal defense (EU & RU) on cloud security and BlackBerry rather than in technical solutions for them. For the last several years, I have worked on mobile social security, cloud security and compliance, and mobile security and forensics, additionally developing solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.
If security is so important, why are there so many vulnerabilities in popular products like Adobe?
Unfortunately, compliance wins. It wins in banking, healthcare, and anywhere that a company is required to run semi-annual or annual penetration testing. Compliance is a minimal set of security requirements (if your application is non-compliant, it cannot be safely trusted and is unlikely to be secure). Therefore, companies rarely care about security. They care about compliance. As we all know, compliance does not equal security. Audit standards are worthless when you compare the requirements of security compliance to the common basic techniques and problems that hackers look for in applications. The basic requirements in compliance cannot cover the full range of potential security issues because there are just too many variations in applications. Compliance rarely even talks about security. Compliance regulations are frankly awful. Penetration testing may not be the answer to security either. One example is that after a penetration test where many important security holes were found, a full detailed report may be a bad idea, because the company might not have enough money to fix all the issues and therefore become discouraged. The company might have an initial interest in being pentested for the top 10 or 20 vulnerabilities, but because these vulnerabilities change each year and the cost of constantly fixing them once reported may be too much, the company may opt to have pentesting done less frequently. Most companies do not have the immense resources of Microsoft and cannot set up a frequent critical patching system; they can only release vulnerability fixes during their regular release update cycle. You do not care what the penetration tester reports in this case; you are still vulnerable until the next annual release.
Despite the issues, are there enough pentesting services in Russia to handle the market demand?
Of course. Russia houses several professional and customized pentesting services. However, when you look deeper at the specific services offered, there are fewer options when you split the audit from the penetration testing services. That said, it is an interesting way to advertise advanced skills and a higher pay rate if your penetration testers can break into SAP (Systems, Applications and Products); this becomes a full-range, more valuable service.
What are the main areas covered by Russian custom pentesting services?
The basics are covered, like PCs, networks, and web applications, but when you move into much more recent technologies such as mobile, social engineering, cloud or similar, the pentesting services are much weaker. Cloud services are excluded because of the lack of experience. Audit standards are weak mainly because of the lack of knowledge of regulation outside of Russia. I know of only one company that offers security and personal data compliance in the cloud, while other pentesting companies prefer to dispute what is right or wrong. Social engineering testing is also excluded for the same reason, while mobile pentesting services cannot be included because you rarely see a privately implemented MDM solution (a mobile device management solution that combines data-driven mobile device management and application management with smartphone and tablet security). In the absence of MDM, mobile penetration testing looks like USB flash drive penetration testing, especially when email is not used on mobile devices. Many vendors are touting this as a new problem, but they do that simply to promote and sell their products. Professionals have been dealing with information security for 30-40 years, which has led to the access matrix model, access control lists, public key cryptography, and more. For example, Kaspersky Lab often says that Android has many security issues but that Android has a great future. In other words, Android has a future because it is easier to build and implement security solutions for Android than for any other mobile device. Another example: mobile devices present a sandbox and other NEW SECURITY SOLUTIONS that do not work, because the user has to store his data in shared folders accessed by any application (the sandbox protects only application data, not user data). Not one user is ready to use certain applications to keep data in the sandbox's folders, for only one reason: he will likely have a problem restoring and accessing the data later. Exceptions to the rule exist, I am sure.
Is pentesting worth it?
Penetration testing is about someone legally trying to break into your system and then helping you plug the security holes. Penetration testers may be able to demonstrate that the company's security is awful. Sometimes the "consultant effect" takes place: no one listens to employees, but they will listen to the expensive consultant who comes in from the outside and says the same thing.

The company should already have security designed and implemented. Moreover, when they perform specific functions, they have to validate that they perform true to their design. Penetration testing is a look into your infrastructure, which was previously viewed as something unknown, huge, and complex. Nevertheless, the pentester reveals many previously unknown issues about potential backdoors or Wi-Fi weaknesses, infected PCs and mobiles, etc. It is a test that should be performed every week or month, before and after implementation. Therefore, it works only for compliance. If a company has a poor security design, then patching may make sense only for compliance again, not for improving and fixing security.
by PenTest Team