Web App interview

Interview with Yury Chemerkin – Security Researcher & Writer

10/2012(10)

Yury Chemerkin graduated from RSUH in 2010 with a diploma thesis on BlackBerry. He is currently in the postgraduate program at RSUH, working on a Cloud Security thesis. He has experience in reverse engineering, software programming, cyber and mobile security research, documentation, and as a contributing security writer. He also researches cloud security and social privacy.

How did you get into security?

I was around 10 years old and do not remember exactly how it happened, but at one point I came upon materials discussing reverse engineering, operating system hacks, phreaking, etc. Most of them were not up to date, considering that was 10 years ago, but something in me just clicked, like the cogs of a clock starting to turn. Some years passed, but the interest lingered on. Soon after, I knew I had to start practising reverse engineering on old Microsoft versions such as Win95SE2 or Win98. SoftIce was a strong requirement, and I found a good manual on how to use this software on Windows XP SP1. A bit later I found ways to use virtualization tools like VirtualBox, but I still prefer to deal with real instances. The first tutorials covered ideas on how to bypass the registration methods implemented in any kind of software. It was a bit strange, but it was easier to crack real programs such as 'TheBat!' than one of the so-called crackmes. Nowadays you won't see or hear about that except on rare web sites such as WASM.RU and CRACKL@B.RU. While researching how to find serial numbers or how to make a patch to bypass security, I also learned what a (dis-)assembler looks like. I studied several programming languages such as C++ Builder and Pascal/Delphi because they have the most suitable GUI for easy development and the ability to embed assembler instructions. I also studied cryptography (RSA and other asymmetric schemes). I spent the first three years this way and then continued to build on my experience by getting involved in development in different areas: a secure email infrastructure and RFID systems. First, my experience grew around mobile development on .NET and refactoring existing systems. Second, I developed improvements to drivers that access hybrid-hardware RFID (mixing Wi-Fi and serial ports like COM and USB) to release a final product. It was a commercial and academic product at the same time and belonged to our "Technical and Engineering Security" sub-department of RSUH.

A lyrical digression: the Russian State University for the Humanities (RSUH) is an educational institution that trains specialists in all areas of the humanities, and not only the humanities. RSUH has an Institute for Information Sciences and Security Technologies (IISST). The first information security faculty was founded in the Moscow State Institute of History and Archive Materials in 1985. As it was not related to any military training colleges, it was considered the faculty of specialized documents up to 1990. Nowadays it is an integrated part of the Institute of Information Sciences and Security Technologies within RSUH.

In the last 1.5 years before my university diploma, I worked at several companies and gained experience in scumware, documentation, and presentation. The best known is Kaspersky Lab, a dynamically growing company that offers its employees a broad range of options for career development. I cannot say that in this company people come first, because any much-heralded policy gives everything the chance to be known by everyone. Anyway, I gained wide experience in scumware research during only several months at Kaspersky Lab. I got the missing pieces to reassemble my vision of the low-level security world.

As a second lyrical digression, I wanted to change my mobile device, and this is why I used BlackBerry, a very interesting platform. BlackBerry is a unique device, although you do not have enough control to make the right security policies even if you are a BES customer. AWS (Amazon Web Services) is the best among them because you can build your own custom policy where each API method is subject to a policy restriction. For example, BlackBerry blocks any attempt to extract sensitive data from the buffer while BlackBerry Wallet or Password Keeper is running, but you can just minimize these applications and the data will be extracted successfully and easily! This was an idea from my report at the InfoSecurityRussia 2011 conference in Moscow, where I was a Hakin9 representative. A similar idea moved to forensics and was the key of InfoSecurityRussia 2012. Now I am involved in legal defense (EU & RU) on cloud security and BlackBerry rather than technical solutions for them. In the last several years I have worked on mobile social security, cloud security and compliance, and mobile security and forensics, additionally developing solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.

If security is so important, why are there so many vulnerabilities in popular products like Adobe?

Unfortunately, compliance wins. It wins in banking, healthcare, and anywhere a company is required to run semi-annual or annual penetration testing. Compliance is a minimal set of security requirements (if your application is non-compliant, it cannot be safely trusted and is unlikely to be secure). Therefore, companies rarely care about security. They care about compliance. As we all know, compliance does not equal security. Audit standards are worthless when you compare the requirements of security compliance to the common basic techniques and problems that hackers look for in applications. The basic requirements in compliance cannot cover the full range of potential security issues because there are just too many variations in applications. Compliance rarely even talks about security. Compliance regulations are frankly awful. Penetration testing may not be the answer to security either. One example: after a penetration test where many important security holes were found, a full detailed report may be a bad idea because the company might not have enough money to fix all the issues and therefore become discouraged. The company might have an initial interest in being pentested for the top 10 or 20 vulnerabilities, but because these vulnerabilities change each year, and the cost of constantly fixing the vulnerabilities once reported may be too much, the company may opt to have pentesting done less frequently. Most companies do not have the immense resources of Microsoft and cannot set up a frequent critical patching system; they can only release vulnerability fixes during their regular release update cycle. You do not care what the penetration tester reports in this case; you are still vulnerable until the next annual release.

Despite the issues, are there enough pentesting services in Russia to handle the market demand?

Of course. Russia houses several professional and customized pentesting services. However, when you look deeper at the specific services offered, there are fewer options once you split audit from penetration testing services. However, it is an interesting way to advertise advanced skills and a higher pay rate if your penetration testers can break into SAP (Systems, Applications and Products); this becomes a full-range, more valuable service.

What are the main areas covered by Russian custom pentesting services?

The basics are covered, like PCs, networks, and web applications, but when you move into much more recent technologies such as mobile, social engineering, cloud or similar, the pentesting services are much weaker. Cloud services are excluded because of the lack of experience. Audit standards are weak mainly because of the lack of knowledge of regulation outside of Russia. I know of only one company that offers security and personal data compliance in the cloud, while other pentesting companies prefer to dispute what is right or wrong. Social engineering testing is also excluded for the same reason, while mobile pentesting services cannot be included because you rarely see a privately implemented MDM solution (mobile device management: a solution that combines data-driven mobile device management and application management with smartphone and tablet security). In the absence of MDM, mobile penetration testing looks like USB flash drive penetration testing, especially when email is not used on mobile devices. Many vendors are touting this as a new problem, but they do that simply to promote and sell their products. Professionals have been dealing with information security for 30-40 years, which has led to the access matrix model/control lists, public key cryptography, and more. For example, Kaspersky Lab often says that Android has many security issues but that Android has a great future. In other words, Android has a future because it is easier to build and implement security solutions for Android than for any other mobile device. Another example: mobile devices present a sandbox and other NEW SECURITY SOLUTIONS that do not work because the user has to store his data in shared folders accessible to any application (the sandbox protects only application data, not user data). Not one user is ready to use certain applications that keep data in the sandbox's folders, for only one reason: he will likely have problems restoring and accessing the data later. Exceptions to the rule exist, I am sure.

Is pentesting worth it?

Penetration testing is about someone legally trying to break into your system and then helping you plug the security holes. Penetration testers may be able to demonstrate that the company's security is awful. Sometimes the "consultant effect" takes place: no one listens to employees, but they will listen to the expensive consultant who comes in from the outside and says the same thing. The company should already have security designed and implemented. Moreover, when they perform specific functions, they have to validate that they perform true to their design. Penetration testing is a look into your infrastructure, which was previously viewed as something unknown, huge, and complex. Nevertheless, the pentester reveals many previously unknown issues about potential backdoors or Wi-Fi weaknesses, infected PCs and mobiles, etc. It is a test that should be performed every week or month, before and after implementation. Therefore, it works only for compilation. If a company has a poor security design, then patching may make sense only for compilation again, not for improving and fixing security.

by PenTest Team