interview

Interview with Yury Chemerkin – Security Researcher & Writer

Yury Chemerkin graduated from RSUH in 2010 (http://rggu.com/) on the BlackBerry diploma thesis. Currently in the postgraduate program at RSUH on the Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also, researching Cloud Security and Social Privacy.

How did you get into security?

I was around 10 years old and do not exactly remember how it happened, but there was this one time I came upon materials discussing reverse engineering, operating system hacks, phreaking, etc. Most of them were not up-to-date considering that was 10 years ago, but something in me just clicked, like cogs of clockwork started turning. Some years passed but the interest lingered on. Soon after, I knew I had to start some practice around reverse engineering using old Microsoft versions such as Win95SE2 or Win98. It was a strong requirement for SoftIce and I found a good manual on how to use this software on Windows XP SP1. A bit later, I found ways to use virtualization tools like VirtualBox, but I still prefer to deal with real instances. First tutorials cover ideas on how to bypass implemented registration methods in any kind of software. It was a bit strange, but it was easy to crack real programs using ‘TheBat!’ rather than one of the so-called crackmes. Nowadays you won’t see or hear that except on rare web sites such as WASM.RU and CRACKL@B.RU. While I was researching how to find serial numbers or how to make a patch to bypass security, I also learned what a (dis-)assembler looks like.

10/2012(10), Page 62, http://pentestmag.com
I studied several programming languages such as C++ Builder and Pascal/Delphi because they have the most suitable GUI for easy developing and an ability to implement assembler instructions. Also, I studied cryptography (RSA and other asymmetric schemes). I spent the first three years this way and then I continued to improve on my experience by getting involved in development in different areas: a secure email infrastructure and RFID systems. First, my experience grew around mobile development on .NET and refactoring the existing systems and programming. Second, I developed some improvements around drivers having access to hybrid-hardware RFID (a mix of Wi-Fi and serial ports like COM and USB) to release the final product. It was a commercial and academic product at the same time and belonged to our “Technical and Engineering Security” sub-department of RSUH. A lyrical digression: the Russian State University for the Humanities (RSUH) is an educational institution that trains specialists in all areas of knowledge in the humanities, and not only the humanities. RSUH has an Institute for Information Sciences and Security Technologies (IISST). The first Infosecurity faculty was founded in the Moscow State Institute of History and Archive Materials in 1985. As it was not related to any military training colleges, it was considered the faculty of specialized documents up to 1990. Nowadays it is an integrated part of the Institute of Information Sciences and Security Technologies within the RSUH.
In the last 1.5 years towards my university diploma, I worked at several companies and gained experience in scumware, documentation, and presentation. The best known is Kaspersky Lab, a dynamically growing company that offers its employees a broad range of options for career development. I cannot say that in this company people come first, because any much-heralded policy gives a chance for everything to be known by everyone. Anyway, I gained wide experience in scumware research during only several months in Kaspersky Lab. I got the missing valuables to reassemble my vision of the low-level security world. As a second lyrical digression, I wanted to change my mobile device and this is why I used BlackBerry as a very interesting platform. BlackBerry is a unique device, although you do not have enough control to make the right security policies even if you are a BES customer. AWS (Amazon Web Services) is the best among them because you can build your custom policy where each API method meets the policy restriction. For example, BlackBerry blocks any attempts to extract sensitive data from the buffer while the BlackBerry Wallet or Password Keeper is running, but you can just minimize these applications and data will be extracted successfully and easily! It was an idea from my report at the InfoSecurityRussia 2011 conference in Moscow, where I was a Hakin9 representative. A similar idea moved to forensics and was a key of InfoSecurityRussia 2012.

Now I am involved in legal defense (EU & RU) on Cloud Security and BlackBerry rather than technical solutions for them. In the last several years, I have worked on mobile social security, cloud security and compliance, mobile security and forensics, and additionally on developing solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.

If security is so important, why are there so many vulnerabilities in popular products like Adobe?

Unfortunately, compliance wins. It wins in banking, healthcare, and anywhere that a company is required to run semi-annual or annual penetration testing. Compliance is a minimal set of security requirements (if your application is non-compliant, it cannot be safely trusted and is unlikely to be secure). Therefore, companies rarely care about security. They care about compliance. As we all know – compliance does not equal security. Audit standards are worthless when you compare the requirements of security compliance to the common basic techniques and problems that hackers look for in applications. The basic requirements in compliance cannot cover the full range of potential security issues because there are just too many variations in applications. Compliance rarely even talks about security. Compliance regulations are frankly awful. Penetration testing may not be the answer to security either. One example is that after a penetration test where many important security holes were found, a full detailed report may be a bad idea because the company might not have enough money to fix all issues and therefore become discouraged. The company might have an initial interest in being pentested for the top 10 or 20 vulnerabilities, but because these vulnerabilities change each year, the cost of constantly fixing the vulnerabilities once reported may be too much, and the company may opt to have pentesting done less frequently. Most companies do not have the immense resources of Microsoft and cannot set up a frequent critical patching system – they can only release vulnerability fixes during their regular release update cycle. You do not care about what the penetration tester reports on in this case; you are still vulnerable until the next annual release.

Despite the issues, are there enough pentesting services in Russia to handle the market demand?

Of course. Russia houses several professional and customized pentesting services. However, when you look deeper at the specific services offered, there are fewer options when you split the audit from penetration testing services. However, it is an interesting way to advertise advanced skills and a higher pay-rate if your penetration testers can break into SAP (Systems, Applications and Products) – this becomes a full range, more valuable service.

What are the main areas covered by Russian custom pentesting services?

The basics are covered like PCs, networks, and web applications, but when you move into much more recent technologies such as mobile, social engineering, cloud or similar, the pentesting services are much weaker. Cloud services are excluded because of the lack of experience. Audit standards are weak mainly because of the lack of knowledge of regulation outside of Russia. I know of only one company who offers security and personal data compliance in the cloud, while other pentesting companies prefer to dispute what is right or wrong. Social engineering testing is also excluded for the same reason, while mobile pentesting services cannot be included because rarely do you see privately implemented MDM solutions (a mobile device management solution that combines data-driven mobile device management and application management with smartphone and tablet security). In the absence of MDM, mobile penetration testing looks like USB flash drive penetration testing, especially when email is not used on mobile devices. Many vendors are touting this as a new problem, but they do that simply to promote and sell their products. Professionals have been dealing with information security for 30-40 years, which has led to the access matrix model/control lists, public key cryptography, and more. For example, Kaspersky Labs often says that Android has many security issues but that Android has a great future. In other words, Android has a future because it is easier to build and implement security solutions for Android than for any other mobile device. Another example: mobile devices present a sandbox and other NEW SECURITY SOLUTIONS that do not work because the user has to store his data in shared folders accessed by any application (the sandbox protects only application data, not user data). Not one of the users is ready to use certain applications to keep data in the sandbox’s folders for only one reason: he will likely have a problem restoring and accessing the data later. Exceptions to the rule exist, I am sure.

Is pentesting worth it?

Penetration testing is about someone legally trying to break into your system and then helping you plug the security holes. Penetration testers may be able to demonstrate that the company’s security is awful. Sometimes the "consultant effect" takes place – no one listens to employees, but they will listen to the expensive consultant who comes in from the outside and says the same thing.

The company should already have security designed and implemented. Moreover, when they perform specific functions they have to validate that they perform true to their design. Penetration testing is a look into your infrastructure that was previously viewed as something unknown, huge, and complex. Nevertheless, the pentester reveals many previously unknown issues about potential backdoors or Wi-Fi weaknesses, infected PCs and mobiles, etc. It is a test that should be performed every week or month, before and after implementation. Therefore, it works only for compliance. If a company has a poor security design then patching may make sense only for compliance again, not for improving and fixing security.

by PenTest Team

More Related Content

Viewers also liked

Gianluca & jake changes to planning
Gianluca & jake changes to planningGianluca & jake changes to planning
Gianluca & jake changes to planninggmisso33
 
My Flippts
My FlipptsMy Flippts
My FlipptsSoloten
 
NU Research Report #2
NU Research Report #2NU Research Report #2
NU Research Report #2Drew West
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013STO STRATEGY
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensicsSTO STRATEGY
 
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015Liz Filardi
 

Viewers also liked (7)

Gianluca & jake changes to planning
Gianluca & jake changes to planningGianluca & jake changes to planning
Gianluca & jake changes to planning
 
Vestidos de papel
Vestidos de papelVestidos de papel
Vestidos de papel
 
My Flippts
My FlipptsMy Flippts
My Flippts
 
NU Research Report #2
NU Research Report #2NU Research Report #2
NU Research Report #2
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
 
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
Digital Accessibility: Tips From the Met App Case Study @ MCN 2015
 

More from STO STRATEGY

(Pdf) yury chemerkin hackfest.ca_2013
(Pdf) yury chemerkin hackfest.ca_2013(Pdf) yury chemerkin hackfest.ca_2013
(Pdf) yury chemerkin hackfest.ca_2013STO STRATEGY
 
(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013STO STRATEGY
 
(Pptx) yury chemerkin hacker_halted_2013
(Pptx) yury chemerkin hacker_halted_2013(Pptx) yury chemerkin hacker_halted_2013
(Pptx) yury chemerkin hacker_halted_2013STO STRATEGY
 
(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013STO STRATEGY
 
(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedings(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedingsSTO STRATEGY
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013STO STRATEGY
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013STO STRATEGY
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013STO STRATEGY
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013STO STRATEGY
 
(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013STO STRATEGY
 
(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedingsSTO STRATEGY
 
(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013STO STRATEGY
 
(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013STO STRATEGY
 
(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012STO STRATEGY
 
Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012STO STRATEGY
 
(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011STO STRATEGY
 
Pen test career. how to begin
Pen test career. how to beginPen test career. how to begin
Pen test career. how to beginSTO STRATEGY
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security ChallengesSTO STRATEGY
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challengesSTO STRATEGY
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 

More from STO STRATEGY (20)

(Pdf) yury chemerkin hackfest.ca_2013
(Pdf) yury chemerkin hackfest.ca_2013(Pdf) yury chemerkin hackfest.ca_2013
(Pdf) yury chemerkin hackfest.ca_2013
 
(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013(Pdf) yury chemerkin hacktivity_2013
(Pdf) yury chemerkin hacktivity_2013
 
(Pptx) yury chemerkin hacker_halted_2013
(Pptx) yury chemerkin hacker_halted_2013(Pptx) yury chemerkin hacker_halted_2013
(Pptx) yury chemerkin hacker_halted_2013
 
(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013(Pdf) yury chemerkin intelligence_sec_2013
(Pdf) yury chemerkin intelligence_sec_2013
 
(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedings(Pdf) yury chemerkin _ita_2013 proceedings
(Pdf) yury chemerkin _ita_2013 proceedings
 
(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013(Pdf) yury chemerkin ita_2013
(Pdf) yury chemerkin ita_2013
 
(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013(Pdf) yury chemerkin deep_intel_2013
(Pdf) yury chemerkin deep_intel_2013
 
(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013(Pdf) yury chemerkin balccon_2013
(Pdf) yury chemerkin balccon_2013
 
(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013(Pdf) yury chemerkin _ath_con_2013
(Pdf) yury chemerkin _ath_con_2013
 
(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013(Pdf) yury chemerkin _i-society_2013
(Pdf) yury chemerkin _i-society_2013
 
(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings(Pdf) yury chemerkin _i-society-2013 proceedings
(Pdf) yury chemerkin _i-society-2013 proceedings
 
(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013(Pdf) yury chemerkin _confidence_2013
(Pdf) yury chemerkin _confidence_2013
 
(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013(Pdf) yury chemerkin _null_con_2013
(Pdf) yury chemerkin _null_con_2013
 
(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012(Pdf) yury chemerkin _icitst_2012
(Pdf) yury chemerkin _icitst_2012
 
Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012Yury chemerkin _cyber_crime_forum_2012
Yury chemerkin _cyber_crime_forum_2012
 
(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011(Pdf) yury chemerkin info_securityrussia_2011
(Pdf) yury chemerkin info_securityrussia_2011
 
Pen test career. how to begin
Pen test career. how to beginPen test career. how to begin
Pen test career. how to begin
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
 
Blackberry playbook – new challenges
Blackberry playbook – new challengesBlackberry playbook – new challenges
Blackberry playbook – new challenges
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Interview

  • 1.
  • 2. W e b A p p interview Interview with Yury Chemerkin – Security Reseacher & Writer Yury Chemerkin graduated from RSUH in 2010 (http://rggu.com/) on the BlackBerry diploma thesis. Currently in the postgraduate program at RSUH on the Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also, researching Cloud Security and Social Privacy. How did you get into security? I was around 10 years old and do not exactly remember how it happened but there was this one time I came upon materials discussing reverse engineering, operation systems hacks, phreaking, etc. Most of them were not up-to-date considering that was 10 years ago but something in me just clicked like clogs of clockwork started turning. Some years past but the interest lingered on. Soon after I knew I had to start some practice around reverse engineering using old Microsoft versions such as Win95SE2 or Win98. It was a strong requirement for SoftIce and I found a good manual on how to use this software on Windows XP SP1. A bit later, I found ways to use virtualization tools like Virtual Box but I still prefer to deal with real instances. First tutorials cover 10/2012(10) Page 62 http://pentestmag.com
  • 3. W e b A p p ideas on how to bypass implemented registration methods in any kind of software. It was a bit strange but it was easy to crack real programs using ‘TheBat!’ rather than one of the so-called crackmes. Nowadays you won’t see or hear that except on rare web sites such as WASM.RU and CRACKL@B. RU. While I’m researching how to find serial numbers or how to make a patch to bypass security, I also learned what a (dis-)assembler looks like. I studied several programming languages such as C++ Builder and Pascal/Delphi because they have the most suitable GUI for easy developing and an ability to implement assembler instructions. Also, I studied cryptography (RSA, and other asymmetric scheme). I spent the first three years this way and then I continued to improve on my experience by getting involved in development of different areas: a security email infrastructure and RFID systems. First, my experience grew around mobile developing on.NET and refactoring the existence systems and programming. Second, I developed some improvements around drivers having access to hybrid-hardware RFID (mix Wi-Fi and serial ports like COM and USB) to release final product. It was a commercial and academic product at the same time and belonged to our “Technical and Engineering Security” sub-department of RSUH. A lyrical digression, The Russian State University for the Humanities (RSUH) is an educational institution that trains specialists in all areas of knowledge in the humanities and not only humanities. RSUH has an Institute for Information Sciences and Security Technologies (IISST). The first Infosecurity faculty was founded in Moscow State Institute of History and Archive Materials in 1985. As it was not related to any military training colleges, it was considered the faculty of specialized documents up to 1990. Nowadays it is an integrated part of the Institute of Information Sciences and Security Technologies within the RSUH. 
The last 1.5 years towards the Uni diploma, I worked at several companies and gained experience in scumware, documentation, and presentation. The most known is Kaspersky Lab, which is a dynamically growing company that offers its employees a broad range of options for career development. I cannot say that in this company people come first, because any much-heralded policy gives a chance for everything to be known by everyone. Anyway, I gained wide experience in scumware research during only several months at Kaspersky Lab. I got the missing valuables to reassemble my vision of the low-level security world.

As a second lyrical digression, I wanted to change my mobile device and this is why I used BlackBerry, as a very interesting platform. BlackBerry is a unique device, although you do not have enough control to make the right security policies, even if you are a BES customer. AWS (Amazon Web Services) is the best among them because you can build your custom policy where each API method meets the policy restriction. For example, BlackBerry blocks any attempts to extract sensitive data from the buffer while BlackBerry Wallet or Password Keeper is running, but you can just minimize these applications and the data will be extracted successfully and easily! It was an idea from my report at the InfoSecurityRussia 2011 conference in Moscow, where I was a Hakin9 representative. A similar idea moved to forensics and was the key of InfoSecurityRussia 2012. Now I am involved in legal defense (EU & RU) on Cloud Security and BlackBerry rather than technical solutions for them. For the last several years, I have worked on mobile social security, cloud security and compliance, mobile security and forensics, and additionally developing solutions based on exploiting not only OS vulnerabilities but also third-party products and solutions.

If security is so important, why are there so many vulnerabilities in popular products like Adobe?

Unfortunately, compliance wins.
It wins in banking, healthcare, and anywhere that a company is required to run semi-annual or annual penetration testing. Compliance is a minimal set of security requirements (if your application is non-compliant, it cannot be safely trusted and is unlikely to be secure). Therefore, companies rarely care about security. They care about compliance. As we all know, compliance does not equal security. Audit standards are worthless when you compare the requirements of security compliance to the common basic techniques and problems that hackers look for in applications. The basic requirements in compliance cannot cover the full range of potential security issues because there are just too many variations in applications. Compliance rarely even talks about security. Compliance regulations are frankly awful. Penetration testing may not be the answer to security either. One example is that after a penetration test where many important security holes were found, a full detailed report may be a bad idea because the company might not have enough money to fix all the issues and therefore become discouraged. The company might have an initial interest in being pentested for the top 10 or 20 vulnerabilities, but because these vulnerabilities change each year, the cost of constantly fixing the vulnerabilities once reported may be too much. The company may opt to have pentesting done less frequently. Most companies do not have the immense resources of Microsoft and cannot set up a frequent critical patching system – they can only release vulnerability fixes during their regular release update cycle. You do not care about what the penetration tester reports on in this case; you are still vulnerable until the next annual release.

Despite the issues, are there enough pentesting services in Russia to handle the market demand?

Of course. Russia houses several professional and customized pentesting services. However, when you look deeper at the specific services offered, there are fewer options when you split the audit from penetration testing services. However, it is an interesting way to advertise advanced skills and a higher pay rate if your penetration testers can break into SAP (Systems, Applications and Products) – this becomes a full-range, more valuable service.

What are the main areas covered by Russian custom pentesting services?

The basics are covered, like PCs, networks, and web applications, but when you move into much more recent technologies such as mobile, social engineering, cloud or similar, the pentesting services are much weaker. Cloud services are excluded because of the lack of experience. Audit standards are weak mainly because of the lack of knowledge of regulation outside of Russia. I know of only one company who offers security and personal data compliance in the cloud, while other pentesting companies prefer to dispute what is right or wrong.
Social engineering testing is also excluded for the same reason, while mobile pentesting services cannot be included because you rarely see privately implemented MDM solutions (a mobile device management solution combines data-driven mobile device management and application management with smartphone and tablet security). In the absence of MDM, mobile penetration testing looks like USB flash drive penetration testing, especially when email is not used on mobile devices. Many vendors are touting this as a new problem but they do that simply to promote and sell their products. Professionals have been dealing with information security for 30-40 years, which has led to the access matrix model/control lists, public key cryptography, and more. For example, Kaspersky Labs often says that Android has many security issues but that Android has a great future. In other words, Android has a future because it is easier to build and implement security solutions for Android than for any other mobile device. Another example: mobile devices present a sandbox and other NEW SECURITY SOLUTIONS that do not work because the user has to store his data in shared folders accessed by any application (the sandbox protects only application data, not user data). Not one of the users is ready to use certain applications to keep data in the sandbox’s folders, for only one reason: he will likely have a problem restoring and accessing the data later. Exceptions to the rule exist, I am sure.

Is pentesting worth it?

Penetration testing is about someone legally trying to break into your system and then helping you plug the security holes. Penetration testers may be able to demonstrate that the company’s security is awful. Sometimes the "consultant effect" takes place – no one listens to employees but they will listen to the expensive consultant who comes in from the outside and says the same thing. The company should already have security designed and implemented.
Moreover, when they perform specific functions, they have to validate that they perform true to their design. Penetration testing is a look into your infrastructure that was previously viewed as something unknown, huge, and complex. Nevertheless, the pentester reveals many previously unknown issues about potential backdoors or Wi-Fi weaknesses, infected PCs and mobiles, etc. It is a test that should be performed every week or month, before and after implementation. Therefore, it works only for compilation. If a company has a poor security design then patching may make sense only for compilation again, not for improving and fixing security.

by PenTest Team