W                     e                     b                     A                     p                                 ...
W                                                                                                             e           ...
W                    e                    b                    A                    p                                     ...
Interview Pentest
Upcoming SlideShare
Loading in …5

Interview Pentest


Published on


Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Interview Pentest

  1. 1. W e b A p interview pInterview withYury Chemerkin– Security Reseacher & Writer Yury Chemerkin graduated from RSUH in 2010 (http://rggu.com/) on the BlackBerry diploma thesis. Currently in the postgraduate program at RSUH on the Cloud Security thesis. Experience in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation, and as a contributing Security Writer. Also, researching Cloud Security and Social Privacy.How did you get intosecurity?I was around 10 years old anddo not exactly remember howit happened but there was thisone time I came upon mate-rials discussing reverse en-gineering, operation systemshacks, phreaking, etc. Mostof them were not up-to-dateconsidering that was 10 yearsago but something in me justclicked like clogs of clockworkstarted turning. Some yearspast but the interest lingeredon. Soon after I knew I had tostart some practice around re-verse engineering using oldMicrosoft versions such asWin95SE2 or Win98. It wasa strong requirement for Soft-Ice and I found a good manualon how to use this software onWindows XP SP1. A bit later,I found ways to use virtualiza-tion tools like Virtual Box but Istill prefer to deal with real in-stances. First tutorials cover 10/2012(10) Page 62 http://pentestmag.com
  2. 2. W e b A p pideas on how to bypass implemented registration vision about low-level security world. With secondmethods in any kind of software. It was a bit strange lyrical digression, I wanted to change my mobilebut it was easy to crack real programs using ‘The- device and this why I used BlackBerry as a very in-Bat!’ rather than one of the so-called crackmes. teresting platform. BlackBerry is a unique device,Nowadays you won’t see or hear that except on ra- although you do not have enough control to makere web sites such as WASM.RU and CRACKL@B. the right security policies if you are a BES custom-RU. While I’m researching how to find serial num- er even. AWS (Amazon Web Service) is the bestbers or how to make a patch to bypass security, among of them because you can build your cus-I also learned what a (dis-)assembler looks like. tom policy where each API-method meets the poli-I studied several programming languages such as cy restriction. For example, BlackBerry blocks anyC++ Builder and Pascal/Delphi because they have attempts to extract sensitive data from the bufferthe most suitable GUI for easy developing and an while the BlackBerry Wallet or Password Keeperability to implement assembler instructions. Also, I is running but you can just minimize these applica-studied cryptography (RSA, and other asymmetric tions and data will be extracted successfully andscheme). I spent the first three years this way and easily! It was an idea from my report at the InfoS-then I continued to improve on my experience by ecurityRussia 2011 conference in Moscow where Igetting involved in development of different areas: was a Hakin9 representative. A similar idea moveda security email infrastructure and RFID systems. to the forensics and was a key of InfoSecurityRus-First, my experience grew around mobile develop- sia 2012.ing on.NET and refactoring the existence systems Now I am involved in legal defense (EU & RU) onand programming. Second, I developed some im- the Cloud Security and BlackBerry rather than tech-provements around drivers having access to hy- nical solutions for them. The last several years, Ibrid-hardware RFID (mix Wi-Fi and serial ports like have worked on mobile social security, cloud secu-COM and USB) to release final product. It was a rity and compliance; mobile security and forensics;commercial and academic product at the same additionally developing solutions based on exploit-time and belonged to our “Technical and Engineer- ing, not only OS vulnerabilities but also third-partying Security” sub-department of RSUH. A lyrical di- products and solutions.gression, The Russian State University for the Hu-manities (RSUH) is an educational institution that If security is so important, why aretrains specialists in all areas of knowledge in the there so many vulnerabilities in popularhumanities and not only humanities. RSUH has products like Adobe?an Institute for Information Sciences and Security Unfortunately, compliance wins. It wins in bank-Technologies (IISST). The first Infosecurity faculty ing, healthcare, and anywhere that a company iswas founded in Moscow State Institute of History required to run semi-annual or annual penetrationand Archive Materials in 1985. As it was not related testing. Compliance is a minimal set of security re-to any military training colleges, it was considered quirements (if your application is non-compliant,the faculty of specialized documents up to 1990. it cannot be safely trusted and unlikely to be se-Nowadays it is an integrated part of the Institute cure). Therefore, the companies rarely care aboutof Information Sciences and Security Technologies security. They care about compliance. As we allwithin the RSUH. know – compliance does not equal security. Au- The last 1.5 years towards the Uni diploma, I had dit standards are worthless when you compare theworked at several companies and I had experi- requirements of security compliance to the com-ence in scumware, documentation, and presenta- mon basic techniques and problems that hackerstion. Most known is the Kaspersky Lab that is a look for in applications. The basic requirements indynamically growing company that offers its em- compliance cannot cover the full range of potentialployees a broad range of options for career de- security issues because there are just too manyvelopment. I cannot say that in this company peo- variations in applications. Compliance rarely talksple come first because any much-heralded policy about security even. Compliance regulations aregives chance to everything to be known by every- frankly awful. Penetration testing may not be theone. Anyways, I gained wide experience in scum- answer to security either. One example is that af-ware research during several months in Kaspersky ter a penetration test where many important secu-Lab only. I got missing valuables to reassemble my rity holes were found, a full detailed report may be 10/2012(10) Page 63 http://pentestmag.com
  3. 3. W e b A p interview pa bad idea because the company might not have testing especially when email is not used on mobileenough money to fix all issues and therefore be- devices. Many vendors are touting this as a newcome discouraged. The company might have an problem but they do that simply to promote andinitial interest to be pentested for the top 10 or 20 sell their products. Professionals have been deal-vulnerabilities, but because these vulnerabilities ing with information security for 30-40 years thatchange each year, and the cost of constantly fixing has led to the access of matrix model/control lists,the vulnerabilities once reported may be too much. public key cryptography, and more. For example,The company may opt to have pentesting done Kaspersky Labs often says that Android has manyless frequently. Most companies do not have the security issues but that Android has a great future.immense resources of Microsoft and cannot setup In other words, Android has a future because it isa frequent critical patching system – they can only easier to build and implement security solutionsrelease vulnerability fixes during their regular re- for Android than for any other mobile device. An-lease update cycle. You do not care about what the other example, mobile devices present a sandboxpenetration tester reports on in this case, you are and other NEW SECURITY SOLUTIONS that dostill vulnerable until the next annual release. not work because the user has to store his data in shared folders accessed by any application (theDespite the issues, are there enough sandbox protects only application data not userpentesting services in Russia to handle data). Not one of the users is ready to use certainthe market demand? applications to keep data in the sandbox’s foldersOf course. Russia houses several professional for only one reason- he will likely have a problemand customized pentesting services. However, restoring and accessing the data later. Exceptionswhen you look deeper at the specific services of- to the rule exists, I am sure.fered there are fewer options when you split theaudit from penetration testing services. However, Is pentesting worth it?it is an interesting way to advertise advanced skills Penetration testing is about someone legally tryingand a higher pay-rate if your penetration testers to break into your system and help you then plugcan break into SAP (Systems, Applications and the security holes. Penetration testers may be ableProducts) – this becomes a full range, more valu- to demonstrate that the company’s security is aw-able service. ful. Sometimes the "consultant effect" takes place – no one listens to employees but they will listenWhat are the main areas covered by to the expensive consultant who comes in from theRussian custom pentesting services? outside and says the same thing.The basics are covered like PCs, networks, and The company should already have security de-web applications but when you move into much signed and implemented. Moreover, when theymore recent technologies such as mobile, social perform specific functions they have to validate thatengineering, cloud or similar, the pentesting ser- they perform true to their design. Penetration test-vices are much weaker. Cloud services are ex- ing is a look into your infrastructure that was pre-cluded because of the lack of experience. Audit viously viewed as something that was unknown,standards are weak mainly because of the lack of huge, and complex. Nevertheless, the pentesterknowledge of regulation outside of Russia. I know reveals many previous unknown issues about po-only of one company who offers security and per- tential backdoors or Wi-Fi weaknesses, infectedsonal data compliance in the cloud while other pen- PCs and mobiles, etc. It is a test that should betesting companies prefer to dispute what is right or performed every week or month before and afterwrong. Social engineering testing is also excluded implementation. Therefore, it works only for com-for the same reason while mobile pentesting ser- pilation. If a company has a poor security designvices cannot be included because rarely do you then patching may make sense only for compila-see a privately implemented MDM (a mobile de- tion again not for improving and fixing security.vice management solution that combines data-driven mobile device management and application by PenTest Teammanagement with smartphone and tablet security)solutions. In the absence of MDM, mobile penetra-tion testing looks like a USB flash drive penetration 10/2012(10) Page 64 http://pentestmag.com