How information security has changed over the last 20 years
Publication date: 06-05-2019
Dmitry Sklyarov, head of the application analysis department at Positive Technologies, shares his view of how the information security industry has developed over the past 20 years.

If you look at the programme of any modern information security conference, you can see which topics researchers consider important. Looking at that list of topics, technologies and trends, it turns out that twenty years ago the vast majority of them simply did not exist.

For example, some of the topics from the OFFZONE 2018 conference:

  • cashless payments,
  • WAF bypass,
  • software-defined radio,
  • speculative execution,
  • hunting for Android malware,
  • HTTP/2,
  • mobile OAuth 2.0,
  • exploitation of XSS,
  • the Lazarus cyber group,
  • attacks on web applications with a layered architecture,
  • fault injection attacks on ARM processors.

Of these, only two subjects have been around for a long time. The first is the ARM processor architecture, which appeared in the mid-1980s. The second is speculative execution, which goes back to Intel's Pentium Pro processor, released in 1995.

In other words, the only really "ancient" topics on the list are the ones tied to hardware. Most of the research specialists do today is inspired by events of the last one, two or three years. For example, HTTP/2 appeared only in 2015, so it could in principle have been studied for no more than four years.

Let us go back 20 years. In 1998 the so-called first browser war ended, in which the two biggest browsers of the time, Internet Explorer and Netscape Navigator, competed. Microsoft won the war and its main competitor left the market. There were few such programs then, and many of them were paid, Opera for example: that was considered normal. The most popular browsers of today, Safari, Mozilla Firefox and Chrome, were created much later, and the idea that a browser could be a paid product would not occur to anyone now.

Internet penetration 20 years ago was significantly lower than today, so the demand for many web-related services formed well after the browser war.

The situation is different in cryptography. It had been developing for decades; by the nineties there were a number of time-tested encryption standards (DES, RSA) and digital signature standards, and in the following years many new products, algorithms and standards appeared, including ones developed in the open, such as OpenSSL; in Russia the GOST 28147-89 standard was declassified.

Almost all of the cryptography-related technology we use today already existed in the nineties. The only widely discussed event in this area since then has been the discovery of a backdoor in Dual_EC_DRBG, the NSA-backed algorithm dating from 2004.

Sources of knowledge

In the early nineties Bruce Schneier's cult book Applied Cryptography came out. It was very interesting, but it was devoted to cryptography, not information security. In Russia the book "Attack via the Internet" by Ilya Medvedovsky, Pavel Semyanov and Vladimir Platonov was published in 1997. The appearance of such practical material, based on the personal experience of Russian experts, gave impetus to the development of information security in our country.

Whereas earlier researchers could only buy reprints of foreign studies, often poorly translated and without references to the sources, after "Attack via the Internet" new practical manuals began to appear more often. For example, in 1999 "The Technique and Philosophy of Hacker Attacks" by Kris Kaspersky was published. "Attack via the Internet" got two sequels: "Attack on the Internet" (1999) and "Attack from the Internet" (2002).

In 2001 Microsoft's book on secure development, Writing Secure Code, was published. That was when the giant of the software industry recognised that software security really matters, a very serious moment in the development of information security. After that, corporations began to think about security; previously these issues had not received enough attention: the code was written, the product was sold, and that was considered sufficient. Since then Microsoft has invested heavily in security, and despite the vulnerabilities found in the company's products, overall their protection is good.

In the US the information security industry had been developing quite actively since the 1970s. As a result, by the nineties there were several large security conferences in that country. One of them was organised by RSA; Black Hat appeared in the same years, and the first hacker competitions in the CTF format were held.

In our country the situation was different. Many of today's leaders of the Russian information security market did not exist in the nineties. Researchers had few employment options: there were Kaspersky Lab, DialogNauka, Aquarius and a few other companies. Yandex, Positive Technologies, Digital Security, Group-IB and even Doctor Web appeared after 1998.

The situation with conferences for exchanging knowledge and following current trends was similar. Abroad everything was fine: the Chaos Communication Congress has been held since 1984, the RSA Conference appeared in 1991, DEF CON in 1993 (its first CTF was held in 1996), and Black Hat has run since the late nineties (1997). In our country the first significant event in this field was the RusCrypto conference, first held in 2000. For Russian specialists who could not travel to events abroad, it was hard to find like-minded people and share ideas.

Since then the number of decent domestic events has grown significantly: there are Positive Hack Days, ZeroNights and OFFZONE.

Personal experience: first steps in information security

In 1998 I graduated from the Department of Computer-Aided Design at Bauman MSTU, where I was taught to develop complex software. It was interesting, but I realised I could do something else. Since school I had liked using a debugger to understand how things work; my first experiments in this direction were with the programs Agat-Debugger and Agat-DOS, when I wanted to find out why the first loaded five times faster although it took up the same space.

As we have seen, at the time I finished my studies the web in the modern sense did not exist. So nothing distracted me from reverse engineering. One of the important areas of reverse engineering is recovering the logic of code. I knew there were many products protecting against piracy, as well as data encryption solutions, and studying them also requires reverse engineering. There was also antivirus development, but somehow it never attracted me, nor did work in military or government organisations.

By 1998 I was pretty good at programming (for example, I had written computer-aided design software) and at using a debugger, was fond of solving keygen-me and crack-me tasks, and was interested in cryptography (once I even managed to recover a forgotten password for an acquaintance's Excel database from indirect evidence: "a Russian female name in the English keyboard layout").
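The "Russian female name in the English layout" hint above describes a real password-recovery technique: the user typed Cyrillic with the keyboard switched to the Latin layout, so the password is the key-for-key image of the name under the QWERTY layout. The block below is an added example, not the author's tool and not Elcomsoft code. The name list, the case rules, the digit suffixes and the SHA-256 check standing in for the file's own password verification are all constructed for the demonstration, and it also covers the reverse direction (Latin text typed on the Russian layout), which the article does not mention.

```python
"""Generate password candidates from names typed in the wrong keyboard layout.

Added example, not from the original article. Only the hint itself (a Russian
female name typed in the English layout) comes from the text; everything else
here is constructed for the demonstration.
"""
import hashlib
from typing import Callable, Iterable, Iterator, Optional, Tuple

# The Russian ЙЦУКЕН layout and the QWERTY character on the same physical key.
_RU = "йцукенгшщзхъфывапролджэячсмитьбюё"
_EN = "qwertyuiop[]asdfghjkl;'zxcvbnm,.`"
assert len(_RU) == len(_EN)

RU_TO_EN = {r: e for r, e in zip(_RU, _EN)}
EN_TO_RU = {e: r for r, e in zip(_RU, _EN)}


def relayout(text: str, table: dict) -> str:
    """Replace every character by the one on the same key in the other layout.

    Case is preserved (Shift is the same key in both layouts); characters that
    are not in the table, such as digits, pass through unchanged.
    """
    out = []
    for ch in text:
        mapped = table.get(ch.lower(), ch.lower())
        out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out)


def ru_in_en_layout(name: str) -> str:
    """What a Cyrillic string becomes when typed with the Latin layout active."""
    return relayout(name, RU_TO_EN)


def en_in_ru_layout(text: str) -> str:
    """The reverse: a Latin string typed with the Russian layout active."""
    return relayout(text, EN_TO_RU)


def case_variants(word: str) -> Iterator[str]:
    """The spellings a person is likely to have typed: as given, lower, Capitalised, UPPER."""
    seen = set()
    for variant in (word, word.lower(), word.capitalize(), word.upper()):
        if variant not in seen:
            seen.add(variant)
            yield variant


def candidates(names: Iterable[str], suffixes: Tuple[str, ...] = ("", "1", "123")) -> Iterator[str]:
    """Yield every name, in every casing, re-typed in the English layout, with optional digit suffixes.

    The suffix list is a constructed extension of the hint, not something the article mentions.
    """
    for name in names:
        for variant in case_variants(name):
            typed = ru_in_en_layout(variant)
            for suffix in suffixes:
                yield typed + suffix


# Constructed stand-in for the file's password check: the digest of the (unknown to
# the attacker) real password. Real Office files use their own verification scheme;
# only the interface "does this candidate open the file?" matters here.
_SECRET_DIGEST = hashlib.sha256("Jkmuf".encode()).hexdigest()  # "Ольга" typed in the English layout


def opens_file(candidate: str) -> bool:
    return hashlib.sha256(candidate.encode()).hexdigest() == _SECRET_DIGEST


def recover(names: Iterable[str], check: Callable[[str], bool] = opens_file) -> Tuple[Optional[str], int]:
    """Try every candidate against the check; return (password or None, number of attempts)."""
    attempts = 0
    for candidate in candidates(names):
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


# Constructed name list; a real run would use a full dictionary of names.
NAMES = ["Анна", "Мария", "Елена", "Ольга", "Наташа"]

if __name__ == "__main__":
    password, attempts = recover(NAMES)
    print(f"recovered: {password!r} after {attempts} attempts")
```

The search space is tiny because the hint fixes the alphabet and the transformation; without it the same password is a five-character string over the full printable set and would have to be brute-forced. The same relayout trick applies to any two layouts that share physical key positions.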

Then I continued my studies and even wrote a thesis on "Methods of analysis and software methods of protecting electronic documents", although it never came to a defence (but I understood the importance of the topic of copyright protection).

I became fully immersed in information security after joining Elcomsoft. That was also an accident: a friend asked me to help restore lost access to an MS Access database, which I did by creating an automated password recovery tool. I tried to sell this tool to Elcomsoft, but instead I got a job offer and stayed with the company for 12 years. At work I mostly dealt with access recovery, data recovery and computer forensics.

During the first years of my career there were several breakthroughs in the world of cryptography and password protection: for example, in 2003 the concept of rainbow tables was introduced, and in 2008 graphics cards began to be used for password recovery.

The situation in the industry: the struggle between black hats and white hats

During my career in information security I have met and corresponded with a lot of people. In the course of those conversations I came to understand that dividing the industry into "black hats" and "white hats" does not reflect the real situation. Of course, there are many more colours and shades.

If we go back to the origins of the Internet and information security and read the stories of the hackers of those times, it becomes clear that people's main incentive then was curiosity, the desire to learn something new. They did not always use legitimate methods; it is enough to read about the life of Kevin Mitnick.

Today the range of researchers' motivations has widened: idealists want to make the whole world safer; some want to become famous by creating a new technology or dissecting a popular product; others try to make money as quickly as possible, and there are many opportunities for that, of varying degrees of legality. In the end, the latter often find themselves on the "dark side", in opposition to their own colleagues.

As a result, there are now several development paths within information security. You can become a researcher, compete in CTFs, do vulnerability assessment, or help businesses with their cybersecurity.

The development of bug bounty programs

A major impetus for the development of the information security market in the 2000s was the spread of bug bounty programs. Under such programs, the developers of complex systems reward researchers for vulnerabilities discovered in their products.

The basic idea is that this benefits the developers and their users first of all, because the damage from a successful cyberattack can be tens or hundreds of times greater than the researcher's possible reward. Information security specialists get to do what they love, finding vulnerabilities, while staying entirely within the law and being paid for it. As a result companies gain loyal researchers who follow responsible disclosure practices and help make software products safer.

Approaches to disclosure

Over the past twenty years several approaches have emerged to how the results of information security research should be disclosed. There are companies such as Zerodium that buy zero-day vulnerabilities and working exploits for popular software; an iOS 0-day, for example, is worth about US$1 million. However, the more correct course of action for a self-respecting researcher who finds a vulnerability is to contact the software vendor first. Vendors are not always willing to admit their mistakes and cooperate with researchers, but many companies protect their reputation by trying to fix vulnerabilities quickly and thanking the researchers.

If the vendor is not responsive enough, the common practice is to give it time to release patches and then publish the information about the vulnerability. The researcher should think first about the interests of users: if there is a chance the developers will never fix the bug, publishing it hands attackers a tool for routine attacks.

The evolution of legislation

As mentioned above, at the dawn of the Internet the main motive of hackers was a thirst for knowledge and simple curiosity. To satisfy it, researchers often did things that were questionable from the authorities' point of view, but in those years there were very few laws regulating information technology at all.

As a result, laws often appeared in the wake of high-profile hacks. In Russia the first legislative initiatives in information security appeared in 1996, when three articles of the Criminal Code were adopted: unauthorised access to information (Article 272), creation of malicious code (Article 273) and violation of the rules of operating computer systems (Article 274).

However, it is quite difficult to define every nuance of these interactions clearly in law, which leads to conflicting interpretations. That complicates the work of security researchers: it is often unclear where, from the law's point of view, good-faith research ends and a crime begins.

Even within bug bounty programs, software developers may ask researchers to demonstrate the exploit, a proof of concept. In the end the specialist is forced to create what is, in effect, malicious code, and sending it to the vendor already looks like "distribution".

Later the laws were improved, but that does not always make researchers' lives easier. For example, in 2006 an article of the Civil Code appeared concerning copyright protection and technical protection measures. Attempting to bypass such protection, even in the course of research, may be considered a violation of the law.

All this creates risks for researchers, so before conducting certain experiments it is better to consult a lawyer.

The technology development cycle in information security

In today's world technology evolves in certain cycles. A good idea emerges and is commercialised, a finished product appears that earns money. If the product is successful, it attracts the attention of cybercriminals who want to make money on it or on its users. Business is forced to respond to these threats and defend itself. The confrontation between attackers and defenders begins.

In recent years there have been several revolutionary technological shifts, from mass broadband Internet access and social networks to the spread of mobile phones and the Internet of Things. Today users can do almost the same things on a smartphone as on a computer. But the level of security on "mobile" is radically different.

To steal a computer, you need to get into the room where it is kept. A phone can be stolen on the street. Yet many people still do not grasp the scale of the security risks that the development of technology brings with it.

The situation with erasing data from SSDs (that is, flash drives) is similar. Standards for erasing data from magnetic drives have existed for many years. With flash memory things are different. For example, such drives support the TRIM operation: it tells the SSD controller that the deleted data no longer needs to be kept, and it becomes unreadable. However, this command works at the operating system level, and nothing in it guarantees that the flash pages themselves have been erased; if you go lower, to the level of the physical memory chips, the data can still be accessed with a simple programmer.
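A practitioner's first check for the caveat above is whether deleted data is still readable through the block device at all: the drive must advertise discard support, the filesystem must actually issue TRIM, and only after that does the question of what the chips still hold arise. The script below is an added example, not from the article. It assumes Linux with util-linux (lsblk and fstrim), a mounted filesystem on the SSD under test, and root for the raw read of the device; the canary marker and the sample lsblk output used to exercise the parser are constructed for the demonstration.

```python
"""Check whether deleted data survives on an SSD after TRIM.

Added example, not from the original article. Assumes Linux with util-linux
(`lsblk`, `fstrim`), a mounted filesystem on the SSD under test, and root for
the raw read of the block device. The marker string is constructed.
"""
import os
import subprocess
import time


def discard_supported(lsblk_output):
    """True if the device advertises discard (TRIM) capability.

    `lsblk_output` is the stdout of
        lsblk -dn -o NAME,DISC-GRAN,DISC-MAX <device>
    A discard granularity or maximum of 0B means the kernel will never send TRIM,
    so fstrim cannot remove anything and a "deleted" file stays readable.
    """
    for line in lsblk_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] != "0B" and parts[2] != "0B":
            return True
    return False


def write_canary(path, marker, repeats):
    """Write `repeats` newline-terminated copies of `marker` to `path` and force them to disk."""
    with open(path, "wb") as f:
        f.write((marker + b"\n") * repeats)
        f.flush()
        os.fsync(f.fileno())


def count_marker(path, marker, chunk=1 << 20):
    """Count occurrences of `marker` in the raw bytes of `path` (image file or block device).

    Reads in fixed-size chunks and carries the last len(marker)-1 bytes over to the
    next read, so a marker that straddles a chunk boundary is found exactly once.
    """
    if not marker:
        raise ValueError("marker must be non-empty")
    total = 0
    carry = b""
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            data = carry + buf
            total += data.count(marker)
            carry = data[-(len(marker) - 1):] if len(marker) > 1 else b""
    return total


def trim_survival_test(mount_point, device, marker=b"TRIM-CANARY-7f3a9c", repeats=1024):
    """Write a canary file, delete it, run fstrim, then count the marker on the raw device.

    Returns (copies visible before delete, copies visible after fstrim). A non-zero
    second value means the deleted data is still readable through the block device;
    a zero says nothing about what the flash chips themselves still hold.
    """
    canary = os.path.join(mount_point, ".trim_canary")
    write_canary(canary, marker, repeats)
    before = count_marker(device, marker)
    os.remove(canary)
    subprocess.run(["fstrim", "-v", mount_point], check=True)
    time.sleep(5)  # give the controller time to act on the discard
    after = count_marker(device, marker)
    return before, after


if __name__ == "__main__":
    import sys
    mount_point, device = sys.argv[1], sys.argv[2]  # e.g. /mnt/ssd /dev/nvme0n1p1
    info = subprocess.run(["lsblk", "-dn", "-o", "NAME,DISC-GRAN,DISC-MAX", device],
                          capture_output=True, text=True, check=True).stdout
    print("discard supported:", discard_supported(info))
    print("marker copies before delete / after fstrim:", trim_survival_test(mount_point, device))
```

Run it as root against a scratch filesystem, not a production volume. Whether a trimmed block reads back as zeros depends on the drive, so an "after" count of zero shows only that the block device no longer returns the data, which is exactly the gap the paragraph above describes: reading the chips directly bypasses the controller entirely.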

Another example is 3G and 4G modems. Early modems were slave devices controlled by the computer. Modern modems have themselves become computers: they contain their own OS, and independent computational processes run inside them. If an attacker modifies the modem's firmware, he will be able to intercept and monitor any data being transmitted, and the user will never know (application-layer encryption such as TLS limits what a compromised modem can read, not what it can observe about who is talking to whom). To detect such attacks you need to be able to analyse 3G/4G traffic, and such capabilities are available only to intelligence agencies and mobile operators. So, convenient as they are, such modems are unverifiable devices.

Conclusions from 20 years in information security

I have been connected with information security for twenty years, and during that time my interests within it have changed in step with the development of the industry. Today information technology is at a level where knowing everything even within a single small niche, such as reverse engineering, is simply impossible. Therefore, creating truly effective protection tools is today possible only for teams that bring together experienced experts with a diverse set of knowledge and competencies.

Another important conclusion: today the task of information security is not to make any attack impossible, but to manage risk. The confrontation between defenders and attackers is about making an attack too expensive and reducing the possible financial losses in the event of a successful one.

And a third, more global conclusion: information security is needed only as long as the business needs it. Even carrying out complex penetration tests that require top-class specialists is, in essence, a supporting function for the sale of information security products.

Security is the tip of the iceberg. We protect an information system that was created only because the business needs it and was designed for the business's tasks. But that fact does not diminish the importance of information security. If there is a security problem, it can disrupt the functioning of information systems, and that directly affects the business. So a great deal depends on security.

Summary

Today not everything in information technology is rosy; there are serious problems. Here are the three main ones, in my opinion:

  • Unwanted attention from the authorities. Governments are increasingly trying to control and regulate the Internet and information technology.
  • The Internet is becoming a platform for information warfare. Twenty years ago no one blamed "Russian hackers" for all the world's problems; today that is the norm.
  • New technologies do not make people better or smarter. People need to be told why a solution is needed, taught to use it, and warned about the potential risks.

With all these downsides, information security today is clearly a field worth going into. Only here will you encounter the latest technologies every day, meet interesting people, and test yourself in confrontation with the "black hats". Every new day will be a challenge, and it will never be boring.

Source: https://habr.com/ru/company/pt/blog/449320/

Tags: assessment , security , information war , information Society