How information security has changed over the past 20 years



    Dmitry Sklyarov, Head of Application Analysis at Positive Technologies, shares his views on the history of the information security industry over the past 20 years.

    If you look at the program of any modern information security conference, you can see which topics researchers consider important. If you analyze this list of topics, technologies and directions, it turns out that twenty years ago the vast majority of them simply did not exist.

    For example, here are some topics from the OFFZONE 2018 conference:

    • cashless payments,
    • WAF bypass,
    • software-defined radio systems,
    • speculative execution,
    • searching for Android malware,
    • HTTP/2,
    • mobile OAuth 2.0,
    • XSS exploitation,
    • the Lazarus cyber group,
    • attacks on web applications with a multilayer architecture,
    • fault injection attacks on ARM processors.

    Of these, only two topics have existed for a long time. The first is the architectural features of ARM processors, which appeared in the mid-80s. The second is speculative execution, which dates back to the Intel Pentium Pro processor released in 1995.

    In other words, the truly "ancient" topics on this list are the ones associated with hardware. For the most part, the research that specialists do today is inspired by events of one, two or three years ago. For example, HTTP/2 appeared only in 2015, so in principle it could have been studied for no more than four years.

    Let's go back 20 years. In 1998, the so-called First Browser War ended, in which the two largest browsers of the time, Internet Explorer and Netscape Navigator, competed. Microsoft won this war, and its main competitor left the market. Back then there were few such programs, and many of them were paid, as Opera was, for example: this was considered normal. The browsers that are most popular today, Safari, Mozilla and Chrome, came much later, and today the idea of a paid browser would not occur to anyone.

    Internet penetration 20 years ago was several times lower than today, so demand for many web-related services formed much later than the end of the browser war.

    The situation in cryptography was different. It had been developing for many decades; by the nineties there were a number of time-tested standards for encryption (DES, RSA) and digital signatures, and over the following years many new products, algorithms and standards appeared, including the free OpenSSL library; in Russia, the GOST 28147-89 standard was declassified.

    Almost all the cryptography-related technologies we use today already existed in the nineties. The only widely discussed event in this area since then has been the discovery of a backdoor in the Dual_EC_DRBG algorithm (2004), which was supported by the NSA.

    Sources of knowledge


    In the early nineties, Bruce Schneier's cult book Applied Cryptography appeared; it was very interesting, but it was devoted to cryptography, not to information security as a whole. In Russia, the book "Attack through the Internet" by Ilya Medvedovsky, Pavel Semyanov and Vladimir Platonov was published in 1997. The appearance of such practical material, based on the personal experience of Russian experts, gave impetus to the development of the information security field in our country.

    Before that, novice researchers could only buy reprints of foreign studies, often poorly translated and without references to sources; after "Attack through the Internet", new practical manuals began to appear much more often. For example, as early as 1999, Chris Kaspersky's Technique and Philosophy of Hacker Attacks was released. "Attack through the Internet" itself received two sequels: "Attack on the Internet" (1999) and "Attack from the Internet" (2002).

    In 2001, Microsoft's book on secure code development, Writing Secure Code, was released. It was then that the software industry giant realized that software security is very important, and this was a very serious moment in the development of information security. After that, corporations began to think about security, whereas earlier these issues had not been given enough attention: the code was written, the product was sold, and that was considered enough. Since then, Microsoft has invested significant resources in security, and despite the vulnerabilities that still exist in the company's products, their protection is on the whole at a good level.

    In the USA, the information security industry has been developing quite actively since the 70s. As a result, by the nineties there were already several major information security conferences in that country: one was organized by RSA, Black Hat appeared, and in the same years the first CTF hacker competitions took place.

    In our country, the situation was different. Many of today's leaders in the Russian information security market did not yet exist in the nineties. Researchers did not have many employment options: there were Kaspersky Lab, DialogueScience, Informzashita and several other companies. Yandex, Positive Technologies, Digital Security, Group-IB and even Doctor Web appeared after 1998.

    The situation with conferences for sharing knowledge and studying current trends was similar. Abroad, everything was fine in this respect: the Chaos Communication Congress had been held since 1984, the RSA conference since 1991, DEF CON appeared in 1993 (and held its first CTF in 1996), and Black Hat had been held since the mid-nineties. In our country, the first significant event in this area was the RusCrypto conference, first held in 2000. For specialists in Russia who had no opportunity to travel to foreign events, it was hard to find like-minded people and exchange ideas.

    Since then, the number of worthy domestic events has grown significantly: there are Positive Hack Days, ZeroNights and OFFZONE.

    Personal experience: first steps in information security


    In 1998, I graduated from the Computer-Aided Design Systems department at Bauman MSTU, where I was taught to develop complex software. It was interesting, but I realized that I could do something else. Since school I had liked using a debugger to understand how software works; I conducted my first experiments in this direction with the Agat-Debugger and Agat-DOS programs, when I wanted to find out why the first one loaded five times faster even though it took up the same amount of space.

    As we have already seen, when I finished my studies the web in the modern sense did not exist. Therefore, nothing distracted me from reverse engineering. One of the important areas of reverse engineering is recovering the logic of code. I knew that there were many products protecting against pirated copying, as well as data encryption solutions, and reverse engineering was also used to research them. There was also antivirus development, but for some reason that direction never attracted me, nor did work in a military or government organization.

    By 1998, I was good at programming (for example, creating software for computer-aided design systems) and at using a debugger, I was interested in solving tasks like keygen-me and crack-me, and I was interested in cryptography (once I even managed to recover an Excel password my friends had forgotten from indirect data: "a Russian female name typed in the English layout").

    Then I continued my studies and even wrote a dissertation on "Methods of analysis of software methods for protecting electronic documents", although I never got as far as defending it (but I did realize the importance of copyright protection).

    I finally plunged into the field of information security after joining Elcomsoft. That also happened by chance: a friend asked me to help him recover lost access to an MS Access database, which I did by creating an automated password recovery tool. I tried to sell this tool to Elcomsoft, but instead I received a job offer and spent 12 years at the company. At work, I mainly dealt with access recovery, data recovery and computer forensics.

    During the first years of my career in the world of cryptography and password protection, several breakthroughs occurred: for example, in 2003 the concept of rainbow tables appeared, and in 2008 the use of graphics accelerators for password recovery began.

    The situation in the industry: the struggle of black and white hats


    During my career, already inside the information security sphere, I met and corresponded with a huge number of people. In the course of this communication, I began to understand that the division into "black hats" and "white hats" adopted in the industry does not reflect the real situation. In reality there are many more colors and shades.

    If you turn to the origins of the Internet and information security and read the stories of the hackers of those times, it becomes clear that the main stimulus for people then was curiosity, the desire to learn something new. At the same time, they did not always use legal methods; it is enough to read about the life of Kevin Mitnick.

    Today, the spectrum of researchers' motivations has expanded: idealists want to make the whole world safer; others want to become famous by creating a new technology or exploring a popular product; still others try to make money as quickly as possible, and for this there are many possibilities of varying degrees of legality. As a result, the latter often find themselves "on the dark side" and confront their own colleagues.

    As a result, today there are several areas for development within information security. You can become a researcher, compete in CTF, earn money by searching for vulnerabilities, and help businesses with cybersecurity.

    The development of bug bounty programs


    A serious impetus for the development of the information security market in the 2000s was the spread of bug bounty. Within these programs, developers of complex systems reward researchers for vulnerabilities discovered in their products.

    The main idea here is that it is primarily beneficial to developers and their users, because the damage from a successful cyber attack can be tens and hundreds of times higher than possible payments to researchers. Information security experts can do what they love to do — look for vulnerabilities — while remaining fully within the law and still receive rewards. As a result, companies get loyal researchers who follow the practice of responsible disclosure and help make software products safer.

    Disclosure Approaches


    Over the past twenty years, several approaches have emerged to how information security research results should be disclosed. There are companies like Zerodium that buy zero-day vulnerabilities and exploits for popular software; for example, a 0-day for iOS costs about $1 million. However, the more correct way for a self-respecting researcher to act after finding a vulnerability is to first contact the software vendor. Vendors are not always ready to admit their mistakes and collaborate with researchers, but many companies protect their reputation, try to eliminate vulnerabilities quickly and thank the researchers.

    If the vendor is not active enough, a common practice is to give it time to issue patches and only then publish information about the vulnerability. In this case, the researcher should think first of all about the interests of users: if there is a possibility that the developers will never fix the error at all, publishing it will give attackers a tool for constant attacks.

    Legislation Evolution


    As mentioned above, at the dawn of the Internet, the main motive for hackers was a craving for knowledge and plain curiosity. To satisfy it, researchers often did things that were dubious from the authorities' point of view, but in those years there were still very few laws regulating the field of information technology.

    As a result, laws often appeared in the wake of high-profile hacks. The first legislative initiatives in the field of information security appeared in Russia in 1996, when three articles of the criminal code were adopted concerning unauthorized access to information (Article 272), development of malicious code (Article 273) and violation of the rules for operating computer systems (Article 274).

    However, it is quite difficult to spell out all the nuances of such interactions clearly in laws, so there are discrepancies in interpretation. This also complicates the work of information security researchers: it is often unclear where law-abiding research activity ends and crime begins.

    Even within bug bounty programs, software developers may ask researchers for a demonstration of exploitation of the vulnerability, a proof of concept. As a result, the information security specialist is forced to create what is, in effect, malicious code, and once it is sent, "distribution" has already begun.

    Later, the laws were refined, but this did not always make life easier for researchers. For example, in 2006 articles of the civil code appeared concerning the protection of copyright and of technical protection measures. An attempt to circumvent such measures, even during research, may be considered a violation of the law.

    All this creates risks for researchers, therefore, before conducting certain experiments, it is better to consult with lawyers.

    Information Technology Development Cycle


    In the modern world, technologies develop in certain cycles. After a good idea emerges, it is commercialized, and a finished product appears that allows people to make money. If this product is successful, it attracts the attention of cybercriminals, who begin to look for ways to make money on it or on its users. Businesses are forced to respond to these threats and invest in protection. The confrontation between attackers and defenders begins.

    Moreover, in recent years there have been several revolutionary technological breakthroughs, from mass high-speed Internet access and social networks to the spread of mobile phones and the Internet of Things. Today, using smartphones, users can do almost everything they can do with computers. But at the same time, the level of security on mobile devices is fundamentally different.

    To steal a computer, you need to enter the room where it is stored. You can just steal a phone outside. However, many people still do not understand the scale of the security risks that technological development carries.

    The situation with deleting data from SSDs (i.e. flash-based drives) is similar. Standards for removing data from magnetic drives have existed for many years. With flash memory, the situation is different. For example, such disks support the TRIM operation: it tells the SSD controller that the deleted data no longer needs to be stored, and the data becomes inaccessible to reads through the drive. However, this command works at the operating system level; if you go down to the level of the physical memory chips, you will be able to access the data using a simple chip programmer.
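    To make the gap between the host's view and the chip's view concrete, here is an added toy model of an SSD's flash translation layer (constructed for this article, not real SSD firmware): writes go to fresh pages, TRIM only drops the logical-to-physical mapping, and the old bytes stay on the NAND until the controller's garbage collection erases them.

```python
"""Toy flash-translation-layer model: why TRIM is not a secure erase.
Constructed example; page sizes, mapping and GC policy are simplified assumptions."""
from dataclasses import dataclass, field

PAGE_SIZE = 4                      # bytes per NAND page (toy value)
ERASED = b"\xff" * PAGE_SIZE       # erased NAND reads as all 0xFF


@dataclass
class ToySSD:
    n_pages: int = 8
    nand: list = field(default_factory=list)   # physical pages, as a chip programmer would read them
    l2p: dict = field(default_factory=dict)    # logical block address -> physical page
    free: list = field(default_factory=list)   # pages available for new writes

    def __post_init__(self):
        self.nand = [ERASED for _ in range(self.n_pages)]
        self.free = list(range(self.n_pages))

    def write(self, lba: int, data: bytes) -> None:
        # NAND pages cannot be overwritten in place: allocate a fresh page and remap.
        # The previously mapped page (if any) becomes stale but is NOT erased here.
        page = self.free.pop(0)
        self.nand[page] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        self.l2p[lba] = page

    def read(self, lba: int) -> bytes:
        # Host-visible read through the controller: an unmapped LBA reads as zeros.
        page = self.l2p.get(lba)
        return self.nand[page] if page is not None else b"\x00" * PAGE_SIZE

    def trim(self, lba: int) -> None:
        # TRIM only tells the controller the block is unneeded: the mapping is dropped,
        # the flash contents are untouched until garbage collection gets to them.
        self.l2p.pop(lba, None)

    def raw_dump(self) -> list:
        # What you see by reading the NAND chip directly, bypassing the controller.
        return list(self.nand)

    def garbage_collect(self) -> None:
        # Erase every page no longer referenced by the map. A real SSD does this per
        # erase block and on its own schedule, so "eventually" can be a long time.
        live = set(self.l2p.values())
        for p in range(self.n_pages):
            if p not in live:
                self.nand[p] = ERASED
                if p not in self.free:
                    self.free.append(p)


def demo():
    ssd = ToySSD()
    ssd.write(0, b"SECR")
    ssd.trim(0)
    host_view = ssd.read(0)                       # zeros: the OS sees nothing
    on_chip = b"SECR" in ssd.raw_dump()           # True: bytes still on the NAND
    ssd.garbage_collect()
    gone = b"SECR" not in ssd.raw_dump()          # True only after GC erases the page
    return host_view, on_chip, gone
```

    Because the two views diverge, sanitizing an SSD relies on the drive's own secure-erase command or on full-disk encryption with key destruction, not on deleting files and trusting TRIM.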

    Another example is 3G and 4G modems. Previously, modems were passive devices completely controlled by the computer. Modern modems have themselves become computers: they contain their own OS and run independent computing processes. If an attacker modifies the modem's firmware, they will be able to intercept and control any transmitted data, and the user will never guess. To detect such an attack, you need to be able to analyze 3G/4G traffic, and only intelligence agencies and mobile operators have such capabilities. So these convenient modems turn out to be untrusted devices.

    Conclusions from 20 years in information security


    I have been associated with the field of information security for twenty years, and during this time my interests within it have changed in parallel with the development of the industry. Today, information technology is at such a level of development that it is simply impossible to know everything within even a single small niche, such as reverse engineering. Therefore, the creation of truly effective protection tools is now possible only for teams combining experienced experts with a diverse set of knowledge and competencies.

    Another important conclusion: at the moment, the task of information security is not to make any attacks impossible, but to manage risks. The confrontation between defense and attack specialists comes down to making the attack too expensive and reducing possible financial losses in the event of a successful attack.

    And the third, more global conclusion: information security is needed only as long as the business needs it. Even conducting complex penetration tests, which require top-class specialists, is essentially an auxiliary function of the process of selling information security products.

    Security is the tip of the iceberg. We protect information systems that are created only because the business needs them, created to solve its problems. But this is balanced by how important the field of information security is. If a security problem occurs, it can disrupt the functioning of information systems, and this will directly affect the business. So a lot depends on the security team.

    Summary


    Today, not everything in the field of information technology is cloudless, and serious problems exist. Here are the three main ones, in my opinion:

    • Excessive attention from the authorities. States around the world are increasingly trying to control and regulate the Internet and information technology.
    • The Internet is turning into a platform for information warfare. Twenty years ago, no one blamed "Russian hackers" for all the world's problems, but today it is the order of the day.
    • New technologies do not make people better or smarter. People need to be told why this or that solution is needed, taught how to use it, and warned about the possible risks.

    With all these drawbacks, information security today is clearly an area worth going into. Only here will you encounter the latest technologies and interesting people every day and be able to test yourself in the confrontation with the "black hats". Every new day brings a challenge, and you will never be bored.

    Posted by Dmitry Sklyarov, Head of Application Analysis, Positive Technologies
