The results of the research laboratory of Digital Security for 5 years

More than five years have passed since the official opening of the Digital Security research laboratory (known as Digital Security Research Group, or DSecRG), and we decided to sum up the interim results of the division in figures and note some of the achievements that matter most to us.

In 2013, Dmitry Evdokimov became head of the laboratory; he has proved to be an excellent specialist with a deep approach to studying security problems and is the author of a large body of research well known in the market.

Digital Security Research Group in numbers
1st Research Center in Russia
2nd place in the top 10 techniques of web-attacks in 2012
3 years of participation in international conferences
4 BlackHat appearances in 4 locations
5 years of public work
6 employees spoke at international conferences with their own reports
7 days a week
8 employees received thanks from the largest companies for the found vulnerabilities
9 main participants
10 - one of the top 10 BlackHat USA talks in 2012
Participated in 15 Defcon Russia meetings
Speakers in more than 20 countries
Over 30 speeches at international technical conferences
Over 40 studies
Nearly 100 published vulnerabilities in SAP
Nearly 200 vulnerabilities published in total
More than 300 vulnerabilities detected

Search and detection of vulnerabilities

In November 2007 the laboratory began searching for and analyzing vulnerabilities in software products. The key feature of this activity has been the principle of Responsible Disclosure: we inform the developer about the discovered vulnerability, help close it, and only then publish the details. Initially the objects of analysis were simple web applications and CMS systems; then the focus shifted to web servers and DBMSs, and gradually we came to business applications and ERP systems. It must be emphasized that our research center became a unique phenomenon for the Russian information security market: previously, vulnerability research was carried out haphazardly and irregularly, in an amateur format. The opening of the DSecRG laboratory brought this activity to a professional level. Over time, some market players followed the example of Digital Security and created their own vulnerability research units.

Number of closed vulnerabilities relative to detected

Over the whole period, DSecRG experts found 318 vulnerabilities, of which 199 have been closed by the vendors; the rest are being worked on. Now the main direction of our activity is Application Security, in which we will continue to work, striving to occupy leading positions not only in Russia but also in the world.

DSecRG experts found about 0.8% of all vulnerabilities closed worldwide over these 5 years, which exceeds the combined figure of all other Russian companies.

Number of vulnerabilities published in different years

2007 - 2
2008 - 41
2009 - 37
2010 - 26
2011 - 42
2012 - 51

Number of published vulnerabilities in products of key manufacturers

SAP - 93
Oracle - 19
Adobe - 5
WAGO - 4
VMware - 4
IBM - 3
HP - 2
Microsoft - 1

Number of published vulnerabilities in various areas

SAP - 93
Web applications and servers - 58
ERP and business applications - 26
Industrial control systems (SCADA / ICS) - 7
Other - 6
DBMS - 5
RMS - 4

Vulnerability closing time

The shortest closing time among open source projects belongs to the Blogcms and 2z developers: several vulnerabilities of various kinds were closed in a single day!
The average time to close vulnerabilities for open source developers is 30 days.
The longest open source fix was prepared by Apache: 126 days (a vulnerability in the Apache Geronimo application, identifier [DSECRG-09-019]).

The shortest closing time among commercial companies belongs to Oracle: a buffer overflow vulnerability in the Oracle DBMS was closed in 28 days.
The average time to close vulnerabilities for commercial companies is 295 days.
The longest fix was also prepared by Oracle: 1214 days (a vulnerability in the Oracle Business Intelligence application, identifier [DSECRG-12-040]).

Research work

Over the lifetime of DSecRG, 42 large studies were prepared; their results took the form of articles, reports and conference talks.

Published studies in various fields
* Some studies fall into several categories at once.

Number of studies in different years

2008 - 2
2009 - 3
2010 - 11
2011 - 11
2012 - 15

Studies of various laboratory staff

Polyakov - 21
Sintsov - 11
Evdokimov - 4
Tyurin - 3
Chastuhin - 3
Svistunovich - 2
Minozhenko - 2
Cherbov - 1
Neyolov - 1

Security of RBS systems (2009-2011)

The first study of remote banking security in Russia. Previously very little had been said on this topic, but the problems raised by DSecRG experts attracted the attention of specialists from various organizations in the information security industry, and this segment of the security analysis market has grown significantly in popularity.

Adapting the JIT-Spray technique (2010)

This study improved the JIT-spray technique against Adobe Flash used to bypass DEP and ASLR. As a result of the work, the attack time was reduced by a factor of 100! In addition, the study showed that not only the JIT engine of Adobe Flash but also the JavaScript engine of the Safari browser is susceptible to a similar attack. The results of this work were subsequently used by many offensive security companies around the world.

SAP security in numbers (2007-2012)

SAP Global Security Survey 2007-2011. It was published in two languages and received the InfoSecurity Product Guide award in the Advertising nomination. The study covered all aspects of SAP security: from vulnerability statistics and descriptions of the top 5 vulnerabilities to an analysis of SAP systems reachable from the Internet in particular countries, and statistics on the most common versions and patches.

SSRF and Business Applications (2012-2013)

The study was first presented at the BlackHat conference and popularized research into a new class of attacks. Together with other independent SSRF research, this publication ranked 2nd in the list of the 10 most interesting attacks on web applications in 2012.

Mobile Banking (2012-2013)

A static analysis of the client-side code of mobile payment applications for iOS and Android from more than 30 Russian banks was conducted. It turned out that every application examined contains at least one vulnerability that allows an attack on the bank or its clients.

Speeches at international conferences

In 2009 the laboratory made a breakthrough in its development by starting to present its research at international technical conferences. In the West we were not the first (ElcomSoft spoke abroad 10 years ago), but Digital Security took the participation of Russian researchers to a new level, significantly increasing the presence of information security experts at key conferences. In three years DSecRG has appeared at 36 conferences in 20 countries of Europe, Asia and the USA, and we continue to work in this direction, conquering new continents. It is gratifying that the initiative of Digital Security was supported by other companies and independent researchers. By 2013, company talks at international conferences had become the norm, just as a couple of years earlier acknowledgments from vendors had become the norm.

Number of talks at different conferences

CONFidence - 6
BlackHat - 5
HITB - 4
Deepsec - 2
SecurityByte - 2
HackerHalted - 2
Troopers - 1
Source - 1
t2.fi - 1
BruCON - 1
InfoSecurity Kuwait - 1
Just4Meeting - 1
Defcon - 1
RSA - 1
Nullcon - 1
HackTivity - 1
IT-SA - 1
Syscan360 - 1
SAP Security Summit - 1
Hashdays - 1
PoC - 1

Number of talks in different countries

USA - 6
Poland - 5
Germany - 3
Netherlands - 3
India - 3
China - 2
Malaysia - 2
Austria - 2
Czech Republic - 1
Spain - 1
Belgium - 1
Portugal - 1
Kuwait - 1
Hungary - 1
Switzerland - 1
Korea - 1
UAE - 1
Finland - 1

Number of talks in different years

2010 - 9
2011 - 9
2012 - 19

Number of talks in various areas

Number of talks by speaker

Polyakov - 25
Sintsov - 5
Evdokimov - 4
Chastuhin - 4
Minozhenko - 2
Neyolov - 2

Projects and community initiatives

As far as possible, we try to take part in various projects and initiatives. Let us dwell on the most important of them.

ZeroNights

Organization of the annual international conference ZeroNights in Moscow and St. Petersburg. The only uncompromisingly technical conference in Russia devoted to the latest methods of attack and defense, in 2012 it gathered 600 attendees and more than 50 speakers and was named by the authoritative publication SC Magazine among the most significant conferences to attend in 2013, alongside such giants as BlackHat, HITB and Infiltrate.

Defcon Russia

The project was created by employees of the research laboratory. It is a unique platform for training young professionals that allows them to gain knowledge and skills and exchange experience at informal meetings. Gathering more than 50 people a month, it served as the prototype for the ZeroNights conference. To date, 15 meetings have been held successfully.

OWASP

Within the OWASP project we run the OWASP-EAS subproject, dedicated to the security of business applications. The first version of the subproject was introduced in 2010 and included a description of the main threats to business applications and a methodology for assessing their security. After a long break spent collecting information and analyzing systems, serious work on version 2 began in 2013.

Project BaseCamp

Participation in the project dedicated to the security analysis of industrial control systems, specifically vulnerabilities in programmable logic controllers. We analyzed the WAGO PLC and the KingSCADA system.

Metasploit

Participation in the Metasploit project: development of exploit modules for the Oracle DBMS and other convenient tools that assist in penetration testing.

Bounty programs

Participation in virtually all bug bounty programs. We regularly receive acknowledgments and cash rewards from Google, Yandex and Nokia, and in the future we plan to support other companies offering similar programs.

Python arsenal

In the course of this work, a database of more than 40 different Python tools for reverse engineering and application security analysis was collected and structured. The result of this large-scale effort was a site with convenient search and a regularly updated database, visited daily by hundreds of researchers from around the world.

Members
Alexander Polyakov
AlexandrPolyakov

Founder of the Digital Security Research Group. Author of the book Oracle Security through the Eyes of an Auditor: Attack and Defense (2009) and more than 30 articles on the security analysis of systems and applications in leading Russian publications, including Russian SAP expert publications. One of the world's best-known SAP and Oracle security experts, he has found more than 100 vulnerabilities in their software. In his spare time he is keen on finding non-standard attack vectors and specific problems in business systems.

Alexey Tyurin, Ph.D.
Grrrndog

A security specialist for web applications and banking clients, he has extensive experience in penetration testing of business systems such as Citrix, VMware and others. He has discovered a large number of vulnerabilities. Editor of the Easy Hack column in Xakep magazine.

Gleb Cherbov
Jrun

Specialist in the security analysis of network and web applications. Also deals with security aspects of embedded systems. He takes an active part in the research conducted within DSecRG. Co-organizer of and regular speaker at Russian Defcon Group meetings.

Dmitry Evdokimov
d1g1

He specializes in the security of critical business systems (SAP) and of mobile platforms (iOS, Windows Phone, Android). He has official acknowledgments from SAP and Oracle for vulnerabilities found in their products. In addition, his areas of interest include reverse engineering, software verification and program analysis (SMT, DBI, IR), finding vulnerabilities and writing exploits, and developing static and dynamic code analysis tools in Python. He has spoken at conferences such as BlackHat and CONFidence. Runs a column in Xakep magazine. He is one of the organizers of the Russian Defcon Group (DCG #7812) and ZeroNights conferences.

Alexander Minozhenko
Jug

Leading information security researcher. He has extensive experience in penetration testing of business systems such as SAP, VMware and others. He has spoken at the CONFidence and Defcon conferences.

Nikolay Meshcherin
Ab7orbent

He is responsible for analytics and testing of the ERPScan Security Monitoring Suite for SAP, and also actively participates in the search for and analysis of vulnerabilities in SAP systems. He has official acknowledgments from SAP AG for vulnerabilities found in the corporation's products.

Dmitry Chastukhin
chipik

He is one of the leading security experts on SAP and web applications. A big bug bounty fan, he has official acknowledgments from Yandex, Google, Nokia and SAP. He has spoken at BlackHat USA, HackInTheBox, BruCON and ZeroNights. Actively involved in the activities of the Russian Defcon Group.

Evgeny Neelov

His key interests are business application security, cybercrime analysis, forensics and evasion techniques, e-commerce security, and antifraud systems. He has spoken at SyScan360 and other conferences on methods of bypassing antifraud systems. One of the organizers of ZeroNights and the Russian Defcon Group. He has acknowledgments for discovered vulnerabilities from Microsoft, SAP and other companies.

Alexander Bolshev, Ph.D.
dark_k3y

He holds a PhD in the specialties "Mathematical Software for Computers" and "Information Security", conducts scientific work at SPETU "LETI", and participates in the research of the Digital Security laboratory, including as a consultant in applied mathematics. Author of the SSRF DoS Relaying study (2013).

Our team also includes researchers from various cities of Russia, as well as from Switzerland, India and Kazakhstan. If you want to be part of our team, write to research@dsec.ru with information about yourself, and hopefully we will find common interests.

Source: https://habr.com/ru/post/177529/