
Kirill "isox" Yermakov, chief security officer of QIWI, talks about his work, about blackhats, about anonymity and about grown-up information security.




It is believed that banking CISOs are boring guys. They don't know how to work with their hands at all, they sit in endless meetings and generally do all sorts of nonsense. The hero of today's story, isox, certainly can't be called boring. Some know him as a top bug hunter at Yandex, some as the creator of Vulners, an open vulnerability database, and some simply as the coolest corporate security specialist around. Isox spoke very honestly about his work, about blackhats, about anonymity and about information security in general. So, meet Kirill "isox" Yermakov, chief security officer of QIWI!



Profile

  • Uses nano, does not recognize vim
  • Can find a path traversal even in a kettle
  • Always at hand:
  • Guitarist. Plays:
    • Gibson Les Paul No. 384 Pre-Historic, purchased from a collector in Japan
    • Fender Stratocaster
    • Gibson SG Standard 2000
  • Avid racing driver. Drives a Porsche 911



In fact, I don't really like computers. I love racing. And to race you need to earn money somehow. So I became a hacker.


I was into time attack racing. It's a very fast drive around a circuit against the clock. That is, you just need to lap faster than everyone else.


I had a Subaru STI, everything like in a mobile game. The car had a custom racing ECU for 3,000 euros, but on its own it could hardly do anything. At best, it just drove the car. But there was no racing functionality, such as remote telemetry readout or a boost-pressure maintenance system (Anti-Lag). For your car to be able to do something, you need to buy add-ons for it.


The ECU has a unique serial. You send it to the vendor, pay the money and get an unlock code. You enter it into the car, and one option or another is activated. That is, all the racing features are baked into the ECU from the start, you just need to unlock them. That's when I thought: can I do without the vendor?


I can program cars myself. If you understand how the engine works, you can tune it. Of course, you'll seize it a few times along the way. But you're a hacker, you're stubborn, right? So, I get into the car and see that the control system is locked with a password. It clicked right there in my head: "locked with a password" and "information security" are somewhere nearby. I loaded the firmware for this ECU into OllyDbg (I couldn't handle IDA back then) and saw that the password was verified on the client. That is, it isn't sent to a remote server for checking, but is checked directly in the control program on the computer, written in C++ Builder. One JMP resolved the issue. So I got into my firmware.


There remained the second task: to find the very keys that activated the additional functionality. The Subaru had an ECU from one well-known vendor. I was lucky to have two very strong reversers behind me, Dima Sklyarov and Sasha Plex. I said to the guys: "Let's break my car's ECU?"


Dima quickly reversed the entire ECU firmware; it was a Motorola 68000. But the disassembled firmware was not enough: the activation codes for the super-features, naturally, lay in a protected memory region that existed only in the ECU, and it seemed impossible to read it.


In search of at least some information, I went to the vendor's site and accidentally stumbled upon an interesting bug. When you download a file with fresh firmware from their site, the URL looks like this: /download-file?id=315 . I tried substituting 316, 317 and quickly enumerated everything there was. Among the dumped treasure were the Developer Tools, which allowed you to upgrade the bootloader! It remained to find the bootloader image.
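The download bug described above is a textbook insecure direct object reference: the server trusts a sequential id and never asks who is requesting it. The following is an added example (not code from the interview or from the vendor's site) showing the vulnerable lookup beside an authorized one, plus an opaque single-use download token so that ids never need to appear in URLs at all. The catalogue, owners and file names are constructed sample data.

```python
import secrets
from dataclasses import dataclass


@dataclass
class FileRecord:
    file_id: int
    owner: str        # assumed: the customer entitled to this file
    name: str
    public: bool = False


# Constructed sample catalogue with sequential ids, as on the vendor site.
FILES = {
    315: FileRecord(315, "customer-a", "firmware-1.2.bin", public=True),
    316: FileRecord(316, "customer-b", "firmware-1.3.bin"),
    317: FileRecord(317, "vendor-internal", "developer-tools.zip"),
}


def download_unchecked(file_id):
    """The vulnerable pattern: whatever id exists is served, so ids can be enumerated."""
    rec = FILES.get(file_id)
    return rec.name if rec else None


def download_authorized(file_id, user):
    """The fix: look the record up, then check that this user is entitled to it.

    Missing and forbidden files get the same answer, so the endpoint
    does not become an oracle for which ids exist.
    """
    rec = FILES.get(file_id)
    if rec is None or not (rec.public or rec.owner == user):
        return None
    return rec.name


# Hypothetical in-memory token store; a real deployment would add expiry.
TOKENS = {}


def issue_download_token(file_id, user):
    """Hand out an unguessable, single-use token instead of exposing the id."""
    if download_authorized(file_id, user) is None:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (file_id, user)
    return token


def redeem_token(token, user):
    """Serve the file only to the user the token was issued to, then burn the token."""
    entry = TOKENS.get(token)
    if entry is None or entry[1] != user:
        return None
    TOKENS.pop(token)
    return download_authorized(entry[0], user)
```

Note that `download_authorized` still accepts ids; the token layer is what removes the incentive to count upward in the URL, and the single-use rule limits the damage if a token leaks from a log or a browser history.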


The Developer Tools we got helped us. Through this devkit we learned how to flash firmware we had modified. Dima Sklyarov found the only XOR in the firmware. That code was responsible for checking the keys. Then we simply modified the field where the serial was located, so that in three flashes we could read out the entire area where the magic bytes lay, and compute the necessary activation codes. So I got the keys and activated all the racing functions in my car.


We told the vendor everything. They, however, didn't care. They haven't fixed this vulnerability in five years. There was even a presentation at PHDays on this topic. We told them: "Well, fix it, please, we're ashamed," but they haven't. But I felt like a real hacker. This is blackhat stuff: poking your own car :).


How it happened




My "creative journey" began when I found money in the budget, which I put to good use. Namely, on educating myself. I was working at a state enterprise then and managed to get some money out of them for training. I quickly passed RHCSS, RHCT and RHCE. By the way, surprisingly, this knowledge still comes in handy. At that point, Positive Technologies found me.


I knew how to configure *nix and Windows securely, had heard about the Center for Internet Security, knew where to put a quotation mark and could even run a debugger. In short, they listened to me and said that it turns out I'm a security person and must urgently come work as a security person. Well, okay, let's go then :).


At first I simply worked on MaxPatrol, but quickly found what could be called "my topic". I didn't want to solve particular cases one by one, but to do something that could globally solve the problem of finding vulnerabilities using version checks. We teamed up with Sasha Leonov (now at Mail.Ru) and thoroughly figured out such a thing as OVAL. And then I coded up a framework for parsers, a database to collect information about vulnerabilities and turn it into valid OVAL content suitable for security scanners.


In general, I graduated from MIREA in information security. But that didn't make me a security guy. What we were taught at the institute was thoroughly uninteresting. Some kind of ISO, 152-FZ, PCI DSS seemed like useless nonsense. Only many years later did I realize that all these documents were written in blood and hacks. At the institute they give you a foundation that lets you somehow build enterprise security, understand how it all should work. This is taught at the institute, but they don't explain why it's necessary. Working as an ordinary loner or pentester in your company, you also don't understand why you need all this. Education tries to instill a systematic approach in you, without explaining where and how you will apply it.


Education became useful when I started working as a corporate security officer. Techies always dismiss the whole documentary foundation, but they've just never tried to build security at all levels in a large company. Here comes a client to the pentester and asks him to build infosec. And gives him a company of 1500 people and 5000 servers. Go on, make it secure! That's when education comes to the rescue. You understand that processes are at the head of everything, and what ISO and all these security standards are needed for.


About blackhats, sins and kettles



I have never had thoughts of going black. Well, it's not that I haven't: I work in a company where I could siphon off a gazillion :). Do you think those thoughts go away? (Isox, you are too honest. - Ed.) But at the same time there is one thing.


I love to sleep well. When you go black, you wake up at night simply because you realize that you have done something and that retribution will reach you sooner or later. There's no blackhat it doesn't come for, just for some a little earlier, and for some a little later.


Whitehats are always more skilled than blackhats. Whitehats move chaotically: they found an interesting topic, poked at it a bit, jumped to the next. Blackhats develop only in those areas that are effective now and make money.


A blackhat won't level up for fun. He won't break a kettle out of curiosity, in order to understand how it works. There's no money in it for him. Take d0znpp, for example. He recently had some time, went and broke a kettle. He's now our main hacker for cracking kettles, fridges and other IoT. Cool, a leveled-up skill. Respect! But you know, a blackhat will never do that.





The blackhats that attack QIWI every day are script kiddies. They have no skill. Although they generally understand how, they use someone else's tools, which other blackhats prepared for them. Of course, somewhere there's a mighty handful who actually write the exploits and malware. They're cool, these dudes know what they're doing, and, mind you, more often than not they themselves don't engage in blackhat activity. This is my experience, these are the ones we meet. But, by the way, I don't deny that we may simply be missing the really tough ones who break us.


You can't call a person who wrote malware, but doesn't use it, a blackhat. He just wrote malware, it's cool software. As long as he doesn't distribute it and use it for harm, he isn't a blackhat, he's grey or a researcher. These guys are skilled, and they sleep peacefully.


Small-time blackhats don't look for new vulnerabilities. They aren't interested in finding a new vector. For example, you have Ruby on Rails; now and then it's hit with SQL injections, then RCE. And finding something other than an injection or an RCE is not interesting to them. To find a completely new vector and exploit it is what's interesting, from my point of view. A blackhat won't do it. What for? Any typical company falls once or twice. Why reinvent the wheel if the old one is enough to break in?


Blackhats have a problem: they believe too much in their impunity. They never think that the victim may be someone who is able to catch them. And they don't understand how united other companies are in their desire to find them. No, really, do you think corporate security people don't talk to each other? This is a community too. And it's customary to help each other.


Hoping you won't be found is the last thing to do. Any activity of yours, even well camouflaged, can be traced. The question is the cost of the search compared to how much the blackhat is trying to steal. It's simple math: if you stole $10,000,000, then these people will be ready to spend at least $9,999,999 to find you, and still come out ahead.


In our country there's some strange disregard for Directorate "K" or the CIB. I can't shake the feeling that someone deliberately spread this myth. Both departments have highly qualified specialists. There are cool whitehats who know their stuff and know how to catch the [criminals]. And on their side are all the commercial companies and even the state itself. It's a myth that our special services don't have good specialists. Yes, I know firsthand.


Most hackers are distinguished by vanity. We've hacked something and immediately run to tell everyone: "I pulled off such a thing! I'm done! Just look what I can do!" We tell one, the other, the third, and the fourth works for the authorities or simply turns out to be a rat. There are a huge number of people who, for little money, are ready to leak what's happening on the black front.


There's no such thing as an ex-blackhat. The question is how your head works. If it once let you commit a wrongful act, it will allow a second, having found sufficient justification so that you don't consider yourself guilty. Those who are tainted can't get work in large companies. A person who has sinned once gets no more trust. The resources we'd have to spend to control this person will be greater than the profit he brings by joining our team.





Of course, there's blackhat stuff done out of stupidity. For example, you hacked IBM, and they have no bug bounty. Well, you went and reported it to them. But that's not black, that's grey: you hack for fun. Found a bug, looked at it and moved on. It's another thing when you hacked something for profit. After that, you're denied access to any large company. All your past will be dug up, and no one will talk to you again, because you might pull this off once more.


About Vulners



I said at Positive: we've written a cool engine for collecting vulnerability data. Let's make a free open database of bugs? The value is that the content in the database is normalized. It's not a human-readable format but a machine-readable one. You need to take the original bug description from somewhere, parse it, figure out where the description is, where the version checks are. My engine could do all that, and I wanted to give it all away for free and to everyone.


However, I soon left PT, and I had to leave behind everything I had written on this topic. I really wanted to bring the project to the public, but formally I couldn't use code written at Positive Technologies for MaxPatrol. But a person who wrote something once can write it a second time. I just took it from scratch and did the same thing, my own framework for the parser and the handlers, and launched the database I had dreamed of. That's how Vulners.com was born.


The project is a year old now, and we already have 500 unique active users a day who use us in one way or another. Plus a couple dozen people asking where to plug in :). Over this year I've already rewritten Vulners three times, which you can see in the API.


Of course, I didn't write Vulners alone. We had an old team from PT. The guys who moved with me from PT to QIWI. They're involved. I write the core and do the admin, Igor Videns writes the search, Vanya Vancouver the front end, Sasha Plex the robotic collectors, and Sasha Leonov the articles and analytics. The guys know the topic firsthand and use Vulners in their daily work. It's just our desire to make the world a better place. We would have come up with something similar in QIWI anyway, so why not do it ourselves, paint it orange and let everyone use it for free?


I've never looked for investors. And I don't want to. They came, but I don't understand why I need money in this project. Say an investor comes in off the street and says to me: "I'll give you twenty million for three years." And for that I have to code what makes money. Damn, I don't want to code what they want. I want to code what interests me. The functionality of the knowledge base with a convenient API will remain free forever. If I ever decide that some additional functionality costs money, well, then I'll have to bolt on a payment button.


About programmers, hackers and security people





Breaking something, making money off it, is normal motivation; everyone should go through it. People develop themselves this way, AppSec. Then there are two paths. The first: they keep sticking quotes in everywhere they go and finding bullshit; these are the so-called randomers. Or they begin to understand how certain things work, and they become valuable AppSec staff. In fact, enterprise needs both.


Randomers are needed too. We're in a silly situation right now. We have Igor Videns and Vanya Vancouver. They're both the kind of dudes who first read all the sources and only then go break things. And here we lack the dude who can simply wave a rabbit's foot and land where he needs to.


Here are a couple of examples with Yandex. It's an old story, I think it can be told. They have an XML API. There's such a parameter, xmlns. Something prompted me to write %s in there, and then I saw the classic format string vulnerability. The only thing that spoiled it was that with each new request I landed on a new node from the load balancer. It wasn't possible to bring it to RCE, there was only a memory read. Exactly the same story with their mail for domains. I look at the request and understand that as a programmer, I'd just be too lazy to write a regex here. Feed it to sqlmap, and I'm in the database.


Intuition is what you need. It's important to understand where, from the other side, you can get cheeky. The person who wrote web apps becomes a good pentester. Because he understands that such vulnerabilities exist, that you can screw up there; he understands how everyone else writes the same pieces. Because everyone writes exactly the same way. HOWTO => Stack Overflow => Copy-Paste. For example, recently I wanted to do automatic type casting in Vulners. I open the first Stack Overflow topic, and it advises doing an eval. Can you imagine how many projects are in production right now with eval?


It seems to us that no normal person would eval the input. Nothing of the sort! If you're an ordinary programmer, your task is to make it work. You just don't think that something else could be slipped into the input, especially in a parser. Your head doesn't work that way.
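To make the eval point concrete, here is an added Python example (my own, not Vulners code) of the "automatic type casting" task: the copy-paste answer beside a version that only accepts literals of the types the caller actually wants. Everything else stays a string, which is the safe default for a parser fed from outside.

```python
import ast


def cast_with_eval(raw):
    """The Stack Overflow pattern: eval() runs any Python expression, not just literals."""
    return eval(raw)


# Assumed policy for this example: only scalar literals may be promoted.
ALLOWED_TYPES = (int, float, bool, type(None))


def cast_safe(raw, max_len=64):
    """Promote '42' -> 42, '3.5' -> 3.5, 'True' -> True; leave anything else as text.

    ast.literal_eval parses literals only (no calls, names or operators), and
    the length cap keeps a hostile input from costing much parser time.
    """
    if len(raw) > max_len:
        return raw
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return raw
    return value if isinstance(value, ALLOWED_TYPES) else raw


def cast_fields(record):
    """Apply cast_safe to every string field of a parsed record (constructed input)."""
    return {k: cast_safe(v) if isinstance(v, str) else v for k, v in record.items()}
```

The difference shows up on anything that is not a literal: `cast_with_eval("1+1")` evaluates the expression, while `cast_safe("1+1")` hands the text back unchanged, and a string such as `"__import__('os').getcwd()"` is just a string to `cast_safe`. Containers like `"[1,2]"` are valid literals but are deliberately rejected here, because a type-casting helper that suddenly returns lists is its own source of surprises.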


The main security concept is that we consider any user input to be a priori malicious. And the developer doesn't. That's the difference between the security mindset and the developer mindset. 90% of vulnerabilities are associated with input. The developer simply doesn't know what can be done with it, that's all. This is the job of a corporate security specialist: to explain to the developer that user input is harmful. That's when all the code immediately becomes secure.


Pentesters aren't doing great either; they don't know how to write secure code. Here comes a skilled guy to me. He recites the OWASP Top 10 and exploitation methods by heart. Found an injection, told us everything. Well, then what will he do with it? How will he explain to programmers how to do it right? He's never written a backend; for him, parameterized SQL queries are an unknown phrase, he doesn't know about protection techniques. Doing concatenation in a SQL query, even developers don't advise that now. Not because it's insecure, but simply because you can accidentally break the query and everything falls apart. This is the trouble with modern pentesters: many lack a technical background. They already know how to break, but they don't know how to defend.
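The two points made above, that concatenation breaks the query on ordinary data and that parameterization is the fix a developer will actually accept, can be shown in a dozen lines. This is an added Python example using the standard-library sqlite3 module with a constructed in-memory table; it is not code from the interview.

```python
import sqlite3


def make_db():
    """Constructed sample table; one login contains an apostrophe on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("isox", "isox@example.invalid"),
         ("o'brien", "ob@example.invalid"),
         ("plex", "plex@example.invalid")],
    )
    return conn


def find_user_concat(conn, login):
    """The pattern developers are told to avoid: the value becomes part of the SQL text."""
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, login):
    """Parameterized query: the driver sends the value separately, never as SQL."""
    rows = conn.execute("SELECT login FROM users WHERE login = ?", (login,))
    return [row[0] for row in rows]


def compare():
    """Run both variants on a legitimate name and on a tautology, return what happened."""
    conn = make_db()
    results = {}
    try:
        find_user_concat(conn, "o'brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe in a real name is enough to break the concatenated query.
        results["concat_quote"] = "broken"
    results["param_quote"] = find_user_param(conn, "o'brien")
    # The classic tautology: with concatenation the WHERE clause is always true.
    results["concat_tautology"] = len(find_user_concat(conn, "x' OR '1'='1"))
    results["param_tautology"] = find_user_param(conn, "x' OR '1'='1")
    return results
```

`compare()` reports the concatenated query failing on `o'brien` and returning every row for the tautology, while the parameterized query returns exactly the one matching login in the first case and nothing in the second. That is the argument that lands with a backend developer: the safe form is also the one that does not fall over on real data.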


About work and about who comes to interviews




They say that if a person doesn't know something but is burning with desire, they'll hire him. That doesn't work for me. There's a minimum checklist, a standard twenty questions I run the applicant through. We hand over the list and offer to honestly mark +, - and +-. And then the pluses start talking. These are reference points for a dialogue, to dig into knowledge. Questions from a wide variety of areas, mostly fundamentals. It lets you speak one language. Not only within the team, but also with the developers and operations. If you come to the admins and tell them to set this kernel parameter to such a value, then the first thing they ask you is: what does it do? And why exactly that value? And then, if you're floundering, you can simply be politely asked to figure it out yourself first and only then give advice to others.


First we ask about ISO, about 152-FZ, about PCI DSS. You need to know the theory. Otherwise, how will you secure anything if you don't know what information should be protected? Knowledge of compliance, even in general terms, is very important to us. But it won't be a showstopper in reality. If people are skilled, we can teach this.


Next, about web. The first question is SOP, the Same Origin Policy. That is, I don't need to listen to stories about XSS. First you need to figure out what web security is based on, how the browser works at least in general terms :). If we haven't found common ground here, it means our paths diverge. CSRF, XSS, that's all fine, but those are particulars.


The next question is network segmentation methods. Cool question. The model security officer who comes to me has never seen a large network at all, and he doesn't know exactly what to do with it. This question, in truth, we can forgive. [The rest of this paragraph was lost in extraction; the surviving fragments mention TCP/IP and IP addressing and end with "not really cool".]


[Several paragraphs here were lost in extraction, leaving only punctuation. The surviving fragments mention Spring and Struts ("I do not think."), Tor, PayPal and QIWI wallets, VPN and IP addresses ("finita la comedia"), intercommunications and Little Snitch on OS X, and Burp Collaborator and Burp Suite.]


«f1nnix»





First published in Hacker Magazine, issue #06/2016




UPD: [text lost in extraction; the surviving fragment mentions a WSO shell.]

Source: https://habr.com/ru/post/303880/

