Dmitry Sklyarov, head of the application analysis department at Positive Technologies, has shared his view of the history of the information security industry over the past 20 years.
If you look at the program of any modern information security conference, you can see which topics researchers are occupied with today. If you analyze the list of these topics, technologies and areas, it turns out that twenty years ago the vast majority of them simply did not exist.
For example, here are some topics from the OFFZONE 2018 conference:
- cashless payments
- WAF bypass
- software-defined radio systems
- speculative execution
- hunting for Android malware
- HTTP/2
- mobile OAuth 2.0
- XSS exploitation
- the Lazarus cyber group
- attacks on multi-tier web applications
- fault injection attacks on ARM processors
Of these, only two topics have existed for a long time. The first is the architectural features of ARM processors, which appeared in the mid-80s. The second is the problem of speculative execution, which goes back to the Intel Pentium Pro processor released in 1995.
In other words, the only truly “ancient” topics are those related to hardware. Most of the research that experts are doing today is inspired by events of the last one, two or three years. For example, HTTP/2 appeared only in 2015, so in principle it could have been studied for no more than four years.
Let's go back 20 years. In 1998 the so-called First Browser War ended, in which the two largest browsers of the time, Internet Explorer and Netscape Navigator, competed. Microsoft won this war, and its main competitor left the market. Back then there were few such programs, and many of them were paid, like Opera, for example: that was considered normal. The most popular browsers of today, Safari, Mozilla and Chrome, were created much later, and nowadays nobody would even think that a browser could be paid for.
Internet penetration 20 years ago was several times lower than today, so the demand for many web-related services formed much later than the end of the browser war.
The situation is different in cryptography. It began to develop many decades ago; by the nineties there were a number of time-tested standards for encryption (DES, RSA) and digital signatures, and over the following years many new products, algorithms and standards appeared, including the free OpenSSL library; in Russia the GOST 28147-89 standard was declassified.
Almost all of the cryptographic technologies we use today already existed in the nineties. The only widely discussed event in this area since then has been the discovery of a backdoor in the NSA-backed Dual_EC_DRBG algorithm of 2004.
Sources of knowledge
In the early nineties Bruce Schneier's iconic book Applied Cryptography appeared. It was very interesting, but it was devoted to cryptography, not information security. In Russia, the book “Attack via the Internet” by Ilya Medvedovsky, Pavel Semyanov and Vladimir Platonov was published in 1997. The appearance of such practical material, based on the personal experience of Russian experts, gave impetus to the development of the information security industry in our country.
Whereas earlier novice researchers could only buy books that were reprints of foreign studies, often poorly translated and without references to sources, after “Attack via the Internet” new practical manuals began to appear much more often. For example, as early as 1999 Chris Kaspersky's “Technique and Philosophy of Hacker Attacks” was released. “Attack via the Internet” itself received two sequels: “Attack on the Internet” (1999) and “Attack from the Internet” (2002).
In 2001 Microsoft released Writing Secure Code, a book on developing secure software. It was then that the giant of the software industry acknowledged that software security is very important, and this was a very serious moment in the development of information security. After that, corporations began to think about ensuring security; earlier these issues had not received enough attention: code was written, the product was sold, and that was considered enough. Since then Microsoft has invested significant resources in security, and despite the vulnerabilities that exist in the company's products, their protection is on the whole at a good level.
In the US the information security industry had been developing quite actively since the 70s. As a result, by the nineties there were already several major conferences on information security in that country: one was organized by RSA, Black Hat appeared, and in the same years the first CTF hacker competitions were held.
In our country the situation was different. Many of today's leaders of the Russian information security market did not yet exist in the nineties. Researchers did not have many employment options: there were Kaspersky Lab, DialogueScience, Informzaschita and a few other companies. Yandex, Positive Technologies, Digital Security, Group-IB and even Doctor Web appeared after 1998.
The situation with conferences for sharing knowledge and studying current trends was similar. Abroad everything was fine: the Chaos Communication Congress has been held since 1984, the RSA conference has existed since 1991, DEF CON appeared in 1993 (and held its first CTF in 1996), and Black Hat has been held since the mid-nineties. In our country the first significant event in this area was the RusCrypto conference, first held in 2000. Specialists in Russia who had no opportunity to travel to foreign events found it hard to meet like-minded people and exchange ideas.
Since then the number of worthy domestic events has grown significantly: there are Positive Hack Days, ZeroNights and OFFZONE.
Personal experience: first steps in information security
In 1998 I graduated from the Department of Computer-Aided Design at Bauman MSTU, where I was taught to develop complex software. It was interesting, but I realized I could also do something else. Since school I had liked to use a debugger to understand how software works; my first experiments in this direction were with the Agat-Debugger and Agat-DOS programs, when I wanted to find out why the first one loaded five times faster although it took up the same amount of space.
As we have already established, at the time I finished my studies the web in the modern sense did not exist, so nothing distracted me from reverse engineering. One of the important areas of reverse engineering is recovering the logic by which code operates. I knew there were many products protecting against pirated copying, as well as data encryption solutions, and that research on them also relied on reverse engineering. There was also antivirus development, but for some reason that direction never attracted me, and neither did work in a military or government organization.
By 1998 I was good at programming (for example, creating computer-aided design software) and at using a debugger, I was fond of solving keygen-me and crack-me challenges, and I was interested in cryptography (once I even managed to recover a forgotten password to an Excel database using indirect information: it was a Russian female name typed in the English keyboard layout).
I then continued my studies and even wrote a dissertation on “Methods for analyzing software methods of protecting electronic documents”, although I never got around to defending it (but I did understand the importance of copyright protection).
I finally plunged into information security after joining Elcomsoft. That also happened by chance: a friend asked me to help him recover lost access to an MS Access database, which I did by creating an automated password recovery tool. I tried to sell this tool to Elcomsoft, but instead received a job offer and spent 12 years with the company. At work I mainly dealt with access recovery, data recovery and computer forensics.
During the first years of my career in the world of cryptography and password protection several breakthroughs occurred: for example, in 2003 the concept of rainbow tables appeared, and in 2008 graphics accelerators began to be used for password recovery.
Situation in the industry: the struggle of black and white hats
During my career within information security I have met and corresponded with a huge number of people. In the course of this communication I came to understand that the division into “black hats” and “white hats” adopted in the industry does not reflect the real state of affairs. Of course, there are many more colors and shades.
If you turn to the origins of the Internet and information security and read the stories of the hackers of those times, it becomes clear that the main incentive for people then was curiosity, the desire to learn something new. They did not always use legal means, though; it is enough to read about Kevin Mitnick's life.
Today the spectrum of researchers' motivations has widened: idealists want to make the whole world safer; some want to become famous by creating a new technology or researching a popular product; others try to make money as quickly as possible, and for this there are many opportunities of varying degrees of legality. As a result, the latter often end up “on the dark side” and confront their own colleagues.
So today there are several paths for development within information security. You can become a researcher, compete in CTFs, earn money by finding vulnerabilities, or help your business with cyber defense.
The development of bug bounty programs
A serious impetus for the development of the information security market in the 2000s was the spread of bug bounties. Under these programs, developers of complex systems reward researchers for vulnerabilities found in their products.
The basic idea is that this is primarily advantageous to developers and their users, because the damage from a successful cyberattack can exceed the possible payments to researchers tens or hundreds of times over. Information security specialists can do what they like, search for vulnerabilities, while remaining completely within the law and still receiving rewards. As a result, companies gain loyal researchers who follow the practice of responsible disclosure and help make software safer.
Disclosure Approaches
Over the past twenty years several approaches have emerged to how exactly the disclosure of information security research results should look. There are companies like Zerodium that buy zero-day vulnerabilities and working exploits for popular software; for example, a 0-day in iOS costs about $1 million. However, the more correct course of action for a self-respecting researcher who has discovered a vulnerability is to contact the software vendor first. Vendors are not always ready to admit their mistakes and cooperate with researchers, but many companies protect their reputation, try to eliminate vulnerabilities quickly, and thank the researchers.
If a vendor is not active enough, a common practice is to give it time to release patches and only then publish information about the vulnerability. At the same time, the researcher should think first of all about the interests of users: if there is a chance that the developers will never fix the mistake at all, publishing it will hand attackers a tool for ongoing attacks.
Evolution of legislation
As mentioned above, at the dawn of the Internet the main motive of hackers was a craving for knowledge and simple curiosity. To satisfy it, researchers often did things that were questionable from the point of view of the authorities, but in those years there were still very few laws regulating information technology.
As a result, laws often appeared in the wake of high-profile hacks. In Russia the first legislative initiatives in the field of information security appeared in 1996, when three articles of the Criminal Code were adopted concerning unauthorized access to information (Article 272), the development of malicious code (Article 273) and violation of the rules for operating computer systems (Article 274).
However, it is rather difficult to spell out all the nuances of such interactions in law, and as a result there are discrepancies in interpretation. This also complicates the work of information security researchers: it is often unclear where lawful, conscientious research ends and crime begins.
Even within bug bounty programs, software developers may ask researchers for a demonstration of how a vulnerability is exploited, a proof of concept. As a result, the information security specialist is forced to create what is in effect malicious code, and the moment it is sent, “distribution” begins.
Later the laws were refined, but this did not always make life easier for researchers. Thus, in 2006 articles of the Civil Code appeared concerning the protection of copyright and of technical protection measures. An attempt to circumvent such measures, even in the course of research, can be considered a violation of the law.
All this creates risks for researchers, so before conducting any experiments it is better to consult lawyers.
The development cycle of information security technologies
In the modern world technologies develop in particular cycles. After a good idea emerges, it is commercialized and a finished product appears that allows money to be made. If the product is successful, it attracts the attention of cybercriminals, who begin looking for ways to make their own money on it or its users. Business has to respond to these threats and engage in protection, and the confrontation between attackers and defenders begins.
At the same time, in recent years several revolutionary technological breakthroughs have taken place, from the emergence of mass high-speed Internet access and social networks to the spread of mobile phones and the Internet of Things. Today users can do almost everything on a smartphone that they can on a computer. But the level of security in the mobile world is completely different.
To steal a computer, you need to get into the room where it is kept. A phone can be stolen right on the street. Yet many people still do not understand the scale of the security risks that technological development carries.
The situation is similar with deleting data from SSDs (that is, flash-based drives). Standards for erasing data from magnetic drives have existed for many years. With flash memory things are different. For example, such drives support the TRIM command: it informs the SSD controller that the deleted data no longer needs to be stored, and the data becomes unreadable through the controller. However, this command works at the operating system level, and if you go down to the level of the physical memory chips, you can still access the data with a simple chip programmer.
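A toy model of that gap between the logical and the physical view of flash storage, added here as an illustration; it is not code from the article and not real controller firmware. It simulates an SSD with a flash translation layer (FTL): the host writes to logical block addresses, NAND pages cannot be overwritten in place, TRIM merely drops the mapping so the controller returns zeros, and the bytes remain in the chips until garbage collection erases the block. `ToySSD`, `trim_demo`, `overwrite_demo`, the page and block sizes and the sample secret are all constructed for this example.

```python
# Toy SSD: TRIM removes the logical view of data, not the bytes in the NAND.
# Constructed illustration; not a real FTL.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PAGE_SIZE = 16          # bytes per NAND page (toy value)
PAGES_PER_BLOCK = 4     # pages per erase block (toy value)
NUM_BLOCKS = 4
ERASED = b"\xff" * PAGE_SIZE   # NAND erases to all-ones
Loc = Tuple[int, int]          # (block, page)


@dataclass
class ToySSD:
    # Physical flash: erase blocks of pages, as a chip programmer would see them.
    chips: List[List[bytes]] = field(
        default_factory=lambda: [[ERASED] * PAGES_PER_BLOCK for _ in range(NUM_BLOCKS)])
    # Flash translation layer: logical block address -> physical page. Absent = unmapped.
    ftl: Dict[int, Loc] = field(default_factory=dict)
    # Pages whose data is no longer referenced by any LBA, awaiting garbage collection.
    stale: Set[Loc] = field(default_factory=set)
    next_free: int = 0  # append-only allocator; real FTLs are far more elaborate

    def _alloc(self) -> Loc:
        if self.next_free >= NUM_BLOCKS * PAGES_PER_BLOCK:
            raise RuntimeError("toy flash is full")
        loc = divmod(self.next_free, PAGES_PER_BLOCK)
        self.next_free += 1
        return loc

    def write(self, lba: int, data: bytes) -> None:
        """Host write. NAND cannot be overwritten in place: the old page is only
        marked stale and the new data lands on a fresh page."""
        data = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        if lba in self.ftl:
            self.stale.add(self.ftl[lba])
        block, page = self._alloc()
        self.chips[block][page] = data
        self.ftl[lba] = (block, page)

    def read(self, lba: int) -> bytes:
        """Host read through the controller: unmapped LBAs read back as zeros."""
        loc = self.ftl.get(lba)
        if loc is None:
            return b"\x00" * PAGE_SIZE
        block, page = loc
        return self.chips[block][page]

    def trim(self, lba: int) -> None:
        """TRIM: the OS tells the controller the LBA is free. Only the mapping goes."""
        loc = self.ftl.pop(lba, None)
        if loc is not None:
            self.stale.add(loc)

    def garbage_collect(self) -> int:
        """Erase every block with no live (mapped) page; returns the number erased.
        Real GC also relocates live pages first, which this toy omits."""
        erased = 0
        live_blocks = {block for block, _ in self.ftl.values()}
        for block in range(NUM_BLOCKS):
            if block in live_blocks:
                continue
            if any(page != ERASED for page in self.chips[block]):
                self.chips[block] = [ERASED] * PAGES_PER_BLOCK
                erased += 1
            self.stale -= {(block, p) for p in range(PAGES_PER_BLOCK)}
        return erased

    def chip_dump(self) -> bytes:
        """Raw NAND contents, i.e. what a chip programmer reads off the die."""
        return b"".join(page for block in self.chips for page in block)


SECRET = b"PASSWORD=hunter2"  # constructed sample, exactly one page long


def trim_demo() -> Tuple[bytes, bool, bool]:
    """Returns (OS view after TRIM, secret in NAND after TRIM, secret in NAND after GC)."""
    ssd = ToySSD()
    ssd.write(0, SECRET)
    ssd.trim(0)
    os_view = ssd.read(0)
    in_nand_after_trim = SECRET in ssd.chip_dump()
    ssd.garbage_collect()
    in_nand_after_gc = SECRET in ssd.chip_dump()
    return os_view, in_nand_after_trim, in_nand_after_gc


def overwrite_demo() -> bool:
    """HDD-style wiping (zeros over the same LBA) does not erase the original flash
    page; returns True if the secret is still present in the NAND afterwards."""
    ssd = ToySSD()
    ssd.write(0, SECRET)
    ssd.write(0, b"\x00" * PAGE_SIZE)
    ssd.garbage_collect()  # block 0 still holds a live page, so it is not erased
    return SECRET in ssd.chip_dump()


if __name__ == "__main__":
    print("after TRIM:", trim_demo())
    print("secret survives overwrite:", overwrite_demo())
```

The two demos make the practical point for a defender: after TRIM the OS reads zeros while the raw chip dump still holds the secret, and even writing zeros over the same logical address lands on a fresh page and leaves the original intact. That is why drive-level controls, such as full-disk encryption with key destruction or the device's own secure-erase function, are the right way to retire flash media, not file overwriting.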
Another example is 3G and 4G modems. Previously modems were slave devices, fully controlled by the computer. Modern modems have themselves become computers: they contain their own OS, and independent computational processes run inside them. If an attacker modifies the modem's firmware, he will be able to intercept and control any transmitted data, and the user will never suspect it. To detect such an attack you need to be able to analyze 3G/4G traffic, and only special services and mobile operators have such capabilities. So these convenient modems must be treated as untrusted devices.
Conclusions from 20 years in information security
I have worked in information security for twenty years, and during this time my interests within it have changed in parallel with the development of the industry. Today information technology has reached a level at which it is simply impossible to know everything even within a separate small niche such as reverse engineering. Therefore, creating truly effective protection tools today is possible only for teams that unite experienced experts with a diverse set of knowledge and competencies.
Another important conclusion: today the task of information security comes down not to making any attack impossible, but to risk management. The confrontation between defenders and attackers is about making an attack too expensive and reducing the possible financial losses in the event of a successful one.
And a third, more global conclusion: information security is needed only as long as the business needs it. Even complex penetration tests, which require top-class specialists, are in essence an auxiliary function with respect to the process of selling the product.
Security is the tip of the iceberg. We protect information systems that are created only because the business needs them to solve its problems. But this fact is compensated by the importance of information security: if a security problem occurs, it can disrupt the functioning of information systems, and this directly affects the business. So a great deal depends on the security specialist.
Summary
Today not everything in information technology is rosy; there are serious problems. Here are the three main ones in my opinion:
- Excessive attention from the authorities. States around the world are increasingly trying to control and regulate the Internet and information technology.
- The Internet is becoming a platform for information warfare. Twenty years ago no one blamed “Russian hackers” for all the world's problems; today it is the order of the day.
- New technologies do not make people better or smarter. People need to be told why this or that solution is needed, taught to use it, and informed about the possible risks.
For all these drawbacks, information security today is clearly a field worth going into. Only here will you face the latest technology and interesting people every day, and be able to test yourself against “black hats”. Every new day will bring a challenge, and it will never be boring.
Author: Dmitry Sklyarov, Head of Application Analysis, Positive Technologies