Russian hackers: a conversation with Alice Esage Shevchenko



Editor's Note: In December 2016, President Barack Obama signed a decree announcing sanctions against Russian citizens and organizations in response to attempts to interfere in the elections.



The list includes several well-known hackers, as well as the Federal Security Service (FSB) and the Main Intelligence Directorate (GRU). Also on the list was a lesser-known organization that is perplexing to many: ZOR Security. The company was founded by Alisa Shevchenko, who worked as a virus analyst at Kaspersky Lab for several years and was passionate about building a community for hackers and computer geeks. The US Department of Homeland Security also drew attention to the company's work helping Schneider Electric find software vulnerabilities.



According to the department, Shevchenko's company collaborated with the GRU, which allegedly was behind the hacking of the Democratic National Committee and other political organizations. Shevchenko, also known as Alice Esage, said the US authorities were wrong and that she had already closed her company. She is currently an independent researcher and the founder of the Zero-Day Engineering project, in which people share technical knowledge and provide training on software vulnerability research.



Shevchenko recently spoke with Recorded Future cyberthreat expert Dmitry Smilyanets about the events of 2016, her favorite vulnerabilities, and what it's like to be a hacker in Russia. Here are the highlights of the interview.



Dmitry Smilyanets: How did you react when you learned that the US government imposed sanctions on your company ZOR Security?



Alice Esage: I tried to stay calm and not let the press portray me as a dangerous evil bitch who initiated the break-in of the century. Along the way, I continued to work on my projects.





DS: How did these events change your life?



AE: I think they made me an expert on prosperity under US sanctions.



DS: You said the authorities were wrong - in what way?



AE: I don't care about that anymore. People have the right to make mistakes. And the US government loves to impose sanctions on everyone in order to be able to assert its power where it does not exist - we'll leave that to them.



DS: Do you still feel the pressure of the sanctions?



AE: Something is clearly happening, but I wouldn't call it pressure. If someone cannot work with me or benefit from my products due to fear of the US government, that is their own problem.



DS: How did you get into cybersecurity and hacking?



AE: It all started with my father Andrey. He was a talented electronics engineer, one of the first in Russia to start assembling personal computers from spare parts and articles published in foreign technical journals as a hobby. In those years, computers were not yet widely available. He taught me how to solder when I was 5. I started reading books about computers and programming in early school, and learned to program in C++ and x86 assembly language as soon as I got a computer at 15 years old. Back in school, I studied reverse engineering, solved crackme problems, hacked computer games and made keygens for fun. I also participated in Russian and international hacker projects - mainly I was engaged in low-level software hacking. That's how it began.



DS: Do you think it becomes easier or more difficult for people to follow your path?



AE: Hard to say. When I first started out, there was very little information about computer security. The internet was slow, and only a few publications could help you figure it all out, apart from general programming books. I recall there was a website called ... something about ethical hacking, it seems to have been run by a woman. The articles published on it inspired me and got me started. Things are different these days. There is a lot of information. There are thousands of publicly available sources on all computer security topics, from beginner guides to professional technical training on advanced topics (like the ones I teach at my company, Zero Day Engineering). This simplifies things a lot.



On the other hand, computer technology is becoming more and more complex, development is accelerating, learning curves are steeper, and as a result, it becomes more difficult to achieve a high level of knowledge in this area. It takes more time - years and decades. Remember the old assumption that "a hacker is a teenager" and that a hacking career must end before your 30th birthday? Things are different now. Most of the best hackers I know are in their 30s and just getting started. That is what it takes to achieve true mastery of advanced hacking of modern computer systems: a lifetime of dedication.



I think reaching a really steep level along the way is more of a fate than a choice. It takes a very peculiar way of thinking, which seems to be based on genetic data as well as special life circumstances, to do the impossible every day.



There are many easier ways to succeed in today's human society than to play your brain on another system. You will understand that you are already in this environment when you feel that you cannot live without it. And when that happens - congratulations, there is no turning back.



DS: What advice do you have for young girls who want to pursue a career like yours? What are the pros and cons of hacking?



AE: Find what interests you, choose a specific problem and solve it to the end. Reflect and repeat. Solving technical problems and completing them are necessary to advance along this path, while passive consumption of information mainly clogs your brain and interferes with your technical creativity. Dedicate yourself to practice, reading mostly primary sources (for example, technical specifications, classic books, and high-quality blogs from researchers whose work you enjoy). This tip will work for both men and women.



And especially for women: don't listen to anyone and keep doing what you love. Especially if you already know that technical work is your passion. Don't let anyone distract you from management, lecturing, reporting, marketing, or working in any other supporting role in the cyber industry. Men and women definitely face different challenges on this career path, although things get better over time (albeit much more slowly and to a lesser extent than is usually assumed).



Advantages and disadvantages? It's a risk-taking job, but it's fun.



DS: What do you like most about your job? And what are you not very fond of?



AE: I love uncertainty, a hostile environment, bug hunting and problem solving. I love that my work is valued so highly that I can earn a high annual salary in three days with my mind alone, sitting on the beach in my pajamas. I don't like the fact that I have to compete with a lot of smart guys who are the overwhelming majority in this area. Men and women are not meant to compete with each other.



DS: What's the coolest vulnerability you've ever found?



AE: A remote code execution bug via DLL loading in Outlook Express on Windows XP. It was long ago, when Windows XP was still used on all personal computers, not just ATMs and POS terminals, as it is now. Early in my career in vulnerability research, I developed my own methodology for detecting zero-day bugs of this class and discovered many problems, including in OE. For years after I found it, I checked to see if it had been fixed - and nothing changed. This is probably a "perpetual zero-day" at this point, as XP is no longer supported. Such long-lived and reliable exploits are always pleasing.



Nowadays, DLL hijacking problems (also known as unsafe library loading) are still very common. For example, this type of bug was recently fixed in the Zoom Windows client. Such errors are easy to find and easy to exploit. The fact that the world's leading software developers continue to commit such trivial programming mistakes indicates a serious lack of vulnerability awareness in the global software industry. This is one of the reasons my company is developing specialized vulnerability analytics channels that (in addition to our training) should help fill this knowledge gap and make the Internet safer for everyone.



DS: What do you think is the easiest way to compromise an organization in 2021?





AE: Generally speaking, there is no such way. Organizations have different levels of security. What's really important to understand is that there is a range of offensive cyber technologies that can be used to compromise an organization, from simple to complex. Attackers usually pick the weakest link in the system that can be broken using the simplest technologies on the spectrum. I prefer to specialize in the most difficult of these - zero-day vulnerabilities and exploits, especially on secure systems. Once a difficult problem is solved, everything else is elementary. Besides, all this is inevitable. You can teach your employees to avoid phishing, which leads to the emergence of ransomware, you can establish proper corporate policies to block insiders that hijack supply chains and leak your business secrets, but you can't completely insure against technology. Errors occur in technological systems that can be used to execute arbitrary code. And the game is over.



Another key point to understand is that regardless of the scenario of a security breach, its root cause is always a vulnerability, either human or technical. I have noticed that many analytical publications on trade-offs in cybersecurity tend to stray slightly from this fact and do not point out the culprit vulnerability or vulnerabilities, while explaining in detail the various peripheral, secondary and final methods involved in the process. The general trend today is to eliminate the human factor from the security equations, so purely technical errors will become increasingly important in the long term.



DS: Please tell us about your new adventure, Zero Day Engineering.



AE: Zero-day exploit engineering is my favorite esport. I cannot live without it because it gives my brain all the food it needs, which I have struggled to find in other fields of activity. I had no choice but to create a public enterprise based on this experience. Only a month has passed since I officially announced this, and this is already my favorite project. It turns out that it effectively combines all the knowledge and experience that I have gained over two decades of work, both in technical practice and in entrepreneurship.



From a business perspective, the general idea is to offer cyber threat analytics from a single source with a very specific focus: low-level vulnerabilities in computer systems for a variety of target audiences, from individual technicians to cybersecurity firms, software vendors, and governments. All of our analytics offerings should be based primarily on original deep technical research in the laboratory, not on collection from external sources. For now, I am still considering specific open source commercial proposals and projects that the industry is ready to accept at this stage. The overall idea has already proven to be very profitable at zero capital investment (through in-depth technical specialist training for individuals) and I see great potential for future development.



Next, I'll just quote the website: “No matter how fashionable the word cyber is, there are only two possible root causes for any security breach: the vulnerability of technical systems and the vulnerability of humans. As global technology trends seek to eliminate the human factor and accelerate the development of technology, awareness of the vulnerabilities of technical systems becomes critical in all technological developments. Knowledge can help to cope with this. Instead of using our experience to create yet another defense system that we know first-hand will be attacked and bypassed, we are developing products that systematically address the knowledge gaps that make vulnerabilities and exploits possible.”



DS: « , » . ? , , ? Windows.



AE: In general, many similar vulnerabilities exist on different systems of the same class. It's not about hypervisors. For example, OS kernels and Javascript engines also show this trend. The main reason for this phenomenon is that systems of the same class are based on the same abstract models as dictated by system functions, use cases and deployment scenarios, even if they are developed independently and at different time periods. In turn, the same abstract models assume the same erroneous assumptions made by system designers and programmers, unless they have been specially trained in modern code security. This is where the intersection of vulnerability patterns comes in.



As for software security, if it is not obvious to someone, it is very important. In fact, any information about security problems in any given software system is directly related to all other systems of the same class and even to many other systems in general (albeit to a lesser extent).



For example, if you are a software developer, examining security bugs in competing software products is a powerful and trivial way to harden your own codebase, or at least to avoid public shame when someone discovers a bug in your code - the obvious bug demonstrated in a competitor's product 10-20 years ago (no kidding, my courses give many specific examples of this sad situation). In workflows, examining bugs on one system (usually an open source system) instantly uncovers vulnerability patterns on another, proprietary system, for which direct threat modeling is difficult. Generally speaking, many technical security problems can be solved or optimized by focusing on these less obvious coincidences, if you are able to observe them systematically.



DS: You said that both systems that rarely change the codebase and those that add a lot can have a lot of exploits. Can you tell us about the relative balance between them? In the sense that for some, long-lived exploits are written, while for others, exploits cause more damage.



AE: The post on my blog that you mentioned has a slightly different meaning: it is about the importance of learning about the internals of systems, as they are key to creating reusable advanced exploit primitives due to their relative stability, since many peripheral subsystems depend on them ... In addition, the expiration date of an exploit does not necessarily conflict with its potential impact.



When it comes to the longevity of an exploit, there is only one key indicator: how difficult it is to find the bug. Since the vulnerability detection industry is quite hostile, competition has a major impact on the longevity of an exploit. The less competition, the longer bugs live.



This metric can be expanded into a system of variables such as the availability of information, the amount of knowledge required to solve the problem, the specialized skills required, the specialized equipment required, the availability of toolboxes, the various security features of the target software vendor, and so on - and all of these aspects belong to different stages.



When it comes to serious strategic thinking in the field of research and development of vulnerabilities, things can be very difficult here. However, for the most common purposes, all this complexity can be reduced to a simple rule: to penetrate as deeply as possible into the most incomprehensible, but meaningful system. This aspect overlaps with, but is not limited to, the internal components of the deep system.



Unlike deep internal system components, newly added code often contains subtle critical bugs that are easy to find and use. Due to the adversarial nature of the vulnerability research industry, these bugs will be detected and fixed relatively quickly (at least on popular and critical systems), making exploits based on them short-lived. Which is not necessarily a bad thing.



Finally, the potential for damage has nothing to do with any of the above technical indicators. I always laugh at media propaganda that tries to link software exploits to murder; this is ridiculous. In fact, no computer exploit will do more damage than the good old physical weapon it usually replaces. Abstracting from ethics and emotions, any exploit really has a certain "power", which is initially neutral and depends on many factors. The key factor here is who controls the exploit, not its technical properties.






DS: What is it like to work with government agencies in Russia? Are they professional? Are there strong specialists? A lot of bureaucracy?



AE: I have heard that they are competent and pay well if you are willing to sacrifice an international career.



DS: What do you think of Putin? How do Russian hackers generally view his politics and rule?



AE: I am not yet familiar with Putin. I don’t think about him and I don’t care what others think. I noticed one thing: none of my friends from Russia these days is in a hurry to flee abroad, although this was the general trend of the 2000s. My sister even returned to Russia, having lived for some time in Europe. This is the only indicator that tells me that everything is in order with my Motherland. Based on this, I assume that Putin is doing his best for Russia.



DS: Uncover the secret, what happened to the nickname @badd1e that everyone liked so much?



AE: It's not a secret. It didn't fit my Twitter goals, so I changed it to alisaesage... However, I left it on my GitHub page - for history.


