Fri. Dec 13th, 2019

Software Security

In other words, one of these themes is really “ancient”: the one related to hardware. Most of the research carried out today by experts is inspired by events that took place one, two or three years ago. For example, HTTP/2 technology only appeared in 2015, so it has been available for study for four years at most.

Let’s go back 20 years. In 1998, the so-called First Browser War ended, during which two of the largest browsers at that time, Internet Explorer and Netscape Navigator, competed. As a result, Microsoft won the war, and the main competitor left the market.

At the time, there were few such programs, and many of them were paid, Opera for example; this was considered normal. Safari, Mozilla and Chrome, the most popular browsers today, were invented much later, and the idea that a browser might be paid for today would never occur to anyone.

Internet penetration 20 years ago was several times lower than it is today, so the demand for many web-related services formed much later than the end of the browser war.

The situation in cryptography was different. The field began to develop many decades ago; by the nineties there were a number of time-tested standards for encryption (DES, RSA) and digital signatures, and in the following years many new products, algorithms and standards appeared, including freely distributed ones such as OpenSSL; in Russia, the GOST 28147-89 standard was declassified.

Almost all the cryptographic technologies we use today existed as early as the 1990s. The only widely discussed event in this field since then has been the discovery of a backdoor in the NSA-supported Dual_EC_DRBG algorithm of 2004.

Sources of knowledge

In the early nineties, Bruce Schneier’s cult book Applied Cryptography appeared. It was very interesting, but it was dedicated to cryptography, not information security.

In Russia, Ilya Medvedovsky, Pavel Semyanov and Vladimir Platonov published their book “Attack via Internet” in 1997. The appearance of such practical material, based on the personal experience of Russian experts, gave impetus to the development of the IS sphere in our country.

Whereas novice researchers could previously only buy reprints of foreign research books, often poorly translated and without references to sources, after “Attack via Internet” new practical manuals began to appear much more often. For example, Kris Kaspersky’s “Technique and Philosophy of Hacker Attacks” was published in 1999. “Attack via Internet” itself had two sequels: Attack on the Internet (1999) and Attack from the Internet (2002).

In 2001, a book by Microsoft Corporation on secure code development – Writing Secure Code – was published. It was then that the software industry giant realized the fact that software security was very important: it was a very serious moment in the development of information security.

After that, corporations began to think about security; before then, these issues were not given enough attention: the code was written, the product was sold, and it was believed that this was enough. Since then, Microsoft has invested significant resources in security, and despite the existence of vulnerabilities in the company’s products, their overall protection is good.

In the U.S., the information security industry has been developing quite rapidly since the 1970s. As a result, in the 1990s there were already several major conferences on information security in this country. One of them was organized by RSA, Black Hat appeared, and in the same years the first hackers’ competitions in CTF format were held.

The situation in our country was different. Many of today’s leaders of the information security market in Russia did not exist yet in the nineties. Researchers did not have so many employment options: there were Kaspersky Lab, DialogNauka, Informzaschita and several other companies. Yandex, Positive Technologies, Digital Security, Group-IB and even Doctor Web appeared after 1998.

A similar situation existed with conferences for sharing knowledge and exploring current trends. Abroad, everything was fine: the Chaos Communication Congress had been held since 1984, the RSA Conference since 1991, DEF CON appeared in 1993 (it held its first CTF in 1996), and Black Hat had been running since the mid-1990s.

In our country, the first significant event in this field was the RusCrypto Conference, first held in 2000. Specialists in Russia, who had no opportunity to travel to foreign events, found it difficult to find like-minded people and exchange ideas.

Personal experience: first steps in IS

In 1998, I finished my studies at the Department of CAD Systems at Bauman Moscow State Technical University, where I was taught to develop complex software. It was interesting, but I understood that I could do something else.

Since high school I had liked to use a debugger to understand how software is organized; I carried out my first experiments in this direction with the programs “Agat-debugger” and “Agat-DOS”, when I wanted to find out why the first loaded five times faster even though it took up the same amount of space.

As we have already figured out, at the time I completed my training the web did not exist in the modern sense. So nothing distracted me from reverse engineering. One of the important directions of reverse engineering is to restore the logic of code operation.

I knew that there are a lot of products that protect against pirated copying, as well as solutions for data encryption – their research also used reverse engineering. There was also the development of anti-virus software, but for some reason I was never attracted to this area, nor was working in a military or government organization.

By 1998 I was quite good at programming (for example, I created software for computer-aided design systems), used a debugger, was fond of solving tasks like keygen-me and crack-me, was interested in cryptography (once I even managed to recover a forgotten password from the Excel database using indirect data – “Russian female name in the English layout”).

Then I continued my studies and even wrote my dissertation, “Methods of analyzing software methods of electronic document protection”, although I never went on to defend it (but I understood the importance of the topic of copyright protection).

I finally plunged into the sphere of information security after coming to work at Elcomsoft.

It was also an accident: an acquaintance asked me to help him with restoring lost access to the MS Access database, which I did by creating an automated password recovery tool. I tried to sell this tool at Elcomsoft, but in return I got a job offer and spent 12 years at the company. At work, I was mainly involved with access recovery, data recovery and computer forensics.

During the first years of my career in cryptography and password protection, there were several breakthroughs – for example, in 2003 the concept of rainbow tables was introduced, and in 2008 the use of graphics accelerators for password recovery began.