If you look at the program of any modern conference on information security, you can see which important topics researchers are working on. If you analyze this list of topics, technologies and directions, it turns out that twenty years ago the vast majority of them simply did not exist.
For example, here are some topics from the OFFZONE 2018 conference:
- non-cash payments
- WAF bypass
- software-defined radio systems
- speculative execution
- searching for malware on Android
- HTTP/2
- mobile OAuth 2.0
- XSS exploitation
- the Lazarus cyber group
- attacks on web applications with a multilayer architecture
- fault injection attacks on ARM processors
Of these, only two problems have existed for a long time. The first is the architectural features of ARM processors, which appeared in the mid-80s. The second is the problem of speculative execution, which originates in the Intel Pentium Pro processor released in 1995.
In other words, the only truly "ancient" topics are the ones related to hardware. Most of the research that specialists conduct today is inspired by events of one, two or three years ago. For example, HTTP/2 technology appeared only in 2015, so in total it could have been studied for no more than four years.
Let's go back 20 years. In 1998 the so-called First Browser War ended, in which the two largest browsers of that time, Internet Explorer and Netscape Navigator, competed. Microsoft won this war, and its main competitor left the market. Back then there were few such programs, and many of them were paid, as Opera was, for example: this was considered normal. The browsers most popular today, Safari, Mozilla and Chrome, were invented much later, and today the idea that a browser can be paid looks strange to anyone.
Internet penetration 20 years ago was several times lower than today, so demand for many web-related services formed much later than the end of the browser war.
A different situation developed in the field of cryptography. It began to develop many decades ago; by the nineties there was already a number of time-tested encryption (DES, RSA) and digital signature standards, and over the following years many new products, algorithms and standards appeared, including the free OpenSSL toolkit.
Almost all the cryptography-related technologies we use today already existed in the nineties. The only widely discussed event in this area since then is the discovery of a backdoor in the NSA-backed Dual_EC_DRBG algorithm of 2004.
Sources of knowledge
In the early nineties Bruce Schneier's cult book "Applied Cryptography" appeared; it was very interesting, but devoted to cryptography rather than to information security. In Russia, the book "Attack via the Internet" by Ilya Medvedovsky, Pavel Semyanov and Vladimir Platonov was published in 1997. The appearance of such practical material, based on the personal experience of Russian experts, gave a strong impetus to the development of the information security field in that country.
Earlier, novice researchers could only buy reprinted foreign studies, often poorly translated and without references to sources; after "Attack via the Internet", new practical manuals began to appear much more often. For example, Chris Kaspersky's "Technique and Philosophy of Hacker Attacks" was released already in 1999. "Attack via the Internet" itself received two sequels: "Attack on the Internet" (1999) and "Attack from the Internet" (2002).
In 2001 Microsoft released its book on secure code development, "Writing Secure Code". It meant that the software industry giant had realized that software security is very important: this was a very serious moment in the development of information security. After this, corporations began to think about ensuring security, whereas earlier these issues were not given enough attention: the code was written, the product was sold, and this was believed to be enough. Since then Microsoft has invested significant resources in security, and despite the existence of vulnerabilities in the company's products, their protection is generally at a good level.
In the USA the information security industry has been developing quite actively since the 70s. As a result, by the nineties there were already several large conferences on information security in that country: one of them was organized by RSA, Black Hat appeared, and in the same years the first CTF hacker competitions took place.
In other countries the situation was different. Many of today's leaders in the information security market did not yet exist in the nineties.
The situation in the industry: black & white hats battle
During my career inside the sphere of information security, I have met and corresponded with a huge number of people. Because of this communication, I began to understand that the division of the industry into "black hats" and "white hats" does not reflect the real situation. Of course, there are many more colors and shades.
If you look at the origins of the Internet and information security and read the stories of the hackers of those times, it becomes clear that the main stimulus for people then was curiosity, the desire to learn something new. At the same time, they did not always use legal methods: just read about the life of Kevin Mitnick.
Today the spectrum of researchers' motivations has expanded: idealists want to make the whole world safer; some want to become famous by creating a new technology or exploring a popular product; others try to make money as quickly as possible, and for this there are many possibilities of varying degrees of legality. As a result, the latter often find themselves "on the dark side" and confront their own colleagues.
As a result, today there are several directions for development within information security: you can become a researcher, compete in CTFs, earn money by searching for vulnerabilities, or help businesses with cyber defense.
Development of bug bounty programs
A serious impetus for the development of the information security market in the 2000s was the spread of bug bounty programs. Within these programs, developers of complex systems reward researchers for vulnerabilities discovered in their products.
The main idea is that this is primarily beneficial to developers and their users, because the damage from a successful cyber attack can be tens or hundreds of times greater than the possible payments to researchers. Information security experts can do what they love, look for vulnerabilities, while remaining fully within the law and still receiving rewards. As a result, companies gain loyal researchers who follow the practice of responsible disclosure and help make software products safer.
Disclosure Approaches
Over the past twenty years, several approaches to how the disclosure of research results in information security should look have appeared. There are companies like Zerodium that buy zero-day vulnerabilities and exploits for popular software; for example, a 0-day on iOS costs about $1 million. However, the more correct way for a self-respecting researcher to act after detecting a vulnerability is to first contact the software manufacturer. Manufacturers are not always ready to admit their mistakes and collaborate with researchers, but many companies protect their reputation, try to eliminate vulnerabilities quickly and thank the researchers.
If the vendor is not active enough, a common practice is to give it time to issue patches and only then publish information about the vulnerability. In this case the researcher should think first of all about the interests of users: if it is possible that the developers will never fix the error at all, publishing it will give attackers a tool for constant attacks.