– Has the attitude of foreign information security (IS) researchers towards Russia changed after February 2022?
– Yes. I know of at least one such case. A Spanish researcher has found a vulnerability in the software of some controllers, primitive Russian-made microprocessors.
He found it and posted it with a lot of noise and a rallying cry: “I found a vulnerability! Russia! Break it!”
Of course, this is brutality – no one does that. No matter what and where, you should always remain a professional.
– How does it feel to be a professional?
– Every self-respecting cybersecurity researcher should always strictly adhere to the principles of responsible disclosure. This means that if you find a vulnerability or vulnerabilities, the first thing to do is to notify the manufacturer of the vulnerable system.
– What if the developer does not respond to the cybersecurity officer?
– Sometimes the manufacturer may indeed ignore such a message. Unfortunately, this happens. And not only in Russia – all over the world.
In this case, the cyber specialist should contact the so-called CERT (Computer Emergency Response Team – ed.). They exist in almost all countries, both private and public.
For example, in Russia there is a special Kaspersky ICS CERT. We can contact the manufacturer and they listen, because we know how to communicate to make our voices heard. The state-owned ones are FinCERT under the Central Bank of Russia, Energy CERT under the Ministry of Energy …
Government CERTs, which already hold regulatory positions, can contact the manufacturer and say, “Guys, you need to fix this vulnerability. You are obliged to.”
– As part of etiquette, how long should a researcher wait for a response from the manufacturer before disclosing a vulnerability with a clear conscience?
– Typically, companies are given 90 days to patch a vulnerability. If the producer fails to do so for various reasons, the researcher can make the information public.
The second scenario is, for example, when the vulnerability has already been exploited by attackers. Then it is important to warn other companies and users so that they can take compensatory measures as soon as possible. The first is when it is important that the manufacturer releases a patch and everyone has time to install it.
Safety is more important than exaggeration here. We are always trying to meet the needs of the seller, and if more time is needed to eliminate the vulnerability, then of course we are in no hurry to go public with a statement.
But if the vulnerability is critical and is “on the surface”, we prepare a series of compensatory measures: we set rules to detect exploitation of the vulnerability and specifically inform our customers and partners so that they can protect themselves or find signs of compromise.
– All these steps: write to the manufacturer, contact CERT, wait 90 days … Are these somehow arranged or just a verbal agreement?
– These are ethical principles. They are regulated by information security companies, but they are not laws. For example, Kaspersky Lab has a validated vulnerability disclosure policy that describes all the main stages and steps that must be performed by a researcher as part of disclosing information about security vulnerabilities. The case where the manufacturer does not respond through any communication channel is covered too, including the disclosure deadline – 90 days are spelled out.
– What consequences can an expert who violates these rules face in the future?
– It’s hard to say for sure. It is unlikely that someone will call him to express everything personally. Most likely, this is a bad episode in the biography that could affect his career. For example, if he comes to get a job in a company with a good reputation, there will be little trust in him and he is unlikely to be in first place among applicants for a responsible position.
– How does the employer learn about past incidents of unethical behavior?
– Often, researchers indicate on their resume the number of vulnerabilities they found from the CVE (Common Vulnerabilities and Exposures – ed.), an international database of vulnerabilities. The researcher writes that, for example, 10 specific CVEs are registered to his name. The employer checks whether the candidate’s last name is included in the CVE description.
If so, the researcher followed ethical disclosure principles. And if not, then this is supposedly stupid.
– How did the story end with the Russophobe Spaniard?
– The story ended well. Largely because of our intervention. We saw a message from a friend from Spain, contacted the seller, looked at their analytics and saw outside links. So, maybe people reading the Spanish expert’s posts really tried to break something.
Luckily, it turned out that the researcher found a vulnerability not in industrial equipment, but in small automation systems, some kind of controller associated with elevators. No one alerted the seller that a problem had been discovered, and because the company was small and couldn’t monitor the entire Internet, they didn’t see a foreign expert’s blog post.
We helped the company unravel the story; they quickly fixed the vulnerability and informed their customers about it. By the way, we registered the discovered issue in the CVE. And then another condemning article was written in which they urged not to do this again.
– Have you found some security vulnerabilities in industrial facilities in other countries?
– Of course there was.
We went to a brewery.
A large, well-known organization with many brands…
– Sounds like the beginning of a great story…
– This is true! We got there. And it is precisely for the purpose of controlling the security systems in the direct production part of the enterprise. The task was to go into production and understand how to produce craft beer.
Lunch time is called. Everyone goes not to a local restaurant, but to a canteen outside the perimeter of the enterprise – office workers from neighboring business centers eat there because it is cheap and tasty. We went too.
We go in. I see a large touchscreen with a menu on the wall. There you can see the composition of the dish, the energy value, the cost and everything like that. My eyes lit up, because my hobby was taking such displays out of the so-called kiosk mode. That is, the program with the food can be minimized to reveal the usual Windows or Linux interface.
– So so…
– I said to a colleague: “Let’s go and see. I really feel like there’s something there.”
We approach, poke, exit kiosk mode and see both Internet access and a connection to our brewery’s corporate network. This is luck!
The fact is that the screen computer is not controlled by the enterprise, but at the same time it has a connection with it. It seems that an attacker does not need to break into the facility and bypass the protection of the corporate network to gain access to it. An attacker can break into a cafe, take the screen out of kiosk mode, download malware from websites, and that’s all. Already at home, he connects to the screen using the installed software and enters the brewery network.
True, this access will not be to the production system, but only to the company network. But it’s only a matter of time, because once you have a place in the corporate network, you can find the computers of local IT specialists and break into the production system, exploiting one or another vulnerability through them. In fact, we were able to simulate such an attack and describe it in a report for the brewery management.
– Have you had any problems?
– Of course not. We learned about this vector as part of a company-ordered penetration test (a penetration test is a controlled hacking of a system to identify and then fix weaknesses in the protection – ed. note). We were just grateful. We found the problem and helped fix it.
– How have relations between Russian cybersecurity experts and foreign customers changed after February 24, 2022? Are you invited to sites less often?
– At first it was like this: We were excluded from various working groups, our expertise was rejected… But these were spontaneous and unconsidered decisions. So far, almost everything is back to normal.
We both had and still have clients almost all over the world: Latin America, the Asia-Pacific region, the Middle East and beyond. In these regions, there are local representatives of our company who communicate with our customers in the same language. Customers have access to infrastructure that their IT and information security professionals trust.
In many ways, we are given a high degree of trust through our so-called transparency centres. Anyone who doubts the operation of Kaspersky Lab’s systems can come to a private location and examine the source code of our products and be sure that they are reliable.