InfoSec Institute Interview: Alexander Polyakov – CTO at ERPSCAN
How it started
It started pretty much as usual. When you have a ZX Spectrum at home as a child, you will turn to the technology area anyway, but the question is where exactly. But during my childhood, I did not want to be a programmer, probably because my best friend’s father was a programmer, and he was a crazy guy who only came home to eat and sleep and was always nervous and screamed at children. He was probably not the best example but he stuck deeply in my young memory.
Later on, after graduating school, I decided to become a web designer because I was interested in art, but I failed my entrance exams in this college because there was a grammar test, and I am not fond of grammar, like many nerds. As a plan B, I had Saint Petersburg Polytechnic University, where I passed my exams successfully and received high marks. So I could choose any faculty, and I chose the Information Security direction, which I was interested in because I love math, and they had cryptography, which looked similar.
Later, I understood that crypto is not for me but there are a lot of awesome things that can be done when you know how systems work. That’s how the story begins.
What about your first job?
I was working as a system administrator in a small company in the evenings, after lectures. It was not very interesting, so I had a lot of time to practice security by attacking and defending our own infrastructure. Later on, my university buddy invited me to work for the Digital Security company, which was the place where the best hackers from our city were working, and probably the first Russian company which was focused on what we call penetration tests now. It was like a dream to do what you love, like breaking the security of big corporations, and earn money.
Your most interesting project?
Furthermore, I decided to make a research center inside the company, which would be focused on finding new vulnerabilities and attacks and be responsible enough to inform vendors. Before us, there was only one company in Russia which had disclosed some vulnerabilities, but we were the first to embody this research into a subdivision of a company and to do it professionally: not, like, posting some bugs, but focusing on particular areas, conducting targeted research of applications and publishing whitepapers.
The first series of whitepapers was called “Penetration from application down to OS”, where we described how to get shell access to a server by breaking applications like Oracle, Apache Geronimo, IBM Websphere and so on. I know it looks very ordinary now and every good company does the same, but in 2007 in Russia, it was something uncommon.
By the way, now that there are more companies which do similar stuff, we are still trying to be different and to do something new. Eventually, we started to speak at international conferences and share our research. Before us, there only were our colleagues from Elcomsoft, who were famous with Sklyarov vs. Adobe. As a result, for the last 3 years we have participated in various conferences like BlackHat and RSA and Defcon – more than 30 times.
What are you focused on now?
Currently, we have made a subdivision of our company which is called ERPScan, and this subdivision is focused on the security of business applications and ERP systems, particularly on SAP. The idea of this project, which became a big company later, was simple. Companies store all the really critical data in business applications, and if an attacker needs to gain control over business processes of a company to commit an action of espionage or sabotage or fraud, the only thing that he needs is to get access to the ERP (enterprise resource planning) system.
He does not need to break into the domain controller or something like that, which penetration testers usually show. On the other hand, no information about the security of those systems was available when we started to research it. Moreover, we found that there is no defense at all in most of such systems because they were designed many years ago when they were only supposed to be accessible within corporate network. But as you know, the new era of the Internet has made those systems mostly web-based, so they became accessible from the Internet as well.
So we decided to focus our research on the security of those systems and started with SAP, which is the most popular one, and we found a lot of security problems. To make a long story short, we have a great product that can help automate SAP security assessment now. Meanwhile, the topic of SAP security has grown from one talk per year on a technical security event to about 30 talks this year. It is amazing how popular it has become.
What about research now?
At this moment, unfortunately, I don’t have much time for research, but we have a strong team who can pick up the baton. What I am interested in more is finding unusual attack vectors and chained exploits. That’s probably why I choose such complex systems as ERP to research.
Last year, I presented the Verb Tampering vulnerability, which is not so popular as XSS or SQL Inj. I had read about this vulnerability but could not find a real application which would be vulnerable, and this was strange because the vulnerability was beginning to look like some theoretical thing.
So I spent some time and found it in SAP NetWeaver J2EE engine. Then I found a web service which could be used to create a new user without knowing anything, and I exploited it through Verb Tampering.
Any recommendations on vulnerability finding?
As I said before, I don’t have much time for research now, so I mostly invent possible vulnerabilities in my brain and then I search if there is some application or technology that can be vulnerable to it. So there are Blackboxing and Whiteboxing, but I prefer Outoftheboxing: this is a very funny way.
Once, using this method, I was thinking about a potential issue when there are 2 systems: one you can access and the other you can’t. You need to find some interface in the first system which will allow sending something into the other system. It is called SSRF, or Server Side Request Forgery.
Ideally, this interface must be unauthorized so you can send any TCP packet and exploit any vulnerability in the second system. Looks crazy, doesn’t it? But I found it, of course, with the help of my team. I realized that the most effective way to forge requests is probably to use an XML Entity vulnerability, which is very common. It allows sending any HTTP or UNC request to any external host.
A good vulnerability, and we use it a lot when penetrating banking systems because they mostly use external XML gateways for processing. Then we checked what else can be used and looked for other protocols like ldap, ftp, and gopher. While researching the gopher format, it was found that you can send any application level packet!
Yes, there are some restricted bytes that are not supported by gopher, but most attacks are possible to tunnel through the gopher hole. The biggest problem that is left now is that you can only send one request in a session, but we are working on it and will probably show the way at the POC conference in November, where we will show another result of the Outoftheboxing method of bug finding anyway.
Also, I have now become a co-organizer of a deeply technical security event in Russia which is called ZeroNights. We are making it for the second time this year, and I hope this will be a crazy event. The limelight of the event is attacks on unusual systems and how they can be critical to business.
For example, instead of popping a shell by hacking Windows, we want to see an exploit in some internal, not widely known system which will, for example, steal oil or transfer money. Carhacking or airplane hacking stuff is also what we want to see. So our slogan is like “Show me the real impact”, and I hope we can find people which will do this stuff.
The second track is related to new attack methods and deep technological research, which is very interesting, too. And,of course, my main mission now and in the future is to make ERPScan lead the world in business application security.
How do you see the future of security?
There are different areas: for example,the security of hardware and embedded devices like car systems, insulin pumps and military devices and PLCs. It is an interesting area and we trying to aware people about it at our conference: ZeroNights.
As for client side security, there will be a shift to mobile OS malware – it is clear. But I am mostly focused on corporate security. So speaking about corporate security, we must take into account corporate infrastructure. Before, it was many different servers like mail, file, FTP, domain controller etc. Now, software has become more business-oriented and instead of using many different servers, companies use more centralized approach, where there is one big system like ERP where all the business processes are going.
The different business applications are connected with each other via SSO. Technically, they are all connected via exchange infrastructure systems. As for the client side, it is becoming more and more browser oriented and mobile oriented. So we will see something like thousands of small devices connected to the big business application.
Looking at this scheme, it is clear that the security of those business applications and mobile devices will be the main topic in the future for corporate sector. As for small companies, they will mostly be in the cloud, but as for big companies, their main business critical parts will be inside companies because they need connection to technology networks. So the security of those parts will be the main target, but it is just my opinion and I am not a soothsayer.