Why hackers issued a "breaking" fake "Du"? Talking with Egor Aushev
On the Bugcrowd platform 8 Dec started babaulti Ukrainian applications “De”, announced in his telegram.-the head of Minsitry Mikhail Fedorov. Those who find vulnerabilities in the application for the provision of public services, will be shared by 1 million (35 thousand dollars) from USAID. The nuance is that white hackers gave at the mercy of not the app itself, and a copy of it.
Why Ukraine can not be otherwise, as the state is cooperating with the white hackers and why that helps abroad, talked with the founder of cyber security Technologies Cyber Unit, and school whitehat hacking Cyber School Egor Aushev.
“We have to fix the reputation: to prove that we are not black and white”
Egor, as the cyber security industry was affected by the epidemic? Customers enough?
Customers lack, with the mass transition to udalenku the issue of security has become more urgent. The number of burglaries is constantly growing, and with it the number of calls to us. The main customers of the countries that have taken the standards and requirements of cybersecurity: South Korea, Singapore, Japan, USA, EU. If there is a leak, responsible much “hit the head” and punished with fines. In Ukraine, such regulation yet, are only the first steps.
How many in Ukraine hackers? How many of them are “white” and how many “black”?
Hackers — a few hundred. Question about the “black” is often asked. In this case I have prepared a joke that a “white” night becomes “black”. But this is a joke. If someone is caught, will answer on all severity.
Most importantly, have the “white hackers,” or white hat hackers, this is their reputation. I will never take on a project the man in the street — who don’t know, who does not pass the test. Because we see everything “inside” the systems of our clients, and I their name are responsible for the fact that no information will be gone and sold.
Requests for “non-white” hacks come you say, “and you can instagram ex-girlfriend hack”? But that’s not our clientele. We promote the idea that to make hacking possible and necessary in an honest way.
Audit of the crypto currency exchange or Bank could cost 40 thousand dollars — we officially have earned the money. You can crack “black”, but why? Usually “black hat hackers” end up either in prison or at forced work for the secret services.
Where are your “white hackers”?
One of the sources — our school where we teach hacking. Courses last three months, but we are not from scratch learn: people come to us who already know how to program or have sisadminyi experience. In the selection testing and if we see that a person is unethical intentions, you simply do not take it. Of course, 100% certainty to be impossible, but the lecturers constantly remind the audience about ethics: do not try to break, criminally responsible, “the white hacker” a couple of thousand dollars a month always work. By the way, half of the it Department in the Office of the President of Ukraine formed from our graduates, they protect the President around the clock.
In fact, we have to correct the reputation, and it is quite difficult. The Ukrainians have always been known as the “black hackers”, so you have to prove that we are not “black” and “white”. This helps work with the public sector: when we trust the Ministry and the postal and telecommunications, no longer believe the rest.
“In the spring I bet Mikhail Fedorov on TV that hackers will find in the “Da” vulnerability”
Tell me about your collaboration with the public sector.
In November, we conducted training for 20 representatives of critical infrastructure and the Ukrainian security services. It was a week-long intensive course on the basis of the Rada of national security and defense of Ukraine with the support of CRDF Global and U.S. Department of state, we talked about the methodologies which are applied by the private sector in business to hack or defend. In fact, the first case of public-private partnerships in this area — the first time the private sector has taught the public sector “white hacking”.
You have taught civil servants to protect themselves from break-ins, and cybernetically — catch the bad hackers?
Yes, that’s right. Our guys were given lectures and practical lessons is shown, as it occurs in business and how it can be used in government agencies.
In 2014, I at all conferences tell you that it is impossible to make a safe country, without involving private traders. The state has no such specialists in the private sector, not least due to the difference of salaries 5-10 times. The best specialists currently working in the private sector, and the interaction there is bound to: the owners need to train the state, and the state should serve the customer.
Five years ago, when we worked closely with the Estonians, I asked them what percentage of the orders associated with the state, which performs the state itself. It turned out, the state is the only customer, and by 100% by the private sector.
The word “hacker” there is nothing wrong or shameful. In the United States, the state holds regular testing of systems by “white hackers”, on different platforms run different barbouti programs, even my colleagues sometimes participate in them.
On the Hackerone program opened for all militarized U.S. sites — they can officially hack on the platform. And rightly so, because the other way other than bringing the hackers to protect yourself impossible to resist hacking, you need to understand how it happens.
Minsitry now holds babaulti application “Da”. Why should they?
Probably to show that they all “secure”. They came over a wave of criticism after that* leak. I also asked who you were testing? Now they will have something to say: we tested 50 hackers from around the world, no holes. This increases the level of trust. Often, companies use cybersecurity as an element of PR and marketing — see, we care about the safety of your data.
In the spring I bet Mikhail Fedorov on TV that hackers will find in the “Da” vulnerability — did this on purpose in order to stimulate and to draw attention to it. He did not respond. But six months later, and here starts this program. The Deputy Minister even tignol me on Facebook.
The “Da” for barbouti was a special testimony was a scandal with the leak of personal data. In may 2020, passport information, driver’s license, addresses, information about the property and the work of 26 million Ukrainians were freely available. Accused the developers of “D”. Minsitry then denied, saying that the app does not store data, but only uses them merged by someone else. “We have created an architecture that is impossible to crack,” said Fedorov in broadcast television channel “Inter”.
Egor Aushev said this: “in Order to tell if it was possible or not, we need to check. For my part I am ready to argue with the Minister that there is a vulnerability probably is”. These words came in the same plot of “Nara”, and even though the Minister they said nothing, in fact a challenge, it turns out, was accepted.
To check exposed not the whole platform, but only the mobile app. But there is another caveat — it’s not even the app itself, and his clone. “Da” created a replica of the system, and hackers are now hacking.
Because in Ukraine according to the law can’t be hacked directly — you will get an article and someone could go to jail.
In Ukraine there is a public procurement system Prozorro. Two years ago, I met its Director, and we had almost a year to come up with how to spend the first country babaulti program. In the end I decided to make a copy of the existing system is to test it, find problems and resolve them in the current system. Prozorro also found out that where they could not pay the money, they gave gifts — cups, baby soft, the winner got a drone.
Now the cloning mechanism is repeated with the “Da” — better than nothing, but it is very energy-intensive process. In the United States are testing the operating system directly it is enshrined in law.
When you make an innovative app for the convenience of people, it is important to pay attention to the ratio of speed and security. As for the car: it is impossible to accelerate without thinking about the quality of the rubber. And better than any of the certificate here will protect krausers-security — check from the “white hackers”.
So, you with government agencies already cooperate successfully, time tested Prozorro.
Yes, but we do not earn it. Prozorro task was to popularize the idea bigbounce. For this we invited in offline 20 hackers from all over Ukraine. The youngest was 15 years old, he came with dad to the senior 40+. They hackers were sitting in the same room was broken into while they were filming the TV we wanted to know who the white hat hackers and why they should not be afraid.
Today we have only a framework law on the basics of cybersecurity, adopted at last President in 2017. But the sector is not regulated, there are no rules. And if we, the white hackers are now going to find the vulnerability in the system of the Agency, then we will be difficult to even report it, because we can blame the break-in.
Why do you need to find vulnerabilities in gossistem without order?
It may come out accidentally. We can work with the client, which interacts with some Ministry, and see what there is “sticking out” — for example, a database. One day we organized a conference for “white hackers” in Kiev and foreign guests reported: you have such a Ministry “with holes”, they have barbouti where you can shareportal?
In the Verkhovna Rada now developing the cybersecurity act, which prescribe the liability issues. I participate in the working group. But it is a long process, at best the law will be submitted for consideration next year.
Tell us what you expect from the law.
First, the mechanisms of interaction between the private sector and the state. Need to be able to legally enter into a contract to private “white hackers” could come and adjust the state system.
Now it is illegal. Like, what if the hacker will see our inside information? My answer: nothing that your information is “sticking out”, and no one is able to tell you, and no one would fix it?
Second, Ukraine needs to receive the international safety standards and liability for non-compliance. In my understanding it should be on the CEO.
A few years ago we had some great stories of hacker break-ins. For example, during the attack of the virus NotPetya. I remember coming to the gas station and can’t pay with a credit card, because NotPetya blocked processes. Unfortunately, few then wanted to fix something. And why — still no accountability.
Even if you’re a government Agency and you leaked the database of Ukrainian citizens, can fix the vulnerabilities, and can be left as is.
In General, a mess. So now we are slowly starting to teach state agencies to the private sector, please include us for training specialists, the development of legislation.
Some changes on the state level coming. For example, we used to have state special connection service was the only center that was responsible for the entire cybersecurity, the rights of the monopoly they were given the internal Ukrainian certificates. Came a large foreign company and did not understand how to zakonektitsya for the exchange of information with the Ukrainian government Agency, our internal standard of security for them was unclear. Now established by international standards, which should be more understandable to foreign companies.
“We need a nest like UBER: there all people — taxi drivers, and there’s the hackers”
You conducted a workshop with the support of the state Department, the prize Fund for bigbounce “Da” allocated by USAID. States support the cyber security in Ukraine?
We are now seeing greater activity in this direction. US-Ukraine cyber dialogue program in millions of dollars, it takes a lot of training. For example, our company won the tender from CRDF Global, in the framework of the end of the year help to set the training system for government agencies.
Ukraine is in a state of cyberwar, as our official sources, our government agencies are constantly flying attack by a big neighbor. And here we have two support lines, one to help protect me, the second to help investigate the attack. Cybersecurity is a very geopolitical history, something between it and the defense industry.
Why you as a businessman cooperation with the government? The contractors, as a rule, little money and a lot of claims.
I lived five years in Germany, now live in Ukraine. This is my country, my industry, and I want for her not be ashamed. Want to be in this area was imposed some kind of order to me from Singapore wrote: ha ha, you have again hacked into this database.
Yes, now we pay the Americans, but something we do for free. Today, for example, we went to the cyberpolice and agreed to hold trainings. Free. It is our cyberpolice, and who they conduct trainings, as we do not? This element of social responsibility. Since the revolution he keeps us all and while.
I believe that in a healthy society needs to be close cooperation between the private sector and government. By love and not by compulsion. This should be a mass phenomenon — let it resembles an anthill.
How Uber the taxi drivers, and here all the people are hackers, everyone is checking each other. By removing barriers, we will be able to patch a leaky system.