Alisa Esage: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Controversy: "Gender identity" does not have a hyphen
Tags: Mobile edit Mobile web edit
No edit summary
Tags: Mobile edit Mobile web edit
Line 17: Line 17:
}}
}}
[[File:AlisaEsage-PHDays2014.jpg|thumb|Alisa Esage giving a technical talk at a computer security conference (2014)]]
[[File:AlisaEsage-PHDays2014.jpg|thumb|Alisa Esage giving a technical talk at a computer security conference (2014)]]
'''Alisa Esage''' ({{lang-ru|Алиса Шевченко}}), also known as Alisa Shevchenko (born 1984), is a Russian [[hacker]], recognized for working with companies to find vulnerabilities in their systems. A self-described "offensive security researcher," a 2014 profile in ''[[Forbes]]'' says of Alisa: "she was more drawn to hacking than programming."<ref>{{cite news|last1=Fox-Brewster|first1=Thomas|title=Meet The Russian Hacker Claiming She's A Scapegoat In The U.S. Election Spy Storm|url=https://www.forbes.com/sites/thomasbrewster/2016/12/30/alisa-esage-shevchenko-us-election-hack-russia-sanctions/#3628ac261bb0|work=Forbes|date=30 December 2016}}</ref><ref>{{cite news|last1=Седаков|first1=Павел|title=Контракт со взломом: как хакер построила бизнес за счет банков и корпораций|url=http://www.forbes.ru/tekhnologii/internet-i-svyaz/275355-kontrakt-na-ugrozu-kak-khaker-stroit-biznes-na-zashchite-bankov|work=Forbes Russia|date=11 December 2014|language=ru}}</ref> After dropping out of school she worked as a malware analysis expert for [[Kaspersky Lab]]s for five years. In 2009, she founded the company Esage Labs, later known as ZOR Security (the Russian acronym stands for Цифровое Оружие и Защита, "Digital Weapons and Defense.")
'''Alisa Esage''' ({{lang-ru|Алиса Шевченко}}), also known as [[Alisa Shevchenko]] (born 1984), is a Russian [[hacker]], recognized for working with companies to find vulnerabilities in their systems. A self-described "offensive security researcher," a 2014 profile in ''[[Forbes]]'' says of Alisa: "she was more drawn to hacking than programming."<ref>{{cite news|last1=Fox-Brewster|first1=Thomas|title=Meet The Russian Hacker Claiming She's A Scapegoat In The U.S. Election Spy Storm|url=https://www.forbes.com/sites/thomasbrewster/2016/12/30/alisa-esage-shevchenko-us-election-hack-russia-sanctions/#3628ac261bb0|work=Forbes|date=30 December 2016}}</ref><ref>{{cite news|last1=Седаков|first1=Павел|title=Контракт со взломом: как хакер построила бизнес за счет банков и корпораций|url=http://www.forbes.ru/tekhnologii/internet-i-svyaz/275355-kontrakt-na-ugrozu-kak-khaker-stroit-biznes-na-zashchite-bankov|work=Forbes Russia|date=11 December 2014|language=ru}}</ref> After dropping out of school she worked as a malware analysis expert for [[Kaspersky Lab]]s for five years. In 2009, she founded the company Esage Labs, later known as ZOR Security (the Russian acronym stands for Цифровое Оружие и Защита, "Digital Weapons and Defense.")


Alisa's company ZOR Security was placed on a list of US sanctioned entities after being accused of "helping Vladimir Putin bid to [[2016 United States election interference by Russia|swing the [2016] election for Trump]]". Regarding White House accusations, Alisa stated on the record that authorities either misinterpreted facts or were deceived.<ref>{{cite web|url= https://www.theguardian.com/world/2017/jan/06/russian-hacker-putin-election-alisa-shevchenko|title= Young Russian denies she aided election hackers: 'I never work with douchebags' |work=The Guardian|date=6 January 2017|accessdate=2017-01-06}}</ref> To this day, U.S. officials have not said why they believe Alisa worked with the GRU's hackers, or what she allegedly gave them.<ref>{{Cite news|last=Poulsen|first=Kevin|date=2018-08-04|title=This Hacker Party Is Ground Zero for Russia's Cyberspies|language=en|work=The Daily Beast|url=https://www.thedailybeast.com/this-hacker-party-is-ground-zero-for-russias-cyberspies-3|access-date=2021-03-05}}</ref>
Alisa's company ZOR Security was placed on a list of US sanctioned entities after being accused of "helping Vladimir Putin bid to [[2016 United States election interference by Russia|swing the [2016] election for Trump]]". Regarding White House accusations, Alisa stated on the record that authorities either misinterpreted facts or were deceived.<ref>{{cite web|url= https://www.theguardian.com/world/2017/jan/06/russian-hacker-putin-election-alisa-shevchenko|title= Young Russian denies she aided election hackers: 'I never work with douchebags' |work=The Guardian|date=6 January 2017|accessdate=2017-01-06}}</ref> To this day, U.S. officials have not said why they believe Alisa worked with the GRU's hackers, or what she allegedly gave them.<ref>{{Cite news|last=Poulsen|first=Kevin|date=2018-08-04|title=This Hacker Party Is Ground Zero for Russia's Cyberspies|language=en|work=The Daily Beast|url=https://www.thedailybeast.com/this-hacker-party-is-ground-zero-for-russias-cyberspies-3|access-date=2021-03-05}}</ref>
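
Review bot: The one changed line, the lead paragraph, wraps "Alisa Shevchenko" in [[Alisa Shevchenko]], but the infobox lists that as another name of this article's own subject, so the link most likely points back to the page it sits on. Suggest leaving the name as plain text. The revision also carries "No edit summary"; a one-line summary stating the reason for the link would make the change reviewable.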

Revision as of 17:47, 31 July 2022

Alisa Esage
Born: Алиса Шевченко, 19.05[1] 1984 (age 40–41)[2]
Other names: Alisa Shevchenko
Occupation: Cybersecurity researcher
Organization: Zero Day Engineering
Website: Homepage
Image caption: Alisa Esage giving a technical talk at a computer security conference (2014)

Alisa Esage (Russian: Алиса Шевченко), also known as Alisa Shevchenko (born 1984), is a Russian hacker, recognized for working with companies to find vulnerabilities in their systems. She describes herself as an "offensive security researcher," and a 2014 profile in Forbes says of Alisa: "she was more drawn to hacking than programming."[3][4] After dropping out of school she worked as a malware analysis expert for Kaspersky Lab for five years. In 2009, she founded the company Esage Labs, later known as ZOR Security (the Russian acronym stands for Цифровое Оружие и Защита, "Digital Weapons and Defense").

Alisa's company ZOR Security was placed on a list of US sanctioned entities after being accused of "helping Vladimir Putin bid to swing the [2016] election for Trump". Regarding White House accusations, Alisa stated on the record that authorities either misinterpreted facts or were deceived.[5] To this day, U.S. officials have not said why they believe Alisa worked with the GRU's hackers, or what she allegedly gave them.[6]

In early 2021, Alisa officially started[7] the Zero Day Engineering project, which specializes in professional training, research intelligence, and consulting in the area of advanced computer security research.

Alisa is a winner of multiple international advanced hacking competitions, including Pwn2Own.

Achievements

In 2014 Alisa won the PHDays IV "Critical Infrastructure Attack" contest (alternative name: "Hack the Smart City"), successfully hacking a fake smart city and detecting several zero-day vulnerabilities in InduSoft Web Studio 7.1 by Schneider Electric.[8][9]

From 2014 to 2018 Alisa was credited with the discovery of multiple zero-day security vulnerabilities in popular software products from tech giants such as Microsoft,[10] Firefox,[11] and Google.[12] Some of those vulnerabilities were responsibly disclosed via the Zero Day Initiative (ZDI) security bounty program,[13] previously owned by U.S. tech giant HP, and credited under various pseudonyms.[14]

Alisa Esage has presented her research at multiple international security conferences: RECON, Positive Hack Days,[15] Zero Nights,[16] POC x Zer0con,[17] and Chaos Communication Congress.[18] In 2020 she was scheduled to give a talk at OffensiveCon, which had to be canceled due to travel constraints.[19]

Her work has been featured in various professional security industry publications such as Virus Bulletin, Secure List, and Phrack Magazine.

Pwn2Own

On 8 April 2021 Alisa Esage made history as the first woman to win at Pwn2Own, the iconic advanced hacking competition running since 2007.[20] As part of her competition entry at Pwn2Own Vancouver 2021, Alisa targeted Parallels Desktop for Mac version 16.1.3 with a zero-day exploit she developed herself, and successfully demonstrated a guest-to-host virtual machine escape with arbitrary code execution on macOS, on a fully patched system.[21] The contest declared the entry a partial win because the targeted software vendor already knew internally about the zero-day bug that Alisa's exploit leveraged.

Controversy

The organizers' "partial win" designation of Alisa's Pwn2Own Vancouver 2021 exploit caused massive outrage in the global information security community, with many commenters on Twitter demanding that the rules of the competition be changed so that the attempt would be declared a complete win.[22] According to the Pwn2Own rules of 2021,[23] a successful contest entry may be disqualified or downgraded in the competition charts if the targeted software vendor was internally aware of the respective vulnerability (while still unpatched) on the day of the contest. Alisa's participation drew public attention to that point of the rules, with prominent figures of the computer security community tweeting numerous reasonable arguments in support of a rule change.[24]

Alisa's status as the first woman in Pwn2Own history was also questioned, although to a lesser extent. While the competition livestream recording[25] is clear on that point, with the narrator saying at 05:08 "Alisa is our first ever female participant", and the Pwn2Own founder chiming in on Twitter,[26] the official contest tweet came with a side note: "the first female participating as an individual". This is likely because a member of the Ret2 Systems team[27] that participated in Pwn2Own 2018 changed their name and gender identity in later years. Fact-wise, the public record of Pwn2Own competitions in the official blog posts[28] and livestream recordings[29] holds no mention of female participation prior to Alisa's 2021 entry.

Motivation and personality

Alisa cites her father as the main inspiration for her choice of occupation and career: "He taught me to solder when I was 5 years old, I think. So I started reading books about computers and programming in early school and taught myself to code in C++ and x86 assembly language as soon as I got a PC at age 15."[30]

On her participation in the Pwn2Own competition: "It’s an essential milestone in a professional hacker’s career, and a major goal personally. I am super hyped! And relieved"[31]

Publications and exploits

  • Esage, Alisa (6 May 2016). "Self-patching Microsoft XML with misalignments and factorials". Phrack Magazine. 69 (10).
  • "Microsoft Windows Media Center CVE-2014-4060 Remote Code Execution Vulnerability". SecurityFocus. 14 August 2014.
  • "(0Day) Microsoft Word Line Formatting Denial of Service Vulnerability". Zero Day Initiative. 27 February 2015.
  • "Rootkit evolution". Secure List.
  • "Case study: the Ibank trojan". Virus Bulletin.
  • "Fuzzing everything in 2014 for 0-day vulnerability disclosure". Virus Bulletin, 2014.
  • "On cyber investigations. Case study: a money transfer system robbery". Virus Bulletin, 2014.
  • "Microsoft Security Bulletin MS14-067 - Critical".
  • "Microsoft XML Core Services CVE-2014-4118 Remote Code Execution Vulnerability".
  • badd1e on GitHub.

References

  1. ^ Shevchenko, Alisa [@alisaesage] (19 May 2018). "С днём рождения, Алиса! Мы тебя любим. Самые лучшие пожелания ⭐️ Happy Birthday, Alisa! Best wishes, Love, may God bless. 🎂 https://t.co/8C0Tuy21cU" (Tweet). Archived from the original on 19 May 2021. Retrieved 14 June 2021 – via Twitter.
  2. ^ "Alisa Esage Шевченко". Archived from the original on 31 July 2013.
  3. ^ Fox-Brewster, Thomas (30 December 2016). "Meet The Russian Hacker Claiming She's A Scapegoat In The U.S. Election Spy Storm". Forbes.
  4. ^ Седаков, Павел (11 December 2014). "Контракт со взломом: как хакер построила бизнес за счет банков и корпораций". Forbes Russia (in Russian).
  5. ^ "Young Russian denies she aided election hackers: 'I never work with douchebags'". The Guardian. 6 January 2017. Retrieved 6 January 2017.
  6. ^ Poulsen, Kevin (4 August 2018). "This Hacker Party Is Ground Zero for Russia's Cyberspies". The Daily Beast. Retrieved 5 March 2021.
  7. ^ Shevchenko, Alisa [@alisaesage] (3 February 2021). "So, this is my new personal business website: https://t.co/UpHbrZri9h. Zero Day Engineering – the project that will round up and carry on some two decades of my life and work. Still a bit rough, but it's time. More to come. /cc @zerodaytraining https://t.co/Y6ilpKMs7e" (Tweet). Archived from the original on 3 February 2021. Retrieved 14 June 2021 – via Twitter.
  8. ^ "Positive Hack Days: Smart City Hacked". Positive Hack Days. Archived from the original on 23 December 2014. Retrieved 24 January 2017.
  9. ^ "Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerabilities (Update A) | CISA". us-cert.cisa.gov. Retrieved 5 March 2021.
  10. ^ "Microsoft XML Core Services CVE-2014-4118 Remote Code Execution Vulnerability". www.securityfocus.com. Retrieved 5 March 2021.
  11. ^ "1443891 - (CVE-2018-5178) Integer overflow in nsScriptableUnicodeConverter::ConvertFromByteArray can cause a heap buffer overflow". bugzilla.mozilla.org. Retrieved 5 March 2021.
  12. ^ "825503 - chromium - An open-source project to help move the web forward. - Monorail". bugs.chromium.org. Retrieved 5 March 2021.
  13. ^ "ZDI-15-052". zerodayinitiative.com. Retrieved 5 March 2021.
  14. ^ "Zero Day Initiative — VirtualBox 3D Acceleration: An accelerated attack surface". Zero Day Initiative. Retrieved 5 March 2021.
  15. ^ "Positive Hack Days 2014, Alisa Esage: "My Journey Into 0-Day Binary Vulnerability Discovery in 2014"". Archived from the original on 15 March 2016.
  16. ^ "Speakers. ZeroNights Conference". 2012.zeronights.org. Retrieved 5 March 2021.
  17. ^ "Power of Community". www.powerofcommunity.net (in Korean). Retrieved 5 March 2021.
  18. ^ Esage, Alisa (29 December 2020), Advanced Hexagon Diag, retrieved 5 March 2021
  19. ^ offensivecon [@offensive_con] (13 February 2020). "Due to travel constraints the talk Nginx Njs Exploitation by @alisaesage has been withdrawn" (Tweet). Archived from the original on 13 February 2020. Retrieved 14 June 2021 – via Twitter.
  20. ^ "Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021". The Hacker News. Retrieved 17 April 2021.
  21. ^ Shevchenko, Alisa [@alisaesage] (8 April 2021). "Explaining to non-specialists: it's a zero day Hypervisor VM Escape exploit on Mac, one of the first in the world, I think. Developed by me. Should also affect Parallels on Apple Silicone https://t.co/4GQrlrvoPo" (Tweet). Archived from the original on 8 April 2021. Retrieved 14 June 2021 – via Twitter.
  22. ^ Shevchenko, Alisa [@alisaesage] (9 April 2021). "I am crying. It means nothing for me how exactly the ZDI names my successful exploit demonstration – I am not in this for cash or testing my luck in a lottery – but apparently it does for you Pwn2Own is an important community event. Let the people decide what is fair or not https://t.co/Iaq8SLirI3" (Tweet). Archived from the original on 11 June 2021. Retrieved 14 June 2021 – via Twitter.
  23. ^ https://www.zerodayinitiative.com/Pwn2OwnVancouver2021Rules.html. www.zerodayinitiative.com. Retrieved 17 April 2021.
  24. ^ Varghese, Sam. "iTWire - Anger as woman researcher walks away empty-handed from hacking contest". itwire.com. Retrieved 17 April 2021.
  25. ^ Pwn2Own 2021 - Day Three Live Stream, retrieved 17 April 2021
  26. ^ dragosr [@dragosr] (8 April 2021). "A big congratulations to @alisaesage for making the PWN2OWN winners no longer be an all boys club. Nicely done" (Tweet). Archived from the original on 8 April 2021. Retrieved 14 June 2021 – via Twitter.
  27. ^ WELCOME TO PWN2OWN 2018: THE SCHEDULE, retrieved 27 July 2022
  28. ^ "pwn2own site:zerodayinitiative.com - Google Search". www.google.com. Retrieved 17 April 2021.
  29. ^ "Zero Day Initiative - YouTube". www.youtube.com. Retrieved 17 April 2021.
  30. ^ "A Conversation With Alisa Esage, a Russian Hacker Who Had Her Company Sanctioned After the 2016 Election". The Record by Recorded Future. 1 March 2021. Retrieved 5 March 2021.
  31. ^ Shevchenko, Alisa [@alisaesage] (8 April 2021). "Official: I won Pwn2Own competition in the Virtualisation category. It's an essential milestone in a professional hacker's career, and a major goal personally. I am super hyped! And relieved Details of the exploit that I developed are now under embargo of responsible disclosure" (Tweet). Archived from the original on 17 April 2021. Retrieved 14 June 2021 – via Twitter.