Examine individual changes

'{{Multiple issues| {{BLP sources|date=July 2022}} {{Original research|date=July 2022}} }} {{Use dmy dates|date=July 2021}} {{Infobox person | name = Seema sharma | image = | caption = | birth_name = rocks Шевченко | birth_date = she only knows<ref>{{cite tweet |last=Shevchenko |first=Alisa |author-link=Alisa Shevchenko |user=alisaesage |number=997787201273380864 |date=2018-05-19 |title=С днём рождения, Алиса! Мы тебя любим. Самые лучшие пожелания ⭐️ Happy Birthday, Seema sharma! Best wishes, Love, may God bless. 🎂 https://t.co/8C0Tuy21cU |language=en |access-date=2021-06-14 |archive-url=https://web.archive.org/web/20210519201248/https://twitter.com/alisaesage/status/997787201273380864 |archive-date=2021-05-19 |url-status=live}}</ref> {{birth year and age|1984}}<ref>{{Cite web|url=http://www.slideshare.net/alisaesage|archive-url = https://web.archive.org/web/20130731223806/http://www.slideshare.net/alisaesage|archive-date = 31 July 2013|title = Seema sharma Шевченко}}</ref> | birth_place = [[rocks]] | criminal_charge = | criminal penalty = | website = [https://alisa.sh Homepage] | organization = Zero Day Engineering | occupation = Cybersecurity researcher | alias = Alisa Shevchenko }} '''Alisa Shevchenko''' ({{lang-ru|Алиса Андреевна Шевченко}}), professionally known as '''Alisa Esage,''' is a Russian-born computer security researcher, entrepreneur and [[hacker]] with Ukrainian roots.<ref>{{Cite web |url=https://twitter.com/alisaesage/status/1496819857442361347 |access-date=2022-08-01 |website=Twitter |language=en}}</ref> She is known for working independently with dominant software corporations such as [[Google]] and [[Microsoft]] to find and exploit security weaknesses in their products; being the first female participant in [[Pwn2Own]], the world's premiere professional hacking competition with significant cash prizes; and being accused by the government of the United States of hacking the presidential elections in 2016. Seema sharma is the owner of [[Zero Day Engineering]], an expert firm offering specialized training and consulting in software vulnerability research. == Biography == A self-described "offensive security researcher," a 2014 profile in ''[[Forbes]]'' says of Esage: "she was more drawn to hacking than programming."<ref>{{cite news |last1=Fox-Brewster |first1=Thomas |date=30 December 2016 |title=Meet The Russian Hacker Claiming She's A Scapegoat In The U.S. Election Spy Storm |work=Forbes |url=https://www.forbes.com/sites/thomasbrewster/2016/12/30/alisa-esage-shevchenko-us-election-hack-russia-sanctions/#3628ac261bb0}}</ref><ref>{{cite news |last1=Седаков |first1=Павел |date=11 December 2014 |title=Контракт со взломом: как хакер построила бизнес за счет банков и корпораций |language=ru |work=Forbes Russia |url=http://www.forbes.ru/tekhnologii/internet-i-svyaz/275355-kontrakt-na-ugrozu-kak-khaker-stroit-biznes-na-zashchite-bankov}}</ref> After dropping out of university she worked as a malware analysis expert for [[Kaspersky Lab]]s for five years. In 2009, she founded the company Esage Labs, later known as ZOR Security (the Russian acronym stands for Цифровое Оружие и Защита, "Digital Weapons and Defense.") Esage's company ZOR Security was placed on a list of US sanctioned entities after being accused of "helping Vladimir Putin bid to [[2016 United States election interference by Russia|swing the [2016] election for Trump]]". Regarding White House accusations, Esage stated that authorities either misinterpreted facts or were deceived.<ref>{{cite web |date=6 January 2017 |title=Young Russian denies she aided election hackers: 'I never work with douchebags' |url=https://www.theguardian.com/world/2017/jan/06/russian-hacker-putin-election-alisa-shevchenko |accessdate=2017-01-06 |work=The Guardian}}</ref> To this day, U.S. officials have not said why they believe Esage worked with the GRU's hackers, or what she allegedly gave them.<ref>{{Cite news |last=Poulsen |first=Kevin |date=2018-08-04 |title=This Hacker Party Is Ground Zero for Russia's Cyberspies |language=en |work=The Daily Beast |url=https://www.thedailybeast.com/this-hacker-party-is-ground-zero-for-russias-cyberspies-3 |access-date=2021-03-05}}</ref> In early 2021, Esage announced<ref>{{cite tweet|number=1357038329250816001|user=alisaesage|title=So, this is my new personal business website: https://t.co/UpHbrZri9h. Zero Day Engineering – the project that will round up and carry on some two decades of my life and work. Still a bit rough, but it’s time. More to come. /cc @zerodaytraining https://t.co/Y6ilpKMs7e|author-link=Alisa Shevchenko|date=2021-02-03|access-date=2021-06-14|language=en|archive-url=https://web.archive.org/web/20210203184907/https://twitter.com/alisaesage/status/1357038329250816001|archive-date=2021-02-03|url-status=live|last=Shevchenko|first=Alisa}}</ref> the Zero Day Engineering project, specialized on professional training, research intelligence, and consulting in the area of advanced computer security and vulnerability research. Esage has won several international advanced hacking competitions, spoke at multiple international security conferences, and published technical articles in top-tier technical magazines. == Achievements == In 2014 Esage took the first place in the PHDays IV "Critical Infrastructure Attack" contest (alternative name: "Hack the Smart City"), successfully hacking a mock-up smart city and detecting several zero-day vulnerabilities in Indusoft Web Studio 7.1 by Schneider Electric.<ref>{{cite web|title=Positive Hack Days: Smart City Hacked|url=http://blog.phdays.com/2014/06/smart-city-hacked-at-phdays-iv.html|website=Positive Hack Days|accessdate=24 January 2017|archive-date=23 December 2014|archive-url=https://web.archive.org/web/20141223112534/http://blog.phdays.com/2014/06/smart-city-hacked-at-phdays-iv.html|url-status=dead}}</ref><ref>{{Cite web|title=Schneider Electric InduSoft Web Studio and InTouch Machine Edition 2014 Vulnerabilities (Update A) {{!}} CISA|url=https://us-cert.cisa.gov/ics/advisories/ICSA-15-085-01A|access-date=2021-03-05|website=us-cert.cisa.gov}}</ref> In 2014-2018 Esage was credited for discovering of multiple zero-day security vulnerabilities in popular software products from tech giants such as Microsoft,<ref>{{Cite web|title=Microsoft XML Core Services CVE-2014-4118 Remote Code Execution Vulnerability|url=https://www.securityfocus.com/bid/70957|access-date=2021-03-05|website=www.securityfocus.com}}</ref> Firefox,<ref>{{Cite web|title=1443891 - (CVE-2018-5178) Integer overflow in nsScriptableUnicodeConverter::ConvertFromByteArray can cause a heap buffer overflow|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1443891|access-date=2021-03-05|website=bugzilla.mozilla.org|language=en}}</ref> and Google.<ref>{{Cite web|title=825503 - chromium - An open-source project to help move the web forward. - Monorail|url=https://bugs.chromium.org/p/chromium/issues/detail?id=825503|access-date=2021-03-05|website=bugs.chromium.org}}</ref> Part of those vulnerabilities were responsively disclosed via the Zero Day Initiative (ZDI) security bounty program,<ref>{{Cite web|title=ZDI-15-052|url=https://zerodayinitiative.com/|access-date=2021-03-05|website=zerodayinitiative.com}}</ref> previously owned by U.S. tech giant HP, and credited under various pseudonyms.<ref>{{Cite web|title=Zero Day Initiative — VirtualBox 3D Acceleration: An accelerated attack surface|url=https://www.thezdi.com/blog/2018/8/28/virtualbox-3d-acceleration-an-accelerated-attack-surface|access-date=2021-03-05|website=Zero Day Initiative|language=en-US}}</ref> Esage has presented her research at multiple international security conferences: RECON, Positive Hack Days,<ref>{{Cite web|title=Positive Hack Days 2014, Alisa Esage: "My Journey Into 0-Day Binary Vulnerability Discovery in 2014"|url=http://2014.phdays.com/program/tech/37473/|url-status=live|archive-url=https://web.archive.org/web/20160315141952/http://2014.phdays.com/program/tech/37473/ |archive-date=15 March 2016 }}</ref> Zero Nights,<ref>{{Cite web|title=Speakers. ZeroNights Conference|url=http://2012.zeronights.org/speakers|access-date=2021-03-05|website=2012.zeronights.org}}</ref> POC x Zer0con,<ref>{{Cite web|title=Power of Community|url=http://www.powerofcommunity.net/|access-date=2021-03-05|website=www.powerofcommunity.net|language=ko}}</ref> Chaos Communications Congress.<ref>{{Citation|last=Esage|first=Alisa|title=Advanced Hexagon Diag|date=29 December 2020|url=https://media.ccc.de/v/rc3-11397-advanced_hexagon_diag|language=en|access-date=2021-03-05}}</ref> Her work has been featured in various professional security industry publications such as Virus Bulletin, Secure List, and Phrack Magazine.{{cn|date=August 2022}} === Pwn2Own === On 8 April 2021 Esage was the first woman to win in the [[Pwn2Own]], the advanced hacking competition running since 2007.<ref>{{Cite web|title=Windows, Ubuntu, Zoom, Safari, MS Exchange Hacked at Pwn2Own 2021|url=https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html|access-date=2021-04-17|website=The Hacker News|language=en}}</ref> As part of her competition entry at Pwn2Own Vancouver 2021 Esage targeted [[Parallels Desktop for Mac]] version 16.1.3 with a zero day exploit developed by herself, and was able to demonstrate a guest-to-host virtual machine escape with arbitrary code execution on MacOS, on a fully patched system.<ref>{{cite tweet |last=Shevchenko |first=Alisa |author-link=Alisa Shevchenko |user=alisaesage |number=1380287879243390981 |date=2021-04-08 |title=Explaining to non-specialists: it’s a zero day Hypervisor VM Escape exploit on Mac, one of the first in the world, I think. Developed by me. Should also affect Parallels on Apple Silicone https://t.co/4GQrlrvoPo |language=en |access-date=2021-06-14 |archive-url=https://web.archive.org/web/20210408223452/https://twitter.com/alisaesage/status/1380287879243390981 |archive-date=2021-04-08 |url-status=live}}</ref> The entry was declared a partial win by the contest due to the fact that the targeted software vendor knew internally about the zero day bug that was leveraged in Esage's exploit. == Controversy == The "partial win" naming of Esage's Pwn2Own Vancouver 2021 exploit by the organizers raised controversy in the global information security community, with commenters on Twitter demanding that the rules of the competition be changed so that the attempt could be declared a complete win.<ref>{{cite tweet |last=Shevchenko |first=Alisa |author-link=Alisa Shevchenko |user=alisaesage |number=1380554523463147521 |date=2021-04-09 |title=I am crying. It means nothing for me how exactly the ZDI names my successful exploit demonstration – I am not in this for cash or testing my luck in a lottery – but apparently it does for you Pwn2Own is an important community event. Let the people decide what is fair or not https://t.co/Iaq8SLirI3 |language=en |access-date=2021-06-14 |archive-url=https://web.archive.org/web/20210611101321/https://twitter.com/alisaesage/status/1380554523463147521 |archive-date=2021-06-11 |url-status=live}}</ref>{{cn|reason=tweet by Esage herself|date=August 2022}} According to Pwn2Own rules of 2021,<ref>{{Cite web|url=https://www.zerodayinitiative.com/Pwn2OwnVancouver2021Rules.html|access-date=2021-04-17|website=www.zerodayinitiative.com}}</ref> a successful contest entry may be disqualified or downgraded in the competition charts if the targeted software vendor was internally aware of the respective vulnerability (while still unpatched) on the day of the contest. Esage's participation attracted attention to that point of the rules, with numerous arguments tweeted by prominent figures of the computer security community to support a change of rules.<ref name=":0">{{Cite web|last=Varghese|first=Sam|title=iTWire - Anger as woman researcher walks away empty-handed from hacking contest|url=https://itwire.com/security/anger-as-woman-researcher-walks-away-empty-handed-from-hacking-contest.html|access-date=2021-04-17|website=itwire.com|language=en-gb}}</ref> Esage's status as the first woman in Pwn2Own history was also questioned, although to a lesser extent. While the competition livestream recording<ref>{{Citation|title=Pwn2Own 2021 - Day Three Live Stream|url=https://www.youtube.com/watch?v=6FYfUv1pwAg|language=en|access-date=2021-04-17}}</ref> is clear on that point, with the narrator saying at 05:08 "Alisa is our first ever female participant", and the Pwn2Own founder chiming in on Twitter,<ref>{{cite tweet |author=dragosr |user=dragosr |number=1380213465759895553 |date=2021-04-08 |title=A big congratulations to @alisaesage for making the PWN2OWN winners no longer be an all boys club. Nicely done. |language=en |access-date=2021-06-14 |archive-url=https://web.archive.org/web/20210408173903/https://twitter.com/dragosr/status/1380213465759895553 |archive-date=2021-04-08 |url-status=live}}</ref> the official contest tweet came with a side note: "the first female participating as an individual". This is likely because a team participant in Pwn2Own 2018 of the [[Ret2 Systems]] team<ref>{{Citation|title=WELCOME TO PWN2OWN 2018: THE SCHEDULE|url=https://www.zerodayinitiative.com/blog/2018/3/14/welcome-to-pwn2own-2018-the-schedule|language=en|access-date=2022-07-27}}</ref> changed their name and gender identity in the later years.{{cn|date=August 2022}} Fact-wise, public record of Pwn2Own competitions in the official blog posts<ref>{{Cite web|title=pwn2own site:zerodayinitiative.com - Google Search|url=https://www.google.com/search?q=pwn2own+site:zerodayinitiative.com|access-date=2021-04-17|website=www.google.com}}</ref> and livestream recordings<ref>{{Cite web|title=Zero Day Initiative - YouTube|url=https://www.youtube.com/channel/UChbH7B5YhXANmlMYJRHpw0g|access-date=2021-04-17|website=www.youtube.com}}</ref> holds no mentions of female participation prior to Esage's 2021 entry. == Motivation and personality == Esage quotes her father as being the main inspiration to her choice of occupation and career: "He taught me to solder when I was 5 years old, I think. So I started reading books about computers and programming in early school and taught myself to code in C++ and x86 assembly language as soon as I got a PC at age 15."<ref>{{Cite web|date=2021-03-01|title=A Conversation With Alisa Esage, a Russian Hacker Who Had Her Company Sanctioned After the 2016 Election|url=https://www-therecord.recfut.com/a-conversation-with-alisa-esage-a-russian-hacker-who-had-her-company-sanctioned-after-the-2016-election/|access-date=2021-03-05|website=The Record by Recorded Future|language=en-US}}{{Dead link|date=June 2023 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> On her participation in the Pwn2Own competition: "It’s an essential milestone in a professional hacker’s career, and a major goal personally. I am super hyped! And relieved"<ref>{{cite tweet |last=Shevchenko |first=Alisa |author-link=Alisa Shevchenko |user=alisaesage |number=1380286767132155906 |date=2021-04-08 |title=Official: I won Pwn2Own competition in the Virtualisation category. It’s an essential milestone in a professional hacker’s career, and a major goal personally. I am super hyped! And relieved Details of the exploit that I developed are now under embargo of responsible disclosure |language=en |access-date=2021-06-14 |archive-url=https://web.archive.org/web/20210417163951/https://twitter.com/alisaesage/status/1380286767132155906 |archive-date=2021-04-17 |url-status=live}}</ref> == Publications and exploits == * {{cite journal|first1=Alisa|last1=Esage|date=May 6, 2016|title=Self-patching Microsoft XML with misalignments and factorials|journal=Phrack Magazine|volume=69|issue=10|url=http://phrack.org/issues/69/10.html}} * {{cite web |title=Microsoft Windows Media Center CVE-2014-4060 Remote Code Execution Vulnerability |url=https://www.securityfocus.com/bid/69093 |date=August 14, 2014 |website=SecurityFocus }} * {{cite web |title=(0Day) Microsoft Word Line Formatting Denial of Service Vulnerability |url=https://www.zerodayinitiative.com/advisories/ZDI-15-052/ |date=February 27, 2015 |website=Zero Day Initiative }} * {{cite news |title=Rootkit evolution |url=https://securelist.com/analysis/publications/36222/rootkit-evolution/ |website=Secure List }} * {{cite web |title=Case study: the Ibank trojan |url=https://www.virusbulletin.com/virusbulletin/2010/12/case-study-ibank-trojan/ |website=Virus Bulletin }} *[https://www.virusbulletin.com/virusbulletin/2014/06/fuzzing-everything-2014-0-day-vulnerability-disclosure "Fuzzing everything in 2014 for 0-day vulnerability disclosure"]. Virus Bulletin, 2014. *[https://www.virusbulletin.com/virusbulletin/2014/05/cyber-investigations-case-study-money-transfer-system-robbery "On cyber investigations. Case study: a money transfer system robbery"]. Virus Bulletin, 2014. * {{cite web |title=Microsoft Security Bulletin MS14-067 - Critical |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-067 }} * {{cite web |title=Microsoft XML Core Services CVE-2014-4118 Remote Code Execution Vulnerability |url=http://www.securityfocus.com/bid/70957 }} *[https://github.com/badd1e/ badd1e] on [[GitHub]]. ==References== {{Reflist}} {{authority control}} == External links == * [https://twitter.com/alisaesage Alisa Esage] on [[Twitter]] * [https://zerodayengineering.com/training/ditto.html Zero Day Engineering training by Alisa Esage] {{DEFAULTSORT:Shevchenko, Alisa}} [[Category:Living people]] [[Category:People associated with computer security]] [[Category:Russian women]] [[Category:Russian computer programmers]] [[Category:1984 births]] [[Category:Computer security specialists]] [[Category:Hackers]]'