In his interview, Andrey Belenko, world-wide renowned password recovery expert, researcher and technical specialist from Elcomsoft, speaks on his career, likes and dislikes in the field of computer security, his research, plans and dreams.
Andrey Belenko was born in Moscow in 1984. Graduated from Moscow State Technical University in 2007 (M.Sc. in Computer Security, with honors). Currently lives in Moscow and works as full-time researcher and software engineer at Elcomsoft since 2007. Was the first to bring GPU acceleration to password recovery; have co-developed ThunderTables, an improvement to Rainbow Tables. Since 2010 became greatly involved in Apple iOS and BlackBerry forensics, have co-researched and co-developed number of company’s tools for this. A frequent traveler and a frequent speaker at international events: presented at more than 20 events since 2009. Enjoys cycling, swimming, shooting (both guns and camera) and traveling. Passionate about aviation and hopes to get pilot’s license one day.
Yuri: Andrey, please briefly describe your current occupation.
Andrey: At the present time I am a Chief Security Researcher and Software Engineer at Elcomsoft. I am involved in research and development of tools aimed at password recovery and smartphone forensics. Specifically, I am responsible for two large fields: hardware acceleration of password recovery (GPUs and FPGAs) and iOS forensics.
I also handle some of the support tickets, provide some expertise to our customers, and speak on behalf of my employer at various Computer Security- and Computer Forensics-related conferences and shows.
I quickly realized that writing security policies is quite boring
Yuri: How did you become involved in computer forensic field?
Andrey: I got here through computer security. At some point in the past I became very interested in computer security (cryptography in particular) so I got a job as an Information Security Officer. However, I have fairly quickly realized that writing security policies and auditing networks is quite boring and that I do not get enough fun (which was the the incident response part). By that time I was already doing some assignments for Elcomsoft in part-time capacity so I joined them full-time and started working on new tools. That’s how I got to computer (and later mobile phone) forensics.
Yuri: Do you have any related education? What did you major in at university? What field do you have a degree in?
Andrey: I have graduated from the Bauman Moscow State Technical University. Originally enrolled to Electrical Engineering, during my second year became very interested in computer security and transferred to Computer Security Department from which I’ve received my Master’s degree in 2007.
If you need to work very long that’s a clear indication that something went terribly wrong earlier
Yuri: Please describe your working day. When you get to, what do you do first? What do you do most of the time? Are there days when you work 14 hours or longer? If so, why?
Andrey: Working days of 14+ hours are not something I’ve never had, but I try to avoid this kind of things unless absolutely necessary. I believe that job should be done in a steadily manner. If you need to work (very) long hours to meet deadlines or to deliver something then to me that’s a clear indication that something went terribly wrong earlier in the process.
My typical office day is a late one – from 11 am till 9 pm on average. Shifting it into afternoon helps to better align business time with our customers in Europe, UK, and US (at least partially) and it also allows me to avoid (at least some of the) terrible morning and evening Moscow traffic. My working day is usually an extension of my office day: usually there are emails, calls or meetings that should be taken care of outside of office hours.
I think the best place to start a day is a swimming pool: taking 30-40 laps in the morning gives you all the energy you’ll need.
I like challenges and freedom
Yuri: What do you like about your job most?
Andrey: Challenges and freedom. Computer security is full of challenges, whether you need to build something or break something. And it is an awesome feeling to solve challenge, so I really love this part.
In my current position I also have significant amount of freedom. As a researcher I can choose research topics/areas that I like the most (well, they should be related to computer security or computer forensics, but that’s the only requirement). As a developer I am free to choose tools or technologies to use. As a speaker I can choose what countries or events I would like (not) to attend.
Yuri: You are well-known researcher. Is the research a part of your daily job or you do it outside the office?
Andrey: It is part of my job and I sometimes do it outside of the office. Some research topics – hardware acceleration, for example, – are hard to do outside of the office because you need access to special hardware and/or equipment. Others, like, say, reverse engineering or sketching some proof-of-concept code, can be done virtually anywhere.
Publishing small pieces, such as articles or blog posts, is much more valuable to the community than books
Yuri: Do you have or plan to have a book on your research? Articles?
Andrey: I do articles from time to time, but that isn’t a priority. The majority of “publications” I have are conference slides and whitepapers. When time permits I do technical posts in our corporate blog.
It would be great to have a book published, but I see some problems here. First, computer security and computer forensics are very fast-changing fields, so it is a very difficult task to release a book that, when released, will still provide new and relevant information. From this point of view I believe publishing small pieces, such as articles or blog posts, is much more valuable to the community.
Second, and this is what I’m hearing from my friends who have some experience with publishing books, the amount of time and effort you need to put into writing a quality technical book is just not worth the benefits. At least here in Russia.
That said, maybe if one day I have enough free time I will try and write something. (smiling)
Yuri: What research are you working on now or just finished?
Andrey: I have recently finished a small project to add support of password recovery on FPGAs from Pico Computing to certain Elcomsoft’s products. Right now I’m working on low-level iOS forensics project.
I first heard about Elcomsoft when Dmitry Sklyarov was arrested in the U.S.
Yuri: How did you join Elcomsoft?
Andrey: I first heard about Elcomsoft when Dmitry Sklyarov was arrested in the U.S. for alleged DMCA violation (NB: Dmitry and Elcomsoft were later found not guilty by the U.S. Court of Law). Few years later Dmitry was invited to make a speech in front of prospective students in the school where I was working so this is how we met. Few months later he introduced me to then-President of Elcomsoft and I’ve got my first assignment. That was 2004 and I was still attending University. I’ve graduated in June 2007 and been working full-time for Elcomsoft since July 2007.
Yuri: What is special about your company and tools?
Andrey: The company is always about the people. At Elcomsoft we have quite a few great folks who make the company very special to me.
As for the tools we offer, I believe they are quite technological. Many of them were the first of their kind (e.g. password cracking on GPU, iOS 4 data decryption, BlackBerry password cracking, etc), some of them still remain unique as of today (e.g. pulling iCloud backups from Apple’s cloud).
One of the most unusual “Thank you” I’ve received was a poem from Germany
Yuri: What is the most interesting/unusual thing a customer has ever said about your company or your solutions?
Andrey: Oh, we receive all sorts of customer feedback, both positive and not-so-positive. Of course we try to deal with each case individually and almost always we resolve the issue to our customers’ satisfaction. The two most unusual “Thank you” messages I’ve received were a bottle of wine from South Korea (for some help with iOS forensics) and a poem from Germany (for recovery of 12+ character PGP passphrase).
Yuri: What is about your company or tool which you are proud of?
Andrey: I am of course very proud of the tools and technologies I have developed or co-developed. Two prime examples of that would be the GPU acceleration for password cracking and tools for iOS 4 forensics.
Yuri: I remember we first met in China at the CFC conference. Does the Chinese market have any specifics you take into consideration in your tools? Do you tailor your tools to any specific requirements of a specific country market?
Andrey: Well, I’m a tech guy, not the sales one. That said, my impression is that in China (as in Middle East) it is critically important to have local partner. You won’t get anywhere without this.
Yuri: What are your immediate plans with regards to your solutions?
Andrey: My immediate plan is to complete the iOS forensic project I’m working on. In longer term I foresee some changes in my career path.
Yuri: Have you ever done any forensic or corporate security investigations yourself?
Andrey: Yes, during my days as Information Security Officer I have handled good deal of investigations, mostly data leaks. At Elcomsoft I do not do complete investigations, but I do provide expertise and support to facilitate investigations carried by our customers and partners from time to time.
I remember my first investigation in detail
Yuri: What is the most interesting or unusual investigation you or your company has ever been involved in?
Andrey: The very first investigation was easy but interesting and, unlike many investigations that followed, I do remember it in detail. I was in high school and we had an incident with our website being attacked and certain inappropriate messages posted to it. I was tasked with tracking down the person which I successfully did. The interesting part was communicating with ISP. It was the first and the only investigation when ISP cooperated without sending authorities in.
Investigators shouldn’t be afraid of encryption
Yuri: What do you think every investigator should know about password recovery?
Andrey: I think every investigator should know about encryption, at least the very basics. And she or he shouldn’t give up on particular piece of evidence simply because it is encrypted or password protected. There are still some files and passwords that are trivial to break or bypass and this knowledge is very important. Investigators shouldn’t be afraid of passwords or encryption, they should understand it. Once understood and fear is gone, it is much easier to deal with.
Yuri: In your opinion, what is the current state of computer forensic science in Russia? Of legal computer forensic practices?
Andrey: I cannot comment on legal practices because I am no expert here. On the technical side, however, I definitely see positive changes, at least here in Moscow (speaking about law enforcement). My impression is that although there is no shortage of funding to get whatever hardware/software is needed, there is a definite shortage of qualified personnel, and this is the huge problem for law enforcement. It is very difficult to retain people with the levels of pay and amount of work they have to do. This is getting better, though.
Taking 30-40 laps in a pool at morning gives you all the energy you’ll need
Yuri: Are there any obstacles to selling products like yours?
Andrey: Again, no expert here, but I don’t really think there are any. Some customers ask about the legality of the tools, but as far as I know, for the jurisdictions where our tools may be considered harmful/illegal, we have all the needed paperwork to make our customers happy.
Yuri: Cloud computing is becoming very popular now. Do you feel that forensic market for vendors, like you, is decreasing due to that?
Andrey: Not a sales or marketing person, but I don’t see how cloud computing would hurt us. Many of our applications are compute-intensive, so the cheaper cloud computing becomes, the more market we have. In fact, I believe that cloud computing should increase sales of our cloud-aware products.
We will see a product for cloud storage forensics soon
Yuri: The more data is in a cloud, the less data is on a suspect’s computer. If all data goes to a cloud, will your company disappear?
Andrey: I don’t think so. Cloud storage, like cloud computing, may present a challenge, but in the end it increases market by creating new product opportunities. I am pretty sure we will see a product for cloud storage forensics pretty soon.
And old-school tools aren’t affected by that much either: cloud storage is just a medium and may still store encrypted or password-protected documents and there will still be need for tools to deal with that. Besides, we’re not only password cracking company, we also do other things less affected by clouds.
Yuri: Do you have any support for clouds in your products?
Andrey: Yes. Our solution for distributed password recovery can utilize cloud computing platforms, although at current cloud computing pricing this doesn’t make much sense. And another our product can pull users’ data from the iCloud (cloud where Apple iOS devices can store their data).
Yuri: Do you think that forensic investigation itself is going to be much more difficult due to the cloud idea implementation?
Andrey: I don’t think it will be much more difficult. I think it will require new tools and, maybe, slightly different approach or thinking.
Social networks actually make investigations easier
Yuri: The same question about social networks, which displace usual evidence such as mailboxes, chats, etc.: does this decrease your niche and make investigations more difficult?
Andrey: Social networks is not our niche at all, but I think they actually make investigations easier in many cases. Many people tend to (over)share lot of information about their friends or themselves. In my experience social networks proved to be extremely helpful when doing background checks and I don’t see why it should be any different for an investigation.
Yuri: What do you like most about computer forensics?
Andrey: Challenges, I guess. As a R&D guy I love to break stuff and then make a tool out of that.
Yuri: What forensic resources do you regularly read? What would you recommend to others?
Andrey: Twitter (smiling). I do not read any particular resource but I do follow people from the industry and I rely on them for posting/sharing interesting materials. I also try to keep track of talks/presentations on relevant conferences as this is where new stuff is usually released.
Yuri: How old are you?
Andrey: I’m 28.
Yuri: How many kids do you have?
Andrey: None so far.
Yuri: How many hours of sleep do you usually have?
Andrey: I usually try to sleep for at least 6 hours, usually I do 8, and when on a break in some nice sunny place I can easily do 10 (smiling).
The most unusual place I’ve been to is probably China
Yuri: What is your favorite vacation spot? What is the most unusual place you have ever been to?
Andrey: Western Europe is very good for vacations: it is fairly close (to Russia) and it is diverse enough to find exactly what you’re looking for. I am love both the lakes and mountains of southern Germany and Switzerland and the sea and sunny beaches of Mediterranean (smiling).
The most unusual place I’ve been to is probably China with its mind-blowing monuments like the Great Wall and the Ming dynasty Tombs with underground palaces.
Yuri: Do you do any sports? Which one? What is your preference in watching professional sports?
Andrey: I do not do any sports professionally. I do, however, enjoy swimming, cycling, and shooting (guns and pictures).
Unlike almost everyone on this planet I do not enjoy watching football or hockey. I do enjoy watching technological sports. It could be Formula-1 or it can be Red Bull Air Race or something similar.
For me vacation means I need to work an hour or two per day
Yuri: When did you have your last vacation? A real vacation, without any Internet and calls from your colleagues or customers?
Andrey: Haven’t happened yet, I guess. For me vacation means I don’t have to be in the office and only need to work an hour or two per day. Last such vacation happened just weeks ago: I went to southern Italy for 5 days. It was awesome .
I’d love to get pilot’s license one day
Yuri: Do you have a dream?
Andrey: Yes, I’d love to get pilot’s license one day. I was pretty close to doing this earlier this year but things didn’t work out, so I hope to take another shot.
Also, although not exactly a dream, I’d love to get a Ph. D. so if any of the readers are looking for a Ph. D. student please let me know (smiling).
Yuri: Thank you too, Andrey, for your time and really interesting answers!
Andrey: Thank you, Yuri, for taking your time to do this interview.
See more : Interview with Pasquale Stirparo