Launched in early 2019, the Web Security Fellowship was a pilot project for eQualitie to introduce more IT professionals to the ranks of active civil society organizations. Eight fellows were selected from a public application process for a six-month placement within host organizations, comprising of human rights and independent media groups in Russia. The fellowship began with a three month intensive program on improving technical security insight and practical skills among the fellows. Thereafter, together with their host organization, fellows came up with a project or a series of tasks to improve the security of the host organization’s Web platform, mobile application or technical process. Herein we present the fellows, their projects and outcomes.
Presented by industry experts from the Runet, 10 online lectures were held within a three month period. The course material included:
- Organizational audits: technology assessment, risks & vulnerabilities, operation security
- Implementing a “security policy” within a civil society organization
- Strengthening web servers
- Cyber law, digital violence and censorship
- Latest developments in Internet censorship and its circumvention
- The theoretical and practical aspects of platform penetration testing
- Web site security: hosting and DNS, performance analysis and load testing, DDoS mitigation
- OWASP TOP 10 methodology
- Defensive programming
- Secure-by-design principles and system architectures
Meet the fellows and their projects
“I am working as a system administrator at the Memorial society’s Moscow office since 2009. My job is to administer the Windows Active Directory and Linux-based PC’s. I can design networks and configure network hardware on RouterOS and PfSense, make up html/css pages. I can provide video streaming, audio processing and editing, and technical support at public events (sound and video directing). At the basic level, I can administer *nix-based Web servers. I don’t know how to write codes (except simple Python/bash scripts), or to administer Windows-based Web servers.
In my spare time I work as several holiday schools’ manager (notably the Puschino Winter School and the Molecular and Theoretical Biology School), learn to play guitar, play video games, watch series and, last but not least, rear my daughter”.
Organization: International Memorial
Project: Improve the security of the web hosting server, making further recommendations to in-house developers
Tasks: Audit the security of base.memo.ru: develop a threat model, interview web developers, perform black box and white box penetration tests, analyze the configuration of the host site and audit the site code. Based on the results of the audit – re-configure the host server software to improve its security and set draft recommendations for the developer of the website application.
Project details: Pentest critical vulnerabilities using burp/owasp zap, sqlmap; configure monitor services (zabbix or its equivalent), harden the OS and its access interfaces (ssh, https).
“For more than a decade I have been developing applications and services. I prefer Kotlin, Java, Python; I use Sketch to draw designs and I love Material design. In my spare time I dig into engines when my Subaru would not accelerate or to switch my gear box to sport”.
Organisation: Not disclosed
Project: Make it harder to block application circuits
Tasks: Code a prototype library to identify the locker and lock them.
Project details: To block Telegram, Roskomnadzor has been using IP blocking via an Android system to lock the IPs that the application listens to when it tries to connect and masking its presence using the providers’ VPN networks. The objective of this project is to identify the locker who uses the above method; it may well stay relevant judging by the news briefs: Roskomnadzor plans to lock applications using DPI, the task being prolonged for over five years. A prototype implementation should have the same device distributing and receiving IPs as well as searching them and locking; it is to simplify the logic for a prototype. The battlefield version of this project is planned to distribute IPs from the back end using several circuits and other technologies to circumvent the locking.
“I work in the field of Information Security expertise for business software — I provide support for the SIEM system. During my work I scanned through innumerable logs and learned to scoop as much as possible; I worked with a wide range of IT systems (FW, DLP, antiviruses, hypervisors, DNS, DHCP, proxies and others) and usually know what’s happening inside and where to dig to come up with a relevant thing. I am good at problems finding and solving and I love to optimize the trivialities using Python. I am interested in many security trends but even more I love good muzak and movie from Carbon Based Lifeforms to Pearl Jam to Angerfist and from Clerks to The Good, the Bad and the Ugly to Sharknado”.
Organization: Mass Media Defence Centre
Project: An integrated Web platform
Objective: To free the organization from the multitude of difficult to maintain and ageing tools by creating a universal and easily maintained platform able to host all the current information resources and extendable to include more resources in the future and to enhance the availability. To secure the organization’s access to the external network and ensure the stability of that access.
- Project and devise a Web platform based on the state of the art tools and capable to host any of organization’s sites; develop and implement an enhanced availability (to block attacks and lockings).
- Clear up the technicalities of network communications inside the organization.
Oksana, Saint Petersburg
Project: Secure web hosting
Objective: To enhance the security of organization’s Web resources
- Restrict the free access to the organization’s main web-site from volunteers and other non-members of the staff;
- Check the volume of the critical information about our resources available from the outside;
- Develop a logins and passwords storage system for the members of the staff;
- Configure back-ups of the main Web site;
- Configure server applications to block brute force attacks;
- Configure the monitoring;
- Make corrections to the Social Worker’s Multifunctional Cabinet application;
- Update php.
“I am a Linux, Windows system administrator; work with ERP and CRM systems (Microsoft Sharepoint, Dynamics). I mostly dealt with business information systems, deployed in on demand and hybrid environments. I have extensive experience in fine tuning Linux vps to several Web tasks provided with a basic security (fail2ban, access management using ssh and so on), as well as maintaining stacks /apache/mysql/php, nginx/mysql/php. I am an activist and a coordinator of the Golos movement in Yaroslavl”.
Organization: Not disclosed
Project: Fix the major holes in the organization’s security, deploy data storage engines and policies, and perform the back-ups.
- Make VPN-only the common access to the organization’s recourses and, the first of all, to the site’s administration panel;
- Set up a single place to store the inputs and provide the access control and the data encryption. The solution must support the storage of diverse data formats and media files. The data must be stored in a neutral jurisdiction;
- Fine-tune the work flow and an engine to back up the Web application’s database regularly;
- Check the application for critical vulnerabilities in the OWASP-10 list and eliminate/accept the risks;
- Solve the problems with physical networking hardware – upgrade the router, move it to the rented facility’s boundaries, configure the local network, the firewall, the common access to the recourses. Provide a guest Wi-Fi access to the Web.
White hacker, software engineer, fullstack developer.
Organization: Horizontal Russia 7х7 interregional webzine
Project: Pentest a new Web site engine
Objective: Expose and fix security problems in a new self-made Website engine; reduce the penetration hazard.
- Scrutinize the architecture of the new Website as well as its subsystems;
- Scrutinize the source code of the engine and its modules;
- Expose actual and potential vulnerabilities of the Website; perform the penetration test;
- Come up with practical options to fix the vulnerabilities / fix them;
- Come up with options to reduce the penetration hazard / deploy them;
- Harden the server hosting the website;
- Set up the Website’s security monitoring and configure the tools to detect the penetrations;
- Develop rules for code-writing and for regular audit to maintain the Website’s security.
“For a decade I have been professionally dealing with the development and production of Web projects – makeup, design, coding (nowadays it’s called full-stack). I am skilled in the makeup with js, jquery, html, and css. I do the coding mostly in drupal, php. Currently I am studying python. I prefer to apply to projects I find interesting in the fields of science, art (music, theatre, painting, photography) and advocacy”.
Project: A preparation step to develop technical specifications for a detention monitoring database
Objective: Develop a UX matrix, User Stories. Scrutinize, analyze and select the software tools to develop the database.
Tasks: Develop a script and an interface for every role in the headquarters. Create a UX matrix. Determine the engine to develop the database as well as the technologies and systems that are updated and supported to power the project. Must communicate with every user group of a detention database (lawyers, monitors, analysts) to better understand the problems with current interfaces and take stock developing the technical specifications.
“2006 to 2008 I worked as a Web layout designer and a Web developer in a large company in the field of distance education in Russia. For more than a decade I make my living from the repair, assembly and set up of computers and peripherals as well as setting up and tuning the computer networks.
Surely I am skilled in installing all sorts of software. I have an experience of teaching the computer science at school. For many times I was an IT-volunteer for OVD-Info. For a year I did technical maintenance at the human rights organization”.
Organization: Memorial Human Rights Center
Project: Design a plan to migrate Memorial HRC to a cloud
Objective: Develop a project for Memorial HRC to switch to a cloud service: give the project rationale and describe the transition phases. Design a plan, set up a cloud infrastructure, test it, migrate the data and start it up.
- Explain the rationale for moving to a cloud to the HRC staff; make a presentation of the transition phases;
- Choose a cloud provider;
- Set up security policies for the cloud participation;
- Provide a single input point to enter the application from any environment;
- Protect IDs in local and cloud environments;
- Provide integrated management for the cloud and the security;
- Configure cloud services for back ups and disaster recovery of the local environment;
- Set up a platform for consistent data;
- Deliver the benefits of having a common database both in the local environment and in the cloud;
- Save costs with moving the local data to the cloud;
- Apply services for the consistent data storage, analysis and visualization;
- Run the state of art applications in the local environment and in the cloud;
- Fine tune the intranet and purchase the routers to ready the Internet connection for seamlessly using the cloud services.