Hacking It

Avi Rubin is known for annoying large companies and important people.

Two years ago, the Johns Hopkins University professor first alerted the country to troubling vulnerabilities in electronic voting, much to the consternation of election officials and machine-maker Diebold Election Systems. Then earlier this year, Texas Instruments similarly was none too pleased when Rubin's team of what he calls "super geniuses" broke the encryption on its wireless gas payment cards and car keys - a potential threat to millions of consumers.

In both cases, Rubin and his team of graduate students publicized their findings to prove that: a. it can be done, and b. nothing is safe in this high-tech world.

Point taken. Companies around the country soon began calling.

"We had so many companies asking us to check their security that it became obvious," says Rubin, a boyish 37-year-old. "It showed me there was a real need out there for our services."

In February, Rubin launched Independent Security Evaluators (ISE), a private company with headquarters on the Hopkins campus that ferrets out the electronic flaws and weaknesses in products and systems. These days, instead of annoying companies for free, the guys of ISE are charging for their expertise.

And they couldn't have started at a better time. Data is everywhere - as is the fear that it will fall into the wrong hands.

Consider the fact that a good part of consumers' lives is stored on hard disks, backup tapes and computer caches. Medical histories, financial data and untold amounts of work and personal information are stored, accessed and transmitted every second by someone, somewhere every day.

When everything goes right, all of this happens with little disruption -people can buy lunch, visit the doctor's office, get discounts at stores and check bank accounts online without a second thought.

Of course, things don't always go right.

Even as we are repeatedly reminded to safeguard our private information from identity theft, cybercriminals are getting smarter and savvier every day. They're no longer attacking just individuals. They're also going after the companies that are supposed to be safely storing our data.

In the past year alone, computer hackers stole the personal information of about 40 million people from CardSystems Solutions, a credit card-payment processing company, and thieves accessed the records of 145,000 people from information clearinghouse ChoicePoint Inc. CitiFinancial, the consumer finance division of Citigroup, lost computer tapes containing the data of 3.9 million customers. A security breach at information broker LexisNexis may have compromised data on more than 300,000.

DSW Shoe Warehouse said a few months ago that the credit card data on 1.4 million customers had been stolen. Bank of America and Time Warner have also lost backup tapes.

The list goes on.

"Thus far in the history of the general population's relationship with computing, people tend to accept mistakes with computers the way they accept the weather," says Brian Chess, co-founder and chief technology officer of Fortify Software, a security company in Palo Alto, Calif. "'Oh. My computer crashed. Oh. Someone stole my credit card information.' Well, people should realize that those things happen because someone else made a mistake. We, as a society, need to be less tolerant about mistakes.

"All the credit card information that has been stolen this past year has really woken people up," Chess said. "That's where ISE comes in. Avi and his group are very good at finding other people's mistakes."

For the three youthful employees of ISE, it's the perfect environment to showcase skills that wowed Rubin when he hand-picked them.

"I wouldn't have done this with just anyone," Rubin says. "I found the smartest people I could find."

There's Adam Stubblefield, now 24 and a recent Ph.D. grad, who Rubin first spotted at a security conference. Then a Rice University freshman, he was giving a very technical speech about attacks on e-commerce servers to a group of computer science experts. Rubin lured Stubblefield to take a coveted summer internship at AT&T Labs where he worked at the time. When Rubin moved to Hopkins, Stubblefield followed. He helped crack the code on the voting machines project, which showed their vulnerability to tampering, and now is ISE's expert on cryptography.

Then there's 28-year-old Matt Green, another Rubin protege from AT&T Labs. Rubin says Green was the most brilliant person in the AT&T Labs building without a Ph.D. Green also followed Rubin to Hopkins, where he earned a master's in computer science and honed his knowledge in wireless network technology and security.

Rounding out the team is Steve Bono, a 24-year-old "natural," Rubin says. Bono earned the only A-plus that Rubin ever gave in more than a half-dozen years of teaching. Bono, who also holds a master's in computer science, specializes in radio frequency technology and breaking into any system.

Together, they form a formidable team.

Just ask Mark O'Hare, CEO of Security First Corp. in Rancho Santa Margarita, Calif. Before launching his company's new security product, which breaks data into random pieces of a puzzle for storage, O'Hare hired ISE. For three months, Rubin's team tweaked product algorithms. They studied the system design. They pored over thousands of lines of code.

O'Hare says ISE has helped to speed up and strengthen the product's performance by finding better mathematical formulas to break up data in more random ways.

"They have a certain way of thinking through things," O'Hare says. "We think we have a world-class product. We wanted world-class people to tell us we are right."

In some cases, companies just want ISE to tell them how everything and anything can go wrong.

While there are many computer security companies that offer similar services, ISE's past headline-grabbing work and Rubin's reputation in the field have brought many clients to their door.

Fortify Software in Palo Alto is one of those companies. As a proponent of creating better, more secure software instead of relying on software that blocks spam or scans for viruses, Fortify developed a testing tool that simulates all manner of attacks on computer systems and roots out susceptible errors existing in source code. The company recently hired Bono to fly to California to help create the second version of its testing tool.

In that job, Bono's sole duty is to think like a hacker. Sounding more glamorous than it seems, he often sits at a computer terminal concocting ways to inject bad code into computer applications. The more ways he can think of to break into a system, co-founder Chess says, the stronger Fortify's testing tool will be.

"We've got a standard bag of tricks that our tool will automatically try," Chess says. "But Steve's got a depth of security knowledge that's proven useful to us. He comes up with a variety of ways to deliver attacks. He thinks about what can go wrong. He figures out what a bad guy is inclined to do. He finds your weaknesses."

It's sensitive work in a field filled with paranoid people, Rubin says.

Few companies want to talk about how ISE has strengthened their products. No one wants to talk about any mistakes ISE has uncovered. For that reason alone, ISE has to sign stringent nondisclosure forms before work begins. After that, most CEOs say they sit back and wait for the results as they hope their product stands up to the ISE test.

"If they don't find anything, you feel very good," says Seth Birnbaum, chief executive of Verdasys, a Massachusetts company that protects data from loss or misuse on laptops, desktops and servers. "If they find something major, how can companies not want to fix it? It's an expense that pays for itself in the long run. There's no security that's 100 percent effective, but what they're doing is helping you increase the strength of your product."

Since ISE's formation, eight companies have hired them. Six more are in negotiations for their services. Although much of their work is performed under contract to companies, the guys of ISE still enjoy doing research similar to what they did on voting machines and electronic payment cards. Rubin, for example, is expected to lead a new center at Hopkins that is being created with a $7.5 million grant from the National Science Foundation to study the reliability of voting machines.

"We consider it public advocacy work," Green says. "If companies make claims that their technology is unbreakable ... "

"There's nothing like a bunch of grad students showing them how to tear it apart," Bono says, finishing Green's thought.

"Yes, companies hate that," Green adds.

If that sounds a little cocky, they can't really be blamed. Rubin won't go into specifics about how much money they've made, but revenue projections for their first six months of operation are expected to hit a half-million dollars.

"I predict we'll make millions off this," Rubin says with a smile. "We'd like to do this for five years and then cash out, although I could see us continuing this if we're having a lot of fun. Right now, we're having a lot of fun."

Recommended on Baltimore Sun