Hacking It

Companies hire Avi Rubin to break into their computer systems -- and discover how to keep the data thieves out.

August 17, 2005 | By Dan Thanh Dang, SUN STAFF

Avi Rubin is known for annoying large companies and important people.

Two years ago, the Johns Hopkins University professor first alerted the country to troubling vulnerabilities in electronic voting, much to the consternation of election officials and machine-maker Diebold Election Systems. Then earlier this year, Texas Instruments similarly was none too pleased when Rubin's team of what he calls "super geniuses" broke the encryption on its wireless gas payment cards and car keys - a potential threat to millions of consumers.

In both cases, Rubin and his team of graduate students publicized their findings to prove that: a. it can be done, and b. nothing is safe in this high-tech world.

Point taken. Companies around the country soon began calling.

"We had so many companies asking us to check their security that it became obvious," says Rubin, a boyish 37-year-old. "It showed me there was a real need out there for our services."

In February, Rubin launched Independent Security Evaluators (ISE), a private company with headquarters on the Hopkins campus that ferrets out the electronic flaws and weaknesses in products and systems. These days, instead of annoying companies for free, the guys of ISE are charging for their expertise.

And they couldn't have started at a better time. Data is everywhere - as is the fear that it will fall into the wrong hands.

Consider the fact that a good part of consumers' lives is stored on hard disks, backup tapes and computer caches. Medical histories, financial data and untold amounts of work and personal information are stored, accessed and transmitted every second by someone, somewhere every day.

When everything goes right, all of this happens with little disruption - people can buy lunch, visit the doctor's office, get discounts at stores and check bank accounts online without a second thought.

Of course, things don't always go right.

Even as we are repeatedly reminded to safeguard our private information from identity theft, cybercriminals are getting smarter and savvier every day. They're no longer attacking just individuals. They're also going after the companies that are supposed to be safely storing our data.

In the past year alone, computer hackers stole the personal information of about 40 million people from CardSystems Solutions, a credit card-payment processing company, and thieves accessed the records of 145,000 people from information clearinghouse ChoicePoint Inc. CitiFinancial, the consumer finance division of Citigroup, lost computer tapes containing the data of 3.9 million customers. A security breach at information broker LexisNexis may have compromised data on more than 300,000.

DSW Shoe Warehouse said a few months ago that the credit card data on 1.4 million customers had been stolen. Bank of America and Time Warner have also lost backup tapes.

The list goes on.

"Thus far in the history of the general population's relationship with computing, people tend to accept mistakes with computers the way they accept the weather," says Brian Chess, co-founder and chief technology officer of Fortify Software, a security company in Palo Alto, Calif. "'Oh. My computer crashed. Oh. Someone stole my credit card information.' Well, people should realize that those things happen because someone else made a mistake. We, as a society, need to be less tolerant about mistakes.

"All the credit card information that has been stolen this past year has really woken people up," Chess said. "That's where ISE comes in. Avi and his group are very good at finding other people's mistakes."

For the three youthful employees of ISE, it's the perfect environment to showcase skills that wowed Rubin when he hand-picked them.

"I wouldn't have done this with just anyone," Rubin says. "I found the smartest people I could find."

There's Adam Stubblefield, now 24 and a recent Ph.D. grad, whom Rubin first spotted at a security conference. Then a Rice University freshman, he was giving a very technical speech about attacks on e-commerce servers to a group of computer science experts. Rubin lured Stubblefield to take a coveted summer internship at AT&T Labs, where he worked at the time. When Rubin moved to Hopkins, Stubblefield followed. He helped crack the code on the voting machines project, which showed their vulnerability to tampering, and now is ISE's expert on cryptography.

Then there's 28-year-old Matt Green, another Rubin protege from AT&T Labs. Rubin says Green was the most brilliant person in the AT&T Labs building without a Ph.D. Green also followed Rubin to Hopkins, where he earned a master's in computer science and honed his knowledge in wireless network technology and security.

Rounding out the team is Steve Bono, a 24-year-old "natural," Rubin says. Bono earned the only A-plus that Rubin ever gave in more than a half-dozen years of teaching. Bono, who also holds a master's in computer science, specializes in radio frequency technology and breaking into any system.

Together, they form a formidable team.

Baltimore Sun Articles