Inside the North Baltimore company that discovered some of tech's biggest security vulnerabilities - Technical.ly Baltimore

Apr. 8, 2019 9:57 am

The ethical hackers at Independent Security Evaluators look to find flaws so attackers don't have the chance.

Independent Security Evaluators team members.

(Photo courtesy of ISE/Sam Levin)

The team at North Baltimore’s Independent Security Evaluators (ISE) has long been making headlines.

The company’s first big moment came in 2005, before it was even a company. That’s when the group of then-Johns Hopkins graduate students that formed the firm — overseen by Professor Aviel Rubin and including ISE CEO Steve Bono as well as Adam Stubblefield and Matt Green — broke the encryption on Texas Instruments’ RFID-based chips that were designed to secure car keys and prevent theft.

“This system was considered to be unbreakable,” ISE Executive Partner Ted Harrington said recently.

A couple years later, there was the iPhone, then just a few months old. Now working under the ISE banner, a team led by Dr. Charles Miller showed how a security flaw allowed an attacker to access personal information. Apple promptly made a fix to that issue, but it was just the beginning of a series of patches Miller and team would prompt in the company’s products.

Then it was on to Android, hospitals and, just this year, password managers.

While the press may not please execs, the research is designed to help. By identifying these potential issues and bringing awareness to them rather than exploiting them, Harrington said, the research acts as a “change agent” at the companies and firms.

“It prompts them to take action,” he said.

Such is the work of the ethical hacker. White hats, if you will. Based from a headquarters just outside Cylburn Arboretum and an office in San Diego, ISE’s team of 45 people looks to identify how attackers could break into software before an actual breach happens. The research that’s made publicly available is only part of its work, as most of ISE’s business involves work directly with the companies building software or setting up systems to find flaws.

Harrington points to what he calls an “objective truth” about these efforts: “We’ve never not found a vulnerability,” he said.

That’s not to say that developers and the companies they work for are completely neglecting security, but instead an acknowledgement of the challenge it presents. Not to mention the difference between the people who build the technology and those who seek to exploit it.

As Harrington puts it, “the mindset to build something is very different from the mindset to break something.” Plus, he said, there’s a difference in time constraints. Unlike developers, the attackers are spending all of their time figuring out how to break in. ISE offers insight from that perspective.

“We want to help companies on their quest for security excellence,” he said.

Independent Security Evaluators’ North Baltimore office. (Photo courtesy of ISE/Sam Levin)

These efforts involve work with firms of varying sizes, whether it’s a startup or a big enterprise. As opposed to networks, the work mostly involves assessing applications and how they’re constructed. This includes looking at, “What are different areas that attackers might launch a campaign, where are there coding errors built into it?” Harrington said. “Once we help them find issues, we’ll advise them on how to fix it.”

Being close to Baltimore’s universities — first Johns Hopkins, where the initial team that cracked the car key got started, and increasingly UMBC — has been a benefit for attracting talent, Harrington said. The company looks to give that talent a chance to be leaders in the security community, too: It created its own version of 20% time, which allows space for work on special projects, research or blogs and other content.

And it’s also looking to have a role in bringing that community together and addressing bigger challenges. ISE organizes the IoT Village, a series of events inside larger conferences (it was recently at RSA) that aims to raise awareness about security vulnerabilities in the internet of things devices that power connected homes and cities. Given how an attack on these could affect key machines and appliances that are used in everyday life, it’s an area that keeps cybersecurity leaders up at night. So the company set up a place for dialogue, as well as some ethical hacking.

“We want that experience to be one that galvanizes a community that is bigger than us,” Harrington said. “This is about an entire community of researchers all collaborating, because we can achieve so much more together than we can ever achieve alone.”
