Inside the North Baltimore company that discovered some of tech's biggest security vulnerabilities - Technical.ly Baltimore

Apr. 8, 2019 9:57 am

The ethical hackers at Independent Security Evaluators look to find flaws so attackers don't have the chance.

Independent Security Evaluators team members.

(Photo courtesy of ISE/Sam Levin)

The team at North Baltimore’s Independent Security Evaluators (ISE) has long been making headlines.

The company’s first big moment came in 2005, before it was even a company. That’s when the group of then-Johns Hopkins graduate students that formed the firm — overseen by Professor Aviel Rubin and including ISE CEO Steve Bono as well as Adam Stubblefield and Matt Green — broke the encryption on Texas Instruments’ RFID-based chips that were designed to secure car keys and prevent theft.

“This system was considered to be unbreakable,” ISE Executive Partner Ted Harrington said recently.

A couple years later, there was the iPhone, then just a few months old. Now working under the ISE banner, a team led by Dr. Charles Miller showed how a security flaw allowed an attacker to access personal information. Apple promptly made a fix to that issue, but it was just the beginning of a series of patches Miller and team would prompt in the company’s products.

Then it was on to Android, hospitals and, just this year, password managers.

While the press may not please execs, the research is designed to help. By identifying these potential issues and raising awareness of them rather than exploiting them, the research acts as a “change agent” at the companies and firms, Harrington said.

“It prompts them to take action,” he said.

Such is the work of the ethical hacker. White hats, if you will. Based from a headquarters just outside Cylburn Arboretum and an office in San Diego, ISE’s team of 45 people looks to identify how attackers could break into software before an actual breach happens. The research that’s made publicly available is only part of its work, as most of ISE’s business involves work directly with the companies building software or setting up systems to find flaws.

Harrington points to what he calls an “objective truth” about these efforts: “We’ve never not found a vulnerability,” he said.

That’s not to say that developers and the companies they work for are completely neglecting security, but instead an acknowledgement of the challenge it presents. Not to mention the difference between the people who build the technology and those who seek to exploit it.

As Harrington puts it, “the mindset to build something is very different from the mindset to break something.” Plus, he said, there’s a difference in time constraints. Unlike developers, the attackers are spending all of their time figuring out how to break in. ISE offers insight from that perspective.

“We want to help companies on their quest for security excellence,” he said.

Independent Security Evaluators' North Baltimore office. (Photo courtesy of ISE/Sam Levin)

These efforts involve work with firms of varying sizes, whether it’s a startup or a big enterprise. As opposed to networks, the work mostly involves assessing applications and how they’re constructed. This includes looking at, “What are different areas that attackers might launch a campaign, where are there coding errors built into it?” Harrington said. “Once we help them find issues, we’ll advise them on how to fix it.”

Being close to Baltimore’s universities — first Johns Hopkins, where the initial team that cracked the car key got started, and increasingly UMBC — has been a benefit for attracting talent, Harrington said. The company looks to give that talent a chance to be leaders in the security community, too: It created its own version of 20% time, which allows space for work on special projects, research or blogs and other content.

And it’s also looking to have a role in bringing that community together and addressing bigger challenges. ISE organizes the IoT Village, a series of events inside larger conferences (it was recently at RSA) that aims to raise awareness about security vulnerabilities in the internet-of-things devices that power connected homes and cities. Given how an attack on these could affect key machines and appliances that are used in everyday life, it’s an area that keeps cybersecurity leaders up at night. So the company set up a place for dialogue, as well as some ethical hacking.

“We want that experience to be one that galvanizes a community that is bigger than us,” Harrington said. “This is about an entire community of researchers all collaborating, because we can achieve so much more together than we can ever achieve alone.”
