Information Security News mailing list archives

Brazilian Company Hacks Its Way Up


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:07:45 -0600

http://www.nytimes.com/2001/02/26/technology/26BRAZ.html

By JENNIFER L. RICH
February 26, 2001

RIO DE JANEIRO, Feb. 25 -- The first time Rinaldo Ribeiro hacked into the
computer, he did it in less than three minutes.

Vendors from the largest information security companies in the world
had rigged the system, a Windows NT server, to try to keep him out,
but that did not faze him. Nor did the several dozen people who were
watching his every move on a large overhead video screen. What
bothered him was that it had been too easy.

"I talked to the guy in charge afterwards to ask if they had left the
flaw in on purpose because it was really simple and quick," said Mr.
Ribeiro, whose boyish grin makes him look younger than his 26 years.

Mr. Ribeiro is a professional hacker with Módulo Security Solutions, an
information security firm here. He broke into the system in New
Orleans 16 months ago while attending a conference sponsored by the
Sans Institute, a leading research center for the security world. Each
year, the institute challenges industry professionals from around the
world to try and hack into a secure Internet server.

Of the 40 or so people who tried to beat the computer in New Orleans,
only Mr. Ribeiro and two others succeeded. When Mr. Ribeiro defended
his title last March at a conference in Orlando, he was the only one.
That time, it took him eight minutes. He plans to defend his title
again in May, at a conference in Baltimore.

"He seems like he really knows his stuff," said Christopher Pettit, a
senior security officer at the Computer Sciences Corporation and a
designer of the Sans Institute's challenge. "I would tend to hire a
company like his because I know I would have somebody who understands
what is going on."

That is exactly what Módulo is counting on. The company, with employees
like Mr. Ribeiro, and with a second round of venture capital financing
expected to close any day, is a market leader for information security
in Brazil, serving clients here like Microsoft and ABN Amro. Having
acquired five smaller security companies in the last year, Módulo is
setting off to conquer new markets elsewhere in Latin America and in
the United States. Its goal is to become one of the largest security
companies in the world.

Módulo, with revenues of $13.6 million last year, is housed in a
nondescript office building in downtown Rio, and it still has a long
way to go to catch up with current leaders. The major consulting
firms, like KPMG, provide security services, as do big software
vendors like Oracle. But analysts say that the market is ripe for new
contenders.

"There are so many mom-and-pop information security companies out
there, like the software industry 25 years ago," said Darren Lacey,
managing director of the Information Security Institute at Johns
Hopkins. "If you are good at it and you can get a few flagship
customers, you are a player."

Though technology companies are suffering, the information security
industry is booming, thanks in part to a growing number of
high-profile attacks. Last month, for instance, vandals broke into the
computer system of the economic summit in Davos, Switzerland, and
downloaded files filled with personal information on the participants.

With companies scrambling to protect their privileged information, the
worldwide market for security services is projected to grow to $17.2
billion in 2004 from $5.5 billion in 1999, according to the
International Data Corporation, a market research firm. The United
States is expected to account for nearly half that spending.

Módulo was founded in 1985 by 13 students at the Federal University of
Rio de Janeiro, home to one of only two mainframe computers in the
country at the time. With computers only trickling into the protected
Brazilian market, the partners recognized the potential security risks
in allowing a number of people to share the same computer, and they
set about developing software that would limit each user's access.

As Brazilian banks started automating, they became Módulo's first big
clients, and the company's security services grew along with its
clients' needs.

By 1993, the company had developed a patented method, called security
analysis and certification, to evaluate a company's security risks -- a
process that involved everything from debriefing employees to staging
hacker attacks.

"We find all of the vulnerabilities that a company might have --
networks, laptops, palmtops and especially personnel," said Jaime
Araújo, vice president for marketing and business development at Módulo.
"We had a client once who had information stolen because a competing
company hired away the driver of the C.E.O.'s car."

The next year, Módulo got its big break, winning a contract from the
Brazilian government to secure a nationwide project to computerize
voting. In last year's municipal elections, Módulo trained 2,000 poll
workers and provided security for more than 13,000 electronic voting
machines throughout the country. The company also won a federal
contract in 1997 to provide security for income tax filing over the
Internet. Last year, 11 million Brazilians filed tax returns
electronically.

But according to Mr. Araújo, the fortunes of the company really changed
when the partners decided to enter a business plan contest sponsored
by the Brazilian government in 1997.

During a trip to a trade show in San Francisco a couple of months
earlier, the partners met with venture capitalists at Hambrecht &
Quist, who, despite declining to invest in the company, allowed them
to take home a handful of business plans from successful start-ups
like Amazon and Real Networks.

"None of us slept the whole way home on the plane devouring those
plans," he said. "We were miles away from having a business plan like
those."

Using the plans as guides, Módulo eventually won the government
contest's $350,000 first prize from among hundreds of competitors,
providing the seed capital for the company's international expansion.
It also provided a structure for the company's growth.

"Without a doubt, it was the culture of the business plan that allowed
us to triple our revenues every year for the last four years," Mr.
Araújo said.

In 1999, Módulo opened a small office in the Silicon Valley city of San
Rafael, Calif. Rather than tackling the entire security market, the
company decided to concentrate on its strongest area of expertise --
electronic elections. Módulo set up a company called SafeVote, and in
January 2000, it was invited to the White House to address an
electronic commerce working group led by Vice President Al Gore's
staff on computerizing voting.

At the time of the presidential elections last November, SafeVote ran
its first live test in the United States, organizing a mock election
with several hundred voters in Contra Costa, Calif., under a contract
with the California secretary of state. Although the company published
the specifications of the system and invited hackers to try to disrupt
voting, SafeVote said the test went off without a hitch. The company
is hoping that, after the Florida ballot debacle, the new interest in
updated voting systems in the United States will provide a market
opportunity.

At the same time, Módulo wants to branch out in the United States to
offer a full range of security services. Because hundreds of security
companies already operate in the United States, though, analysts say
that competition in the American market will be stiff for Módulo. To
create a foothold, the company said it had decided to use its newest
round of financing to buy at least two security companies in the
United States. It declined to identify them, other than to say that
one is in New York.

"There is still space in the market for people who know what they are
doing," said Mr. Pettit of Computer Sciences. "What's going to happen
is that there is going to be a shakeout because of lack of talent."

As part of the company's Latin American expansion plans, Módulo is also
in talks to buy companies in Argentina, Chile and Mexico. It has also
created a Web portal, Modulo.com.br, and is selling training courses
over the Internet.

Mr. Araújo has found that the hardest thing to overcome in the United
States market is the bias that he said American companies had against
Brazil. Unlike Israel or Japan, he said, Brazil is not known for being
technologically strong. To go around the problem, he said that the
company had hired an American financial adviser to do most of its
negotiating for acquisitions.

And then, of course, there will be the inevitable culture clash.

"While a Brazilian spends a half an hour talking about a problem over
a coffee," he said, "an American will discuss it in two minutes and
want an answer in the third."

ISN is hosted by SecurityFocus.com