Information Security News mailing list archives
Brazilian Company Hacks Its Way Up
From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:07:45 -0600
http://www.nytimes.com/2001/02/26/technology/26BRAZ.html

By JENNIFER L. RICH
February 26, 2001

RIO DE JANEIRO, Feb. 25 - The first time Rinaldo Ribeiro hacked into the computer, he did it in less than three minutes. Vendors from the largest information security companies in the world had rigged the system, a Windows NT server, to try to keep him out, but that did not faze him. Nor did the several dozen people who were watching his every move on a large overhead video screen. What bothered him was that it had been too easy.

"I talked to the guy in charge afterwards to ask if they had left the flaw in on purpose because it was really simple and quick," said Mr. Ribeiro, whose boyish grin makes him look younger than his 26 years.

Mr. Ribeiro is a professional hacker with Módulo Security Solutions, an information security firm here. He broke into the system in New Orleans 16 months ago while attending a conference sponsored by the Sans Institute, a leading research center for the security world. Each year, the institute challenges industry professionals from around the world to try and hack into a secure Internet server.

Of the 40 or so people who tried to beat the computer in New Orleans, only Mr. Ribeiro and two others succeeded. When Mr. Ribeiro defended his title last March at a conference in Orlando, he was the only one. That time, it took him eight minutes. He plans to defend his title again in May, at a conference in Baltimore.

"He seems like he really knows his stuff," said Christopher Pettit, a senior security officer at the Computer Sciences Corporation and a designer of the Sans Institute's challenge. "I would tend to hire a company like his because I know I would have somebody who understands what is going on."

That is exactly what Módulo is counting on. The company, with employees like Mr. Ribeiro, and with a second round of venture capital financing expected to close any day, is a market leader for information security in Brazil, serving clients here like Microsoft and ABN Amro. Having acquired five smaller security companies the last year, Módulo is setting off to conquer new markets elsewhere in Latin America and in the United States. Its goal is to become one of the largest security companies in the world.

Módulo, with revenues of $13.6 million last year, is housed in a nondescript office building in downtown Rio, and it still has a long way to go to catch up with current leaders. The major consulting firms, like KPMG, provide security services, as do big software vendors like Oracle. But analysts say that the market is ripe for new contenders.

"There are so many mom-and-pop information security companies out there, like the software industry 25 years ago," said Darren Lacey, managing director of the Information Security Institute at Johns Hopkins. "If you are good at it and you can get a few flagship customers, you are a player."

Though technology companies are suffering, the information security industry is booming, thanks in part to a growing number of high-profile attacks. Last month, for instance, vandals broke into the computer system of the economic summit in Davos, Switzerland, and downloaded files filled with personal information on the participants.

With companies scrambling to protect their privileged information, the worldwide market for security services is projected to grow to $17.2 billion in 2004 from $5.5 billion in 1999, according to the International Data Corporation, a market research firm. The United States is expected to account for nearly half that spending.

Módulo was founded in 1985 by 13 students at the Federal University of Rio de Janeiro, home to one of only two mainframe computers in the country at the time. With computers only trickling into the protected Brazilian market, the partners recognized the potential security risks in allowing a number of people to share the same computer, and they set about developing software that would limit each user's access.

As Brazilian banks started automating, they became Módulo's first big clients, and the company's security services grew along with its clients' needs. By 1993, the company had developed a patented method, called security analysis and certification, to evaluate a company's security risks, a process that involved everything from debriefing employees to staging hacker attacks.

"We find all of the vulnerabilities that a company might have: networks, laptops, palmtops and especially personnel," said Jaime Araújo, vice president for marketing and business development at Módulo. "We had a client once who had information stolen because a competing company hired away the driver of the C.E.O.'s car."

The next year, Módulo got its big break, winning a contract from the Brazilian government to secure a nationwide project to computerize voting. In last year's municipal elections, Módulo trained 2,000 poll workers and provided security for more than 13,000 electronic voting machines throughout the country.

The company also won a federal contract in 1997 to provide security for income tax filing over the Internet. Last year, 11 million Brazilians filed tax returns electronically.

But according to Mr. Araújo, the fortunes of the company really changed when the partners decided to enter a business plan contest sponsored by the Brazilian government in 1997. During a trip to a trade show in San Francisco a couple of months earlier, the partners met with venture capitalists at Hambrecht & Quist, who, despite declining to invest in the company, allowed them to take home a handful of business plans from successful start-ups like Amazon and Real Networks.

"None of us slept the whole way home on the plane devouring those plans," he said. "We were miles away from having a business plan like those."

Using the plans as guides, Módulo eventually won the government contest's $350,000 first prize from among hundreds of competitors, providing the seed capital for the company's international expansion. It also provided a structure for the company's growth.

"Without a doubt, it was the culture of the business plan that allowed us to triple our revenues every year for the last four years," Mr. Araújo said.

In 1999, Módulo opened a small office in the Silicon Valley city of San Rafael, Calif. Rather than tackling the entire security market, the company decided to concentrate on its strongest area of expertise: electronic elections. Módulo set up a company called SafeVote, and in January 2000, it was invited to the White House to address an electronic commerce working group led by Vice President Al Gore's staff on computerizing voting.

At the time of the presidential elections last November, SafeVote ran its first live test in the United States, organizing a mock election with several hundred voters in Contra Costa, Calif., under a contract with the California secretary of state. Although the company published the specifications of the system and invited hackers to try to disrupt voting, SafeVote said the test went off without a hitch.

The company is hoping that, after the Florida ballot debacle, the new interest in updated voting systems in the United States will provide a market opportunity. At the same time, Módulo wants to branch out in the United States to offer a full range of security services.

Because hundreds of security companies already operate in the United States, though, analysts say that competition in the American market will be stiff for Módulo. To create a foothold, the company said it had decided to use its newest round of financing to buy at least two security companies in the United States. It declined to identify them, other than to say that one is in New York.

"There is still space in the market for people who know what they are doing," said Mr. Pettit of Computer Sciences. "What's going to happen is that there is going to be a shakeout because of lack of talent."

As part of the company's Latin American expansion plans, Módulo is also in talks to buy companies in Argentina, Chile and Mexico. It has also created a Web portal, Modulo.com.br, and is selling training courses over the Internet.

Mr. Araújo has found that the hardest thing to overcome in the United States market is the bias that he said American companies had against Brazil. Unlike Israel or Japan, he said, Brazil is not known for being technologically strong. To go around the problem, he said that the company had hired an American financial adviser to do most of its negotiating for acquisitions.

And then, of course, there will be the inevitable culture clash. "While a Brazilian spends a half an hour talking about a problem over a coffee," he said, "an American will discuss it in two minutes and want an answer in the third."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".