From Hacker to Protector

[InfoSec News <isn () c4i org>]

http://www.businessweek.com/technology/content/oct2005/tc20051025_346219.htm

By Arik Hesseldahl
Young Entrepreneurs of Tech
OCTOBER 25, 2005 

For many technically talented teens, computer hacking brings about a 
first brush with law enforcement. For Ejovi Nuwere, it was a ticket 
out of the poverty-ridden, sometimes violent streets of New York's 
Bedford-Stuyvesant neighborhood. 

What started as a hobby at the age of 15 led in time to a computer 
security job with Lehman Brothers, and later with @Stake, the fabled 
security consulting firm that grew out of L0pht Heavy Industries, the 
Boston-based hackers collective, now a unit of Symantec (SYMC ). 

BOOK DEAL.  The story of how he got from the streets of Bed-Stuy to 
working the edge of the computer-security world formed the basis of an 
autobiography he published in 2001 entitled Hacker Cracker with 
HarperCollins. 

The book, like so many other things in his life, happened 
unexpectedly. "I was working for a startup company, and they couldn't 
afford to pay me any cash," he says. "It was run by a husband and wife 
team, and one was a former book editor, and the other was a food 
writer, and so they had contacts in the publishing business. They made 
one phone call, and two weeks later I had a book deal." 

Now the hacker who escaped from the streets has started his own 
outfit. As many companies ditch their old circuit-switched phone 
systems in favor of less expensive Internet-based telephony, Nuwere's 
SecurityLabs Technologies is dedicated to helping them make sure those 
calls are secure. 

POORLY WRITTEN.  Nuwere started the firm as a one-man shop with 
$10,000 in cash and took on some credit-card debt. First came 
consulting work, with five companies. "I spun the money from 
consulting into product development," he says. Now the company has 
grown to three people, with three companies interested in its 
software. 

The problems related to VoIP (voice over Internet protocol) aren't as 
simple as they at first appear, Nuwere says. Sure, there are concerns 
about spam and call interception, but the VoIP programs themselves can 
also be hacked. 

Those applications, he says, sometimes have the same holes that have 
plagued other programs in the past. In one case, he showed how poorly 
written software code in a VoIP application can allow a hacker to take 
over a desktop PC -- a bug previously found in programs like instant 
messaging. 

MAD RUSH.  "There are a lot of fundamental security flaws in the way 
many of these applications are written," he says. "There's a mad rush 
among companies to deploy VoIP and make it work, and I can't fault 
them for that. But no one is looking at the software for security. 
Well, hackers are. I think in the next six months to a year we'll see 
a lot more vulnerabilities being publicized." 

Initially his product will be software installed on a network 
appliance that companies will install on their internal networks. But 
eventually, Nuwere plans to convert to an application service provider 
model -- in which customers rent software that runs on the vendor's 
servers -- somewhat like what Salesforce.com (CRM ) does. 

"We'll market it like an ASP, and that will eliminate the need for 
hiring additional personnel to monitor security of VoIP calls," he 
says. "We'll deliver updates for the latest security threats in real 
time and make the job of the chief security officer easy." Spoken like 
a true entrepreneur. 



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org