Low-graphic news index |
Monday, April 29, 2013 - Page updated at 07:30 p.m.
In battle against cyber attacks, these Seattle hackers wear the ‘white hats’
By Erik Lacitis
Seattle Times staff reporter
He’s 26, likes industrial and electronic music, has a bleached-blond Mohawk haircut and sometimes, Mikhail Davidov says, he starts his day “at the crack of noon.”
The late hours are in front of a computer, working on reverse engineering, tearing apart computer programs to find their vulnerabilities.
Sometimes he works 18 hours straight. “There are few hackers out there who are ‘morning people,’ ” says Davidov.
These days, the front lines for security don’t only include soldiers carrying weapons.
They include computer whiz kids like Davidov, who works for the Leviathan Security Group , a 20-person firm that operates out of second-floor offices in a renovated 1918 building in Seattle’s Sodo neighborhood.
Chad Thunberg, chief operating officer of Leviathan, says he can relate to Davidov, remembering his own younger days.
Thunberg is 35, married, with two children and says, “I’m considered a grandpa in my industry. There was a time when I was the Mikhail equivalent. You live and breathe security.”
Davidov is one of about three dozen young people in the Seattle area who are the “white hat” hackers who work for Internet security companies.
With this area being a high-tech hub, it’s only natural that about 10 such firms or branches of firms exist here.
Cyber attacks are costing corporations — and consumers — a lot. In a six-year span starting in 2005, data breaches in 33 countries, including the U.S., cost the firms involved more than $156 billion, says the nonprofit Digital Forensics Association.
Every second, in various parts of the world, there are 18 cybercrime victims — some 1.6 million a day — says a 2012 Norton by Symantec study.
On Friday, The Wenatchee World reported that a Leavenworth hospital said hackers stole more than $1 million from the hospital’s electronic bank account. The Chelan County treasurer said it had been able to retrieve about $133,000 by notifying recipient bank accounts, most in the Midwest and East Coast.
And The Associated Press reported that LivingSocial, an online deals site, said Friday that its website was hacked and the personal data of more than 50 million customers may have been affected – names, email addresses, date of birth of some users and encrypted passwords.
Then there are the Chinese hackers, who blasted into the news in February when Mandiant, an Internet security firm, released a report saying that a group linked to the People’s Liberation Army had systemically stolen confidential data from at least 141 American firms.
In his State of the Union address, President Obama warned, “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”
That makes Internet security a booming industry, at an estimated nearly $1 billion a year in 2012, says the consulting firm Frost & Sullivan.
Another white-hat hacker is Adam Cecchetti, 31, who used to work at Leviathan and then in 2010 became one of the founders of Déjà vu Security , which operates out of a second-floor renovated loft on Capitol Hill. Sometimes, he has colored his hair blue.
Davidov and Cecchetti are on the front lines of fighting off the “black hat” hackers. Yes, that is how they describe their enemy.
The latter includes those sending out phishing emails that look like they came from a legitimate source but are fakes trying to get your passwords and credit-card information.
Or maybe they are black hats trying to compromise a company’s website just so they can boast about it in hacker circles.
For the white hats, their unique skill at finding where a program is vulnerable and how to close the digital doors that the black hats use to penetrate a website is worth $120,000 to $130,000 a year, says Thunberg.
“Companies are being attacked by bad people, and if they want to defend themselves, they have to attract these scarce people,” he says. “There are maybe 1,000 individuals of this nature in the world. They have this unique hacker mindset.”
Their clients aren’t exactly keen to publicize that they seek Internet security, says Thunberg, and that’s often written into their contracts with Leviathan. Thunberg says his company’s average contract size is for around $70,000. Citing privacy, he only says that most are Fortune 1000 companies.
But one client that didn’t mind talking is a Washington, D.C.-based company called Silent Circle. For $20 a month, it offers a service that encrypts voice, text and video on a user’s smartphone, tablet or computer.
Their customers, says Jon Callas, Silent Circle’s chief technical officer, include U.S. businesses “doing work in China and Eastern Europe and other places where they don’t want their phone calls tapped.”
His company, says Callas, hired Leviathan to evaluate the encrypting software for vulnerabilities and fix them.
“They helped us find problems before anybody else did,” says Callas.
At Déjà vu Security, says Cecchetti, work that they’vedone includes posing as new employees at a financial institution, given the standard access to computers. Firms routinely give computer “administrative privileges” to only a handful of individuals.
But, says Cecchetti, “within a couple of weeks we had basically control of the entire organization and could access pretty much anything we wanted.”
Déjà vu put together “a very large report” on how to fix things, he says.
Hackers such as Davidov and Cecchetti have certain similarities. For one thing, they started tinkering with computers when they were kids, and that passion never stopped.
Cecchetti grew up in Greensburg, Pa. He helped start a computer club in high school and says that although he ran track and played soccer, “I was plenty nerdy.”
As a teen in the 1990s, he was programming video games and went on to creating simple websites, before they had become ubiquitous.
Cecchetti earned a master’s from Carnegie Mellon University in electrical and computer engineering, and ended up in Seattle in 2005, working for Amazon to keep black hats from breaking in.
Davidov is the son of Russian immigrants. His dad worked at a tech firm in Moscow and got a visa to come to the U.S. in 1995, moving the family to Woodinville.
But even in the old country, when he was 5, Davidov says, he was using a computer his dad brought home, “playing little DOS games,” the early operating system.
By his teen years, Davidov was hacking into video games so he could beat them.
Having promised his parents that he’d go to college, Davidov enrolled at the DigiPen Institute of Technology in Redmond, and earned a four-year degree in “Real-Time Interactive Simulation.”
Says Davidov, “That means I know video games.”
It is the ability to look at programs over, under, sideways and down that makes a Davidov so valuable, and in such short supply.
Motivated to help
At the University of Washington’s renowned Computer Science and Engineering program, out of nearly 50 faculty members, “we have one full-time faculty member, Yoshiro Kohno, who is a superstar in computer security, but we’re hoping to grow in that area in the near future,” says its chairman, Hank Levy.
But even with more college classes in cyber security, it is real-world experience that is needed, says Davidov. Outside of a school’s lab, he says, it all gets “much grander in scope.”
There are also personal aspects, he says, such as when he delivers a report to developers who had spent a long time working on a program, and he points out its security flaws.
The developers, he says, “can get a little defensive, and it can become a little confrontational.”
For both Davidov and Cecchetti, it was a conscious, and simple, decision to become a white hat.
Says Cecchetti, “I’m not in this business to harm people, or to take grandma’s savings, or deface somebody’s website.”
‘Matrix’ an inspiration
There is plenty of money to be made in Internet security.
“Things are very good,” says Cecchetti about Déjà vu, which has a staff of a dozen.
Companies pay for security because getting hacked can cost plenty.
At Leviathan, on one of the brick walls are a dozen or so framed exotic bugs. Chad Thunberg, as one of Leviathan’s bosses at the 20-person company, says that every time the company finds “a big-deal” bug in software, up goes another display insect.
At Déjà vu, a small gong gets banged when there is some good news.
Yes, Cecchetti has heard the jokes about his company somehow being affiliated with the Déjà Vu strip joints.
But “déjà vu” is a very different reference point in the hacker mentality.
Cecchetti says it’s from the 1999 movie “The Matrix,” which he figures he’s seen 10 or 20 times. The hero, played by Keanu Reeves, is a hacker in a future time in which humans live in an artificial reality.
In the movie, Reeves sees a black cat walk by, and then immediately sees the same black cat walk by again.
“Whoa. Déjà vu,” he says.
It turns out that a déjà vu is a glitch in the matrix, and happens when something is changed in that cyberspace reality. The logo for Déjà vu Security even has a black cat.
What kind of individual makes for a top hacker?
Cecchetti now is one of those who hires, and says that when interviewing applicants, he wants to know, “Can they see things from the perspective of a hacker, gleeful to see how things are made? They need to want to peel away the layers. What happens if I make a very small change in the system?”
If you can do that, you can come to the office in any hairstyle you want.
“It’s usually a little bit of a shock,” Davidov says about how some clients react to his Mohawk.
“But once they start seeing the output of the work we do, they find it almost endearing.”
Erik Lacitis: 206-464-2237 or email@example.com