The Honolulu Advertiser
Posted on: Monday, December 31, 2007

'White hat' hackers in demand

By Greg Wiles
Advertiser Staff Writer


Gregston Chu, a Damien Memorial School graduate, now works as a senior manager in Houston for Ernst & Young LLP's Advanced Security Center. He was in Honolulu recently to test the security of a local bank.

BRUCE ASATO | The Honolulu Advertiser


Gregston Chu knows all the tricks of being a hacker, from talking his way into secure buildings to exploiting holes in Internet security or gaps in internal company systems to grab control of computers.

That makes him a highly valued consultant, and as such he's criss-crossed the U.S. and traveled to Europe and Asia to uncover computer system vulnerabilities for Fortune 100 companies and other large corporations.

Last week, he was in town trying to breach the security of a local bank. Non-disclosure agreements prevent him from giving the name.

"We get the thrill that a lot of hackers do, without that going to jail part," said Chu, a 1992 Damien Memorial School graduate who performs "extreme hacking" work as a senior manager for Ernst & Young LLP's Advanced Security Center, based in Houston.

Chu, 33, is part of a fraternity known as "penetration testers" or "ethical hackers," a group of experts who are hired to hack into computer systems or find other ways to gain access. These so-called "white hats" will spend days or weeks searching company systems to come up with recommendations for fortifying corporations against such threats.

According to a survey by the Computer Security Institute, organizations reported $52.5 million of losses in 2006 because of computer security breaches. This included losses due to unauthorized access, theft of laptop or mobile computing devices and theft of proprietary information. Other categories where losses occur include Web site defacement, telecommunication fraud and viruses.

Such breaches are a daily occurrence. In one well-publicized incident earlier this year, Framingham, Mass.-based retailer TJX Corp.'s computers were broken into and data on at least 45.6 million credit and debit cards was stolen.

Locally, Jason Martin, president of Honolulu-based Secure DNA, said his business is growing because more companies want to make sure their systems are unassailable.

"It's definitely growing," said Martin, a former KPMG security expert who founded Secure DNA five years ago. "People are becoming more aware of it."

Martin said recent state legislation that fines businesses for losing confidential consumer information, along with internal controls mandated for publicly traded companies by the federal Sarbanes-Oxley Act, is responsible for some of companies' increased interest.

Chu has tried to hack many of the biggest corporations in the nation, and was able to penetrate 80 to 90 percent of the systems of Fortune 100 companies that he tested.

His efforts included exploring security gaps that can be accessed from inside companies as well as those that may come from external gateways such as the Internet.

"When inside the corporation we're about 100 percent successful in gaining access to 80 to 90 percent of their internal system," said Chu, who has an undergraduate degree in computer science and a master's degree in business administration from the University of Oregon.

When it comes to accessing company systems from the Internet, however, the success rate drops to between 20 and 30 percent because corporations generally have very good external protection.

"Typically, we'll penetrate a handful of systems and from those systems leverage access to compromise their entire network," Chu said.

At times he checks whether the company's systems are vulnerable to someone talking their way in, or sneaking into offices with a fake employee badge. But much of the work can be tedious and grueling as he works to map out systems and find weaknesses.

"It doesn't happen in 10 seconds like the Hollywood movies," Chu said. "Our engagements are typically a couple of weeks long."

But, through hard work, he's demonstrated his ability to get e-mails sent between people on Forbes' list of the 100 richest people in the world, and has been able to stage break-ins that could have led to millions of dollars of damage if performed by a so-called "black hat" hacker.

"It is kind of fun to find things that aren't supposed to be found," Chu said. "Hopefully we're here to help protect corporations and help protect consumers."

Reach Greg Wiles at gwiles@honoluluadvertiser.com.
