The Download

Security Expert Pokes Holes In Their Walls

By Ellen McCarthy
Thursday, March 17, 2005; Page E01

In the early afternoon in Severna Park, Ira Winkler sits on his couch, casually moving one hand across the mouse pad of his laptop computer. His three boys come and go, and his puppy, Bandit, plays underfoot. Within 30 minutes, Winkler has gathered identities and home addresses of employees at the company he is attacking. He knows the names of the servers holding the corporation's precious data and he knows which systems are vulnerable.

All that's left is the invasion, firing away and exposing every crack and crevice of the company's system, documenting the moves each step of the way and presenting the firm with a detailed report of its security failures.

Winkler, a former National Security Agency analyst, is hired by major corporations to break into their computers. The best way to prevent an attack by hackers is to hire someone who can think like them, the theory goes. U.S. companies are spending hundreds of millions of dollars each year to protect sensitive information, but Winkler says most firms are spending unwisely.

"Everybody's interested in Security 899, as opposed to Security 101. . . . It's the simple things that get overlooked," said Winkler, whose new book on the topic, "Spies Among Us," comes out later this month. Corporations invest in extensive systems that monitor network activity, for instance, but then neglect to tell employees to shred sensitive documents before discarding them. At one commodities trading company, Winkler said, he pulled from one trash bin a salary list for the traders, a bonus schedule, and a letter accusing an employee of sexual harassment. "There was a lot more in there, but that was just documents one, two and three," Winkler recalled.

Winkler, who used to work as a security expert for big firms such as Science Applications International and Computer Sciences, now runs his own "penetration testing" firm, Internet Security Advisors Group. He says he has done tests for a third of the Fortune 50.

When he gets a new assignment, his first step is to find out everything he can about the company, including its locations, partners, subsidiaries and the types of technologies running its systems. Much of that can be gathered with a few investigative Web searches.

The next part is even less technical. To expose a typical weakness in corporate security, Winkler often goes to one of the firm's offices and presents himself as a technical support specialist or other official. Sometimes it takes a fake identity or two, but he usually gets in.

Once inside, he makes himself at home with whichever computer he chooses, then loads a spyware program that gives him access to the company's innards. Often, Winkler says, he finds evidence that security already has been compromised. He once discovered that an employee of a pharmaceutical company was running hacking tools against the firm's computer.

High-profile breaches like the one at ChoicePoint are making more companies pay attention, Winkler says, but it's not inciting all of them to take what he considers the most appropriate security measures. A secure building, complicated passwords, computer log-ins that require two forms of identity and a well-trained workforce are often the best firewalls against hackers, he says.

The Tower Club has lost some of its sparkle.

Actually, the sparkle moved down one floor in the building and took a new job: Ardell Fleeson, the club's effervescent membership director, quietly bowed out of that role last month to join the Vienna business software firm Appian.

"It's the purest of all motivations. I needed to do something different," said Fleeson, now Appian's director of federal business development.

Fleeson was a fixture at the private dining club for 13 years, making rounds through the lobby, introducing dealmakers to one another and asking about members' spouses and kids by name. She saw the club through the best of times -- the late 1990s, when membership was the hottest ticket in town -- and the worst, when Fleeson ran support and networking groups for out-of-work techies.

Her extensive Rolodex will be valuable to Appian as it elbows further into the government sector. The company, founded in 1999 by the former MicroStrategy executive Matthew Calkins, has emerged as one of the region's promising young software companies, landing work with clients that include Federal Express and the Department of Homeland Security.

Fleeson, a member of the Tower Club's Hall of Fame, was bidden adieu with a standing ovation at the club's last board meeting.

"We were sad to see Ardell leave because she has been quite a force in developing membership relationships with the club. She just had the pulse, she was just superb," said Stan Krejci, chairman of the board of governors and managing consultant of the McCormick Group, an Arlington executive search firm.

The tough task of filling Fleeson's shoes falls to Stephanie Turk, who previously worked as director of sales for the Airlie Conference Center in Fauquier County, and Jeff Brouse, who has been with the club for several years.

Fleeson's face won't be totally absent from the 17th-floor dining room. She sold herself a membership before leaving and has been eating there "on an every-other-day basis."

Overheard: "The impact of [Indian Institutes of Technology] and that of its graduates has been felt broadly and deeply throughout the world . . . but I wouldn't get in if I applied today," joked Northern Virginia Technology Council Chairman Sudhakar Shenoy, at a meeting with local alumni of India's prestigious university system. Among the dozens of titles Shenoy holds is that of co-chairman of IIT 2005, a conference that will bring thousands of IIT graduates to Bethesda in May.

There is no replacing Shannon Henry, but I'll be writing in this space on Thursdays from now on. Please e-mail tips and thoughts to mccarthye@washpost.com.

© 2005 The Washington Post Company