Three of Google’s top internet security people are Kiwis – which on the law of averages is punching way above our weight.

But there’s a pretty good reason for them landing roles, based in Zurich, as sheriffs for the world’s biggest search engine (search being just one of its roles).

All three, Ben Hawkes, Darren Bilby (‘Sham’) and Morgan Marquis-Boire had worked at either Lateral Security in Wellington or Security Assessment in Auckland.

Ben Hawkes was essentially headhunted to Google after winning a competition, ‘Google Native Code’, that exposed a number of security vulnerabilities. The company’s HR department then contacted Lateral Security’s sales director, Ratu Mason, who quite unashamedly was able to say Hawkes was a highly skilled operator who would be an absolute asset to any organisation. Hello Zurich.

The fact that there are three NZers in Google’s goodies ‘white hat’ gang isn’t surprising, given this country’s creative environment, which encourages techies to look under software’s covers.

Mason says there are a number of IT tools which can be run in New Zealand that are considered illegal in Europe.

One example is Metasploit (no, sticK had never heard of it either), an open source platform that provides information and tools on system penetration – in other words a way of testing vulnerability.

These and other manual tools are used by security researchers to uncover vulnerabilities in a legitimate way, and sometimes they get paid to find these holes. Both Microsoft and Google pay techies to find holes in their software in a legitimate way.

Mason says many organisations in this country let their IT people carry out vulnerability testing in the background, with managers either not understanding what’s being done or turning a blind eye and hoping that the internet world is safe.

“The fact is, you need to discover things, you need to prod and poke,” he says.

“It is always on the edge of legality; but the fact is that those guys who have gone to Google have done so because of their ability to push the boundaries and be creative at the edge.”

The job of Google’s security gurus is to “discover the next vulnerability, to be creative about thinking about them before someone else does.”

Zero-Day is an IT term for vulnerabilities within a system that can’t be protected against, mainly because they’re newly discovered – a new virus with no cure, for example.

In Lateral Security’s daily work on its clients’ systems, the company will often come across a Zero-Day vulnerability. It will take this information to the original manufacturers of the services and software, pointing out the issue.

Mason regards this as being a responsibility to clients, “something we know about, but the rest of the world doesn’t.”

Mason says this ‘white hat’ (read good guy) approach by NZ techies is partly a result of Kiwis’ ‘have a go’ culture.

“There’s plenty of guys who will pull a PC apart in their garage, try to reverse engineer something.”

One example of this is the ‘Kiwicon’ event, recently held for the third time in Wellington. This year 350 IT individuals, “security nuts” as Mason calls them, attended, and such was the demand that numbers had to be restricted as tickets sold out in three days.

“These people are enthusiasts, creative individuals,” he says. “A lot don’t know where to point their attention, they’re not comfortable to disclose their findings. This is an event where they can point their knowledge.”