The Atlanta Journal-Constitution

Pay them to hack you

Atlanta firm works to expose companies’ security flaws

- By Joshua Sharpe joshua.sharpe@ajc.com

Some of Bonnie Smyre’s stories from work sound like cheesy thriller movies.

One of her favorites:

She put on generic black-framed glasses. She tucked her red locks under a wig. It was cheap looking and blond, shining brightly — like a … cheap wig — but to her amazement, security officers in the New York City high-rise didn’t seem to notice her. She slipped onto an elevator and sneaked into a financial services firm.

Toying with an unattended computer, she found her way into the guts of the software the company used to track investment­s. Within minutes, she was ready to start draining the life savings of the company’s clients.

Of course, Smyre didn’t steal the money. She isn’t a thief. She works for Raxis, an Atlanta cybersecur­ity firm that will hack or break into your business for a fee.

It might sound like a strange idea for a business, but the reason it exists is obvious: cybersecur­ity becomes more important and urgent all the time as devastatin­g data breaches become more frequent. In the long and growing list of hacking victims, you’ll find Home Depot, the city of Atlanta, the Georgia Department of Public Safety and the U.S. government.

In 2019, 205,280 organizati­ons said they’d been hit in a ransomware attack, in which the hackers

“Some of the hacks are, ‘I found one thing.’ A lot of the hacks are, ‘I’ve found a lot of little things, and I put them together.’ ” Bonnie Smyre

Chief operating officer of Atlanta-based cybersecur­ity firm Raxis.

shut down computer systems and demanded a ransom, according to the New York Times. That was a 41% increase from the year before.

Companies and institutio­ns must figure out how to keep their systems safe. In its short history, Raxis has already racked up a long client list, including Delta Air Lines, Ferrari, GE, Nordstrom and Southern Co.

Investment in cybersecur­ity is a necessity for these large firms, as well as smaller ones that could founder after a costly hack. Repairing the damage is often expensive.

When the hackers demand a ransom, things get worse.

In December 2019, the average payment made to attackers was $190,946, and several organizati­ons faced demands for millions, according to data obtained by the New York Times.

The problem is expected to get worse before it gets better because so many businesses and organizati­ons are behind the curve.

“Some of the hacks are, ‘I found

one thing.’ A lot of the hacks are, ‘I’ve found a lot of little things, and I put them together,’” said Smyre, who started as an “ethical hacker” at the company and now is the chief operating officer. “It does sort of feel like some of the movies about hacking sometimes.”

The company was founded in 2011 by Mark Puckett. He’d worked in cybersecur­ity at various companies around metro Atlanta and saw the need for a firm that could take a hard look at other com- panies and find their vulner- abilities. As others who’ve started similar firms have, Puckett thought: What better way to attack the hacker problem than to hack?

Raxis started with two employees and now has 15.

None of them went to school for hacking or figured it out in their mother’s base- ment. They generally end up at Raxis after spending years working with computers and for whatever reason becoming interested in this corner of the cybersecur­ity industry.

That’s how Smyre found herself donning that wig. She used to work at the Univer- sity of North Carolina, doing web developmen­t. One day, her high school classmate, CEO Puckett, told her about his new business, and she decided to join up.

She learned the services the company offered and how to provide them. Because the industry is fast-changing, sometimes the research is hands on, creating software and trying to break into it yourself, or falling down obscure Google rabbit holes.

It isn’t just computers that Raxis helps clients secure. They have to contend with any eventualit­y. They try to clone employee ID badges to get into buildings. They search company websites for little trapdoors to exploit. They scrutinize passwords (or in some cases, tell their clients their systems need to be password protected.)

“Once you get started, it’s just fun,” Smyre said. “It’s exciting. It’s a puzzle.”

The pandemic hasn’t slowed them down much. Raxis has started using a remote device that clients plug into their own network to allow the ethical hackers, quarantine­d some- where, to pretend they are in the building.

As it happens, the high-rise job Smyre worked a few years back serves as a good example of the sometimes surreal gig she and her co-workers signed up for at Raxis.

They were there to see if they could sneak into the building (check), slip into the financial services com- pany (check), hack into inter- nal software (check) and, ulti- mately, show the firm it indeed needed the help Raxis was offering (check).

Before Smyre and a co-worker went in, they’d researched the company and heard a lot about the breakroom, which employees had praised. Smyre went to the breakroom and saw why everyone liked it. It was fully stocked with a wide selection of free food and drinks.

She texted one of the client’s bosses to say she agreed — awesome breakroom.

A few moments later, he appeared. How did you get in here? he inquired.

?? ??
?? CONTRIBUTE­D ?? Raxis’ chief technology officer, Brian Tant, clones an entry badge. With a reader concealed in his backpack, he was able to steal informatio­n from an employee’s exposed badge and copy it to a blank card.
CONTRIBUTE­D Raxis’ chief technology officer, Brian Tant, clones an entry badge. With a reader concealed in his backpack, he was able to steal informatio­n from an employee’s exposed badge and copy it to a blank card.

Newspapers in English

Newspapers from United States