Chema Alonso, Eleven Paths: The security guru

03 December 2013 |


A former poster boy for the hacking community, Chema Alonso is bringing his huge expertise on security to the telecoms community. Capacity catches up with the CEO and founder of Eleven Paths.



When Chema Alonso takes to the podium, he brings with him a lifetime’s experience in fighting cybercrime. He will also bring a pen, and quite possibly, some paper.

But the one thing he will not bring is a laptop – at least not his own. For Alonso, the chief of Eleven Paths, the fraud-busting “spin-in” that was created earlier this year by Telefónica Digital, is a cautious man. Some might say overly-so – after all, who else do you know that routinely tapes over the webcam of any terminal on which he works, lest it be hijacked by some criminal element in order to garner secrets such as confidential passwords?

“You would be very surprised”, Alonso cautions, “just how easy it is to hack into a webcam.”

And indeed, I was. It turns out that it is possible to hide a few lines of computer code in the “play” icon on an internet page that, once clicked, can take over a web cam and start sending images of the user and their keyboard to another machine anywhere in the internet.

It is, I quip, enough to make you feel a touch paranoid.

“All hackers are paranoid”, replies Alonso. “We have to be. At the end of the day, I don’t want to be a victim, so I leave my own laptop at home when I come to conferences.”

Yes, you read that right: Alonso, founder of one of Telefónica Digital’s most high-profile acquisitions of the year, is a self-confessed hacker who writes a blog under the strapline “A computer guy on the evil side”, and whose motto loosely translates from Spanish into “no hacking, no fun”.

But the hacking community is made up of good guys as well as baddies and the beanie-wearing security genius, you will be relieved to learn, is very definitely a poster boy for the former.

A keen snowboarder and Star Wars fan, when Alonso is not politely batting away requests from desperate high school students looking to retrospectively tweak poor grades or e-mails from companies looking to spy on staff, he is devising state-of-the-art security techniques to keep cybercrooks at bay.

He holds an honorary ambassadorial role at Madrid’s University of Technology and lectures at both the European University of Madrid and the Open University of Catalonia, he has published more than 50 papers on cybersecurity, authored two books, set up a specialist company to publish seminal works by like-minded hackers and he is lauded by Microsoft, where he has appeared on the software giant’s register of so-called “Most Valuable Professionals” (MVP) every year since 2004. The MVP progamme highlights independent individuals with “exceptional technical expertise”.

The fight against metadata
Before founding Eleven Paths, Alonso set up Informatica 64, a Madrid-based security firm that is perhaps best known for its work in creating FOCA, a network reconnaissance tool that hunts out metadata that has been inadvertantly discarded out on the web.

Metadata is essentially data about data and it lurks invisibly behind virtually every document that is created, from a simple Word document to a PowerPoint presentation or a PDF. Metadata carries a vast treasure trove of confidential information for would-be fraudsters, including the user name of the terminal that created the file, as well as how and when it was formatted and who the recipient of the file was. In the wrong hands, metadata is dangerous stuff, which is why Alonso created FOCA to hunt it down and clean it up.

Alonso sold Informatica 64 to Telefónica earlier this year and folded its operations into a larger security-focused unit under a new name, Eleven Paths. The name, he says, comes from an in-house joke: for every quick and easy way into a company’s seemingly watertight defence system, there’s another one right alongside it – hence, two ones side-by-side, or the number eleven. “It’s good branding – we wanted to be different from the very beginning. Plus it trips off the tongue nicely.”

Impressive as Alonso’s credentials unquestionably are, one has to ask why Telefónica Digital, under pressure to hold good on a pledge to deliver annual revenues of €5 billion by 2015, is putting its faith – not to mention its reputation – in a man who to all intents and purposes represents the very antithesis of the telecoms establishment.

But it is precisely because Alonso is so ready to strip away all of the preconceptions that have shaped the current industry status quo that he represents such an interesting proposition to Matthew Key, Telefónica Digital’s enlightened CEO.

To Alonso, the challenge is to liberate Eleven Paths’ small team of 20 or so engineers, so that they can blaze new trails.

“We are completely different. We want to use the vast knowledge base that Telefónica has built up internally, but we want to put it to new uses. We are looking to the future but not through the eyes of a traditional carrier – we won’t get involved in Telefónica’s traditional product pipeline,” Alonso says.

The acceptable face of hacking
Eleven Paths has a huge depth of experience in the hacking environment and the challenges that new companies face in the digital age. Alonso’s goal is to harness all of that know-how to create a suite of innovative security products, both for Telefónica and for its enterprise customers.

“The beauty about Telefónica is that a vast amount of data passes over its network. And that is a huge positive – we see a lot of potential threats, a lot of attacks, a lot of information out there in the wild that we can harvest and learn from.”

And learn we must. Alonso warns that the great misconception among many businesses, big and small, is that their intellectual property is safe and secure behind the four walls of the company HQ.

“It’s not – it’s out there in the internet and it’s vulnerable. Security is no longer in the hands of the company – it is in the hands of every employee who picks up their device, types in their user name and connects to the network, whether they are on the company premises or not,” Alonso warns.

But the growing trend for employees to use their own device for company business is just part of the story: the explosion in demand for cloud computing services is also casting a long shadow over the integrity of company data as it travels to and from the cloud.

Carriers might be desperate to tap into the high-margin enterprise market, but they must accept that in so doing, they are taking far greater responsibility for the safety and security of that data as it travels through all the various levels of the network.

The pipeline of new products at Eleven Paths aims to serve both the Bring-Your-Own-Device phenomenon and the move towards sophisticated cloud services. Chief among them is a new penetration testing (pentesting) tool that simulates an attack on a network in order to lay bare any vulnerabilities.

It is the acceptable face of hacking and it is a key weapon in Alonso’s fight against cybercrime.

“The more we meld our lives into the digital world, the greater the security threats we lay ourselves open to,” says Alonso.

Such is the breakneck speed at which this is happening, that many companies – carriers included, are struggling to keep up.

“Companies typically bring in an outside consultancy to test their network security once, maybe twice a year. But the bad guys are testing the system every day. Security must be a key pillar of internet and services architecture from the beginning,” Alonso says.

The company has already developed a tool that can test the networks of medium-to-large businesses up to 2,000 times a minute, with further developments aimed at the smaller end of the market are also in the offing.

The CV
Hacker Nickname: “Evil one”.
Education: Graduated from Madrid’s University of Technology with a first-class degree in Computer and Systems Engineering. He holds a master’s degree in Information Technology and Systems and a PhD in Computer and Information Sciences and Security from Madrid’s King Juan Carlos University.
Career: Co-founded Informatica 64 in 1999 and went on to develop the metadata tool FOCA. Sold the company to Telefónica Digital in April 2013 and folded the business into a new venture, Eleven Paths, of which he is CEO. Also owns OxWord, a publisher specialising in books on security issues and hacking.
Awards: Alonso is an Honorary Ambassador for Madrid’s University of Technology.