Amber Mac: Keren, thank you so much for joining me today. I was recently listening to an interview that you did on a podcast for MIT and the host introduced you as a friendly hacker. Is that an accurate description?
Keren Elazari: Absolutely. And thank you so much for inviting me to be a part of this conversation. Yes, I am absolutely proud to call myself a friendly hacker. I think that hacker is not necessarily a criminal term. It's a capability, it's a mindset. And I grew up as a very young, curious little girl right here in sunny Tel Aviv, Israel. And when I was hacking, I didn't realize I was doing anything criminal. I was just driven by curiosity. I was discovering what the internet had to offer. I was learning about how technology worked. I was taking apart computers. I never for a minute thought that my actions could be malicious or criminal.
And actually it was only in the year '95 when I saw the film "Hackers" that I realized this activity could be actually seen and called a hacker, especially when Angelina Jolie does it. So she is responsible for my career choices. Ever since that moment, I have been very proud to call myself a hacker.
AM: Before we get into the conversation about some of the threats that exist today, I wanted to ask you about this concept of a friendly hacker and a not so friendly hacker. Who gets to decide what the line is?
KE: Fantastic question, Amber, and it's not easy. You know, in the past, in the security world, it was kind of common or classic to talk about white hat hacking versus black hat hacking. You may have heard these terms. I've recently started to walk away from those terms. Firstly, I think that using a color to denote malicious or unmalicious motivations is way too black and white. The reality is a lot more like 50 shades of gray in any case, it's a lot more nuanced.
And the reason that I like to talk about friendly hackers versus malicious hackers, who draws the line, it's a really good question. It's about, do you cause harm? Are you using your hacking in order to extract payment or to leverage it into somebody doing something that they didn't want to do? These are very clearly malicious activities.
However, at the end of the day, there is a moral compass that's kind of internal for each person or each group to decide whether what they're doing is ethical or unethical. And the term ethical hacker has also been used quite popularly in the security industry and there's good reason to use it. I like to talk about friendly hackers because I think that these nuances and these motivations can shift and they can change. And for example, if you look even during democratic campaigns or democratic elections, there might be a group of hackers which is friendly towards a specific cause or a specific idea. But a few years later they might not be your allies anymore. They might be somebody else's friends. So it could be a shifting alliance. It's not necessarily strict or cut in stone like black and white.
However, for me, that moral compass has always been about how can we use the power of hacking for good? How can we use it to better people's lives, to uncover security vulnerabilities, to improve technology, to improve our lives? And that's my personal compass.
AM: Let's talk a little bit about the conversation that is going on during this event, which is of course the future of 5G networks. When it comes to these networks, what is your opinion right now in terms of security?
KE: Oh, fantastic question. So 5G is actually already here in Israel. One of the local CSPs has already rolled out 5G access and it's available in other places around the world, in the US, in Europe, in Finland, I'm sure that it's already available. We can rest assured that for criminals, it's not that brand new. Criminals are always the early adopters for any new technology, any new capability that's becoming popular, that's gaining traction, you can rest assured that the criminals will find different ways to abuse it or to research it and to see what they can come out with this new capability that's available to them.
So I recently had the privilege of listening to an expert who spent more than a decade at Nokia researching cybersecurity threats in cellular networks. Her name is Dr. Silke Holtmanns and she recently spoke in a webinar and she talked about the actual attacks that she is seeing in the world of 5G from the criminal perspective. And what's really curious is that one of the most popular ways that criminals have been abusing the 5G world is by crafting location finding attacks. So they've been using the signaling protocols and it might even be SMS protocols, but the basic signaling protocols within the cellular network to help them identify the location of potential targets.
Now, this is not necessarily a capability that's used just by criminals, it's also something that could be used by law enforcement and some aspects of it are built into the network. But when I think about security of 5G networks, one thing I consider is the more granular control for location information and whether that could be potentially abused.
AM: When we think about some of these threats, you often hear that people want to get inside the minds of some of those criminal hackers. What are they thinking? What do you think about, about that mindset?
KE: So the hacker mindset, the attacker mindset is actually extremely educational. And that's how I spend most of my time, most of my days, researching the tags and the motivations for potential attack groups. And it can actually show us a lot. There's an old saying that your adversary can be your greatest teacher. And it's absolutely true. The attackers out there show us what's possible. And sometimes they use technology in a way that was never planned or intended, or they take one unrelated technology and they make it even more popular.
One great example of that is ransomware where criminals have come up with almost a perfect crime where they take away your data, they steal your access to your data, and then they sell you back that access. And recently they have evolved that with the next stage of ransomware, which now also includes the threat of leaking the data.
So let's say they attack the company. They have encrypted their files. They took away a copy of their files. Now they're gone, they want you to pay in order to decrypt the data so that you can have it, that you can go back to your normal operations, but they also double their payment and they say that, you know, if you don't want us to leak all of this out to the public, if you don't want to be known as a company that was hacked, you're going to have to pay double.
So it's very clever. Yes, it's absolutely criminal. But if you think about it, they're weaponizing our own data against us. And this is a sort of use case that really brings to mind how important cybersecurity is. And even the classic aspects of cybersecurity like backups, or having secure access to your data and making sure that you are ready for such an occasion. And it's not something that a lot of companies thought about, you know, before the advent of ransomware. Backup was never sexy. But ransomware has brought sexy back to back up, if I can say that.
AM: It's interesting when we talk about network security, we should definitely have a conversation about the Internet of Things, knowing more and more that there are billions of devices connected to the internet, not all of them secure. So with the rise of IoT, how do you then view the future of network security?
KE: Wow, so first of all, it's true that planet Earth is already home to more digital devices than human beings. The Munich Security Conference did a report on this together with Gartner and 2020 is the year where we are forecast to have about three times more digital devices, IoT devices in our lives than human beings. And probably, you know, Amber, I know that you're in the studio right now so definitely are surrounded by digital devices, but even at home where many of us are these days, we have more digital devices than family members and pets.
And that's the trend that we're going to see. We're sharing our households. And that also means our corporate networks these days, because we're also working from home. We're sharing our household and our corporate networks with a bevy of devices. And they're for different purposes, whether it's education, entertainment, fitness, home safety, but these devices are part of our ecosystem. They're a part of our lives. Hackers have known this and they were the early adopters of hacking into these devices. So five years ago, and eight years ago, we heard about hackers hacking into baby monitors or home safety cams and they're still doing it today.
If you want to learn a little bit more about it and why you have to take the security of the devices you bring into your home or your office seriously, all you have to do is go on the little internet safari. You can do that using a search engine called Shodan, Shodan.io, Shodan like the black belt in karate, it's actually a tool that was created by a brilliant, friendly hacker to showcase how every internet connected device could be potentially scanned remotely. And yes, bad guys can use this tool as well, but you can use it to identify the different types of devices that you have in your home, in your organization, in your corporate network. And that you didn't even realize that your office Xerox machine was talking to the internet, but it is.
And we have seen the capability to use these devices for bad, for malicious purposes, whether it's to harness them into a botnet, that's a network of infected devices that then overloads key internet servers like in the Mirai attack which took place in 2016, took down a lot of major internet websites because they overloaded a primary DNS provider. So we've seen that use case.
We've seen the use case of using the computing power to generate cryptocurrency - that's crypto mining. These are very creative use cases that criminals have come up with. Now, I want to double down on this Amber, because a lot of people say, I don't have anything to hide. So what if my vacuum cleaner talks to my lamp and to the camera outside, I don't have any secrets. I don't have anything to hide. It's not just about protecting secrets. It's about protecting the connectivity of all of these devices. It's part of your ecosystem. It's part of the fabric of our new digital life. And if these devices are hacked or manipulated in some way, it actually impacts all of us.
So think about it a little bit in the context of hygiene, right? These days with COVID-19, we talk about hygiene all the time, we wash our hands, we maintain social distancing and you wouldn't want somebody who was potentially infected to just walk down a full street without their mask on. So having all of your devices at home, potentially vulnerable, is kind of like that. You're not maintaining cyber hygiene, you're actually helping spread the infection further. So I hope that's the lesson to everybody who's listening to kind of take control a little bit about all of the devices that they have in their home. And it can be a little bit scary.
AM: Absolutely. I read recently that the average household with two teenage children will own roughly 50 internet connected devices by 2022. We know more and more, there are more opportunities for issues with all of these connected devices. When we talk about hackers and some of the new methods that they are using right now, can you discuss that in terms of what the audience should expect over the coming years?
KE: Yes. So what we should expect from attackers is innovation and adaptation. And we've seen that. We've seen that with the way ransomware now evolved to include that leak element, that extortion element. We've seen that with crypto mining using computing power to generate cryptocurrencies. We're seeing that with attacks on IoT devices, harnessing them for botnets to take down websites. And a lot of these components in the criminal world are now commoditized. So they're actually done as a service. So you don't have to really be that big of a hacking expert to be a successful cyber criminal. All you need is some seed money, preferably in an alternative cryptocurrency and you can actually buy, or, you know, be an affiliate in a larger program that offers ransomware as a service, denial of service as a service, crypto mining as a service.
Now, some of the latest aspects that I've been researching, because we've all gone into lockdown, because people work from home, criminals are now focusing on the digital collaboration tools that we all have come to rely on, whether it's Zoom or WebEx or Google Drive or Trello or whatever it is that you use in your company and by the way, chances are that you use a dozen different digital collaboration devices, not just one. These digital collaboration tools have become the targets for criminals because that's where they can find intellectual property and more importantly that's where they can get access. They can trick you by sending you a link that looks just like a WebEx sign in or a Zoom sign in, or they can tell you, you need to update your app because the work, like the Trello or the task management tool, whatever it is that you're using Slack, whatever it is, you need to update it. And that's how they trick people and they get on people's devices on their phones or their computers.
So they're really using whatever's popular right now to get on people's devices and from there into the corporate network. So it's a lot about access. This is one of the things I've been really seeing, criminals are now really focusing on where they can get access to the most lucrative victims, the most lucrative targets. If in the past it was more opportunistic - we're going to send a million phishing emails, we’re going to create these fake websites. Now it's a little bit more targeted and it's about finding specific access to interesting targets that they can monetize.
And the monetization is not just about stealing intellectual property it's also about weaponizing data with ransomware and with leaks. It might be about disruption. It might be about denial of service, there's different aspects to that. But at the end of the day, you can expect criminals to come up with things that we haven't imagined yet, which is why the hacker mindset is so crucial. It's why we need hackers researching these capabilities and showing us what is possible because what they show us what's possible now in five years becomes an attack that we all have to deal with.
AM: So let's talk then a little bit about prevention. What can leaders who are watching today do to protect their networks?
KE: So there's quite a few different things that can be done to protect your network, whether it's their home network or your organizational network. I always say it doesn't start with technology, it starts with talent, it starts with people. Putting the people on the front line and empowering them with capabilities to make better security decisions. We all make security decisions all the time. When we click on a link, when we install an app, when we connect to something and we need to empower the workforce, whether they're at home or on an island or in the office, or in an airplane, to make better decisions. And you yourself, the audience, the dear listener and of course you Amber as well, we've all also had to become the CTOs, the chief technology officers, of our own home environment, regardless of what our position in the office is. We might be the CEO or the CFO, you might be a product manager, a journalist, a designer - at home we are the CTO right now.
And so we have to really accept that responsibility with both hands. And that means setting time aside, you know, once a week, once a month to do a little bit of a review, what's going on with all of our devices, how many digital devices do we actually have at home? Where are they all connecting? Have we updated the software on these devices? When's the last time Amber, you updated your router operating system?
AM: Well, it's probably been many, many months.
KE: So it's a task that we don't really understand as something that we all have to do. Or alternatively, the communication service providers can step in and actually help people take care of many of these tasks. And this is something I've been saying for years. I'm not just saying it because we are here on the line with Nokia, I've been saying this for years, communication service providers have the capability to support people in many ways and to help them, whether it's by protecting the access to the devices that people have at homes, whether it's by making sure that the devices have up to date operating systems or just empowering people with better security tools so that they can make better decisions themselves.
And there's a lot that can be done there. And I think in the past, CSPs have been hesitant to be very active on the security front, because it has a little bit of that connotation of we're messing with what's in the pipes. We just want to be the pipe. We don't want to mess with the flow of data. But when it comes to security there's actually a lot of things I think CSPs can do to, for example, block known IP addresses that are affiliated with cyber criminal activities to identify communications that are part of botnet infections and drive down infections.
I know there was a project focusing on that in Australia, combining the Australian ISPs and they've seen great success with reducing their botnet infection rates, using a capability like that. So there's a lot more that can be done by the CSPs.
AM: So, I started off this conversation with you asking about friendly hackers. So as we wrap up, what are the opportunities to collaborate with the friendly hackers out there?
KE: So, one of the most important things I want to share with the audience today is that security is never one and done. It's a journey and it's a journey that we're all in and we're all in it together. And that ecosystem requires the attention of technology vendors, communication service providers, individuals making decisions at home as consumers, and as employees in the office and the global community of friendly hackers, which have actively been helping people identify vulnerabilities.
So one of the phenomena, one of the ways to work with hackers is through something called bug bounty programs. And that's something I've been personally researching for the past five years at Tel Aviv University. Bug bounty programs have proven to show incredible value in helping a major company or an innovative company, or even a government agency, like the Department of Defense, the American Pentagon, identify vulnerabilities that were in their blind spots for years, months, or for a long period of time. And these vulnerabilities are identified by friendly hackers who then report on them and are acknowledged and rewarded for their actions, that's the bug bounty, that's the bounty element. That's very important.
And the award can be, you know, a t-shirt or money or a gift card, or even a medal. The bug bounty program for Tesla gives out medals, challenge coins, which only go out to the top hackers that can hack Tesla's products. That's their cars, their hardware, their firmware. So hackers are really motivated to go after these things and they call it the Hacker Olympics because you win a medal at the end. And it's one great way, it's just one example of how a company can actively work with hackers.
At the end of the day, bug bounty programs are very, very efficient. They're one way to do it. The rest of the work, the rest of the journey, we all have to be in it to win it, right? We all have to consider security as a shared goal, an ecosystem goal, not just something that the IT department needs to worry about, because it is not just about protecting secrets it's about protecting a digital way of life. One, which right now we absolutely rely on and we're going to rely on so we have to care about security.
AM: Keren, before I let you go, is there anything that I didn't ask you that you want to share with the audience today?
KE: Yes, so one more thing I wanted to bring up about 5G security. I think 5G is going to be a major part of many other technology mega-trends. It's one trend, but when you bring it together with IoT devices, with sensors everywhere, with autonomous vehicles and with a lot of other trends that are actually converging right now, the security of the 5G configuration and the devices, the technology that's in it, is going to be key. It's going to be really crucial.
So as you make your decisions right now with your planning, maybe your 5G journey, as you're thinking now, what you're going to do down the line, think about that as well. It's not just the 5G cellular network that you are buying into, or that you're planning into in terms of the technology. It's also a lot of other elements that are going to play into our lives. It could be medical devices, sensors, cars, smart cities, a lot of different elements. And this convergence, this mega-trend really requires us to make very responsible decisions these days about the technologies that we trust and how we plan for a trusted future down the line as well.
AM: Well, listen, thank you so much. I definitely enjoyed getting inside the mind of a friendly hacker like yourself. Thanks for being here.
KE: My pleasure. Thank you so much Amber and you're welcome to jump into the friendly hacker world anytime you like. You're invited.
AM: Great, thank you so much.