[00:00:35] Tom Garrison: Hi, and welcome to the Cyber Security inside podcast. I’m your host, Tom Garrison and with me is my co-host Camille Morhardt. How are you doing Camille?
[00:00:44] Camille Morhardt: Hi Tom. I’m having a great day.
[00:00:47] Tom Garrison: I am too. And our guest today is a break from maybe some of the other types of guests we’ve had today. We’re going with a guest who is very entrenched into the researcher community and the ethical hacking movement, which I think is fascinating.
[00:01:05] Camille Morhardt: Yeah, she is fascinating. She started off early on in life as a hacker and so early, she said she didn’t even know there was a word for what she liked to do, and it didn’t occur to her that there was anything wrong with it at the time. And then she kind of went through this whole life story of realizing that actually there isn’t anything wrong with it if you plug in, in the correct ways. So she’s kind of run with that over the course of her life.
[00:01:28] Tom Garrison: Yeah. And I, I thought it was also fascinating–one of my big takeaways–this was a person who’s obviously very, very intelligent, but she was inspired as a young girl to progress and to proceed through her cybersecurity sort of journey, but in, in very unique ways, in ways that we might not really think about. And I think it might open our eyes to how can we expose more people from various backgrounds to cybersecurity in a way that invites them to continue down that journey? And I thought her particular story was inspiring and I think others can learn from her as well.
[00:02:10] Camille Morhardt: Yeah. Well, she’s really interesting and fun and completely full of energy. So it was a great conversation.
[00:02:17] Tom Garrison: Yeah. So what do you say we get right to it?
[00:02:20] Camille Morhardt: Let’s do it.
[00:02:25] Tom Garrison: Our guest today is Keren Elezari. She is a security researcher, author, TED speaker, and an industry analyst. She is co-founder of BSides Tel Aviv, Israel’s largest hacker community events since 2016, and founder of Leading Cyber Ladies. Welcome to the podcast, Keren.
[00:02:47] Keren Elezari: Thank you. It’s so fantastic to be on the show. I appreciate the invitation and the chance to share my point of view. So thanks for having me.
[00:02:54] Tom Garrison: Yeah, this is going to be fun because our listeners don’t know, but we do, you have a sister that works with us here at Intel, and that’s how we actually came in contact with each other.
[00:03:06] Keren Elezari: Yes. And I’m so proud of my illustrious sister: Dr. Amit Elezari; she’s the first doctor in our family. So we’re very proud of her, not a medical doctor, but rather a Juris doctor, a doctor of law. And I’m very proud of her work with Intel.
[00:03:21] Tom Garrison: Yes. She’s an incredible lady; but you are incredible as well. And we want to talk about your background. You got started very early in the interest in cybersecurity. You have a kind of a non-traditional foray into cybersecurity, and I thought it’d be great to start there.
[00:03:42] Keren Elezari: Absolutely. So I first became fascinated with technology and computers from a very young age. Probably when I was 10 or 11, I was already using the computer in our school’s library. We even had a robotics lab and that was really ahead of its time in the early 90s here in Israel, I was very lucky to have access to that kind of technology. And I was really inspired and curious about this technology and spent a lot of time wondering about the many questions I had.
In fact, as a girl, instead of a bedtime story, I would read the encyclopedia! True story. That’s how much of a nerd I am. And I had so many burning questions that when I received access to the internet in Israel–which happened around 1993–it was amazing. It was like the world’s largest and never ending encyclopedia. Now Wikipedia didn’t exist back then and neither did Google, by the way. It was really about teaching myself how the worldwide web worked, so that I could find answers to my many, many questions.
And sometimes those answers were password protected websites, or they were on all sorts of curious databases. So I had to teach myself how to access all of that information. And to me, it wasn’t a criminal act, it was a really passionate curiosity. I never once in my life thought that what I was doing could be illegal or wrong. In fact, it wasn’t because we didn’t have a computer crime law in Israel until 1999. But that point aside, I was really discovering and learning everything I could about this digital world. And I was teaching myself how to do it. Until a moment that changed my life forever.
In 1995 when I met my first hacker mentor. That’s when I knew all of my activities, passions and curiosity is actually called being a hacker and could be pretty cool. And her name is Angelina Jolie. And she portrayed a fierce high school hacker and Acid Burn was her name in the Hollywood movie that captured my heart and my imagination and changed my life.
In fact, I want to show you something. So I have the soundtrack right here. It’s a digital CD format. I don’t know if you remember this format. It’s how we used to listen to music.
[00:06:08] Tom Garrison: Do I remember a CD? (laughs) Is that what you said?
[00:06:11] Keren Elezari: Well, some of the people listening to the podcast might not know, but this is how we used to listen to music. And if you just take a look at the cast of characters here, it really caught my imagination because it was just about Angelina Jolie who was so cool. It was a really diverse cast. It was a group of people that represented hackers, but they looked like all kinds of people. And it really, really captured my imagination that high school kids could become the heroes of their own story through hacking. So that’s when I really realized this is what I am. This is what I want to become. This is the world I belong in. It’s the world of hackers.
[00:06:47] Tom Garrison: I think you (laughs) might be the first person who claims Angelina Jolie as their cybersecurity mentor. I think that’s a fascinating story. And I think part of what also captured my attention was when you were talking about the diversity of people that were in this group. I haven’t watched the movie by the way. I really should watch it.
[00:07:13] Keren Elezari: Yeah, and spoiler alert, Tom: the hackers are not the bad guys, those high school kids end up saving the day. Just so you know, you’re in for a treat. I think it’s a classic.
[00:07:24] Tom Garrison: Let’s carry forward in your story. You got intrigued by this movie. And so then in Israel–some people may not realize this–in Israel there’s compulsory military duty. And so maybe we can pick up the story when you got to your service.
[00:07:41] Keren Elezari: Just after finishing high school and before my mandatory draft, I remember showing up to that first ever hacker convention in Tel Aviv in Israel. And it was about 300 guys, me, and the woman who was organizing the conference. And thanks to that woman, I felt like maybe I do belong here even though I didn’t see any other young women or girls, but I saw so many interesting people and I could just learn from them. And I realized this hacking thing that I’m into it’s not just in the internet, it’s not just in Hollywood; there’s hackers right here in Israel. And the few weeks after that is when I was drafted to the military.
So on draft day, you show up, get your uniform, get shots, get your picture taken. You also get very uncomfortable boots. Then I was sent to a small room with a stern looking officer who had a big pile of files and folders on the table with all the information about the kids coming in that day—all the kids who turned 18 and were to be drafted. And that officer finds my file out of the pile of hundreds and says, “Okay, Keren; what’s your story Keren Elezari?” And in one sentence, I looked at him and said, “I want to be a hacker. This is what I want to do for the army. This is what I know. I’m curious about hacking. I’ve spent a couple of years exploring. I would love to do for the military if you gave me a chance.” And that was 21 years ago.
So I was really lucky, I think, to be there in that point in time–turn of the millennia where digital technology was a big part of the military. It wasn’t as big as it is today, but cybersecurity was already something that the military was thinking about and that recruitment officer, while not being a technology expert or a cybersecurity expert responded to what I had to say. He said, “Okay, a hacker. I think I know what I’m going to do with you.” And he sent me to the Communication Security Department within the military intelligence branch. So he actually sent me to the relevant unit.
And for me, it was an extremely eyeopening experience because for the first time I could use my tricks and my curiosity and my hacker mindset, but I had to learn how to use it within the military methodology.
I had to learn how to use it to protect systems and not just to break things. I was much better at breaking things and poking holes in systems than I was building secure systems and through the military service I had to practice both of those mindsets: the red team and the blue team, if you will. That’s something that we talk a lot about in the security space, red team, blue team. So the military service really forced me to embrace both of these perspectives. And it taught me so much about the different technologies that a huge organization uses to deploy people in the physical realm, but how much the digital realm is what they rely on.
And I would also add, it was quite equalizing because as a woman, I was serving with other young men and women, and it wasn’t about my gender in that particular role, it was just about the talent and the passion that everybody could bring to the job. And oftentimes I would be the only woman in the room or the youngest person in the room, or both. And I believe that through my passion for technology, I was able to overcome those odds, as it were, and present a point of view that hacking is valuable and the hacker mindset is valuable.
[00:11:06] Camille Morhardt: Is there a way to actually teach hacking or is it something that you have to evolve the skill for on your own by discovery?
[00:11:14] Keren Elezari: That’s a fabulous question, Camille. And what I’m asked often; in fact, one of the most frequent questions on my talks and speaking engagements is “where is the friendly hacker school? Where do I sign up to become a friendly hacker?” So I think there is a combination of things. One is certainly there is a mindset. And I was either born or nurtured in me from an early age to have the very curious mindset–the one that keeps asking questions, the one that is interested in taking things apart to understand how they work, the one that’s not afraid to poke a finger in a hole or a vulnerability and see what happens and unravel that thread. That’s the hacker mindset, and that’s something I kind of always had with me, so I didn’t necessarily learn it anywhere. Maybe I somehow received it by osmosis from my environment, perhaps.
But there are ways to cultivate that mindset, the curiosity, the creativity that comes with the hacker mindset. I think there are ways to artificially cultivate that. Certainly with a younger age group, you could cultivate that with games, with puzzles, with mystery challenges, even the library could be an incredible place to explore and identify things. The second part of it is the technical side, and that’s certainly something that you can and must learn. In fact, I have to spend some time each day learning about the latest technology, the latest threats, the latest techniques that cyber criminals are using. So the learning aspect of the technical element is an ongoing journey, and that’s something that you can learn and that there are many types of programs and certificates and diplomas that one could take. But I would start with the curiosity and the hacker mindset. The approach, which is not necessarily tied into the technical realm, but it’s something that I think we can cultivate.
[00:13:13] Camille Morhardt: When you’re deciding kind of what sort of hacker to be on, and I’m not talking friendly or unfriendly, but just how you’re going to go about it, it’s a really broad spectrum. Do you focus on the type of system that you’re interested in hacking? Or are you looking more at like I’m going to pick software or hardware or I’m going to pick physical attack or remote attack? How do you kind of classify which direction?
[00:13:36] Keren Elezari: I think there’s a challenge there to know what’s possible in order to choose a particular path or particular specialty; kind of like the field of medicine–which is of course, vast and different–but in the world of medicine you could be a general doctor or you could have a specialization. And in order to reach that phase in your career as a doctor where you choose to become a children’s doctor or a surgeon, any other type of doctor, you are exposed to different types of medical practices. And then something probably calls out to you or you make the choice because you see that not a lot of people are practicing that kind of medicine in your community. So it’s required, it’s needed, so you choose that.
In the security world and the hacker world, I believe in showcasing the different aspects. Which is why events like BSides, which is part of a global community are so important because people can be exposed to the different aspects in the hacking world in the cybersecurity world–from hardware hacking to application security, to networks and communications, to cryptography, to cloud. There’s so many specialties that one could follow.
If somebody was asking me, how do I choose a specialty? I would recommend spending some time, even if it’s a day or two immersing yourself in each of these different disciplines and just finding what speaks to you, what grabs your attention? I was always really intrigued by network security and communications. That was kind of my forte–the area that really captured my imagination. But that’s not to say that over a few years, I also developed an interest in cryptography and other aspects of the security world like vulnerability management. So it really is up to you or up to the listeners, I imagine to spend some time. I’m a really big believer in experience and learning through experience. So spending some time in each of these areas, whether it’s through a conference workshop, taking an online course, reading an article and seeing what speaks to you so that you can choose a path.
[00:15:35] Tom Garrison: Yeah. You mentioned that you were one of just a very few females going through this. Did you see a change in terms of young girls or young women that were getting into hacking and cybersecurity in general over your time?
[00:15:53] Keren Elezari: Absolutely. You know, I have more than 25 years of perspective in the cybersecurity world. So the days of when I was the only girl, those days have absolutely changed.
Nowadays I see women all across different positions in cybersecurity, whether it’s entry-level positions, students at Tel Aviv university where I’m a researcher, or at different parts of our community with the BSides and of course with the Leading Cyber Ladies community, I see women all across the cybersecurity realm.
I am hopeful that the situation we see here in Israel with about 25 or 30% representation of women within the security industry is one that we’ll see around the world, hopefully leading up to gender equality and 50% representation, which should be the ideal. But of course nothing’s perfect in life, and I’ve absolutely seen a change. To your question, in 25 years, ladies, gentlemen, I can tell you the picture has changed. It’s a very diverse worldview, right now.
[00:16:52] Tom Garrison: So Keren you’ve been spending time teaching, I’m wondering if you could share with us what are you teaching in Israel and where are your passions on teaching taking you?
[00:17:06] Keren Elezari: So for the past few years I had a research project at Tel Aviv University where I focused on the value of bug bounty programs–otherwise known as vulnerability disclosure programs. These are programs that allow companies as big as Intel and as small as innovative startups to work with individual hackers from all over the world. And I’ve been really following the bug bounty phenomenon closely for the past six years. And through my research grant I was able to show that these programs provide incredible value, not just in the economical sense of dollar value per vulnerability identified.
Where still in many cases, these programs tend to offer incredible efficiency, if you contrast the amount of vulnerabilities and how critical those vulnerabilities are with the amount of money that companies end up paying to the researchers. But there’s also other forms of value. Like the reputational value for the company as being known as a company that collaborates with hackers, the reputational value for the hackers who build their name and their brand on bug bounty platform and often become role models and mentors for other hackers, and other forms of value as well that ultimately I believe raise up the entire level of the security ecosystem.
I do believe that we need all the help we can get that security is a team sport. It’s not just up to one government agency or a technology company to solve on their own. And my vision for the security world is one of a digital immune system where hackers play their part by helping us identify vulnerabilities.
Now in the next year I’m gonna start a new course at Lachman University, which is Israel’s latest and newest private university and this is specifically a course that’s designed for master’s students that are in management and legal professions. And it’s all about the changes in the security world that they have to understand in terms of new regulations that are coming in, digital transformation trends, and what that means from the security perspective, learning about how to work with hackers through vulnerability disclosure programs, and how the personal household is also becoming the arena for cybersecurity decisions.
[00:19:16] Camille Morhardt: You had mentioned that you follow up on trends or you’re constantly reading about trends and new ways that people are hacking. Can you just give us one trend that you were surprised that you think is here now, and you didn’t expect to see it?
[00:19:33] Keren Elezari: Sure. Absolutely. Ransomware did not surprise me. Ransomware becoming such a valuable criminal tool–in fact, probably the most lucrative form of cyber crime right now–that did not surprise me because I’ve been tracking ransomware for more than five or six years. What surprised me though, is that throughout the pandemic and throughout COVID-19, criminal groups were so unscrupulous as to attack hospitals and healthcare providers, specifically. That’s something we saw just this week in Israel; we experienced an attack on the hospital and that’s something that surprised me.
And I shouldn’t be surprised by cyber criminals because they go where the money is and they really don’t have a moral code or any ethics to speak of, but the fact that throughout the pandemic that impacted everybody around the world, they would still go after healthcare providers and hospitals, that to me was really jarring.
Now, to build on top of that we have to look at what criminals are doing because they have really used the past 18 months as an opportunity to reinvent themselves. They’ve come up with new business models. There’s ransomware as a service now where some ransomware operators partner with distributors and affiliates that make sure that the ransomware gets delivered. There’s just a vast ecosystem of players within that. There’s the ransomware and extortion model. There’s faster ransomware. So they invest so much time and effort into development of the technical payload itself so that they can spread faster and encrypt faster. It’s changing every week and I’ve been following these trends closely.
[00:21:14] Tom Garrison: Do you have a sense that this is a winnable battle? Or the more you get into it do you get more and more discouraged?
[00:21:22] Keren Elezari: Wow. Thank you for the question because I was starting to feel depressed by my own messages. That’s the challenge, I think with cybersecurity, we have to really keep our optimism. Yes, there are elements of this battle that are winnable. However, I’ve said this before, and it’s been said by others, cybersecurity and achieving security, it’s not a destination. It’s not a train that you get on, then at the end, “I’m secure. I’m done.” It’s a journey that’s continuous and we’re going to be on it. It’s never going to stop. It’s always going to be cat and mouse. It’s always going to be a new vulnerability and new technical capability and new criminal business model.
So is it winnable? I think there are ways to make security a sustainable state. There are ways to make a company more secure. There are ways to make our daily lives more secure in the way that’s sustainable. It doesn’t require you to live in a bunker with offline communications and only communicating via morse code, with a bunch of sheep in the backyard. I think that there is a sustainable way to achieve a secure state. So in that sense, it is winnable. I’m not depressed by the amount of criminals out there because there’s also a million friendly hackers out there. I’m not exaggerating. There’s literally a million according to the bug bounty platforms.
So there are so many friendly hackers out there. There’s so many great companies developing new technologies, new products, and new paradigms.
So through this pandemic period, we have experienced digital transformation like no other; there is a silver lining and that is there’s a possibility that many people’s security posture actually improved. I know that sounds counter-intuitive. I think coming out of this we are going to see different approaches to online authentication, different approaches to a network perimeter, different approaches to managing healthcare data. So we’re going to have a lot of lessons to learn from the pandemic, but the overall trend, I believe is a positive one.
[00:23:23] Tom Garrison: Maybe one last area here before we wrap up. I know that you do work with the female hacker community, and I think it’d be great to share some of the work that you’re doing specifically there for people that are interested in becoming hackers or who have kids that might want to be hackers. How do they get involved?
[00:23:44] Keren Elezari: So, firstly, I’m very proud of the Leading Cyber Ladies network that we’ve started. It started here in Israel, but it’s now global. And we’ve got chapters in Europe, North America, Canada, and the United States. And as of November ‘21, in Japan, in the Pacific region. And we’re always starting new chapters and new activities. So if you’re interested in joining a Leading Cyber Ladies networking event or meetup, check us out online at leadingcyberladies.com. We’re also on all of the social media platforms.
Now, I want to recommend that if somebody who’s listening today–whether they’re a young woman, or a person of any age or gender–if you’re curious about cybersecurity and you’re not sure where to start, I recommend reaching out to your local community meetup or event, whether it’s virtually or in person. I was really inspired by the security BSides movement, which is a network of events for the security community. I started the one in Israel in Tel Aviv, but there are BSides events all around the globe also available virtually. They are a great way to make your first step. And even if you have a younger person, or a child, some BSides events could be great for bringing your children along with you. Of course, check with them specifically.
I recommend you look into securitybsides.org. In fact, I’m wearing the shirt from BSides Study Week 2019. And Intel has been a proud sponsor of BSides Tel-Aviv since our very first year. So thank you for that.
[00:25:13] Tom Garrison: That’s great. Very good. Well, I’d like to close with our fun little segment that we do on every podcast called Fun Facts. And I know we kind of sprung this on you, but, I’m hoping that you have a fun little fact that you would like to share with our listeners.
[00:25:40] Keren Elezari: Sure. So my fun fact is about the digital currencies and more specifically cryptocurrencies, which some of you know made the scene in 2009, Bitcoin was invented or the first Bitcoin white paper was published by Satoshi Nakamoto. However, the science fiction author Neal Stephenson imagined cryptocurrencies about ten or fifteen years before Bitcoin was a reality. He wrote a story for Time Magazine in 1995 called “The Great Simoleon Caper,” which described the world with a digital currency and with some criminals stealing cryptocurrency. Later in the book Cryptonomicon, he wrote in 1999, he described a cryptocurrency in more detail. So that’s my fun fact.
[00:26:27] Tom Garrison: Very good. Interesting. Camille, how about you?
[00:26:32] Camille Morhardt: Elephants and whales both communicate on a very low frequency spectrum. Some of it so low that humans can’t actually hear it with our own ears. Part of that is so that they can communicate over multiple kilometers at a shot. But one thing that I think is very interesting and I can’t confirm is some researchers are looking into whether elephants and whales actually communicate with one another.
[00:27:00] Tom Garrison: That would be awesome.
[00:27:02] Keren Elezari: My mind is blown. That’s fantastic.
[00:27:05] Tom Garrison: Wow. I’m going to go into the world of gross for a moment. It turns out that a human adult can produce enough saliva to fill a bathtub, not once, but twice in a year.
[00:27:26] Keren Elezari: Impressive!
[00:27:27] Tom Garrison: Two bathtubs full of spit. Can you believe that? Boy, where have we gone? Well, hey, on that low note there, I did want to say it’s been great having you on the show and specifically, I think just what you represent in terms of your energy around cybersecurity, around the idea of being friendly hackers, the role that you play helping be a leader among the female community as well within that group, I think it’s great. And I really appreciate you coming on our podcast and sharing your story.
[00:28:06] Keren Elezari: Thank you. And thanks to my sister who convinced me to join the podcast.