Avast Hacker Archives

Podcast by Avast


Avast is launching a new series, Avast Hacker Archives, that uncovers the “Aha!” moments that hackers and researchers have had over the course of their careers. Jaya Baloo, Avast CISO and the host of the series, will be chatting with renowned security experts about their backgrounds, education, and, of course, their toughest and funniest hack stories and projects — nitty-gritty and technical details included. Security professionals, hardware experts, threat intelligence leads, privacy advocates, and vulnerability researchers around the globe will join Jaya in discussing current and future trends in the cybersecurity industry.

All episodes

11 episodes
#10 - Keren Elazari

“I work in the most interesting field in the world – cybersecurity. I’ve been doing this since I was 14 and I’ve not been bored a single day!” Keren Elazari tells Avast CISO Jaya Baloo early in the interview of our tenth episode and Season 1 finale of the Avast Hacker Archives (AHA) podcast. Keren is explaining how she maintains the energy to do everything she does, which includes: being an internationally recognized security analyst, researcher, author, and speaker; working with leading cybersecurity firms, government organizations, and Fortune 500 companies; being the first Israeli woman to give a TED talk at the official TED Conference (her TED talk on hackers has been viewed millions of times and translated into 30 languages); founding BSidesTLV, Israel’s largest cybersecurity community event; founding Leading Cyber Ladies [https://leadingcyberladies.com] network, a global professional network for women in cybersecurity; and being a senior researcher at Tel Aviv University. She easily finds time for everything, she says, because she loves what she does. She’s had a curious mind since childhood when her father was an electrical engineer and would leave pieces of gadgets lying around the house. He was also an early adopter, so Keren found herself with all the legacy devices of the time. Then, in 1995, she saw a movie that changed her life – “Hackers.” Sure, it was Hollywood’s version of the hacking lifestyle, but she was hooked. She wanted to be Angelina Jolie’s character Acid Burn. She began exploring the internet. Before anyone thought of internet crime laws, she was poking around and finding herself in other users’ systems. She learned to speak English by communicating on early IRC channels. Her handle back then? Acid Burn, of course. But it was her time working in a military security communications unit that instilled the moral compass that would direct her career.
She realized that her job was securing the systems on which her country relied and that responsibility was one she did not take lightly. “I like to believe that I am a techno-optimist at heart,” she admits. “So, while I grew up with cyberpunk movies and books, imagining a dystopian technological future, I like to believe that technology in the big picture has actually helped us in many ways.” And her positive outlook extends beyond the tech to the people who manage it. She led a project at Tel Aviv University that proved the fact that bug bounty hunters are not in it primarily for the money. In our episode, she explains to Jaya why hacking is like the internet’s immune system. Friendly hackers work to find vulnerabilities and bring them to everyone’s general attention, thus making the overall system healthier. “The mindset of a hacker is one that I think leads us to innovation, to evolution. It forces us to evolve, and I think it’s positive and it actually makes the world more interesting,” she tells Jaya. What is holding her interest these days? “Today, one of the things I’m researching and that I’m passionate about is a passwordless future.” She is occupying her time researching different technologies in that space, and she is hoping for a future with better forms of authentication. “Passwords belong in our past,” she says, explaining that it’s humanly impossible for people to manually manage all the different usernames and passwords they’re supposed to be managing. To Keren, the future is about leaving this password era behind us and focusing on a more holistic look at our digital identities. As Jaya says, “Digital identity is definitely the cornerstone of having a good security program, but it’s also the basis for being able to protect your security online.” Keren agrees, commenting that because people now work from anywhere, identity is the new perimeter, the new boundary. 
“Start thinking about your digital identity as an expansion of your physical identity,” she says. “Because that’s what it is. It’s part of you.” When asked what her advice is to young women who look up to her, Keren’s message is simple: You belong. Your voice matters. To provide even more inspiration, she teamed up with eight other women to publish their stories in the book “Women in Tech.” [https://sasquatchbooks.com/books/women-in-tech-3/] This season finale is packed with great insights, including Keren’s basic security advice, her take on what the pandemic did for us, and what cybersecurity needs to change immediately in order to protect our future. It’s a great sendoff to a great season of episodes. We definitely saved one of the best and brightest for last. Check it out at the link below, and we’ll see you back here soon for Season 2!

Sep 14, 2021 - 40 min
#9 - Heather Adkins

“She doesn’t just talk the talk, she also walks the walk every day in and day out for a service most of the planet has come to depend on,” says Avast CISO Jaya Baloo, introducing Heather Adkins, Senior Director of Information Security and Privacy at Google and founding member of the Google Security Team. That “service” Jaya mentions only happens to be keeping the most popular internet tool in the world safe and secure for all. In Episode 9 of Avast Hacker Archives (AHA), Heather tells Jaya that she didn’t set out looking to work in cybersecurity, cybersecurity just happened to find her. She was studying marine biology at Humboldt University when she took a job at a local ISP. Then something fateful happened that changed the direction of her life – they got hacked. All at once, Heather was intrigued, curious, and excited. This new cyber world fascinated her, and she headed down to Silicon Valley. She was referred to Google, got the job, and spent the next 19 years of her life dedicated to leading the pack in strong cybersecurity, tweaking as necessary to stay on top of the newest tech, tricks, and traps. The old way of deploying cybersecurity was site-specific. A company would have a building full of employees, those employees would work within an internal network, and a firewall would be placed around it. This is known, Heather says, as “the bonbon model” – a hard exterior protecting a soft interior. It seemed a sensible and sound method, and at first it worked. But then, in 2009, Operation Aurora struck. This was a series of cyberattacks that lasted for half a year targeting a variety of organizations like Adobe, Yahoo, Morgan Stanley, and Dow Chemical. The attacks originated from Chinese state-sponsored APT groups, and Heather and her team realized that things needed to change. The problem was that the bonbon model placed too much trust in the internal network.
Cybersecurity needed to shift from protecting the building as a whole to protecting the individual machines. The shift would also cater to the emergent trend of remote workers. It required more stringent identity validation and authentication but allowed employees, in theory, to work safely from anywhere. And that is approximately where we stand currently in the evolution of cybersecurity, but more changes are imminent. Cyberspace is experiencing something of a security paradox at the moment, where most people depend on collected data – search engines, trends, etc. – but at the same time, they want more privacy. “If I were to make a prediction,” Heather confides to Jaya, “and this is not a Google opinion, this is a Heather prediction – I think consumers will get very comfortable with the idea that data yields solutions, but they’re going to want more control and more insight in simple ways over this data. And because of that, we will see more computing moving down to the endpoints, we will see more cloud-based storage and use by NCrypted, and more agency for the user.” Heather continues, “It’s all going to come down to the endpoints. That, plus the presidential order that came down in 2021 will really drive this idea of reshaping the ecosystem because we really have to do things differently than we’ve been doing them for the last 30 years or so.” That presidential order from Joe Biden mandates that all government agencies invest in stronger cybersecurity. This will affect the entire world of security, as vendors will find new solutions to meet the president’s order, and those solutions will then trickle down to the consumers. Heather is a female leader in a male-dominated field, and she finds inspiration, even a bit of connection, with another female leader from centuries ago – Mary Queen of Scots. Not only was Mary a strong leader of Scotland in the mid-1500s, but she has a historical footnote that still resonates today with the security industry. 
She met her end due to lack of privacy. Her messages were intercepted. In a way, it was death by 16th-century data breach. She’s both a model of strength and a reminder of caution. All this is only part of the info-packed conversation Jaya has with Heather. There’s a lot more, including the increased use of homomorphic encryption, the importance of “cyber hygiene,” and Heather’s secret formula for getting the masses comfortable with a new change. You could say Avast Hacker Archives Episode 9 is our only episode where a thought leader from the Googleplex shares a googolplex of her security insights with us. Click the link below to hear it all for yourself!

Aug 19, 2021 - 38 min
#8 - Dave Aitel

“I’ve always found the best way to get a kid to learn how to hack is to tell them to just never use the computer,” Dave Aitel confides to Jaya Baloo in Episode 8 of our podcast Avast Hacker Archives (AHA). Dave is speaking from experience. When Jaya asks him about his earliest hacking exploits, he harkens back to high school days, when his parents enforced a strict “hands-off” policy with their home computer. They kept it locked in his father’s office. Dave saw this as a challenge. And not a terribly difficult one. Before long, he was picking the lock to the office door, booting up the system, and playing Trade Wars on early BBS’s. Finishing his thought on how to create the hacker instinct in someone, Dave adds that, after you forbid them to use the computer, “they will find a way to learn how to erase logs before you have the time to instruct them on that type of thing.” We are thrilled to feature Dave in our 8th AHA episode. He’s the founder of the Aitel Foundation, co-author of “The Hacker’s Handbook,” and listed by eWeek Magazine as one of the 15 Most Influential People in Security. And that’s only part of his resume! Dave is a well-known keynote speaker at industry events such as BlackHat and DEFCON. Lately, he’s been very active with the No Starch Press Foundation [https://nostarchfoundation.org], for which he is the Program Committee Chair, and he’s been working heavily in the government cyber policy area. But it was that early verboten tinkering on his parents’ home computer that gave him his start. After high school, he applied for a scholarship with the National Security Agency (NSA) and got it. The NSA paid for Dave’s college, and, in return, Dave worked for the agency post-graduation. He became an NSA employee at 21, joining the group a lot of his peers saw as “the enemy.” The NSA were perceived as square, uptight administrators, but Dave quickly learned that they were all essentially cyberpunks, like him. 
He joined the agency at a time when it was just beginning to diversify, and he tells Jaya how he did his part to neutralize any sense of elitism within the organization by, very rebelliously, parking his ‘85 Toyota Camry in the employee parking space reserved for the Director of the NSA. The agency’s motto is “One team, one mission,” and Dave began to spread his spin on it: “One team, one parking lot.” But jokes aside, Dave gives the NSA a lot of credit for its evolution, both structurally and culturally, over the last 20 years. It’s progressive in form and function, and it reflects the cybersecurity climate. Dave mentions to Jaya that the Director of the NSA personally posted a Pride Month video. It’s the first time that’s ever happened, which makes it a historic moment, and it’s a direct result of having such a large number of LGBTQIA+ members in the cybersecurity community. Additionally, they cover a range of topics from the myth that hackers make a lot of money (spoiler: Dave says they usually just break even) to the reason the term “zero-day” is a fallacy (another spoiler: it presupposes that nobody else in the world knows about that vulnerability). Dave explains how security patches can actually hurt cybersecurity in general, and he names the most commonly compromised programming languages (third spoiler: you’ve heard of all of them). Okay, enough with the spoilers! There’s a lot more in this episode, including Jaya’s question, “If you could go back and tell yourself something to do, or not to do, what would that be?” Dave’s response includes the words “crazy,” “out-of-control,” and “socially awkward,” but you’ll have to hear it for yourself to get the whole answer. Are you ready to delve into the mind of another hacker? Please enjoy Avast Hacker Archives, Episode 8!

Jul 15, 2021 - 39 min
#7 - Philip Zimmermann

“Here’s how it works!” Dan Aykroyd energetically tells the SNL audience. “Catch a bass, remove the hook, and drop the bass – that’s the WHOLE bass – in the Bass-O-Matic 76!” As he says this in his best punchy announcer voice, he picks up a real fish and drops it in a blender. The audience begins to titter, nervously anticipating what might happen next. When he punches that blender button, turning the fish into puree, the audience loses it, laughing hysterically at what would become one of the most famous SNL [https://www.nbc.com/saturday-night-live/video/bassomatic/2721441] sketches in history. When cryptographer Phil Zimmermann created the first algorithm for his Pretty Good Privacy (PGP) email encryption service, he had to give it a name. That visual of the fish in the sketch getting completely eviscerated was an apt, if not hilarious, representation of what his encryption did to the data – scrambled it up until it was completely unrecognizable from its former self. Phil released his BassOmatic symmetric-key cipher in 1991. Back then, in ‘91, the only folks using email were the ones who actually had the technical know-how to implement encryption. As 2000 neared, more and more laypeople began using email, and encryption like PGP, involving trust models and public keys, was a bit too much to wrap their heads around. By that time, however, Phil was turning his attention to secure voice protocols, a pursuit, he says, that he found much more fun than encrypting emails. Today, encryption is more widely accepted, which is a good thing as far as Phil is concerned. Citing nation states, hostile foreign powers, and the recent Colonial Pipeline ransomware attack, he believes we need strong encryption to protect every part of society, from industry and ecommerce to individuals, police, and military. 
“The damage done to our national security interest by not having end-to-end encryption is worse than the damage done by a few criminals that are doing end-to-end encryption,” he tells Avast CISO Jaya Baloo in our 7th episode of Avast Hacker Archives. Phil also tells Jaya about his history with cryptography, even including a mini-lesson on the history of cryptography. “Cryptography is the product of an arms race,” he says. “There has been for centuries, many centuries, an arms race between cryptologists and cryptanalysts. The cryptographers make an algorithm, the cryptanalysts break it. The cryptographers improve their algorithm, the cryptanalysts improve their cryptanalytic techniques and break it again. And it goes on and on for centuries.” Jaya asks Phil what he makes of the sweeping migration of WhatsApp users to Signal when WhatsApp announced that it was changing its terms of service to work more with Facebook. His answer was simple: “Facebook is in the metadata business. And WhatsApp started collecting a lot more metadata and sending it to Facebook. And that means that even though you have an end-to-end secure channel for talking or texting with someone, the metadata is still being collected.” That metadata includes with whom you’re chatting, how long the chat lasted, the time stamp of the chat, and other details. “I think social networks, and Facebook especially, have done a great deal of harm to the world. They might be fun for a lot of things, but they come at a steep price,” he adds. “If you’re not paying for the product, you are the product.” Click the link below to hear Phil and Jaya cover more topics, including how nuclear power could save the world and how Phil’s pursuit of cryptography fell perfectly in line with his passion for activism and social justice. “PGP was originally designed for withstanding the attacks of nation states,” he reveals, expounding on how encryption protects civil liberties.
It’s with great pride that we kick off Episode 7 of Avast Hacker Archives. Please enjoy!

Jun 22, 2021 - 47 min
#6 - Wendy Nather

At the age of 12, Wendy Nather was living in Israel. Her father was a professor at the University of Tel Aviv, and when she complained to him one day that she was bored, his response launched her on the course that quickly became her life’s calling. They had an electronic console known as a “teletype” in their home – essentially a primordial fax machine – and it had a little bell inside it. Wendy’s father tossed her a BASIC programming manual and challenged her to figure out how to make the teletype bell ring on command. She did. As a young woman, Wendy got a job at a bank in Zurich, where she took on her first cybersecurity duties. She stayed in the financial services industry for 12 years, specializing in IT and security. She served in the positions of strategist, research director, industry analyst, and CISO. She’s worked in both the public and private sector, including 5 years in state government. Today she heads up the Advisory CISO team at Cisco. Wendy is a cybersecurity guru with decades of experience, and she shares some of her most practical wisdom with Avast CISO Jaya Baloo in Episode 6 of Avast Hacker Archives. One CISO to another, Jaya asks Wendy what she finds most burdensome for a chief information security officer these days. Having started in security back when the only things that needed protection were mainframes, Wendy has witnessed every new evolution of technology since, each with its own specific security needs. “You’re having to cover all of that,” she says. “And where everyone else has the luxury of forgetting the old stuff, you can’t.” A CISO ready for any threat is a CISO armed with an arsenal of knowledge that spans, essentially, the history of technology. And the new tech just keeps coming. This front row seating to emergent technology revealed a pattern, Wendy tells Jaya. The same security mistakes are being made over and over again when a new technology comes out.
She witnessed it when computers went online, then again when computers went mobile, and now again as computers become IoT. The problem is that the teams introducing each new development seem to be doing so in a silo, without assimilating the lessons learned by their predecessors. Which brings us to Wendy’s main message for the security industry: more communication is essential, across all channels – device manufacturers, IT departments, security services, and even the consumer. Security needs to be understandable to everyone at this point in our technological development. “Everyone needs to know the basic security principles and how to implement them,” Wendy tells Jaya. “It can’t be the wizards versus the muggles anymore.” In fact, Wendy welcomes more muggles to step into the field. “You don’t have to have had 25 degrees in certifications and all this kind of stuff to be ‘a security person,’” she says. “There are just so many ways that you can contribute to the state of knowledge and security coming from wherever you’re coming from,” she adds. “Don’t let the gatekeepers get in your way. We’re all making this up together and you can do it just as well as we can.” Click the link below to hear more of Wendy’s wisdom and advice as she and Jaya discuss these topics and more, such as IoT sneakers, the reason Wendy doesn’t use parental controls on her kids’ devices, and certain ways CISOs can improve security without spending a penny. Wendy gives security advice that makes good, practical sense to everyone, so kick back and check out Episode 6 of Avast Hacker Archives.

May 18, 2021 - 39 min