This friendly hacker is defending our digital immune system

13 Apr 2022

Keren Elazari. Image: Kelsey Floyd

Israeli cybersecurity analyst Keren Elazari explains why she’s proud to call herself a hacker and why passwords belong in the 20th century.


The conversation around cybersecurity has no doubt evolved in recent years. Leaders are paying more attention to it as a critical business area, and the rise of phishing scams and high-profile cyberattacks has put it in the spotlight for the wider population.

However, there are still many misconceptions and misunderstandings around cybersecurity, cybercriminals and hackers.

Some may imagine the stereotypical cybercriminal to be, as cybersecurity researcher Jan Carroll previously put it, “young lads in hoodies sitting in their bedrooms”.

Furthermore, when people hear the term ‘hacker’, they can associate that with criminal activity, when in actual fact hackers are often the front line of defence when it comes to infosec.

Israeli cybersecurity analyst Keren Elazari describes herself as a proud “friendly hacker”, opting to move away from terms like white hat and black hat hackers because “the reality is more like 50 shades of grey”.

She likened friendly hackers to the friendly bacteria in our bodies, which work in harmony to help keep us healthy.

“There’s a lot of different types of friendly hackers out there and even though they might not be coordinated in their actions, the impact that they have is an overall positive impact on our security ecosystem – therefore, they have built our digital immune system,” she told SiliconRepublic.com.

‘We can learn quite a lot from the criminal hackers. They teach us a lot about innovation’
– KEREN ELAZARI

Elazari said she has been proud to call herself a hacker ever since she found out what they were in the mid-1990s. “For me, that term was never about criminal intent. It was always about the curiosity and the creativity, the passion for technology that the hacker mindset brings with it.”

The changing threat landscape

With more than two decades of experience in this field, one of the biggest changes Elazari has seen in cybersecurity in recent years is the number of devices that are creating a larger attack surface.

“It’s estimated that within two or three years, we’re going to have 10 times more digital devices on planet Earth than human beings,” she said.

“Even if you look around your home, most of us already have four or five times more digital devices than we have family members and pets. That trend is only going to continue exponentially and that means, from an attacker point of view, the attack surface has not just multiplied, it has increased exponentially.”

She pointed out that one of the biggest issues with this is that many consumers don’t know what’s going on inside each of their devices, for example when the last firmware update was on their router. “Most people don’t really perceive the responsibility that they actually have for their digital home.”

Beyond the devices themselves, the tech landscape itself has also erupted. There are new coding languages, new technologies, new cloud infrastructure and new concepts. Elazari said that while these have many benefits, they also come with their own bag of security problems.

“While the rate of adoption of a lot of these new technologies is getting faster, the rate of adoption for new security paradigms and security tools is not as fast,” she said.

“So we were kind of racing ahead into the future, definitely jumped straight into digital transformation. But the embracing of new security mindsets, or the fast kind of speed that our security mindset needs to be at, hasn’t really matched that.”

Stuck in the wrong mindset

Elazari said misconceptions around security and being stuck in old paradigms are slowing down the cybersecurity industry. This includes the stereotypical image of a hacker and the idea that all hackers are criminals.

“There are more and more friendly hackers every day and they are identifying vulnerabilities, they’re showcasing problems, they’re publishing research, they’re pushing our security forward,” she said.

“We can also learn quite a lot from the criminal hackers. They teach us a lot about innovation. Even if you just look at ransomware, there have been incredible innovations just around ransomware in the delivery vehicles and the business models with the invention of the double extortion ransomware model and the ransomware-as-a-service model.”

Another misconception Elazari is passionate about eradicating is the supposed need for what she deems to be “outdated security concepts”.

“So passwords, for example, which really belong in the 20th century. And even then, they were not a very scalable, useful tool to monitor or to manage access to digital services.”

She said the average user now has between 40 and 50 different sets of credentials or passwords to various different services, from the devices they have in the house to every social media, streaming or shopping platform they have an account for.

“We recycle these because they’re hard to remember, and why are they hard to remember? Because we are continuously told that we have to make them complicated: uppercase, lowercase, numbers, special characters, etc,” said Elazari.

“That requirement of password complexity is outdated by at least 10 if not 15 years. I think passwords should be a thing of our past altogether. But if we are to encourage people to have unique passwords, let’s encourage them and enable them to have long passwords or even pass phrases. Pass phrases would be easier to remember, much harder to guess and the more you add to it, the more it increases the difficulty for a software or human to crack.”
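As an added illustration of the length-versus-complexity point Elazari makes above (this code is not from the article or from Elazari), the short Python calculation below compares the guessing resistance of an 8-character "complex" password with that of randomly chosen multi-word passphrases. The alphabet sizes, the 7,776-word list size (the length of the classic Diceware list) and the guess rate are assumptions chosen for the example; the figures only hold when every character or word is picked uniformly at random, not by a person.

```python
import math

# Constructed assumptions (not from the article): alphabet sizes and a
# wordlist size. 94 = printable ASCII minus space; 26 = lowercase letters;
# 7776 = size of the classic Diceware wordlist.
COMPLEX_ALPHABET = 94
LOWERCASE_ALPHABET = 26
DICEWARE_WORDS = 7776


def secret_bits(choices_per_element: int, elements: int) -> float:
    """Entropy in bits of a secret whose `elements` positions are each drawn
    uniformly at random from `choices_per_element` options. This is the only
    model in which the number means anything: a human-chosen phrase is not
    uniform and is weaker than this figure suggests."""
    if choices_per_element < 2 or elements < 1:
        raise ValueError("need at least two choices and one element")
    return elements * math.log2(choices_per_element)


def expected_guesses(bits: float) -> float:
    """Average number of guesses an attacker needs: half the keyspace."""
    return 2 ** (bits - 1)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret at a given offline guess rate."""
    seconds = expected_guesses(bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Compare an 8-character password drawn from the full keyboard with a
    longer lowercase-only password and with 4- and 6-word passphrases.
    The default guess rate is a constructed assumption standing in for a
    fast offline attack against a weakly hashed credential store."""
    cases = {
        "8 chars, full keyboard": secret_bits(COMPLEX_ALPHABET, 8),
        "12 chars, lowercase": secret_bits(LOWERCASE_ALPHABET, 12),
        "4 random words": secret_bits(DICEWARE_WORDS, 4),
        "6 random words": secret_bits(DICEWARE_WORDS, 6),
    }
    return {name: (round(bits, 1), expected_years(bits, guesses_per_second))
            for name, bits in cases.items()}


def bits_gained_per_extra_element() -> dict:
    """What 'the more you add to it' buys: bits per extra character versus
    bits per extra random word."""
    return {
        "per extra complex character": math.log2(COMPLEX_ALPHABET),
        "per extra random word": math.log2(DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:24s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    for name, bits in bits_gained_per_extra_element().items():
        print(f"{name:30s} {bits:5.2f} bits")
```

Under these assumptions the 8-character password is exhausted in days while the 6-word passphrase takes on the order of hundreds of thousands of years, and each extra random word adds roughly twice the bits of an extra keyboard character. The defender's takeaway is the one Elazari states: length from random selection, not visual complexity, is what raises the cost of guessing, and the complexity rules that drive reuse work against that goal.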

‘There’s also a change in the mindset that hackers should not be criminalised’
– KEREN ELAZARI

Another outdated thought process that Elazari called out is the idea that having bug bounty programmes will act as a sort of invitation for cybercriminals. These programmes are essentially rewards offered by organisations and software developers to individuals who report bugs, especially those pertaining to security exploits and vulnerabilities.

Elazari said it’s important that organisations realise that bug bounty programmes do not invite cybercriminals to maliciously hack them, mainly because cybercriminals do not wait for an invitation. Luckily, she said this attitude is changing and more bug bounty programmes are popping up.

“It’s a little bit of crowdsourcing, a little bit of open-sourcing and really ends up benefiting everybody. It raises the level of security for everybody.”

She also said bug bounty programmes are sometimes a way of finding really great talent within the security space – a potential solution to the critical skills shortage within the industry. It can often highlight talent that may not have access to the traditional career path of going through university and so it diversifies the expertise. It also gives younger hackers a legitimate route into the security ecosystem.

“When I was growing up as a hacker in the mid-’90s, I couldn’t participate in bug bounty programmes and be legitimately rewarded for my actions or even publicly acknowledged by my name for my actions. I had to hide behind the screen and a nickname if I even wanted to get something changed out there in the world. So there’s also a change in the mindset that hackers should not be criminalised.”


Jenny Darmody is the editor of Silicon Republic

editorial@siliconrepublic.com