Hi Hackers, it’s your podcast host and best friend - Amy Tom 🌈
As the CEO of Nanolock Security and a serial entrepreneur, Eran was such a great podcast guest to chat about ransomware and malware with. If you’ve been following the podcast for the past year, you might know I spent a bit of my career in the cybersecurity industry, so I always enjoy chatting to people about what the current industry is like. And of course, the cyber war in Ukraine comes to my mind immediately when I think of cybersecurity today.
To date, there hasn’t been any major news on cyber attacks in Ukraine - most of the warfare seems to be happening on the ground or in the air. As Eran explained on The HackerNoon Podcast, this could be because we don’t know what’s happening. It could be because things are not getting disclosed. There could be a number of reasons.
One thing he told me is that you should act as if hackers are already inside your network and have plans for every scenario. I think you can literally hear my head spinning, haha. There are so many layers to keeping an organization safe and secure, that it already blows my mind - with or without potential cyber warfare in the mix.
I think you’ll like this episode of The HackerNoon Podcast. And until next time, stay weird and I’ll see ya on the internet ✌️
Amy chats with Eran Fine, the CEO and Co-founder of Nanolock Security, about the ongoing cyber war in Ukraine. They also chat about the history of Russian-Ukrainian cyber attacks, ransomware, the Colonial Pipeline attack, and more. 🇺🇦
On this episode of The HackerNoon Podcast:
This episode is sponsored by Sonatype - the software supply chain security platform that reduces open source risk and minimizes exposure. Visit sonatype.com for more information.
Find Eran online:
Connect with Eran on LinkedIn: https://www.linkedin.com/in/eranfine/
Machine-generated, please excuse the errors!
[00:00:00] **Amy:** This podcast episode is brought to you by Sona type your software supply chain security platform. So just head over to Sona type.com to find and fix critical security vulnerabilities and listen over 15 million developers trust to type. So if you are looking to develop smarter and not harder in a secure way, go over to Sonatype.com. Seriously, you won't regret it anyways, onto the episode.
Hey hackers. Uh, welcome to another episode of the hacker union podcast. Of course, it's me your best friend and host Amy, Tom. And today I am going to talk to Eran Fine, who is the CEO and co-founder of NanoLock Security. But first let me tell you, okay, let me tell you. That I went to a concert last night for the first time in three years
And I almost cried because I was so overwhelmed by like the idea of being in that environment. And then I was like, cool, I'm ready to meet people and get into the culture. And then like I got there and I froze, like I couldn't talk to anyone. It was horrible. My extrovert ism has failed me too, but, um, we'll get it next time.
I'm going to make some friends. It's going to be great. And anyways, Thanks so much for coming to the podcast. How are you today?
[00:01:28] **Eran:** I'm very, very well, by the way, it's Iran with an E. Not with an, I am not the country. It's not that we brought Iran into the conversation. You're not speaking. Was those bad guys from the east.
Correct. And I'm very well we've hosted
[00:01:45] **Amy:** by the way. It was Jordan Rakei. So in Amsterdam, he is a UK R and B singer artist. It was amazing. Absolutely beautiful. It was beautiful to be in a room full of people, you know? Oh my goodness. Like what a concept? No math. No. No mask, it was normal. Like it was completely normal.
And I thought, wow, it's been two years. It's been three years since I've been to a concert, but it's been two years of this. So I'm very, I'm feeling very grateful today. So, um, but today I want to ask you. Please tell me, who are you and how did you get to where you are today? All right,
[00:02:24] **Eran:** so my name is Aaron fine.
I'm the co-founder and CEO of a company called nanoblock security. Now security is providing protection for connected devices in the industrial and energy sectors. Prior to that, I was working a little bit in, uh, the nanoscience center of the Tel Aviv university. And chink wine, China, which is the Chinese MIT.
I had three startups and I was fortunate enough to sell two of them. And between startups I did with every technology guys doing, I created comedy shows. So that's my background. Okay.
[00:02:54] **Amy:** Pause. Which comedy shows
[00:02:57] **Eran:** well there's Israeli comedy show. So, well, I didn't answer that. I'm based in Israel. So I'm the most normal one.
If somebody wants to browse a school, the leash, and it has about 200 episodes and it was all of my shows were either on national TV or cable here in Israel. But, um, it's definitely in Hebrew, there's some articles in English about it, but it was in Hebrew. We speak Hebrew here. Um, but, uh, and we, you know, Okay.
[00:03:32] **Amy:** All right. I hope so. Or going into the comedy category. Okay. Aside from the comedy, what genre of startups were you into?
[00:03:43] **Eran:** Um, the heavy stuff. So before nine o'clock, which is a cyber company detect cyber company. My previous company was called re O R w E. And that was an optical packaging of LEDs. We invented the.
In the world, uh, planner led, which is a new category in lighting. I have 22 patents on the world of electro optics and electro luminance materials. Um, before that I was with two software startups. So these were the areas. Not at all because the software company, so the categories, cyber using software, but these are the companies I was involved in.
I was also involved in a company called imagine that was sold to snap, what used to be Snapchat. And that was there's a feature. There are for reality and social force. So it was not a founder of the company, but I was working with the founders until the acquisition by snap, I think four years back.
[00:04:38] **Amy:** Startup world, but I actually wanted to talk to you about though is really specifically like ransomware and in ransomware in the current day times and what we can expect, especially given the war in the Ukraine with Russia. So, first off, I want to start by asking you. Whose job ransom it is whose job it is to care about ransomware.
[00:05:09] **Eran:** Which is, um, Amy, I have your computer, please make baby five Bitcoins on that. If you don't do that, your pictures with your dog will be disappeared forever. Well, he's a nice dog, but this is that's between you and the financial hackers. Um, there is ransomware or state level attacks or big financial events where you attack an organization.
And the reason for it, secondary organization are to either to bring it to. So you can not function or to get money out of that organization by bringing you on its knees. So he cannot function. The war in Ukraine is a trigger for two things. Number one, tactical. Russia versus Ukraine. I can bring an organization with its sneeze.
Number two is creating an act, a Kilz. So what we're seeing around this is what we call cyber chaos, where everybody's against everybody with the financial extras versus the state level. Actors is fate of Alexa is disguising themselves as financial actors. Um, there's so much complexities and havoc and chaos around us.
So read some work can be done by organizations for financial. Organizational purposes. And this is the flavor of the consumer side, which I think we'll leave out of this discussion because they just don't click on strange emails or limit your porn, you know, porn usage, and you'll be out of the, out of the danger, the enlistment.
[00:06:43] **Amy:** So when we talk about like enterprise level around somewhere then, right? Which companies right now, given the global situation or the situation specifically in the Ukraine need to be concerned
[00:06:56] **Eran:** about ransomware again, that's the, that between the story and Ukraine, which is companies that are related to that.
So defense companies relatively close geographically. Um, companies that can influence from a media perspective will be subject to those kinds of attacks. Right? The second layer is the companies that are not linked directly, but, um, Are in the public eye now, utilities, energy waters. So you were up, is this considering the events in Ukraine, a risk in terms of energy consumption?
If I wouldn't have been in a heck of a hacker, this is a very, very good time to attack the, uh, critical infrastructure and infrastructure in Europe because they're more vulnerable applies the same for the U S. So I'd say this kind of an event trigger, first of all, critical infrastructure defense, and, and media organizations, the wrong this universe in the second layer.
Um, it reminds everyone that, um, critical infrastructure customers are willing to pay a lot from colonial pipeline to anybody else. And in times of such is the willingness to pay is even arises.
[00:08:10] **Amy:** Yeah. Y then to date, as far as I'm aware and you know what else we're recording this it's like early April still, but why then at this point, have we not seen a massive attacks?
Like the colonial pipeline attack in.
[00:08:27] **Eran:** Number one. I don't know if they were or not. So none, everything meets the public eye and there's a lot of this information coming from Ukraine and the Russians. So I'm guessing there's a lot of, um, uh, events there. Number two are hacks around it in the dark. You can find a lot of traffic and a lot of discussions, a lot of utilities and, uh, smart infrastructure ingredient are under.
You're using that you you're speaking about ransomware, which is a very specific kind of attack. There are other ways to attack or, um, to have a cyber attack other than restaurant work. So there is quite a lot of thing events happening around it. Just remember there was a huge attack on Ukraine in 2017.
So this war, which has casualties of the ground, started with a non casualty. Cyber warfare back in the late 2000 and tens. So it's always out there. Number two, some of the PR the protection become became better. So the guys who were providing protection, you came more sophisticated, but it's an endless war.
They will eventually fail. And the third one, which I find to be the nicest. Um, actually, you just don't know because it's not supposed to be out there. So quite a lot of attacks, which are what is called apt, advanced, persistent threats. You put them, but you'll use them when you want to use them. So give them, let's take a situation where I want to attack a country.
There's the first wave I put my. Coding side. I say, okay, two years from now, when the, um, conflict with Iraq again, I will use it again. So think of a tax, not as a, I'm doing an attack, like I'm conducting an attack now I want to see results. Now I promise you that quite a lot of the infrastructure in the U S has already been act by state little actors, which will wait for the right time.
In many cases, the Americans find out, took it out. So it's a, it's a, it's a brains game and not immediate game. We'll just publish it. He has a restaurant where a lot of this is happening either undetected or twice on detective, detective deputy's confirmation by somebody who found out.
[00:10:34] **Amy:** Right. So you bring up a good point.
That is something I never thought of before, but does Ukraine have the same kind of laws around exposure of data attacks or cyber attacks and data fraud or exposure as America? Do you know what I'm asking?
[00:10:53] **Eran:** Yeah. But I think in a time for all the regulations are thrown into the basket. So even the U S will never exposed.
So there are so many events, especially in time before even a cold war, the full under act that prevents publishing information. I'm sure also in the U S are quite a lot of events and cyber events and not only cyber that occurred that are not published. Although America is very open, you have a relationship with some things.
Well, let's do national security, which will never be published. Right.
[00:11:24] **Amy:** That makes sense. Okay. So with an attack, like the colonial pipeline attack. So just to maybe recap for anyone who doesn't know anything. Also for you to fact check what I am aware of. But, um, as far as I'm aware of the colonial pipeline, ransomware attack was a ransomware attack on a American oil pipeline company and they pay.
I don't know, around four to 5 million in ransomware, um, money to the attackers. And it also wipe it out. Like it's something like 25, 70 5% of the infrastructure of oil for like a period of time where they couldn't like the prices of oil in America sword. They couldn't get oil out because that one company controlled a lot of the distribution of.
And so with that single attack, they both simultaneously wiped out a lot of America's infrastructure for a period of time and also had ransomware money. Is that accurate?
[00:12:26] **Eran:** Number one? I don't know all the details. So I know a bit of details. Um, when you say whites out, it's contradicting actually ransomware.
So ransomware is not wiping up. Ransomware is taking possessions and releasing that Richard for money. So wiping out is. Catastrophic you've had, were destroyed the infrastructure, um, colonial pipeline to the best of my knowledge was a ransomware attack where financial parts of the distribution of oil and gas was hijacked.
Meaning you can include distributed oil and gas. The pipes could work, but the billing and customer care and the things that generate money for the organization. We're um, we're under the, under the effect. I'm not aware and maybe this is go, they haven't published on events or what is called the OT operational technology.
The ability to transfer the transfer, the oil and gas products to customers. So the ransomware was on the financial side of colonial pipeline and they did pay rounds. And I'm sure that being five minutes in return. Um, losses have dramatically bigger amounts of money is, is, um, is important by the way, I, to your previous question, I'm not sure that the U S has very open laws of, um, reviewing, um, cyber attacks.
I think you're, you know, the media is speaking about a lot of things, but it's not regulated and you're not bound to, to disclose. Um, and,
[00:13:49] **Amy:** uh, I thought that in America, you were required to disclose. Data breach of a certain magnitude.
[00:13:58] **Eran:** I think you are bound to bring it to the school, some of it, but not all of the information that you have, but I promise I will take your degree.
But I think there I'm aware of quite a lot of attacks that there, they were not disclosed to the general public, maybe through the authorities, but not public. And I think the colonial pipeline and they paid $5 million, they got back part of it. The financial part is, uh, most significant portion. What is, what is scary about colonial pipeline?
Is the word pipeline. So it's not that somebody hacks the credit cards of, you know, Alltel, that's horrible, but people will not freeze to death. If a hotel is being impacted, that's happened by the way in the past, but it will tell us the fact that somebody could get to the it or the OT of a pipeline of oil and gas indicates its critical infrastructure in the U S is not protected by the way.
It's not good enough. It's not perfect. Good enough. We know that for a fact do way the attack was conducted. That's an interesting question. Was this an employee clicking on the wrong? Was that a social engineering? Was that somebody from the inside was that a, a manipulation, someone there's so many, um, questions and how to deliver the attack, but for me and for our customers and people that can speak the fact that a infrastructure provider was.
That's the big thing, not the fact that it was $5 million. That's a small amount
[00:15:16] **Amy:** of, yes, exactly. And I, and then to circle back, I think like, why does it seem, I guess to me in media, as a north American, that there are. These giant infrastructure talks happening in Ukraine. Um,
[00:15:33] **Eran:** any Ukraine where in the U S it's not happening in the Ukraine?
I have no idea it's scales there. I don't think you will know, because nobody has the motivation to tell that the Russians want to disclose that they can do that. And the Ukrainians doesn't want to disclose that they're on the record. Because it's everybody. So I don't know enough. I can do for sure.
That's under the umbrella of the war in Ukraine, accounts of vulnerabilities and attacks is occurring under that umbrella, whether it's in the Ukraine or around it, it's definitely wider than just your great,
[00:16:08] **Amy:** right. Yeah. And so tell me more about, I guess, like other kinds of vulnerabilities that are being exposed from the fallout of the.
[00:16:18] **Eran:** Well, the war is still going on. So we're not in the fallout yet. There's still, there's two awards. I think the vulnerabilities are not cyber yet. It's the dependency of the west on, uh, critical infrastructure, energy infrastructure, and so on and so forth. Becoming very, very of it. The fact that machines and devices in that world are subject to attack.
So we want to be digitized. We want to be connected when you're digitized and connected. You're vulnerable. So Israel proven 10 years, 11 years back with stock snaps that non-connected systems can be attacked. Um, we worked with them with, um, with LNG, the us in Israel, Iran. But when you have connected devices, connected machines on critical infrastructure, man, you have an issue there.
So the vulnerabilities is exposing itself. The second thing. Ransomware is a great way to say there's money there. So if before that it was state level attacks. Now everybody wants to make money, um, can go and find some technologies to do some wrenching words that can make money. The third one is, and this is geopolitical thing.
We have a new world. We have a world where it's legit to attack another country. It's a digital technology organization. We have chaos around us. What started from. Universal order became so-called and so complicated. The fact that you were asking me about cyber attacks in Ukraine, by Russia as a normal.
Okay. It's not normal. It's not normal that they're attacking them. It's not normal that they're trying to cyber attack them. It's normal that, uh, Belarus is trying to, you know, it's crazy. And a lot of organization and companies and smart and sophisticated, the are taking advantage of this, including Iran versus Israel, Israel versus Iran and Russia versus half of the world, you know, chaos.
When did the Avengers, but cyber ventures.
[00:18:09] **Amy:** Yeah. Okay. So when you talk about devices connected to infrastructure, are we talking about like my laptop connecting to my corporate network VPN? Or are we talking about my smart fridge?
[00:18:23] **Eran:** Well, you compare it to the next to the organization is nice. That's another device.
That's, you know, that's. So again, somebody can do an, your fridge is connected to the internet, but worst case scenario, no milk for you tomorrow, but change the word fridge with a smart meter, change it with the charging station. It should change it to, uh, the machine that does the pink and manufacturer the car will manufacture something or responsible.
It's called OT, operational. The thing is that OT became connected is operational technology. It means something operates apart from that. So computer doesn't make things operate. It's a data exchange. It's hard if it's horrible, if it's being hacked, but it won't be impact operations. If your fridge is impacted, its operation may be harmed and you know what it can turn into offering.
But again, it will, if worst case scenario will kill your ice cream, but do the same or on industrial fridge, do the same on. The refrigerators of a food company, and then you have an issue, right? Then you have a loss of goods for tens of millions of dollars and hunger in north. Okay. For the sake of the discussion have north in Poughkeepsie, but for the sake of the discussion, OT, operational technology, and that's what it was exposed.
This is colonial pipeline. It's a attack that happened many times before. Ransomware, but it's about, it's almost killed a distribution of critical goods to make people warm in the winter. That's
[00:19:49] **Amy:** a big thing. So what can critical infrastructure companies do then to solve this problem? By the way? Yeah, it's terrible.
It's terrible. I don't know what to do. How do, how do I, how do I fix it? I don't
[00:20:07] **Eran:** think we can fix it. Number one. It's we're speaking about it. It sounded to me like I'm bringing so many horrible, um, doomsday events waiting to lighten this up a bit. Um, awareness is important, understanding that there are many issues and, and connectivity is one challenge.
Um, the usage of a lot of, uh, outsource companies opens you to our ability of supply chain. And again, and by the way, Most attacks were more, most things happened because of human errors. People tend to drink at night, go to work in the morning and make a mistake, go to the machine. Number two, instead of machine number one.
So it's awareness even before anything else, there's something called cyber hygiene that you are trying to make sure that you are cyber infrastructure is protected. And to be honest companies like dynamo that are working under this assumption, obviously I'm trying to, I'm telling you the story from a perception and, and with, you know, the way I see them.
But it seems that it's going in our direction, meaning use a zero trust don't trust. So now lock is doing zero trust the machine and device level protect from insider supply chain and human errors. Not only from the outsiders, not just build a firewall around your infrastructure assume it was breached.
So if you're assuming there was a region now it's so vulnerability is there by the way, it's always true. Hundred percent, not 50, not 9,100, 500% of the time. Somebody one. In it will, that's not an issue. So there's always somebody in with brute force by any means and form. So as soon as somebody is inside and then ask yourself, how can I prevent it from making harm?
And there are companies, that's great companies out there. Now milk is one of those companies. I think we're a great company as well. That is assuming. That the adversary in the OT world will always get in and now let's prevent the outcome and the outcome could be the collapse of the critical
[00:21:50] **Amy:** infrastructure.
Right. Okay. Now I'm even more scared because they're already in it's too late. Okay, cool.
[00:22:01] **Eran:** Well, there's a lot of smart guys on the defense. A lot of smart things. So it's a warranted wisdom war between the two parties. The adversaries will always win, always because they have the advantage of attacking first, but there are a lot of counter measures and assumptions and work can be done by the protectors.
[00:22:21] **Amy:** So now let's go back after all of that. Let's go back my first question again and say like, whose job is it to care about this?
[00:22:28] **Eran:** Within the organization, the CSO chief information security officer, and beneath him is the guy who was responsible for the OT and on top of that, the regulation or before that, or after that doesn't matter, um, the consumers and again, and every employee.
So don't press on don't click on 3g emails. Don't answer to somebody who was saying on your cousin from the JIRA. It doesn't work this way, but this is simple. The guy that you trained, make sure and protect is the CSO, the CIC. The CSO of the organization, the OT manager and the employees of the organization.
[00:23:02] **Amy:** And general awareness you say? Yeah. All right. Cool. Makes sense. Okay. Hopefully we can all remain calm, cool, protected, and chill. Uh, thank
[00:23:14] **Eran:** you.
[00:23:17] **Amy:** And don't click on malicious. All right. Amazing Ron, thanks so much for joining me on a hacker noon podcast. If we want to look for you online and what you're working on, where can we find you?
[00:23:30] **Eran:** W w w the non Alok security.com or Erin E R I N F I N E on LinkedIn. And.
[00:23:37] **Amy:** All right. Great. Thank you very much. If you want to find hacker noon online, don't forget to search for hacker noon on Twitter, LinkedIn, Facebook, Instagram, wherever you want to look, you can find more technology stories and information on hacker, noon.com and for now stay weird and I'll see you on the internet by hackers.