Just because you’re paranoid...

Cyber security whiz kid Nir Gaist warns of the growing danger by state and individual hackers to modern economies.

Nir Gaist 370 (photo credit: Asaf Kliger)
Nir Gaist 370
(photo credit: Asaf Kliger)
Israel is exposed to the threat of a severe cyber attack, which could paralyze ordinary life, a leading information security figure told The Jerusalem Post this week. Nir Gaist is the 24-year-old chief technology officer and founder of the Nyotron computer security firm, which is currently assisting state security and economic agencies to protect themselves against the growing cyber threat.
In a pleasant and calm voice, Gaist lays out the scope of the disturbing danger as he sits at his company’s headquarters in Herzliya.
“Cyber warfare is already here,” he says. “But in terms of the damages, it hasn’t arrived yet.” The potential damage to the economy and other sectors that lie at the heart of a functioning 21st-century state are “endless,” Gaist adds.
It’s worth lending an ear to Gaist, as he has managed to amaze the information security world on several occasions at his young age.
Maj.-Gen. (res.) Amos Malka, former IDF head of Military Intelligence and ex-chief of the Ground Forces, helped raise $3.5 million in investment for Nyotron, which is releasing a security product called Paranoid – a program that Gaist claims is capable of stopping a cyber attack on the level of the Stuxnet virus, which caused havoc to Iran’s uranium enrichment site at Natanz.
In recent weeks, Gaist invited a group of top hackers to his office and promised them a respectable sum of money if they could penetrate his defenses. “I’m glad to say that I didn’t have to pay,” he says.
When he was six years old, Gaist set up a computer repair lab at Kibbutz Sde Nahum, where he was born. At age 10, his elementary school teacher decided that it would be a waste of time to force Gaist to study the fourthgrade curriculum, and sent him to the Israel Institute of Technology in Haifa (the Technion) to study advanced computer science with students more than twice his age.
Four years later, at 14, Gaist found himself providing telephone consultations to Microsoft founder Bill Gates and the company’s CEO Steve Balmer, giving them tips in data protection. A year afterwards, he represented Microsoft at international conferences.
Gaist has been a regular expert guest for the Knesset’s science and technology committees.
He chooses his words carefully, but the message he sends is troubling.
The more technology and the Internet form the basis of our modern existence and allow vital state and private sectors to function, the more the country is exposed to attackers on the web with nefarious intentions.
The most dangerous cyber attacker is the state actor, such as Iran. A country motivated by a hostile ideology will gain access to resources and capabilities that the lone hacker can only dream of.
Organized groups of non-state hackers also exist in this murky world.
These hackers also have impressive capabilities. All of the sectors are in the firing line: Transport and aviation, the banking industry, the energy sector, communications, the government, security agencies, the IDF and the police.
An example of the threat can be found in one past virus that ended up preventing maps from being uploaded to cockpits of French passenger jets, grounding the planes.
“There’s no doubt that the next war will not be like the previous ones we’ve known,” Gaist says. “It will happen the moment that a green light is given. Unlike a missile that is launched, it’ll be hard to know who launched a cyber attack,” he adds.
Until now, Gaist argues, despite incidents like Stuxnet in Iran and reported Chinese attacks in the US, state actors have been cautious in their use of cyber weapons and have taken care to refrain from major uses of them.
“Those who carried out the attack on the nuclear facilities in Iran were also careful. The damage from a cyber attack can be far wider in scope,” Gaist warns.
“Someone with resources can take the gloves off. And not necessarily in one go, but over time, in several areas. In this way, he could cut us all off from all of the systems,” he adds.
“I don’t see a reason why the Iranians won’t make progress. They have the know-how, and they choose young, gifted teenagers,” he says.
On the one hand, there is growing awareness of the threat. The state has begun investing resources in cyber defenses, such as the State Authority for Securing Information, managed by the Shin Bet (Israel Security Agency), the government’s National Cyber Defense Bureau and the IDF’s recently set up cyber defense headquarters.
Gaist praises these developments, but adds that many of the defenses are simply irrelevant to future threats.
“There is no virtual Iron Dome,” he says, since many of the defenses are built on known threats.
“The current evolution is good, but it won’t bring a solution quickly enough. Fortunately, in recent years, this issue has gotten on the national agenda. There’s no organization that does not understand the size of the problem, and which isn’t searching for a solution.” The threat does not only affect large organizations, Gaist stresses.
“As a private individual, your entire identity, except your skin and bones, is completely virtual. The money in your bank account is, at the end of the day, just lines in a database. Your driver’s license, medical record – it’s all virtual,” he says.
In the past, Gaist would check the defenses of Internet service providers and banks. Once a year, he would attempt to penetrate these systems and was amazed by how simple it was for him to get in and begin transferring money to any account he chose.
“There is no bank in Israel I haven’t broken into,” he says with a smile.
Thousands of cyber attacks occur every month on these systems, but the real danger lies in the one attack that gets through.
Some attacks, like distributed denial of service, are simpler in nature and cause less severe damage. In DDOS attacks, computers infected by a Trojan horse are directed to visit Internet sites selected by the attacker as a target.
If enough requests are directed at a server, it will crash temporarily.
The more serious type of attack occurs when hackers gain access to computers and networks. Once access is gained, serious damage can be caused. The attacker can steal sensitive information, alter specifications in a way that causes a disaster or use the computer as the perfect spy, switching on its microphone and camera to eavesdrop on conversations in sensitive installations or government offices.
Last year, according to foreign reports, Iran suffered from a wave of viruses that allowed an attacker to listen to conversations taking place in the vicinity of the infected computer.
Often, when a traditional anti-virus program identifies a virus, the programmer can change a few lines of the virus’s code and it will again become invisible and go back to work.
With Israel’s infrastructure more modern than that of Iran, there are more targets to strike here than there, Gaist points out. “It’s reasonable to assume that Israel has developed attack capabilities, but we can’t necessarily cover for our defensive abilities with attacks,” he adds.
At his company’s conference room, Gaist gives a live demonstration of how quickly one can take control over another computer. His fingers type out code at a dizzying speed, and within a short time, he shows how a computer labeled as “attacker” gains control of a second computer, named “the victim.”
Throughout the hack, a traditional anti-virus program fails to sound the alert.
In one of the attacks, Gaist even has the virus send a text message to his cellphone to let him know that full control has been gained over the target computer.
“The victim is connected to me,” he says.
“Cell phones are also a hole in defenses, since they can be hacked and used as a listening device. A worker who enters a place that has a secure network, but who is carrying an infected cellphone, can spoil everything.”