Just half an hour in the company of Professor Yehuda Lindell can make you paranoid.
The Bar-Ilan University digital security expert argues that too many of us are wandering into cyberspace without the proper precautions.
“We’re already in the era of cyberwarfare and cybercrime. And we’re completely unready,” he says, as you start wondering whether to slap a “hazard” notice onto all your digital equipment. Through malware, he adds: “I can easily turn your phone into a tracking or listening device. I can remotely turn on your microphone or camera and I can get hold of your location data. Think about how powerful that is.”
Prof Lindell is head of one of the academic teams working to strengthen Israel’s long-range cyber defences, and was in London earlier this month to address Bar-Ilan’s British Friends group.
He cites three main factors in our vulnerability to information bandits and data raiders. The first is the “ubiquity of computing” where everything is a computer — “your phone, your car, your home.” The second, he argues, is that too many manufacturers treat cyber-security as an afterthought rather than a priority. And the third is a lack of education.
“We teach our kids not to take candies from an old man outside school, we teach them to cross the road,” he says. “But we don’t teach them online safety. This is often because we don’t know how to behave online.”
Prof Lindell — who heads the Centre for Research in Applied Cryptography and Cyber Security at Bar-Ilan, overseeing a team of more than 20 — says that Prime Minister Benjamin Netanyahu showed a “lot of foresight” when he established the National Cyber Bureau in 2011 to counter the increasing threat of cyber-saboteurs.
Only a few weeks ago a Hamas plot to trap Israeli soldiers via social media was exposed. The plan was to approach soldiers with pictures of pretty women, entice them into an electronic conversation and persuade them to download an app baited with malware.
“Israel is definitely very proactive and the fact that Israel found out about this means they are keeping on track,” Prof Lindell says.
However, this does not mean he is in favour of everything the government proposes. When the Israeli government announced plans to set up a national database of the biometric features of all its citizens — such as fingerprints — he was one of the experts who protested against it, arguing that it was a “very bad idea.” This belief was based on his suspicions that such a register could be dangerous.
“My argument is there is no such thing as fully secure — therefore we should not have any database which has all of the biometrics of the entire country,” he says simply. Any such database could put the population at risk, he argues, of dangers ranging from blackmail to terrorism.
It is not the happiest of conversations, as Prof Lindell paints the following scenario. He asks you to imagine that you have just bought a new car with an up-to-date entertainment system able to pre-download the type of music you might like to keep you awake on a night drive.
“You’re driving on the highway at 11 o’clock on a rainy night in the middle of winter and suddenly strange things start happening to your car,” he continues. “The air conditioning starts spewing out freezing cold air, your lights shut out so you are driving in the dark.
“Then you lose complete control, you can’t steer or brake any more, the accelerator goes full down and you are driving at 200 miles an hour on a highway with no lights, no steering capability — you know the end of the story.”
He would like to have said this was merely a “futuristic” projection, but in 2015 Chrysler recalled over a million Jeep Cherokees when security researchers showed they could hack into the vehicles’ internet-connected entertainment system and, through that, gain remote control of the car’s computer.
Now Prof Lindell points out that the more vehicles become computerised, the more protection they will need. Terrorists, he speculates, could try to mount a spectacular, 9/11-style attack by seizing control of thousands of cars on the motorway and crashing them.
And if that doom-laden scenario was not enough, he’s emphatic that medical devices need to be cyber-protected, too.
For example, there are pacemakers which can communicate remotely with doctors so they know if they need to be fine-tuned. However, imagine the danger if a third party could hack into the device — as Prof Lindell himself managed to.
In one instance the authentication method to make sure access to the pacemaker was genuine was so weak that it took him “seconds to break”.
Just as organisations post security guards on the entrance, they should also have cyber security, he claims.
“We have physical security — it doesn’t mean people aren’t mugged or that there are no terrorist attacks,” he argues. “But there was a time when we didn’t have physical security.
“We are in a digital world where it is just not safe, but unlike the physical threat, people aren’t even aware of it. It’s like the Wild West.”
At least with physical security we have measures to prevent theft, he continues. “In the cyber-world, deterrence is almost non-existent. Someone can be sitting in east Europe or Asia or Africa somewhere and you don’t have jurisdiction over them.”
If there were some kind of certification showing how digitally secure a product was, consumers would also benefit. “They need to have some sort of measurement, like an energy tag on your washing machine. To measure the amount of energy your washing machine uses is easy. It is not so easy to measure whether something is more secure but that is the direction we have to move.
“Once consumers are aware and make a choice based on that and when companies understand if there is a breach, the ramifications are huge, then they will take it more seriously.”
Even apparent innovations have huge risks, Prof Lindell explains, and he sees the use of electronic voting machines in the United States, for example, as another potential issue. “As someone said a year ago, if someone hasn’t hacked the US elections, it’s only because they decided not to, it’s not that they couldn’t.”
When the US government’s Office of Personnel Management and the Philippines Electoral Commission were hacked, millions of fingerprint images were filched.
“You can take the data and from that build a silicon fingerprint,” Prof Lindell continues. “Somebody could plant your fingerprint at a crime scene.
“Fingerprints are good to keep my kids out of my phone. But an expert can take my phone, lift a fingerprint and use it to log in. It’s not difficult.”
Protecting privacy in the era of social media is increasingly a challenge. When, two years ago, hackers released the names of users of Ashley Madison, a dating site for those seeking extramarital affairs, millions of people were potentially compromised. Even those who used fake email accounts were at risk of being traced, because the locations where they logged into the site could be identified.
Embarrassing online information can expose a person to blackmail. “If you want to recruit a spy today,” he says, “it is the easiest way to do it.”
Investment in Israeli cyber-security start-up companies is second only to the United States. But whereas industry is good at coming up with quick solutions, it is the brainpower of academia that is required to find longer-term protection, this Bar-Ilan professor argues.
Finding ways to guard privacy is currently his research focus. “Let’s say there is a database of thousands of DNA samples of different cancer patients. When someone goes to the doctor, the doctor can take their DNA sample, upload to the service and compare and see if their DNA is close to some samples of the database.
“If all those samples happen to be colon cancer, he will know this person is a high risk and will plan prevention appropriately. The problem is DNA is private information.”
Using an advanced method called “secure multi-party computation”, it is possible to make use of the information in the database without actually accessing it. “It sounds like it is impossible, but it can be done. The person’s DNA is not revealed to the database, and the database is not revealed to the person.”
Privacy is also of the utmost importance to Prof Lindell on a personal level. He makes payments over the internet but avoids services which take personal data. “I don’t have Facebook, I don’t do social networking apart from LinkedIn,” he says. “My own rule is that whatever I do online, I should assume is public information because effectively it is: it can be traced.”