In 1992 a 22-year-old hacker named Jeff Moss set out to throw a farewell party for an online bulletin board that was shutting down. Word spread quickly and the invitation list ballooned. By the time all the guests arrived, Moss’s party had transformed into the first DEF CON, now the biggest hacker convention in the world. Soon after, though, Moss gave up hacking for a professional gig, helping companies safeguard their computer systems, and in 1997 he founded Black Hat, a series of conferences that serve as the security professionals’ counterpart to DEF CON. Even the U.S. government looked to him for security tips, naming him a member of the Homeland Security Advisory Council in 2009. In April Moss stepped up his responsibilities, becoming the chief security officer of the Internet Corporation for Assigned Names and Numbers, or ICANN, the international group that keeps Internet addresses up and running.
What exactly does ICANN do?
ICANN is in charge of the unique identifiers on the Internet, things like IP addresses, which are like a telephone number for your computer. We hand out blocks of addresses to countries, and the countries figure out how to slice them up, giving them to Internet service providers, for instance. Then when you log online, you have a unique IP address. ICANN ensures the security, stability, and resiliency of the systems. We take that very seriously; if we screw up, it can impact the whole planet.
In 2011 hacker groups Anonymous and LulzSec launched high-profile attacks on corporate and government websites. What was their significance?
What they’re doing isn’t new, but the scale and the recognition they’re getting is. Before, hacking groups would do digital sit-ins and things like that, to point out companies’ abuses or privacy rights violations, but now they’ve reached a critical mass. Generally speaking, they’re not interested in blackmail. In the past, you would have organized-crime groups sneaking in to steal money, and you would hear about it weeks or months later. But these people want to turn you into a media opportunity. They break into your site and you hear about it on the news.
What do you think of the way people have responded?
Whenever you have this amount of media coverage on a subject, laws get passed, and I think we’re going to get a lot of bad laws out of this if we’re not careful. Already people are calling for much stiffer penalties and mandatory sentencing. Ultimately, by pursuing these protesters in the short term, they might create really long-term problems for other people who have legitimate social gripes and don’t have an easy way to be heard.
What has been done this year to make the Internet safer?
The Internet as a whole is in the process of getting an upgrade. It’s focused on DNS, the Domain Name System, which is a giant system of servers that resolves a name to an address. When you type in microsoft.com, for example, DNS turns that name into an IP address and uses that to connect to the Microsoft website. There are ways to hack into the system, so that when you type a name, bad guys could send you to the wrong IP address without your knowing.
What we’re working on now is a trusted directory system, where organizations running websites would essentially sign their records so the system could verify where a site is. That means you’ll know that if you ask for Microsoft, you’ll get to Microsoft. Or if there’s a bad guy in between tampering with the DNS and you don’t get to Microsoft, you’ll at least not go to where the bad guy wants you to go. Once you can start trusting all the answers that come out of DNS, you can start doing lots of other things, like trusting your email more.
What can individuals do to protect themselves online?
Here’s one simple thing: If you have a million windows or tabs open on your browser, certain phishing attacks can guess what other windows you might have open and attack those other windows by trying to steal passwords. If you’re doing online banking, you should close your browser, reopen it with only one window running, and then do your banking. When you’re done, close the browser entirely so it will flush the cache and clean everything out of memory.
What are the major security challenges coming up?
Cloud computing, where people store data or run programs not on their own computer but in a data center with thousands and thousands of servers, is a big one. The technology is moving very quickly because it has such promising benefits, since people don’t have to deal with the time and expense of maintaining all those computers. A big problem is that malicious hackers are pretty good at using the cloud too. They’ll use a fraudulent or prepaid credit card to buy an account from a cloud provider, like Amazon, and then they’ll upload their software, which might be a password-cracking utility or a tool that scans for vulnerable websites. Instead of having to break into people’s computers, they’ll just run their software directly from the cloud provider, connecting to other users in the cloud. If the scan is coming to you from Amazon cloud space, it’s hard to block that without blocking large parts of the cloud provider.
What about the rise of smartphones—is that a security challenge as well?
When mobile devices were designed, security wasn’t a top concern. The phone companies were thinking that they controlled their own phone networks in a big, walled garden. Now with everything Internet connected and installing apps from third-party app stores, the age of mobile malware is coming. There are already some mobile botnets—networks of compromised devices that hackers can control. Phones are not as fast or as powerful as desktop computers, but they’re also generally less secure. Android phones, for instance, hardly ever get security updates. So if you can get malware on some of these mobile devices, you’re probably good for a long, long, long time.