Bright ways to go dark, part 1
So I think we're looking at two kinds of threats to our blogging safety. I think we've always been subject to these threats but now that we're aware of them we're in a much better position to deal with them.
Before getting into the more substantive problem let's dispense with the "trivial" case of site hijacking first. (I say trivial though a single hacker has caused enormous damage because the remedies are technological.)
#1: If you own your domain name don't let it expire! As the fees for registering a domain drop closer to zero and the technology for detecting and picking up expired domains has gotten easier it's just too easy for the spam-minded webmaster to harvest your domain, especially if it's got a good flow of traffic, and replace it with a link farm pointing your erstwhile users to commercial porn, gambling, or viagra sites. Yeah, chances are your users won't come back, but the economics are such that the hijacker can make enough money from the few click-throughs to make it worth his while. Some registries have an automatic renewal feature. Assuming the registrar is at all reliable it's a great idea to use it.
#2: If you get email from someone claiming to represent your blogging host with a "click this link to protect/confirm/change your important information" delete instantly. It's almost guaranteed to be a phishing attack, a bogus message pointing you to a bogus website where you'll politely enter your login name, password in the superficially recognizable forms... and possibly lose your site for eternity! If you just want to make sure, close the email, mark it as spam, then open a new window in your browser and navigate to your blog host through their main URL (e.g. "www.blogger.com") and navigate from there to the site's news page or to your account-info page. If there's something you really need to do you'll find out that way *and* you'll know you've gone to the right place to do it.
#3: Tidbits: A) If you access your site from a public machine make sure you're somewhere reputable. It's not likely that a black hat will go to the trouble of harvesting everyone's names and passwords at their internet cafe but it's always possible. B) *Do* be sure to log out before you leave though. It's far more likely that the next person to use your machine might get curious and look in the browser's history or just click the "Back" button a couple of times to get back into your blog administrator. If you're logged out of that system it won't let do much damage. C) Use a good password -- something easy to remember but hard to forget, preferably something with numbers and capital letters as well as lower-case letters. (My favorite trick is to pick a memorable song lyric or slogan and make an acronym out of it. For instance, "Roll your leg over oh roll your leg over (it's better that way)" becomes Rylo0rylo. Easy to remember, hard to guess.)
More in a following post
figleaf
Update: Oh bother! I'm not used to Blogger yet and didn't realize I'd gotten comments to my previous post saying people weren't phished via email after all. Yikes! That doesn't mean this advice is invalid. It does mean it's terribly incomplete. Sorry about that. More later though.
Before getting into the more substantive problem let's dispense with the "trivial" case of site hijacking first. (I say trivial though a single hacker has caused enormous damage because the remedies are technological.)
#1: If you own your domain name don't let it expire! As the fees for registering a domain drop closer to zero and the technology for detecting and picking up expired domains has gotten easier it's just too easy for the spam-minded webmaster to harvest your domain, especially if it's got a good flow of traffic, and replace it with a link farm pointing your erstwhile users to commercial porn, gambling, or viagra sites. Yeah, chances are your users won't come back, but the economics are such that the hijacker can make enough money from the few click-throughs to make it worth his while. Some registries have an automatic renewal feature. Assuming the registrar is at all reliable it's a great idea to use it.
#2: If you get email from someone claiming to represent your blogging host with a "click this link to protect/confirm/change your important information" delete instantly. It's almost guaranteed to be a phishing attack, a bogus message pointing you to a bogus website where you'll politely enter your login name, password in the superficially recognizable forms... and possibly lose your site for eternity! If you just want to make sure, close the email, mark it as spam, then open a new window in your browser and navigate to your blog host through their main URL (e.g. "www.blogger.com") and navigate from there to the site's news page or to your account-info page. If there's something you really need to do you'll find out that way *and* you'll know you've gone to the right place to do it.
#3: Tidbits: A) If you access your site from a public machine make sure you're somewhere reputable. It's not likely that a black hat will go to the trouble of harvesting everyone's names and passwords at their internet cafe but it's always possible. B) *Do* be sure to log out before you leave though. It's far more likely that the next person to use your machine might get curious and look in the browser's history or just click the "Back" button a couple of times to get back into your blog administrator. If you're logged out of that system it won't let do much damage. C) Use a good password -- something easy to remember but hard to forget, preferably something with numbers and capital letters as well as lower-case letters. (My favorite trick is to pick a memorable song lyric or slogan and make an acronym out of it. For instance, "Roll your leg over oh roll your leg over (it's better that way)" becomes Rylo0rylo. Easy to remember, hard to guess.)
More in a following post
figleaf
Update: Oh bother! I'm not used to Blogger yet and didn't realize I'd gotten comments to my previous post saying people weren't phished via email after all. Yikes! That doesn't mean this advice is invalid. It does mean it's terribly incomplete. Sorry about that. More later though.
1 Comments:
Thanks Figleaf. I think it's very importannt to hang on to our names.
I'd hate to see stuff like what happened at Corinthian Couple's site.
Thank you.
Post a Comment
<< Home