Why Did I Get Hacked?
I didn't get hacked, I was just posing that as a hypothetical.
Most of you are familiar with the story behind David Airey's domain/site hijacking. To recap, some enterprising individual hacked his way into David's Gmail account through some exploit and proceeded to transfer away his domain and then hold it hostage. Thanks to the intervention of Bob Parsons, CEO of GoDaddy, David was able to get his domain back from the offending party.
With that groundwork laid, what are you to do to protect your domain? Making sure your little piece of the web is safe is something that most of us take for granted. I know I sure do. Even as I sit here and look at this list of things to do, I am realizing that I am doing a few things that you are NOT supposed to be doing.
James Koole over at the TuCows blog has a list of things that you may want to pay attention to.
"Use WHOIS Privacy. It can protect you to a certain extent from this kind of theft. If the administrative email address that is listed with the domain name under WHOIS is exposed, then a potential domain thief has two pieces of information he needs – the domain name, and the email address used to manage it. The thief can then gain control of the email address, and then use that email address to gain control of the domain by having passwords emailed to himself. WHOIS Privacy offers some protection because it prevents the domain thief from finding out what the administrative email address is for the domain name.
If you can avoid it, don’t use free, web-based email addresses for your administrative contact. In this case, a security flaw in GMail allowed the hacker to gain control of the email account of the domain holder. Likewise, having your entire domain portfolio under a single administrative email account is another mistake. Never mind having one domain name stolen, if a thief gains control of your email account, he could steal your entire portfolio of names.
Your domain name is worth more to you than you might think. It may only cost you $10 a year to register the domain, but take a moment to imagine what the cost would be if you had to change domain names tomorrow. It could be as easy as reprinting business cards, or as difficult as re-branding your entire company.
Choose your Registrar wisely. Look for a Registrar with a solid Compliance team and a good record within the industry. They’ll have policy and procedures in place to protect you against domain name theft, and in the event your domain is taken from you fraudulently, you stand a better chance of getting it back with a solid registrar. Our CEO, Elliot Noss, has talked about this in the past. You can read his “Ten questions to ask before you pick your domain name Registrar” post for more information on how to make an informed choice."
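The first two points of that list can be checked mechanically against your own portfolio. The script below is an added example, not part of the original post or the TuCows list: it reads WHOIS text and flags an exposed admin email, a free-webmail admin contact, and one mailbox shared across several domains. The sample records, the `freemail.example` provider and the privacy-detection heuristic are constructed assumptions.

```python
import re
from collections import defaultdict

# Illustrative provider list (assumption); freemail.example is a constructed stand-in.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "freemail.example"}

# Constructed WHOIS excerpts for a hypothetical portfolio.
SAMPLE_WHOIS = {
    "example-shop.test": "Admin Name: Owner\nAdmin Email: owner@freemail.example\n",
    "example-blog.test": "Admin Name: Owner\nAdmin Email: Owner@freemail.example\n",
    "example-labs.test": "Admin Name: Ops\nAdmin Email: hostmaster@example-labs.test\n",
    "example-corp.test": ("Admin Organization: Hypothetical Privacy Service\n"
                          "Admin Email: x1y2@hypothetical-privacy.test\n"),
}

def admin_email(record):
    """Return the lower-cased admin contact address, or None if absent."""
    m = re.search(r"^\s*Admin Email:\s*(\S+@\S+)\s*$", record, re.I | re.M)
    return m.group(1).lower() if m else None

def is_masked(record):
    """Heuristic (assumption): an Admin field names a privacy/proxy service."""
    return bool(re.search(r"^\s*Admin [^:]*:.*(privacy|proxy|redacted)",
                          record, re.I | re.M))

def audit(portfolio):
    """Map each domain to the weaknesses visible to anyone reading WHOIS."""
    findings = defaultdict(list)
    by_email = defaultdict(list)
    for domain, record in sorted(portfolio.items()):
        email = admin_email(record)
        if email is None or is_masked(record):
            continue  # the real mailbox is not visible in WHOIS
        findings[domain].append("admin email exposed in WHOIS")
        if email.rsplit("@", 1)[1] in FREE_WEBMAIL:
            findings[domain].append("admin contact on free webmail")
        by_email[email].append(domain)
    for domains in by_email.values():
        if len(domains) > 1:  # one mailbox compromise takes all of these
            for d in domains:
                findings[d].append(
                    f"shares admin mailbox with {len(domains) - 1} other domain(s)")
    return dict(findings)

if __name__ == "__main__":
    for domain, issues in audit(SAMPLE_WHOIS).items():
        print(domain, "->", "; ".join(issues))
```

A domain behind WHOIS privacy is skipped because its real mailbox cannot be seen from outside; the shared-mailbox risk still applies to it and has to be checked in the registrar account itself.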
9 Comments:
That's good information. I never think about that stuff. I pay extra for private registration, but besides that... And the giant laser cannons, of course (hackers beware). :-)
Yeah, I have a few claymores and sonic nausea cannons set up similarly. It keeps the minions at bay.
Another point worth mentioning is to never challenge a hacker to hack your site. Yes, it sounds stupid, but I've seen people do it because they were mad that a friend's site/account got hacked. Hackers will definitely rise to the challenge, and most likely they will succeed.
Also watch for emails from your registrar asking you to do something and giving you a link to get to your account - often these are phishing emails and the web site will look right, but is just stealing your password.
I have a shotgun, a shovel, and a few hundred acres of mountain out back of the house here. Highly effective against stalkers, but I am not too picky.
Good point about the separate emails. I did spread my domains out over a few registrars, but I admit I was lazy about having them all at the same email address. Easily remedied. :)
Thanks. This is a great post. I only wish you made some recommendation as regards registrars you have used before. You mentioned GoDaddy but not as if you recommend them. What do you think about NameCheap registrar? I am thinking of using them! Thanks for sharing.
Saved By Jesus
I have used GoDaddy, Joker, NetworkSolutions, TuCows and Wild West Domains.
I prefer to stay with someone that is very established like GoDaddy or NetworkSolutions. Brotee, I have never heard of or used NameCheap. I would have to look into them.
@adrian - Yeah, no kidding. You are just asking for trouble if you do something that stupid.
Regarding your second point, not using the same email account for your admin contact, that's a tough one, particularly if you want to get the same price and features that come with your favorite registrar. Granted, all it takes is one key to the kingdom, but it could also mean other conflicts as well.
I'm not saying it's not a good idea, but one definitely has to weigh the odds of making such a move.
I see what you are saying Mark. I too struggle with that. I have over 300 domains.