Let’s start in November a few years ago. A friend contacted me, obviously distressed. Her site had been hacked.
I thought, no problem. We’ll get on it.
It turned out to be not so routine.
Eventually, we found out her website wasn’t hacked.
Her domain was stolen. The new website was not hers. Not on her web hosting account.
Someone stole her entire business from under her.
Fast forward a couple of months. Another sobering story. Mat Honan, one of Wired’s senior writers, had his MacBook, iPhone, iPad and Google account completely wiped and his Twitter account hijacked. Then I heard news of another friend’s domain getting hijacked.
Then just this week, another major story. Naoki Hiroshima, creator of Cocoyon and developer of Echofon, had his highly valued Twitter username extorted from him. What did the extortionist have on him? Oh… just all of his domains and his PayPal account. Reading his story and the hacker’s responses sent chills up my spine.
Since working with my client and learning about Mat Honan’s hacking, I’ve been careful. There’s still much to be done but definitely more careful. I worry a lot about what my husband puts out too. But that’s another story for another day.
By now, I’m feeling rather helpless. Then I read another followup story in response to Naoki’s. Now, I felt hopeless as well.
I’m writing this not to scare you. Although, I know you can’t help but feel scared. I do. My intention is to help everyone stay informed.
What can be done?
Honestly, I’m not 100% sure. These social engineering attacks aren’t always caused by our own carelessness. Many times they are, but sometimes they aren’t. I do have some ideas, and I’m willing to share what I’ll be doing.
A quick disclaimer. These are not a guarantee you will be insulated from social engineering. Nobody can guarantee that. With that, let’s begin.
Your Data Is Not Isolated
When we open a new account anywhere, we tend to think our data is separate from each other because the companies we deal with are owned by different people. To a certain extent, yes they are. But these stories tell us that social hackers don’t need all data from one place. That would be best for them, but it’s not necessary. They just need a little bit from here and a little bit from there.
Don’t just secure everything to do with banking, finances and the likes but leave other areas of your digital life open.
I pay a lot of things online. Where possible, I will choose not to store my credit card information with a company. More inconvenient? Yes but very much worth it I think. Where PayPal or Amazon and even Apple is involved, I don’t have much choice. Even so, I will investigate my options with fresh eyes.
With Honan and my friends, the weak link was Gmail. At that time, the advice was not to use Gmail for important things, or at the least to have two-factor authentication turned on. Hiroshima had the opposite advice – to use Gmail and not an email address on a domain you own. The followup report from Droplr CEO Josh Bryant correctly pointed out that using Gmail does not guarantee security.
Many large companies’ security is only as good as the person answering the phone.
I agree with Bryant. I quit using Gmail for important stuff and even for domains. I’m not all that confident they can be any better. I’m sticking to email addresses from my domain and other places I shall not name. Since my friends’ incidents, I have spread my risk across different email addresses. Not the ones I use publicly.
After this, I will go back and fragment this even more by using several domains. I’m not sure this will be any better or worse but I think it would be better. Which leads me to the next point.
I’ll be going back and transferring several domains out of GoDaddy and their reseller account. Although I have two accounts, their reseller is still GoDaddy and prone to the same problems.
I don’t necessarily despise GoDaddy. I know a lot of people have a bone to pick with them. Personally, I’ll never host with them, but they’ve always been good to me for domains. Besides, just because the vulnerability is with GoDaddy doesn’t mean other companies aren’t prone to the same loopholes.
I won’t be closing it out, just spreading the domains out to different places. Especially high value domains.
I struggle with all this. We own a lot of domains. To make them all private – yikes! That’s quite a chunk of money out the door. I have some domains private, but I will now select a few more to make private.
For public domains, I’ll continue to use an address that is not my home address. This has been my protocol for years. Now, I’ll be going back to change other information with other companies (where possible). This includes public records we might have with the local and state government.
This isn’t just about privacy. The fact that public records can be combined with your domain registration data to socially engineer a registrar warrants a second or third look.
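The domain points above (transfer locks, WHOIS privacy, and not letting a domain’s contact email depend on another domain at the same registrar) can be checked mechanically. The script below is an added example, not code from this post: it parses WHOIS-style records and flags the weak spots. The two records and the registrar name in it are constructed for illustration and are not real registrations; a real run would feed in the output of `whois <domain>` instead.

```python
import re
from datetime import date, datetime

# Constructed WHOIS-style records (hypothetical domains and registrar, not real
# registrations). In practice, fill this dict from `whois <domain>` output.
SAMPLE_WHOIS = {
    "example-shop.com": """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, Inc.
Registrar Registration Expiration Date: 2015-03-01T00:00:00Z
Domain Status: clientTransferProhibited
Registrant Name: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Email: example-shop.com@domainsbyproxy.example
""",
    "example-blog.net": """\
Domain Name: EXAMPLE-BLOG.NET
Registrar: Example Registrar, Inc.
Registrar Registration Expiration Date: 2014-02-20T00:00:00Z
Domain Status: ok
Registrant Name: Jane Doe
Registrant Street: 12 Maple Street
Registrant Email: jane@example-shop.com
""",
}

# Words that usually indicate a WHOIS privacy / proxy service in the registrant fields.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' WHOIS lines into a dict of lowercased key -> list of values.
    Keys such as 'Domain Status' can repeat, so every key maps to a list."""
    rec: dict = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        rec.setdefault(key.strip().lower(), []).append(value.strip())
    return rec


def audit_domain(domain: str, records: dict, today: date, expiry_days: int = 60) -> list:
    """Return a list of (code, detail) findings for one domain."""
    rec = records[domain]
    findings = []

    # 1. Registrar transfer lock: without it, a transfer-away request is one step easier.
    statuses = " ".join(rec.get("domain status", [])).lower()
    if "clienttransferprohibited" not in statuses:
        findings.append(("no-transfer-lock", "Domain Status lacks clientTransferProhibited"))

    # 2. WHOIS privacy: a real name and street in the record is social-engineering material.
    contact = " ".join(rec.get("registrant name", []) + rec.get("registrant organization", [])).lower()
    if not any(marker in contact for marker in PRIVACY_MARKERS):
        findings.append(("no-whois-privacy", "registrant contact is published in WHOIS"))

    # 3. Dependency loop: the contact email lives on a domain held at the same registrar,
    #    so one hijacked account takes the domain and the mailbox used to recover it.
    for email in rec.get("registrant email", []):
        email_domain = email.rsplit("@", 1)[-1].lower()
        same_registrar = (
            email_domain in records
            and records[email_domain].get("registrar") == rec.get("registrar")
        )
        if email_domain == domain or same_registrar:
            findings.append(("contact-email-same-registrar",
                             f"{email} is hosted on a domain at the same registrar"))

    # 4. Expiry: a lapsed high-value domain is simply re-registered by whoever is watching.
    for raw in rec.get("registrar registration expiration date", []):
        match = re.match(r"(\d{4}-\d{2}-\d{2})", raw)
        if match:
            expires = datetime.strptime(match.group(1), "%Y-%m-%d").date()
            days_left = (expires - today).days
            if days_left < expiry_days:
                findings.append(("expires-soon", f"expires in {days_left} days"))
    return findings


def audit_all(raw_records: dict, today: date) -> dict:
    """Audit every domain in the inventory; returns domain -> list of findings."""
    records = {name: parse_whois(text) for name, text in raw_records.items()}
    return {name: audit_domain(name, records, today) for name in records}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_WHOIS, date(2014, 1, 30)).items():
        print(name, "OK" if not findings else "")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

With the constructed records, `example-shop.com` comes back clean, while `example-blog.net` is flagged four times: no transfer lock, a public registrant, a contact address that depends on a sibling domain at the same registrar, and an expiry three weeks out. The same-registrar check is the one people miss: spreading domains across registrars only helps if the mailbox each registrar emails is not itself one of those domains.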
Amazon & Amazon Web Services
I will be taking Bryant’s suggestion to separate my Amazon account (mostly personal use) from my Amazon Web Services account. I have a lot of things on Amazon Web Services. While I haven’t quite built our technical infrastructure there, there are plans that could include that. Still, a lot of my products are there. I have a copy, but losing access to AWS will cost me in the form of time.
Usually, I’m wary of connecting any form of services to any type of account. It doesn’t hurt to go back to look things over. Disconnect services not used anymore. While at that, remove any information that they don’t require.
Turn on two-factor authentication wherever possible. We have Duo running on some WordPress-powered websites too.
Watch What You Share
Many of us already practice this. I’ve always tried to filter my words and everything put out on social media. Heck, even on this blog. I hesitate to write this post because I really don’t want this information be socially engineered on me. It’s not perfect. Things spill out somehow. Maybe not today, but sometimes, somewhere. When your guard is down.
Regardless, start new habits when it comes to social media and your blog. Watch everything you post and share. I don’t just mean when you are going out of town. Review stuff like birthdays, too. Images with location tags. Quiz results. Ok, I’m not sure how a quiz result could be detrimental yet, but you can tell I’m a little shy of paranoid.
Long story short, just… be careful.
This is certainly not an exhaustive list. It’s a start.
Can you think of any more? What do you do that I’ve not covered?