Some of you might know that during the day, I’m a computer security professional. So I’m always scouring the internet for the latest in malicious actor attacks (that is to say, attacks from people who want to steal your stuff), like this article from Krebs on Security.
That got me thinking. Are we doing enough to protect our anime blogs from attackers? I’m not sure we are, so as an ani-blogger myself, I figured I'd share what I've learned about blog safety over the years -- both as a software developer and as a blogger. This is the first in a series of public service posts to the ani-blogging community. Once the series is done, you should know most of what you need to begin protecting yourself.
Wait -- you mean I’m not going to claim to give you everything you need?
Nope. That’s the nature of security. The best I can do is give you a good idea of what the dangers look like (that’s the threat landscape) and give you an idea of what you’ll need in your toolset. I'll prepare you to be safety minded in a dangerous environment. In the immortal words of Mad Eye Moody, you need to practice “Constant vigilance!”
Read on to see if you’ve got the bases covered!
No One Wants to Steal My Blog!
Oh, yes, they do!
Once upon a time, part of me wondered who in the world would want to steal my anime site? I mean, it’s not like I have the reach of ESPN!
The answer is that crime syndicates worldwide are constantly watching for sites to take over. And they're skilled and highly automated, too. They know how to monetize even small sites, as the Krebs on Security article illustrates. If you have a site, they want it. It’s as simple as that.
Not convinced you need to protect your domain name? What if you hate Sword Art Online Alicization -- and the attacker starts posting posts gushing about how amazing it is? Or worse -- what if the attacker starts posting crazy claims that Shino Asada wasn't best SAO girl? Now, that'd be criminal! Capture from the Crunchyroll stream.
The Foundation: Domain Name
If you host on WordPress.com or Blogger, make sure you have a reasonably complex password for your account, and change it from time to time. WordPress.com and Blogger should do the rest.
That's all! You can now wait for the next post!
If you don't host on WordPress.com or Blogger.com, the rest of this post is going to talk about what you need to know to host your own domain with an internet hosting provider.
Depending on how much you love dealing with technical stuff, there are two broad approaches you can take:
- You can manage registering your domain yourself (e.g., crowsworldofanime.com), install the operating system, install WordPress, and manage the entire platform yourself using something like Amazon Web Services or Digital Ocean. This is fun and is the right approach if you have an interest in being a systems administrator or a developer.
- You can select an internet hosting provider and let them manage registering the domain name and keeping the operating system and technology running.
I’m going to assume you’re selecting the second option, because if you’re more interested in the first option, I doubt you’ll need my advice!
There are a number of things you should look for when selecting an internet hosting provider. Check their reputation to make sure they’re not a fly-by-night operation intent only on separating you from your money. You can do that by reading articles like this one from CNet. Or check with your fellow ani-bloggers by DM-ing them on Twitter or using their site's Contact Us form.
This is the look you're going for. Kirino has clearly checked with her friends and is now confident in her internet hosting provider! I think Kyousuke was hoping to steal -- and shut down -- her site! Capture from the Crunchyroll stream.
Once you select them, ask about the protocols they use to keep your domain name safe. Malicious actors love to sit in wait for your domain name to expire, then swoop in and register it for themselves. Once they have your domain, it’s tough to get it back, so your focus is to prevent it from falling into their hands in the first place.
I use an internet hosting provider named TigerTech. I registered my first domain (interstell.com) with them back in 1999. Yes, that’s almost 20 years ago! Their performance has been rock solid and their support has been amazing.
Despite my experience with them, I wanted to verify that they knew what they were doing with domain names. I have several registered with them, and it’s best to be safe! Here’s part of their response to me when I asked recently:
Sure, security is something we take very seriously as well. Unlike most companies, we've never published personal contact details in WHOIS records, so strangers can't use that to get any detailed information about you.
As far as the specific situation of somebody trying to steal a domain name, we have several protocols in place to prevent that:
The main thing is that it is impossible for anybody to make any type of changes to the contact or registration status without the account password. The passwords are all encrypted on our end, so it would be technically impossible for a staff member to give one out to a stranger regardless of the situation.
Of course if a stranger does have the password, that is more complicated because anybody who gets your passwords will have more access than normal and that is harder to protect against.
However, we still take several precautions even in that case:
Any time a piece of contact information is updated, we send a notice to the previous contact in case it was done maliciously. If the previous contact responds and says they didn't authorize it we will reverse it immediately. You'd also get an email notification if somebody attempted to start a transfer without changing the contact information. Transfers require multiple steps of approval as well.
Separate from that, we record specific times, network addresses, and geo locations of where contact and other changes are made from and have all outgoing transfers reviewed by several staff members before approving them. This is actually done at all stages of the transfer, so it is reviewed multiple times.
If the contact information has recently changed, password updated from a different location, or anything seems out of the ordinary we will have an extra review and where appropriate call the owner to get verbal confirmation of the transfer.
Though of course as you say, the reality is that 99.9% of these cases are people that just forget to renew the domain name because they ignored the email reminders or have bad contact information on file.
We're legally required to send an email to the administrative contact once every 6 months with the details we have on file and prompt them to update them if not correct, but many people ignore those too unfortunately.
TigerTech’s response basically laid out what’s known as industry best practices.
Did you see that they will send an e-mail to disclose any changes? That’s a key step, and it leads me to the next bit of advice:
When you register an e-mail address with your internet hosting provider, don’t use the address that’s associated with your site. If you do and the attacker manages to get control of your domain, you won’t receive any e-mail notification.
As trustworthy as your internet hosting provider is, you should set a reminder for yourself the morning after your domain is supposed to be renewed. Go to the WhoIs database and search for your domain name (e.g., crowsworldofanime.com). Make sure that the “Registry Expiry Date” is in the future! If it’s not, get in touch with your internet hosting provider immediately to fix the situation!
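The two checks described above (a contact e-mail on a different domain, and a “Registry Expiry Date” that is still in the future) can be scripted. This is an added example, not part of the original post or anything from TigerTech; the WHOIS text is a constructed sample, and the function names and the 30-day warning window are assumptions.

```python
import re
import socket
from datetime import datetime, timedelta, timezone

# Constructed sample of a registry WHOIS reply; the dates are made up.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Creation Date: 2015-02-01T18:30:00Z
   Registry Expiry Date: 2025-02-01T18:30:00Z
   Domain Status: clientTransferProhibited
"""

def fetch_whois(domain, server="whois.verisign-grs.com"):
    """Live lookup over plain WHOIS (TCP port 43). The default server is the
    .com/.net registry; other TLDs need their own registry's server."""
    with socket.create_connection((server, 43), timeout=10) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def expiry_date(whois_text):
    """Return the 'Registry Expiry Date' as an aware datetime, or None."""
    m = re.search(r"^\s*Registry Expiry Date:\s*(\S+)", whois_text, re.M | re.I)
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc) if m else None
    except ValueError:  # field present but in a format we do not recognise
        return None

def audit(domain, contact_email, whois_text, now, warn_days=30):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    expires = expiry_date(whois_text)
    if expires is None:
        problems.append("expiry-unknown")   # look it up by hand
    elif expires <= now:
        problems.append("expired")          # contact the provider now
    elif expires - now <= timedelta(days=warn_days):
        problems.append("expires-soon")
    mail_domain = contact_email.rsplit("@", 1)[-1].lower()
    if mail_domain == domain.lower() or mail_domain.endswith("." + domain.lower()):
        problems.append("contact-email-on-same-domain")
    return problems

if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    print(audit("example.com", "owner@example.com", SAMPLE_WHOIS, today))
```

To run it against your own .com domain, pass the output of `fetch_whois()` as `whois_text` and schedule the script for the morning after your renewal date.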
If you know your site is already a target, you might want to register look-alike domains so the attackers don't try to mimic you without actually taking over your site. For example, I might buy the domain crowswor1dofanime.com. However, generally speaking, protecting your domain name is your best bet.
- Select a reputable internet hosting provider
- Verify your candidate internet hosting provider knows how to keep your domain name safe
- Register the site with an e-mail address that’s part of a different domain so that an attacker would have to compromise both domains to silently change your domain settings
- Set a reminder to check WhoIs to make sure your internet hosting provider renewed your domain as expected
As you can see from the checklist, making sure your foundation is secure isn’t really hard. It’s just a hassle! Don’t give in to the temptation to skip it. A little investment of time can prevent hours of fruitless work to reclaim a stolen domain. You’ve spent a ton of time building your online reputation. Spend just a little more to protect it!
Got some security tips of your own? Have suggestions to improve this article? Let me know in the comments! Security's a discussion -- the more we know, the better off we all are!