Ani-Blogging Safety Tips: Keep Your Domain Name Safe!

November 23, 2018

Introduction

Some of you might know that during the day, I’m a computer security professional. So I’m always scouring the internet for the latest in malicious actor attacks (that is to say, attacks from people who want to steal your stuff), like this article from Krebs on Security.

That got me to thinking. Are we doing enough to protect our anime blogs from attackers? I’m not sure we are, so as an ani-blogger myself, I figured I'd share what I've learned about blog safety over the years -- both as a software developer and as a blogger. This is the first in a series of public service posts to the ani-blogging community. Once the series is done, you should know most of what you need to begin protecting yourself.

Wait -- you mean I’m not going to claim to give you everything you need?

Nope. That’s the nature of security. The best I can do is give you a good idea of what the dangers look like (that’s the threat landscape) and give you an idea of what you’ll need in your toolset. I'll prepare you to be safety minded in a dangerous environment. In the immortal words of Mad Eye Moody, you need to practice “Constant vigilance!”

Read on to see if you’ve got the bases covered!

No One Wants to Steal My Blog!

Oh, yes, they do!

Once upon a time, part of me wondered who in the world would want to steal my anime site? I mean, it’s not like I have the reach of ESPN!

The answer is that crime syndicates worldwide are constantly watching for sites to take over. And they're skilled and highly automated, too. They know how to monetize even small sites, as the Krebs on Security article illustrates. If you have a site, they want it. It’s as simple as that.

Not convinced you need to protect your domain name? What if you hate Sword Art Online Alicization -- and the attacker starts posting posts gushing about how amazing it is? Or worse -- what if the attacker starts posting crazy claims that Shino Asada wasn't best SAO girl? Now, that'd be criminal! Capture from the Crunchyroll stream.

The Foundation: Domain Name

If you host with a blog service platform like WordPress.com or Blogger.com, guess what? You get a short version of this post, which is:

Make sure you have a reasonably complex password to WordPress.com or Blogger, and change it from time to time. WordPress.com and Blogger should do the rest. 

That's all! You can now wait for the next post!

If you don't host on WordPress.com or Blogger.com, the rest of this post is going to talk about what you need to know to host your own domain with an internet hosting provider.

Depending on how much you love dealing with technical stuff, there are two broad approaches you can take:

  1. You can manage registering your domain yourself (e.g., crowsworldofanime.com), install the operating system, install WordPress, and manage the entire platform yourself using something like Amazon Web Services or Digital Ocean. This is fun and is the right approach if you have an interest in being a systems administrator or a developer.
  2. You can select an internet hosting provider and let them manage registering the domain name and keeping the operating system and technology running.

I’m going to assume you’re selecting the second option, because if you’re more interested in the first option, I doubt you’ll need my advice!

There are a number of things you should look for when selecting an internet hosting provider. Check their reputation to make sure they’re not a fly-by-night operation intent only on separating you from your money. You can do that by reading articles like this one from CNet. Or check with your fellow ani-bloggers by DM-ing them on Twitter or using their site's Contact Us form.

This is the look you're going for. Kirino has clearly checked with her friends and is now confident in her internet hosting provider! I think Kyousuke was hoping to steal -- and shut down -- her site! Capture from the Crunchyroll stream.

Once you select them, ask about the protocols they use to keep your domain name safe. Malicious actors love to sit in wait for your domain name to expire, then swoop in and register it for themselves. Once they have your domain, it’s tough to get it back, so your focus is to prevent it from falling into their hands in the first place.

I use an internet hosting provider named TigerTech. I registered my first domain (interstell.com) with them back in 1999. Yes, that’s almost 20 years ago! Their performance has been rock solid and their support has been amazing.

Despite my experience with them, I wanted to verify that they knew what they were doing with domain names. I have several registered with them, and it’s best to be safe! Here’s part of their response to me when I asked recently:

Sure, security is something we take very seriously as well. Unlike most companies, we've never published personal contact details in WHOIS records, so strangers can't use that to get any detailed information about you.
As far as the specific situation of somebody trying to steal a domain name, we have several protocols in place to prevent that:
The main thing is that it is impossible for anybody to make any type of changes to the contact or registration status without the account password. The passwords are all encrypted on our end, so it would be technically impossible for a staff member to give one out to a stranger regardless of the situation.
Of course if a stranger does have the password, that is more complicated because anybody who gets your passwords will have more access than normal and that is harder to protect against. 
However, we still take several precautions even in that case:
Any time a piece of contact information is updated, we send a notice to the previous contact in case it was done maliciously. If the previous contact responds and says they didn't authorize it we will reverse it immediately. You'd also get an email notification if somebody attempted to start a transfer without changing the contact information. Transfers require multiple steps of approval as well.
Separate from that, we record specific times, network addresses, and geo locations of where contact and other changes are made from and have all outgoing transfers reviewed by several staff members before approving them. This is actually done at all stages of the transfer, so it is reviewed multiple times.
If the contact information has recently changed, password updated from a different location, or anything seems out of the ordinary we will have an extra review and where appropriate call the owner to get verbal confirmation of the transfer.
Though of course as you say, the reality is that 99.9% of these cases are people that just forget to renew the domain name because they ignored the email reminders or have bad contact information on file. 
We're legally required to send an email to the administrative contact once every 6 months with the details we have on file and prompt them to update them if not correct, but many people ignore those too unfortunately.

TigerTech’s response basically laid out what’s known as industry best practices.

Did you see that they will send an e-mail to disclose any changes? That’s a key step, and it leads me to the next bit of advice:

When you register an e-mail address with your internet hosting provider, don’t use the address that’s associated with your site. If you do and the attacker manages to get control of your domain, you won’t receive any e-mail notification.

You don't need to have Tsugumi's hacking skills to keep your domain name safe! Just follow four simple steps! Capture from the Funimation stream.

As trustworthy as your internet hosting provider is, you should set a reminder for yourself the morning after your domain is supposed to be renewed. Go to the WhoIs database and search for your domain name (e.g., crowsworldofanime.com). Make sure that the “Registry Expiry Date” is in the future! If it’s not, get in touch with your internet hosting provider immediately to fix the situation!
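The renewal check described above can also be scripted. This is an added example, not something from the original post or from TigerTech: it pulls the "Registry Expiry Date" line out of a WHOIS reply and flags a domain that has expired or is close to expiring. The sample reply is constructed, the function names are my own, and `whois.verisign-grs.com` is assumed as the server because it is the registry WHOIS server for .com and .net names.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample reply in the registry WHOIS layout (all values made up).
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Updated Date: 2018-11-20T08:15:02Z
   Creation Date: 2012-11-22T17:40:11Z
   Registry Expiry Date: 2019-11-22T17:40:11Z
   Domain Status: clientTransferProhibited
"""
EXPIRY_RE = re.compile(r"^\s*Registry Expiry Date:\s*(\S+)\s*$", re.I | re.M)

def fetch_whois(domain, server="whois.verisign-grs.com", timeout=10):
    """Live lookup over WHOIS (TCP port 43). Default server covers .com/.net."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        return sock.makefile("rb").read().decode("utf-8", errors="replace")

def expiry_date(whois_text):
    """Return the Registry Expiry Date as a UTC datetime, or None if unusable."""
    match = EXPIRY_RE.search(whois_text)
    if not match:
        return None
    try:
        # Assumes the YYYY-MM-DDTHH:MM:SSZ form shown in the sample above.
        stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return stamp.replace(tzinfo=timezone.utc)

def renewal_status(whois_text, now=None, warn_days=30):
    """Classify a reply as 'ok', 'expiring-soon', 'expired' or 'unknown'."""
    now = now or datetime.now(timezone.utc)
    expires = expiry_date(whois_text)
    if expires is None:
        return "unknown"  # no usable expiry field: check by hand, don't assume safe
    if expires <= now:
        return "expired"
    return "expiring-soon" if (expires - now).days < warn_days else "ok"

if __name__ == "__main__":
    # Swap SAMPLE_WHOIS for fetch_whois("yourdomain.com") to check a real domain.
    day_of_post = datetime(2018, 11, 23, tzinfo=timezone.utc)
    print(renewal_status(SAMPLE_WHOIS, now=day_of_post))
```

Run it from a scheduled job the morning after your renewal date, and treat anything other than "ok" as a reason to contact your hosting provider.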

If you know your site is already a target, you might want to register look-alike domains so the attackers don't try to mimic you without actually taking over your site. For example, I might buy the domain crowswor1dofanime.com. However, generally speaking, protecting your domain name is your best bet.

Fundamentals Checklist

  1. Select a reputable internet hosting provider
  2. Verify your candidate internet hosting provider knows how to keep your domain name safe
  3. Register the site with an e-mail address that’s part of a different domain so that an attacker would have to compromise both domains to silently change your domain settings
  4. Set a reminder to check WhoIs to make sure your internet hosting provider renewed your domain as expected

Summary

As you can see from the checklist, making sure your foundation is secure isn’t really hard. It’s just a hassle! Don’t give in to the temptation to skip it. A little investment of time can prevent hours of fruitless work to reclaim a stolen domain. You’ve spent a ton of time building your online reputation. Spend just a little more to protect it!

Got some security tips of your own? Have suggestions to improve this article? Let me know in the comments! Security's a discussion -- the more we know, the better off we all are!

  • Good article. When I picked my host, my three main concerns were the overall cost, the level of security offered, and the quality of support I had when discussing things with them. I’ve been quite happy as they’ve helped relatively quickly whenever I’ve had issues.

    • tcrow says:

      I’m glad to hear you’ve found a provider that gives you good support! I’ve enjoyed that kind of support with TigerTech, and it’s hard to quantify the positive impact that has on one’s site, isn’t it?

  • chikorita157 says:

    Most of it is common sense such as passwords and using a reputable host/registrar. I have been running my blog for almost 10 years; it started off from free hosting for the first two years, then 1 year of paid shared hosting before I moved everything to an unmanaged virtual private server. I have used BuyVM/Frantech since 2013, and for the most part it is very reliable and affordable compared to AWS and Digital Ocean. The VPS route isn’t for the faint of heart for someone who doesn’t have much IT experience.

    That said, one should consider using private registration to hide the whois details, as one can look up the domain information and get the person’s address to possibly do a social engineering attack. Some domain registrars provide private registration for free. Also, not mentioned in this article is of course backing up your blog. I witness some bloggers forgetting to back up their website just to find out that they got hacked or the server crashed and lost everything. Some host providers, especially shared hosting, provide their functionality in CPanel, but for virtual private servers, this can be automated.

    • tcrow says:

      “Most of it is common sense such as passwords and using a reputable host/registrar.”

      While I personally agree with you, I’ve come to understand that what seems like common sense to me, as first an operating system support engineer, then a software developer, and now a security practitioner, is foreign to a significant percentage of the population. Some very bright people have never been exposed to the ideas that would drive common sense, so I figured I might be able to help with this series!

      “The VPS route isn’t for the faint of heart for someone who doesn’t have much IT experience.”

      Very true! But it gives you a _ton_ of insight into what works, what doesn’t work, and why!

      “That said, one should consider using private registration to hide the whois details, as one can look up the domain information and get the person’s address to possibly do a social engineering attack.”

      That’s a great point, and one in hindsight I should have included. The solution provider I mentioned, TigerTech, took care of that for me, and they do exactly as you said they should. Thanks for mentioning it — you’ve filled in a gap in my original post!

      “Also, not mentioned in this article is of course backing up your blog.”

      You are absolutely right! I’m going to cover that in a future post or two. Or three. It depends on how the next one turns out.

      Thanks for sharing your experience!
