How to Protect Your Domains and Other Sensitive Data

Do you have one domain? Do you have multiple domains? Are you a casual domainer, domain investor, major company brand strategist, or blogger? Security for domains in all these positions and quantities is not a luxury.

This series will cover the basics of protecting your domains by identifying the 3 main categories of attacks and how to properly thwart them with a fundamental strategy: strong account information, secure communication, and a safe connection. The beauty of this advice is that it can extend beyond domains and apply to your other sensitive digital assets.

  1. Strong Account Information – If one piece of sensitive information is revealed, it’s very easy for attackers to access other sensitive areas with that information. For all intents and purposes, people believe the entity supplying the information is you and are willing to share information with it. Sensitive info yields sensitive info. These attacks are known as phishing, brute force attempts, and plain bold social engineering, and they work by using something as common as your birthday, an easy password, or your mother’s maiden name. Avoid these attempts with random, long information that’s routinely changed and by enabling 2-step verification wherever possible.
  2. Secure Communication – A popular strategy is intercepting information, parsing archived information, or posing as you by accessing your communication methods: primarily email, but sometimes simply texts and phone calls. These are a bit more complex to protect.
  3. Safe Connection – Another common way of gaining access to sensitive areas is via unsafe network connections. The easiest way to circumvent this is to avoid public WiFi and regularly update your antivirus, malware checkers, and OS.

If properly implemented, these protective measures will drastically lower the chances of a successful malicious cyber attack. Remember this isn’t an all-inclusive list, but it does touch on the most basic heavy-hitters.

The most frequent types of attacks can be broken down into three categories:

  1. Unsecured Connection
  2. Phishing, Guessing, and Plain Bold Social Engineering (part II)
  3. Incognito Malicious Applications (part III)

We’re going to outline the different types of unsecured connection vulnerabilities and how to resolve them in this article.

Unsecured Connection Attacks and How to Prevent Them

  1. Public WiFi Hotspots – Open networks like those at a coffee shop or food court are generally unencrypted and leave the user open to attacks that novices can pull off. It’s extremely tempting to back-order a domain at the last minute at Starbucks or check on some recent DNS changes at your registrar while eating in a public food court, but you should be on high-alert in these areas and basically assume that anyone can see the information you’re sending out or viewing. On these networks, it is extremely easy to clearly see unencrypted traffic for anyone using it, including what you’re typing into web forms. Even a list of which encrypted sites you’re accessing can be seen.
    The tools for hackers to exploit public WiFi are vast, free, and widely available, and common WEP and WPA network encryptions might not protect you (WPA2 is more secure). There are countless YouTube videos and websites that illustrate how to access paid hot-spots in about 30 seconds. This article even shows you screenshots of what they quickly captured with a simple attempt. This security entrepreneur was able to easily reroute dozens of WiFi connections to his own private network while in a crowded hotel during Austin’s SXSW festival. Even if you don’t access sites directly related to your domains, your email is heavily susceptible to those looking to impersonate you and scam the people in your contact list. This goes for home WiFi as well if you don’t properly encrypt your connection with a strong password.

    • Encrypted https Connection – Only access sites using https level encryption and make sure it’s intact for your entire session.
    • Cloud Storage – Every online storage site makes our lives exponentially easier, allowing us to access data when we need it without having to store all of it locally. Be mindful of the dangers of storing sensitive information on these servers. You should be cautious even when storing encrypted information in the cloud and avoid storing extremely sensitive information like passwords. And please, for your sake, don’t store all your domains’ authorization codes in a single non-password-protected text file and leave your domain lock off. It’s tempting for ease of access if you have a Frank Schilling quantity of domains (if that’s possible) at various registrars, but the risk outweighs the gain.
    • VPN – By far the most secure way of accessing the internet is using your own virtual private network. Not all of us have this luxury, but it’s somewhat simple to set up if you’re technologically savvy.
    • FTP – Never use unsecured services, such as transferring sensitive files over an FTP server, in a public place.
    • Firewalls, Antivirus, and Sharing – Make sure all of your firewalls and antivirus software are turned on and sharing services (screen sharing and autonomous cloud storage software included) are turned off before connecting. Most computers will ask you how they should classify the network location when you connect to it. Always choose the equivalent of a public network.
    • WiFi Spoofing – Be on the lookout for entirely fake ad-hoc WiFi hot-spots that are set up just to collect your information. This is more commonly known as a honeypot. If you’re at Starbucks and you see more than one connection, it’s best to ask one of the employees which one is designated for customers. Surprisingly, hackers are even getting as creative as creating spoofed WiFi connections on mobile flying drones to steal your information and then fly away with it.
    • Mobile Apps – Most people passively believe apps are impervious to public WiFi, but they’re incorrect. The most dangerous part is that these apps don’t usually readily display if the connection is at least secure through https. If you’re using your mobile device’s apps to access your registrar or other sensitive areas, it’s best to just use your phone carrier’s data connection and disable your WiFi.
    • Disable Mobile WiFi – It’s best to disable your mobile’s WiFi connection when you’re not at home and you’re not using it, especially when travelling. Not only does this save battery, but it prevents your mobile device from pinging and trying to connect to every unknown network it comes across.
    • Log Out of Accounts – When you’re done accessing your registrar or hosting provider, remember to log out. It’s possible for advanced hackers to pose as you and hijack your session.
  2. Outdated OS – Software that has not been continually upgraded over the years leaves you open to hackers exploring complicated but large security holes. A recent Windows HTTP vulnerability could leave you open to attacks on any website you visit unless it’s patched.
    • Automatic Update – This is, by far, the easiest method for protection. Make sure automatic update is enabled for your computer, you actually regularly restart and install these updates, and you’re at least running Windows 7 if on PC. And no, switching to a Mac will not solve these problems. Apple has experienced their own wealth of problems in the past and their most recent security flaw last year went unnoticed for 18 months until a Google https engineer exposed it.
  3. Public Proxies and Tor – There’s a plethora of reasons why you shouldn’t use these when accessing sensitive data. Unless you’re highly technologically savvy, it’s best and easiest to just avoid using these altogether.
  4. Heartbleed – In 2014 we all experienced one of the largest security vulnerabilities in recent years through the OpenSSL cryptographic library that allowed hackers to access memory on data servers. The most alarming part of this story was being helpless while the affected websites had to fix the problem themselves.
    • Check Your Registrar – It’s been quite some time since the panic from Heartbleed, but it’s possible you missed one small outdated website that’s severely behind on updating its site and has sensitive data of yours on its server or houses your domains. LastPass’s Heartbleed Checker does a great job of identifying if the site used SSL, securely updated it, and if you should change your password to be safe.
    • Annual Password Change – After the largest and most common sites that used SSL fixed the gaping errors in security, they recommended that you change your passwords because it’s plausible that, if the site was affected, someone could easily have your password. If you didn’t change all your passwords last year, this might be a good time to start. It’s even good practice to routinely change your passwords once or twice a year for each of your accounts in case one was recently compromised without your knowledge.
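
An added example, not part of the original article: a short Python audit for the “domain lock” advice in the Cloud Storage bullet above. It reads RDAP domain records and reports which domains are missing the registrar transfer, update, or delete locks. The sample records and domain names are constructed, and fetching live RDAP data is left out so the script runs offline.

```python
import json

# RDAP status values (the RFC 8056 mapping of the EPP client*Prohibited codes).
TRANSFER_LOCK = "client transfer prohibited"
RECOMMENDED = {TRANSFER_LOCK, "client update prohibited", "client delete prohibited"}

# Constructed RDAP domain responses, trimmed to the fields used here.
SAMPLE_RDAP = [
    '{"objectClassName": "domain", "ldhName": "locked-example.com",'
    ' "status": ["client transfer prohibited", "client update prohibited",'
    ' "client delete prohibited"]}',
    '{"objectClassName": "domain", "ldhName": "partial-example.net",'
    ' "status": ["client transfer prohibited"]}',
    '{"objectClassName": "domain", "ldhName": "unlocked-example.org",'
    ' "status": ["active"]}',
    '{"objectClassName": "domain", "ldhName": "nostatus-example.io"}',
]


def audit_domain(rdap_json: str) -> dict:
    """Return the lock posture for one RDAP domain object."""
    obj = json.loads(rdap_json)
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    # Normalise case and whitespace; a missing status array means no locks.
    statuses = {s.strip().lower() for s in obj.get("status", [])}
    return {
        "domain": obj.get("ldhName", "<unknown>").lower(),
        "transfer_locked": TRANSFER_LOCK in statuses,
        "missing_locks": sorted(RECOMMENDED - statuses),
    }


def audit_portfolio(records):
    """Audit every record and list domains without a transfer lock first."""
    results = [audit_domain(r) for r in records]
    return sorted(results, key=lambda r: (r["transfer_locked"], r["domain"]))


if __name__ == "__main__":
    for r in audit_portfolio(SAMPLE_RDAP):
        flag = "WARN" if r["missing_locks"] else "OK  "
        print(flag, r["domain"], "missing:", ", ".join(r["missing_locks"]) or "-")
```
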

It goes without saying that even the dumbest criminals can perform some of these activities. If you assume you’re immune because you’ve never been the victim of an attack, you should know that smart criminals participate in black market activities where they buy, sell, and trade information to be used at a later date making it impossible to track the leak’s origin and when it will appear.

Your social status as a high profile entity or private individual will ultimately determine the brute force quantity and complexity of attacks you’ll undergo. In the end, we’re all still targets and it pays to take the simple precautions that require very little time. Don’t be paranoid, be safe. Most of these methods only need to be set up once, and changing only your most important passwords annually will take 15 min. Would you rather spend 15 hours over your total life performing some boring protection routine for your assets or spend stressful months trying to rectify errors and attacks as they come in? Think long term and have a strategy.

Look out for part II of this series next week covering phishing, guessing, and plain bold social engineering attacks.

4 comments

  • Ian Ingram May 27, 2015, 6:13 pm

    Lots of great info here. 🙂

    Another nice protective measure regarding domain security is an account manager that needs to call and verify a pin number prior to moving any domains out.

    GoDaddy’s DTVS (Domain Transfer Validation Service) has been great although some may not qualify as I believe it is only for executive accounts.

  • Edward Zeiden May 27, 2015, 7:00 pm

    Thanks, Ian!

    Great suggestion and you’re spot on. This one will actually be included in my next article when I reference last year’s Twitter handle @N ransom attack.

  • hafgram October 21, 2018, 4:04 am

    Actually when someone doesn’t be aware of then it’s up to other people
    that they will help, so here it happens.

  • TheBlackLake October 23, 2018, 6:05 am

    Probably the best material on cysec I’ve read in a while, I just want to add my opinion about a new VPN called Surfshark that I came upon. Since some of the bigger names got involved in various scandals (proven or not) I decided to look for a new reliable provider and came upon an article on medium that promoted Surfshark. I tried it out, at first was a bit disappointed by the limited number of servers, but the speed was good, connecting to a server takes little time as well. They have obfuscated servers, a kill switch and are based in the British Virgin Islands, which helps to back up the zero-logs claim. Over two months they’ve proven to be a decent service, maybe it will help some of you out. And thanks for a good read.
