Monday, 24 November 2008

The Somali pirates of the web

In the waters off Somalia there are pirates who specialise in seizing oil tankers and merchant ships and then extorting huge ransoms.
The online world has its pirates too; makeuseof.com, which I wrote about earlier, is one example. In this post the site owner goes on to say that he was not the only victim: at least two other sites were extorted in the same way, and it is believed to be the work of the same person.
How it happened:
1. All of the victims used a Gmail address as the Registrant contact email for their domains.
2. The intruder appears to have used some Gmail weakness (nobody yet knows which) to get into the victims' Gmail accounts and set up some very "poisonous" filter rules, for example automatically forwarding any mail from the registrar to the intruder's own email address. The screenshot below is from one of the victims:

3. The intruder then went to the registrar, used "Forgot password" to take over the account and change its details, and straight away transferred the domain to an account at another registrar.
4. Then demanded money.
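The attack turns on step 2: a filter that quietly diverts or buries the registrar's mail, so the password-reset and transfer-approval messages in step 3 never reach the owner. The check a practitioner would want is an audit of every filter in the account for exactly that behaviour. The script below is an added example, not code from this post or from makeuseof.com. It assumes the input is the Atom/XML file Gmail produces when you export your filters (the apps:property elements in the http://schemas.google.com/apps/2006 namespace); the sample document and the addresses in it are constructed for this example.

```python
"""Audit an exported Gmail filter list for "poisonous" rules: filters that
forward mail elsewhere, or that silently archive / trash / mark-as-read mail
whose criteria mention a registrar, domain, transfer or password.

Added example, not the post's own code. Assumption: input is Gmail's
filter-export XML (Atom feed, apps:property elements); sample is constructed.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample: one benign filter, one filter of the kind an intruder
# would plant (registrar mail forwarded, archived and marked read), and one
# that trashes anything mentioning a domain transfer.
SAMPLE_FILTERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <title>Mail Filters</title>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example.org"/>
    <apps:property name="label" value="Newsletters"/>
  </entry>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="from" value="support@example-registrar.com"/>
    <apps:property name="forwardTo" value="someone@example.net"/>
    <apps:property name="shouldArchive" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
  </entry>
  <entry>
    <category term="filter"/>
    <title>Mail Filter</title>
    <apps:property name="hasTheWord" value="domain transfer"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
</feed>
"""

# Actions that keep a message out of sight in the inbox.
HIDING_ACTIONS = ("shouldArchive", "shouldMarkAsRead", "shouldTrash")
# Words an attacker targets so that account-recovery mail never reaches you.
SENSITIVE_TERMS = ("registrar", "domain", "transfer", "password", "whois")
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord")


def parse_filters(xml_text):
    """Return one dict per filter entry, mapping property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(xml_text, trusted_forward_domains=()):
    """Return a list of (filter_index, reason) findings for suspicious filters."""
    findings = []
    for i, props in enumerate(parse_filters(xml_text)):
        target = props.get("forwardTo")
        if target:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in trusted_forward_domains:
                findings.append((i, f"forwards mail to {target}"))
        criteria = " ".join(props.get(k, "") for k in CRITERIA_KEYS).lower()
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hiding and any(term in criteria for term in SENSITIVE_TERMS):
            findings.append((i, f"hides ({', '.join(hiding)}) mail matching '{criteria.strip()}'"))
    return findings


if __name__ == "__main__":
    for index, reason in audit_filters(SAMPLE_FILTERS_XML):
        print(f"filter #{index}: {reason}")
```

Run it against your own export rather than the sample; any forward to a domain you do not control, or any rule that archives or trashes mail about your domains, deserves the same attention the victims' screenshot would have.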


In the post mentioned above there is a comment with some very useful tips; anyone who uses Gmail as their registrar contact address should take a look:

Comment by Brandon Blaylock Subscribed to comments via email
2008-11-22 05:42:05

Here are some very easy ways to ensure the security of your domain.

1. Set your whois email contacts to an administrative email account. Set a very long and complex password on the account and have all email forwarded to your daily use account. Since you do not log into the account and it has a very long and obfuscated password it makes it much more difficult to break into. Also set very random security questions, as sometimes your security questions can be very simple to break. Since the email address listed in the whois database is publicly available it is the prime target for anyone attempting to steal a domain, this practice adds a layer of security, much like root privileges in a linux environment.

2. Get privacy on your domain. Privacy masks your whois contact information. The less information someone has on your domain, the more difficult it becomes for them to gain control of it. Also be aware that there are services that keep a history of whois information, so this is not a foolproof method of privacy since the information is probably still out there.

3. Keep your registrar (GoDaddy, Moniker, etc.) email address different than your whois email address. This makes it more difficult for someone to gain direct access to your domains since your account email will not be publicly available.

4. If you are really concerned, pay for a service like Protected Registration at GoDaddy. This service locks down a domain irrevocably. In fact, it makes it almost impossible to transfer even if it’s you that wants to do the transferring.

5. Keep alerting on. Most registrars have account options that will send you an email if any registrant information is changed or a domain is unlocked. Make sure it’s turned ON!

6. Call the experts! I have all my domains at GoDaddy and I use Google Apps on over 40 domains. If I need to know something about my account I call the free support and ask them.
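Several of the points in that comment (tips 1, 3, 4 and 5) can be verified from the outside by reading the domain's whois record: whether the transfer and update locks are set, whether the public contact is behind a privacy service, and whether the contact address is the same mailbox you log into every day. The script below is an added example, not the commenter's or the post's own code, and it is not tied to any registrar's tooling. It assumes plain-text whois output in the common "Key: Value" layout with EPP status codes on "Domain Status:" lines; the record and the addresses in it are constructed for this example.

```python
"""Check a whois record for the protections the comment recommends:
transfer/update locks, a privacy-masked contact, and a contact address that
is not the daily-use mailbox.

Added example, not the post's own code. Assumption: plain-text whois output
in "Key: Value" layout with EPP status codes; the sample record is constructed.
"""
import re

# Constructed sample record; the status line with a URL suffix mirrors the
# "code https://icann.org/epp#code" form many registrars print.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SITE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2008-11-20T10:15:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant Email: webmaster@example.com
Admin Email: webmaster@example.com
"""

LOCKS = ("clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited")
CONTACT_KEYS = ("registrant email", "admin email", "tech email")
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "protect")

_KV = re.compile(r"\s*([A-Za-z][A-Za-z /-]*?):\s*(.*\S)\s*$")


def parse_whois(text):
    """Map lower-cased key -> list of values (keys such as Domain Status repeat)."""
    record = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            record.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return record


def missing_locks(text):
    """Return the EPP client locks that are NOT present on the domain."""
    statuses = {s.split()[0] for s in parse_whois(text).get("domain status", [])}
    return [lock for lock in LOCKS if lock not in statuses]


def check_domain(text, login_email):
    """Return named checks -> bool; True means the record satisfies the tip."""
    rec = parse_whois(text)
    statuses = {s.split()[0] for s in rec.get("domain status", [])}
    contacts = [e.lower() for k in CONTACT_KEYS for e in rec.get(k, [])]
    return {
        "transfer_locked": "clientTransferProhibited" in statuses,
        "update_locked": "clientUpdateProhibited" in statuses,
        # tip 1/3: the public contact must not be the mailbox you log into daily
        "contact_not_login_email": login_email.lower() not in contacts,
        # tip 2: a privacy/proxy service replaces the real contact address
        "privacy_on": any(p in e for e in contacts for p in PRIVACY_MARKERS),
    }


if __name__ == "__main__":
    for name, ok in check_domain(SAMPLE_WHOIS, "webmaster@example.com").items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
    print("missing locks:", missing_locks(SAMPLE_WHOIS))
```

In the constructed record the locks are set but the registrant address is the same one used to log in and no privacy service is in front of it, which is precisely the exposure the post's victims had. A domain whose whois shows neither clientTransferProhibited nor clientUpdateProhibited is one "Forgot password" away from the scenario in step 3 above, and tip 5 (registrar alerting) is how you learn that a lock has been removed.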

1 Comment:

Ben Lau said...

I think the so-called Security Question is itself the biggest security problem; every time I just bash random keys on the keyboard for it.

But once, on some Japanese site, I don't know what I typed, but I couldn't log in and had to answer the Security Question, and that account was written off as a result.