Pages

  • RSS
  • Twitter
  • Facebook

Wednesday, 18 April 2012

Privacy Precautions in Web Development - Part 1

Privacy has been a hot topic of late among the IT Industry and the general public. With privacy breaches in the corporate world gaining media attention, along with the recurring news stories revolving around privacy (or lack thereof) in social networks such as Facebook and Twitter, privacy issues have shaken up quite a stir across both professional and unprofessional circles. But what does all this have to do with Web Development? Most business data breaches of late come from either internal corrupt employees or hackers gaining unauthorized access to information through security holes, but there is another side to privacy that most seem to miss.

As strange as it sounds, there can be "legal privacy breaches" that can occur for a number of reasons. In the age of social networking, many of us inadvertently put enough information on the internet in scattered across various places to have our identity taken. While it may be illegal to actually make use of this information for malicious purposes, nothing is stopping people from gathering it and compiling it against your will. This is often overlooked when the inexperienced register a domain or setup a website for them or their business.

As a hypothetical example of my point, I will give you a scenario which I see very frequently. Let's say we have an individual and for our purposes, I'm going to call him "John Smith". John Smith runs his own small business from home and decides to make a website. He registers his own domain and fills in all the required information without a thought of privacy because, being a layperson, he doesn't know what it's used for.  Further down the track, he has a competitor who decides that he wants access to Johns private email address and hires someone to take care of this, but he only has the web address for Johns site.

So, what does our attacker do? A WHOIS lookup of course, which reveals Johns full name, address, email, phone number, etc. This is more than enough information to work with for an experienced attacker, it provides multiple attack vectors from social engineering, to further researching and even the possibility of a physical break-in on Johns house. Going down the 2nd avenue mentioned, our hypothetical attacker could then very easily locate most social networking accounts which, chances are, would contain a personal email address or further information leading to one, as well as miscellaneous data like names of pets, a date/place of birth, education and even close friends or family. This alone could allow any attacker to answer most security questions on an email account and gain access.

This is only one very simple example of how regular people can allow security breaches accidentally, sadly there are infinite possibilities when it comes to this kind of attack so I can't list every avenue or vector. How abstract an attack is comes down to the creativity and perseverance of an attacker. There is no simple solution to online privacy problems, but the possibility of an attack like this can be decreased substantially with understanding and a layered approach to privacy.

For this post, I will only be looking at the domain, but I will follow it up in posts to come. WHOIS data is very easy to retrieve and is indexed by an extremely large number of websites and databases. One of the safest ways to register a domain is "By-Proxy". A proxy is basically a go-between which hides your information from the outside world, the term is also used in other areas of computing and even other industries altogether. In the case of Go Daddy's service, the WHOIS information is replaced with something such as:

Registrant:
   Domains By Proxy, LLC

   Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
   Domain Name: --Removed--

   Domain servers in listed order:
      NS67.DOMAINCONTROL.COM
      NS68.DOMAINCONTROL.COM


Obviously, your personal information could still be requested through a legal subpoena or similar, but it should stop most outside attackers, not accounting for social engineering attacks on your registrar. 

Another similar alternative which is also very effective is WhoisGuard. It does a similar thing, instead replacing all the contact fields with their own information and an anonymous email address that can be redirected to the owners email. A WhoisGuard record typically looks similar to this:

Registrant Contact:
   WhoisGuard
   WhoisGuard Protected ()
   
   Fax: 
   11400 W. Olympic Blvd. Suite 200
   Los Angeles, CA 90064
   US

Administrative Contact:
   WhoisGuard
   WhoisGuard Protected (@whoisguard.com)
   +1.6613102107
   Fax: +1.6613102107
   11400 W. Olympic Blvd. Suite 200
   Los Angeles, CA 90064
   US

Technical Contact:
   WhoisGuard
   WhoisGuard Protected (@whoisguard.com)
   +1.6613102107
   Fax: +1.6613102107
   11400 W. Olympic Blvd. Suite 200
   Los Angeles, CA 90064
   US

Both these options provide extra privacy and security for your websites WHOIS information. They are reasonably priced and WhoisGuard has free trials on some large registrars.

I hope that this post has helped enlighten you to a possible security risk that you could be preventing, and as I said earlier, I will be following up this post with further privacy advice at a later date.

9 comments:

Anonymous said...

Nice post man, you rock! Keep it up, your blog is my favorite to understand the tips and tricks of web designing!

----
web design dubai

Lillian Gregory said...

I am website designer in Perth and privacy precautions is one of my concerns. I want to add more privacy and I am searching for ways so I can do it for my websites. I think I will trhi WhoisGuard free trials first before buying any premium package from them.

Unknown said...

Great information. I agree with Lilian here. Belonging to a web design agency in perth means putting privacy issues at a priority when it comes to website designing.

Unknown said...

I’ve been doing website design Perth for almost five years and I agree with you that we should be aware of legal privacy breaches. I always bear in mind that there are many factors that can come up while developing a website.

Unknown said...

So in summary, you are saying that we should know the ins and out of the privacy when we have our company website, for instance www.perth-web-design.com.au done? Will a web designer tell us this?

Unknown said...

Well, it's great that I did go to good and reputable perth website designers. A company's privacy and security is the first and foremost thing on their mind in designing websites.

Unknown said...
This comment has been removed by the author.
Unknown said...

Stumbling unto your post, now its easy to understand what the staff from calgary web design company were talking about. Security is something that should be taken seriously.

David Huffman

Unknown said...

Continue posting about this topic because it's very interesting. Mine I started my blog with very basic.Thanks for the post.
Birmingham Alabama Web Design

Post a comment