As strange as it sounds, there can be "legal privacy breaches", and they can occur for a number of reasons. In the age of social networking, many of us inadvertently put enough information on the internet, scattered across various places, to have our identity taken. While it may be illegal to actually make use of this information for malicious purposes, nothing is stopping people from gathering it and compiling it against your will. This is often overlooked when the inexperienced register a domain or set up a website for themselves or their business.
As a hypothetical example of my point, I will give you a scenario which I see very frequently. Let's say we have an individual and, for our purposes, I'm going to call him "John Smith". John Smith runs his own small business from home and decides to make a website. He registers his own domain and fills in all the required information without a thought for privacy because, being a layperson, he doesn't know what it's used for. Further down the track, he has a competitor who decides that he wants access to John's private email address and hires someone to take care of this, but he only has the web address for John's site.
So, what does our attacker do? A WHOIS lookup, of course, which reveals John's full name, address, email, phone number, etc. This is more than enough information for an experienced attacker to work with. It provides multiple attack vectors, from social engineering, to further research, and even the possibility of a physical break-in at John's house. Going down the second avenue mentioned, our hypothetical attacker could then very easily locate most social networking accounts which, chances are, would contain a personal email address or further information leading to one, as well as miscellaneous data like names of pets, a date/place of birth, education and even close friends or family. This alone could allow any attacker to answer most security questions on an email account and gain access.
This is only one very simple example of how regular people can accidentally allow security breaches. Sadly, there are infinite possibilities when it comes to this kind of attack, so I can't list every avenue or vector. How abstract an attack is comes down to the creativity and perseverance of the attacker. There is no simple solution to online privacy problems, but the possibility of an attack like this can be decreased substantially with understanding and a layered approach to privacy.
For this post, I will only be looking at the domain, but I will follow it up in posts to come. WHOIS data is very easy to retrieve and is indexed by an extremely large number of websites and databases. One of the safest ways to register a domain is "By-Proxy". A proxy is basically a go-between which hides your information from the outside world; the term is also used in other areas of computing and even in other industries altogether. In the case of Go Daddy's service, the WHOIS information is replaced with something such as:
Registrant:
Domains By Proxy, LLC
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: --Removed--
Domain servers in listed order:
NS67.DOMAINCONTROL.COM
NS68.DOMAINCONTROL.COM
Obviously, your personal information could still be requested through a legal subpoena or similar, but it should stop most outside attackers, not accounting for social engineering attacks on your registrar.
Another similar alternative which is also very effective is WhoisGuard. It does a similar thing, replacing all the contact fields with its own information and an anonymous email address that can be redirected to the owner's email. A WhoisGuard record typically looks similar to this:
Registrant Contact:
WhoisGuard
WhoisGuard Protected ()
Fax:
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Administrative Contact:
WhoisGuard
WhoisGuard Protected (@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
Technical Contact:
WhoisGuard
WhoisGuard Protected (@whoisguard.com)
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064
US
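To check your own domain's record for the kind of exposure described above, the following added example (not part of the original post) audits WHOIS text contact block by contact block and reports any role that still publishes an email address or phone number. It assumes the legacy layout shown in the records above, with a blank line between contact blocks; the function names and the sample record are constructed for illustration.

```python
import re

# Privacy services named in the post; extend this tuple for other providers.
PROXY_MARKERS = ("domains by proxy", "whoisguard")
HEADER_RE = re.compile(r"^(registrant|administrative|technical)(?: contact)?:$", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d .()-]{7,}\d")

def split_contacts(whois_text):
    """Return {contact_role: [lines]}; a blank line closes the current block."""
    blocks, role = {}, None
    for raw in whois_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            role = header.group(1).lower()
            blocks[role] = []
        elif not line:
            role = None
        elif role:
            blocks[role].append(line)
    return blocks

def audit(whois_text):
    """Per contact block: is it behind a proxy, and what personal data shows?
    Proxied blocks carry the service's own details, so they report nothing."""
    report = {}
    for role, lines in split_contacts(whois_text).items():
        body = "\n".join(lines)
        proxied = any(marker in body.lower() for marker in PROXY_MARKERS)
        report[role] = {
            "proxied": proxied,
            "emails": [] if proxied else EMAIL_RE.findall(body),
            "phones": [] if proxied else PHONE_RE.findall(body),
        }
    return report

def exposed_roles(whois_text):
    """Contact roles that publish an email address or phone number."""
    return sorted(r for r, f in audit(whois_text).items() if f["emails"] or f["phones"])

# Constructed sample: registrant is proxied, technical contact was left public.
SAMPLE = """Registrant Contact:
WhoisGuard
WhoisGuard Protected (placeholder@whoisguard.com)

Technical Contact:
John Smith (john.smith@example.com)
+1.5555550100
"""
```

Pass the output of a WHOIS lookup for your own domain to `exposed_roles`; an empty list means every contact block it recognised is either proxied or free of email addresses and phone numbers.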
I hope that this post has helped enlighten you to a possible security risk that you could be preventing, and as I said earlier, I will be following up this post with further privacy advice at a later date.
9 comments:
I am a website designer in Perth and privacy precautions are one of my concerns. I want to add more privacy and I am searching for ways so I can do it for my websites. I think I will try WhoisGuard free trials first before buying any premium package from them.
Great information. I agree with Lilian here. Belonging to a web design agency in perth means putting privacy issues at a priority when it comes to website designing.
I’ve been doing website design Perth for almost five years and I agree with you that we should be aware of legal privacy breaches. I always bear in mind that there are many factors that can come up while developing a website.
So in summary, you are saying that we should know the ins and outs of privacy when we have our company website, for instance www.perth-web-design.com.au, done? Will a web designer tell us this?
Well, it's great that I did go to good and reputable perth website designers. A company's privacy and security is the first and foremost thing on their mind in designing websites.
Stumbling upon your post, now it's easy to understand what the staff from calgary web design company were talking about. Security is something that should be taken seriously.
David Huffman
Continue posting about this topic because it's very interesting. Mine I started my blog with very basic. Thanks for the post.
Birmingham Alabama Web Design