Because from the sound of it, the unwillingness of the registrars (both of them) to take action here without being compelled to by a lawsuit is the root of the problem. The FBI's willingness to be helpful is nice, but doesn't solve the root problem, and as a law enforcement agency they can only really help in cases where they manage to "catch the criminal". And paying off the criminal just isn't an acceptable solution (although stopping the payment immediately is cool and all).
I would be willing to select a registrar on the basis of their policies, not their prices. Policies like this sort of dispute resolution and policies about how they handle DMCA notices or government subpoenas (and non-subpoenas), if only I knew which registrars had the best reputations for these things.
Gandi ONLY accepts support requests through their web form (no email, no phone), and generally ignores those or provides nonsense answers several days later.
As long as you never ever need any sort of support, Gandi is fine.
http://www.dnforum.com/f208/warning-privacy-whois-issues-fai...
Not saying a claim from anyone should cause a seizure, but the legitimate previous owner should be able to dispute it for a time period. Domains are stolen all the damn time.
So GoDaddy's refusal to help was ridiculous. At the very least, they could have frozen control of the site for a day or two while investigating.
One thing is certain though: most people I know have had issues with GoDaddy and avoid it like the plague.
Yes, absolutely this. I've searched through forums and read various reviews of various registrars and some say gandi is good, some name.com, some others, but at the end of the day nobody said "I've had this problem where my domain was stolen and this company was willing to help".
I'm also willing to pay more for good support when serious problems arise.
The company can only do so much, so make sure you do everything you can do as well to make your domains as secure as possible.
2 Factor Authentication and other security policies
But really, I'm a bit puzzled by her 5 "recommendations". Turn off your devices while you're not using them? I feel like the most important one is missing - don't use HostMonster or Godaddy, their representatives are not paid enough to care about the implications of you losing your domain name.
My guess is "turning off" relates to not leaving a device that is logged in and open available for someone at school/work/... to stop by and mess with.
She ends up advising 2 factor authentication for email (an old email that was compromised is her guess on the cause of the problem). It is a good article. For advice it might be nice to put a TLDR of: "use 2 factor authentication."
So, if you like Harry Potter and Enders Game, what are the phrases that come to mind?
Harry Potter - expelliarmus
Enders Game - win all the future fights
Now you have a great password: "winallthefuturefightsexpelliarmus" Nice and long (33 chars), with some made up stuff. Maybe tack some numbers on the end. Why not "Win all the future fights expelliarmus"? Passwords that don't accept spaces are pretty rare, and you end up with a longer password 'for free'.
There are (very) roughly 2^17 words in the dictionary, so if you pick 4 there are 2^68 possibilities, or 2.95e20.
There are 94 printable characters on a US keyboard. This means that an 11-character "hard to remember" password has over 16 times as many (~2^72, 5.06e21) combinations as a four-word xkcd style password.
But again, we are comparing two different types of attacks. I don't even know how feasible a 4-word dictionary attack is, or whether it's actually used "in the wild". Still interesting to think about.
The reality is that people have trouble remembering 11 truly random and unrelated things, so they try to simplify and group things - e.g. by taking a base word and changing the spelling, or adding numbers on. This is what leads to the easy to brute force passwords; the cracking techniques now cater for the most popular variations.
So again, while you may be right on paper, you can't compare a 4 word passphrase with a true 11 character random password; they are on completely different scales of difficulty to remember. If you're interested, take a look at how the xkcd comic constructs the difficulty of the two passwords, it is fairly realistic. For what it's worth, it considers only "common" words (top 1000 to 2000 most popular) from the dictionary, and the passphrase wins out even so. Throw in a word from another language, would be my suggestion.
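Putting the arithmetic from the two comments above into code, as an added example that is not part of any comment in this thread: the search space and entropy of a word-based passphrase versus a random character password. The dictionary size of 2^17, the 94 printable US-keyboard characters and the 2048-word "common words" vocabulary are the assumptions the thread and the xkcd comic use; the 10^9 guesses per second rate is an assumed figure for illustration only.

```python
import math

# Assumed parameters, taken from the discussion above:
DICTIONARY_SIZE = 2 ** 17      # "roughly 2^17 words in the dictionary"
PRINTABLE_CHARS = 94           # printable characters on a US keyboard
COMMON_WORDS = 2048            # assumed size of an xkcd-style "common words" list
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Exact number of secrets when each of `length` positions is drawn
    uniformly from `alphabet_size` symbols (words or characters)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: what an attacker who knows the scheme must search."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, vocabulary: int = DICTIONARY_SIZE) -> float:
    return entropy_bits(vocabulary, words)


def random_password_bits(length: int, alphabet: int = PRINTABLE_CHARS) -> float:
    return entropy_bits(alphabet, length)


def space_ratio(char_len: int, word_count: int,
                alphabet: int = PRINTABLE_CHARS, vocabulary: int = DICTIONARY_SIZE) -> float:
    """How many times larger the random-character space is than the passphrase space."""
    return search_space(alphabet, char_len) / search_space(vocabulary, word_count)


def words_needed(target_bits: float, vocabulary: int = DICTIONARY_SIZE) -> int:
    """Fewest words from `vocabulary` giving at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(vocabulary))


def chars_needed(target_bits: float, alphabet: int = PRINTABLE_CHARS) -> int:
    """Fewest random characters from `alphabet` giving at least `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to try the whole space at the assumed rate (expected time is half this)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"4 dictionary words : {passphrase_bits(4):5.1f} bits")
    print(f"11 random chars    : {random_password_bits(11):5.1f} bits")
    print(f"ratio              : {space_ratio(11, 4):.1f}x")
    common = passphrase_bits(4, COMMON_WORDS)
    print(f"4 common words     : {common:5.1f} bits "
          f"(~{years_to_exhaust(common):.1e} years to exhaust at 1e9 guesses/s)")
    print(f"words to match 11 random chars: {words_needed(random_password_bits(11))}")
```

The last two lines are the caveat the thread circles around: four words from the full dictionary is close to eleven random characters, but four words from a 2048-word list is only 44 bits, which an offline attacker at a billion guesses per second exhausts in hours. The entropy comes from the size of the vocabulary the attacker must search, not from the character count of the result.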
> don't use HostMonster or Godaddy
http://internetshitlist.org is free for the taking :)
I've been using Hover a lot, but I'm not sure what their exposure is like.
Edit: Can only receive the text code on US-based numbers, but you can get one of those from something like Google Voice for free.
I have Network Solutions, KVC Hosting, and have tried 1and1, but all of them...from a security standpoint...are lackadaisical when it comes to security.
Network Solutions WANTS their clients to bundle user IDs into 1 account...that makes it easy.
KVC, I emailed them to update my domain contact info, then I transferred one of my domains out with that new email.
I never did any test with 1and1...but then again the 2 above (with kvc and netsol) weren't even tests.
Another security breach involving GoDaddy(1)?
(1): Naoki lost his twitter (https://medium.com/cyber-security/24eb09e026dd)
http://community.namecheap.com/blog/2013/10/08/two-factor-au...
You can also create a second account there and delegate limited rights to it for making changes. The odds of losing both accounts are remote.
All of her accounts were compromised - seems more likely to be malware than social engineering.
Also the hosts you mentioned use in-house support.
From what I understand though, it isn't all that easy to actually stop a wire transfer once it is being processed. I wouldn't be at all surprised to hear that both sides might have actually gotten the money and the backing bank will be left trying to go after one or both of them for it.
Here is what I recommend for website security (this is a lot of advice and is not perfect - if you want me to write this up in a detailed blog post and cover more things let me know)... I also provided my contact information at the bottom if you have any questions or need any help settings this up.
Domain Registrar:
1. Melbourne IT - https://www.melbourneit.com.au/
2. Namecheap - https://www.namecheap.com/
3. Gandi - https://www.gandi.net/
- Enable WHOIS protection
- Enable domain locking - if you want more details on how to set this up let me know
- Enable email notifications and make sure you keep your account information up to date
- Log in from a computer using a VPN (I use and recommend proXPN - https://proxpn.com/) which encrypts your connection
DNS
1. Any of the domain registrars mentioned above
2. CloudFlare - https://www.cloudflare.com/ (offers performance benefits as well). Their DDOS protection, DNS, and performance benefits are why I use and recommend them. They are not very good in terms of their WAF or website security and that is why I use and recommend Sucuri as well.
3. DNS Made Easy - http://www.dnsmadeeasy.com/
- Follow advice from passwords section
- Delete unnecessary DNS records
- Enable DNSSEC if possible
Email Hosting
1. I recommend that you use Google Apps for Business - https://www.google.com/enterprise/apps/business/.
- Follow advice from passwords section
- Take advantage of the security Google offers
Passwords
1. Create strong passwords using a password generator. I use GRC's Password Generator by Steve Gibson. - https://www.grc.com/passwords.htm
2. Store your passwords in a password manager such as LastPass. - https://lastpass.com/
3. With LastPass use a strong master password, limit login attempts to your country and the ones you travel to frequently, use two factor authentication, don't use a password reminder, don't write down your master password - only memorize it and don't ever share it, change your master password at least slightly every 3 months, and disable logins from the TOR network.
4. Use the same password only once (Don't use the same password on multiple sites).
5. Don't store your passwords in the browser or save them, so you are automatically logged in.
6. Make sure your password is at least 15+ characters (I use 50+ characters) and it contains lowercase letters, uppercase letters, numbers, and special characters.
7. If a site requires a secret question, make sure the answer to that question is one no one else would know, or make it a password or phrase that you would remember.
8. Use the browser add-on HTTPS Everywhere and use Mozilla Firefox or Google Chrome as your browser.
9. Try to not share your passwords - I would like to say never share your passwords, but I know that is not possible :). If you have to share your passwords, do so using LastPass, change the password after they are done, make sure they haven't done anything that looks malicious, have a clear plan of what they need to do, and ask them how long it will take them.
Website Security
1. Backup your site - I recommend and use Sucuri Backups - http://sucuri.net/services/website-backups (it is $5 a month per website)
2. Use monitoring, alerting, and a removal service - I recommend and use Sucuri - http://sucuri.net/signup
It is $89.99 per year for one website. The service includes 3 main areas which are monitoring (http://sucuri.net/services/website-scan-malware-detection), alerting (http://sucuri.net/services/alerting), and removal (http://sucuri.net/services/malware-removal). You can use any of those links for further details.
3. Use a WAF - I recommend and use Sucuri CloudProxy - http://cloudproxy.sucuri.net/signup ($9.99 a month for the most basic plan - the two other plans are $19.98 and $69.93 per month)
4. There could be a lot more in this area, but that should do a pretty good job for you. If you are using a CMS such as WordPress, Joomla, or Drupal you have quite a bit more you can do in this area.
Hosting
1. It honestly depends on your needs, so I am not going to recommend anyone specifically. If you want help with this or anything you can find my contact information at the bottom.
Network Security
1. Use WPA2 for the encryption protocol
2. Make your network name random
3. Make your password to connect to your network very strong
4. Change the default login credentials to login to your network to a secure username and password.
5. Disable Wi-Fi Protected Setup (WPS)
6. Configure OpenDNS at the router level - http://www.opendns.com/
7. Follow the passwords section for your passwords
Computer Security
1. Use an antivirus program (Antivirus for Mac by Sophos for Mac computers and Microsoft Security Essentials or Avast for Windows)
2. Use an anti-malware program (Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit for Windows)
3. Use a firewall (Windows Firewall or TinyWall for Windows)
4. Keep your operating system updated
5. Keep your programs updated (Secunia PSI or FileHippo Update Checker for Windows and AppFresh for Mac)
6. Remove Java and QuickTime if you don't need them
7. Replace Adobe Reader with Foxit Reader or Sumatra PDF
8. Make sure you keep Adobe Flash Player up to date
9. Uninstall programs that you don't need or don't use
10. Only download things from trusted sources (the browser extension Web of Trust would help with this)
11. For your browser make sure you are using Google Chrome or Mozilla Firefox. For Google Chrome and Mozilla Firefox, I recommend that you use Adblock Plus, Disconnect, and HTTPS Everywhere. If you want to be very secure and are somewhat technical, I recommend that you also use NoScript for Mozilla Firefox and NotScripts for Google Chrome.
If you have any questions you can email me at [redacted].
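The passwords section of the comment above recommends a generator plus a policy of 15+ characters drawn from all four character classes. As an added example (my code, not the commenter's and not GRC's generator), here is how to do that locally with Python's OS-backed CSPRNG and check the policy, using rejection sampling so the distribution over accepted passwords stays uniform rather than forcing one character of each class into fixed positions. The word list for the passphrase variant is a constructed stand-in; a real deployment would load a diceware list.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = string.punctuation                    # the 32 printable non-alphanumeric ASCII symbols
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL     # 94 characters, the figure used earlier in the thread

# Constructed stand-in word list for the passphrase variant (not a real diceware list).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "expelliarmus",
                "future", "fights", "registrar", "deadbolt", "whois"]


def meets_policy(password: str, min_length: int = 15) -> bool:
    """The comment's rule: 15+ chars with at least one lower, upper, digit and special."""
    return (
        len(password) >= min_length
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIAL for c in password)
    )


def generate_password(length: int = 24, min_length: int = 15) -> str:
    """Draw every character uniformly from ALPHABET using the OS CSPRNG
    (secrets, never random) and reject candidates that miss a class.
    Rejection keeps the accepted outputs uniformly distributed."""
    if length < min_length:
        raise ValueError(f"length {length} is below the policy minimum {min_length}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length):
            return candidate


def generate_passphrase(words, count: int = 5, separator: str = " ") -> str:
    """Random words drawn with replacement; also a good way to answer a
    'secret question' with something nobody could look up."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw))
    print(generate_passphrase(SAMPLE_WORDS, 4))
```

The rejection loop terminates quickly: for a 20-character draw the chance of missing any one class is small, so almost every candidate is accepted on the first try. The two things that matter for security here are the source of randomness (`secrets`, not `random`) and the size of the alphabet or word list; the policy check only guards against the rare draw that happens to omit a class a site insists on.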
If you tell me how to attribute you properly, I will do this. I'm about to embark on a year long experiment in a lifestyle app development business. The first step I will be taking is to buy a new PC, laptop, smart phones (android & iOS), tablets (again, android and iOS), set up a blog and marketing website and get some form of cloud provider (I currently have AWS, but I'm looking at different options).
So I will be setting everything up from factory new hardware and brand new accounts (new email, hosting providers etc). Putting all the info you've listed into a repeatable process would be beneficial to anyone else who wants to try the same experiment I'm heading out on.
I know you guys don't often send out emails (and I really appreciate that), but perhaps a mail shot letting people know it's an option would be worthwhile. For security stuff I'm happy to receive unsolicited emails.
So I guess her suggestion is to have $30k stashed to make up for lack of security. From what I read...she's still out money, even though she did get her domain back.
> And then I called the wire transfer company and placed a stop on the payment.
It's unclear to me how this works. At first, it seems as though she and Anthony pursued this action independently, which would seem quite risky: risk of the apparently-fraudulent stop payment not being processed in time, or at all, resulting in the loss of 30k; risk of legal action from the seller, however seemingly ridiculous and unlikely, is scary. Later it sounds like maybe this was done with the FBI's blessing (point 5 under "Here's what to do").
> Please don't submit comments complaining that a submission is inappropriate for the site. If you think something is spam or offtopic, flag it by going to its page and clicking on the "flag" link. (Not all users will see this; there is a karma threshold.) If you flag something, please don't also comment that you did.
GoDaddy may have great electronic protections, but I do not trust their phone support personnel at all
I did not realize that wire transfers can be cancelled after the receiver has already had the funds placed in the account (else the thief would not have released the domain).
It would be interesting to know what would have happened if she had instead waited for the legal methods to play out. Instead, it's a story of one trick undoing another trick.
Okay, fair enough, I'll give that fact a close second in the rankings. But to me, the fact that she had to descend to the level of the criminals she was dealing with, had to do things that under slightly different circumstances would have made her a criminal, is the most discouraging part of the account.
If it is locked down, it can not be transferred without, iirc, a picture of your driver's license or something like that. There may also be time delays. For my valuable sites, I pay for this service.
Go Daddy offers Protected Registration, which prevents a domain name from being transferred to another registrar. The product includes our privacy service, as well as a Deadbolt lock.
Our Deadbolt lock means that in order to cancel the service, you must show documented proof of your identification, which makes the lock more robust than a standard registrar lock. This may seem “cumbersome,” but that is the point; if the domain name is valuable to you, you would be well-served to use product that safeguards against making it easy for a hijacker to gain access.
Not sure if they did anything useful but they certainly looked more interested than GoDaddy.
* 1) Use 1Password to generate and store them
* 2) Use DropBox or similar to share your encrypted vault between your devices
* 3) Secure your shared vault with a strong computer-generated password, and keep it written down somewhere
I wonder why strong password management isn't built into operating systems, thus educating everybody and making them ubiquitous. What am I missing? Where is MacPass? WinPass?
The advice on the blog and this comment thread isn't any good, but there's really no good advice besides use a password manager.
I'm kind of shocked that there have been no class action lawsuits on phone manufacturers. Especially from banks.. just imagine the liability of millions of customers getting keylogged no matter what the bank uses to secure its site (even two factor authentication). It's almost unfathomable.
Someone really should make a one time pad login that doesn't work a second time even if you look over the user's shoulder. For example their password could be their favorite song and the site would ask them to enter the 2nd, 3rd and 4th letters of the 5th, 6th and 7th word respectively or something. Or how about a custom grid of letters printed on the back of the phone they’d look up positions on so it would have to at least be in someone's physical possession. Or how about a dongle in the headphone jack that's hardcoded and can't be hacked, that the user would type rolling codes through. There has to be a better way of doing this!
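The "dongle that types rolling codes" in the comment above is essentially the HOTP/TOTP scheme (RFC 4226 and RFC 6238) that hardware tokens and authenticator apps already implement. As an added example, not the commenter's code and not from any library: a from-scratch implementation with a verifier that burns every counter up to the one it accepts, so a code seen over someone's shoulder cannot be replayed. The key is the RFCs' published test secret, so the outputs can be checked against the RFC vectors; the look-ahead window of 5 counters and the one-step clock skew are assumed policy values.

```python
import hashlib
import hmac
import struct
import time

# Shared test secret from RFC 4226 / RFC 6238, so results can be checked against
# the published vectors (HOTP counter 0 -> 755224; 8-digit TOTP at t=59 -> 94287082).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (default 30 s steps)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


class HotpVerifier:
    """Server side for an event-based token. Accepts the next `look_ahead`
    counters (the user may have pressed the button without logging in), then
    burns everything up to the accepted counter so a replayed code fails."""

    def __init__(self, key: bytes, look_ahead: int = 5, digits: int = 6):
        self.key, self.look_ahead, self.digits = key, look_ahead, digits
        self.counter = 0                       # next counter value we expect

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.counter = c + 1           # every counter <= c is now unusable
                return True
        return False


class TotpVerifier:
    """Time-based variant: tolerate `skew` steps of clock drift either way, but
    never accept a time step at or below the last one used (replay protection)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.step, self.digits, self.skew = key, step, digits, skew
        self.last_step = -1

    def verify(self, code: str, at=None) -> bool:
        if at is None:
            at = time.time()
        now = int(at // self.step)
        for t in range(now - self.skew, now + self.skew + 1):
            if t > self.last_step and hmac.compare_digest(hotp(self.key, t, self.digits), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    v = HotpVerifier(RFC_TEST_KEY)
    first = hotp(RFC_TEST_KEY, 0)
    print(first, v.verify(first), v.verify(first))   # 755224 True False
    print(totp(RFC_TEST_KEY))                        # current 6-digit code
```

Two details are what make this stronger than the "2nd, 3rd and 4th letters of your favourite song" idea: each code is derived from a secret the shoulder-surfer never sees, and the verifier's state only moves forward, so knowing one accepted code tells an attacker nothing about the next and does not let them reuse it. The comparison uses `hmac.compare_digest` so the verifier's timing does not leak how many leading digits matched.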
I have to believe there are some seriously rich criminals out there. What do they expect to do with their ill gotten gains?
* use 2 factor authentication (if your registrar doesn't offer it, find one that does, or better yet, have ICANN rule that all registrars must have it)
* ICANN rule that says if a domain has been recently moved it can be frozen by previous owner until the matter is cleared up
* whois privacy will not only hide who the owner of the site is but also who the registrar is (if you don't know who the registrar is among the hundreds out there, you can't target the right one with social engineering!)
I think this is bad advice. You only need long passwords that are not feasible for a brute force attack and not trivial (personal data). If you have a password you can't remember you are going to write it somewhere and that can be a security issue.
Or don't let your kids use your work computer when you have very important privileges at stake? I would definitely keep all of this in a very encrypted environment that isn't accessible by my kids or anyone else.
For when just 'cyber' and just misuse of the word hacking aren't enough.
Edit: >assuming that... my husband had accidentally logged into my account instead of his own
I think this shows her attitude to security could at best be described as lax.
>3. Turn off your computer and personal devices when they’re not in use.
I... this is... wow, what.
input: correcthorsebatterystaple
output: ~~krct^hrs333bttstpl$$:)
input: password
output: lulz!isma:PASSWORD#sorrynotsorry