Thursday 03 June 2010

Desperate Russian housewives just one of the BBC's "strange" domains

posted by Alison in: Domain Sales Security

Ever heard of the website desperaterussianhousewives.co.uk? Or watchagrownmanrot.co.uk? You won’t have done because they don’t exist, and are part of a BBC strategy to register unusual domain names which are associated with some of its television shows. The list has reached 154 bizarre domain names, among which are the above as well as singlessos.co.uk and bestmurders.co.uk. The domain name jellyparties.co.uk, for example, was registered as part of the BBC’s Psychoville series.

Registering these domain names is both a brand protection measure and a way to gain Google rankings. In an article about the practice of registering domain names that never become actual websites, the BBC quotes Murray Dick, a professor in online journalism:

“If you look at a highly competitive keyword area like health and well-being, you’ll find no shortage of results from companies who have set up domains using words like ‘sixpack’, who rank competitively with more established sources of information on health and well-being. Organisations exploit this fact to earn lots of money on Google’s AdSense service.”

The BBC didn’t release all of its domain names because some aren’t covered by the UK’s Freedom of Information Act, and because, as an organisation, it wants to avoid cybersquatting in its naming strategy. Cybersquatting is defined as follows: cybersquatters register domain names once a new brand becomes public and then demand inflated prices to hand over the address.

Source | BBC
Photo | Flickr

Wednesday 02 June 2010

How to Display Files Modified Today

posted by Tavis J. Hampton in: Security Web servers

There are many ways to search Linux files and directories using grep, find, or locate. All of them find files that match certain search parameters, usually words or characters. On a Linux server, you can also find any files that were modified within the current day. This is useful for finding security exploits and generally tracking website usage.

Using the find command, you can look for all files modified in a specific directory within the current day. To do so, enter the following string:

find -maxdepth 1 -type f -mtime -1

The output will look something like this:

./syslog
./lastlog
./user.log
./auth.log
./daemon.log
./mail.info
./syslog.1

To find only the directories created on the current day, simply change the “f” to a “d”:

find -maxdepth 1 -type d -mtime -1

Using this information can help you track down possible problems. Certain files like ones listed above are supposed to be modified daily, but if you find files that should not be modified, that can be a clue to help you fix whatever ails your server.
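As an added example (not part of the original post): `-mtime -1` matches anything changed in the past 24 hours, so this sketch uses GNU find's `-newermt` to list only files modified since local midnight and hides names you expect to change daily. The function names, sample files and expected-changes list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find and GNU touch.
# File names and the expected-changes list are constructed for illustration.

# modified_today DIR [EXPECTED_NAME...]
# Prints regular files directly under DIR whose mtime is after local midnight,
# skipping any base name given as an expected daily change.
modified_today() {
    dir=$1
    shift
    midnight="$(date +%Y-%m-%d) 00:00:00"
    find "$dir" -maxdepth 1 -type f -newermt "$midnight" | sort |
    while IFS= read -r path; do
        skip=0
        for expected in "$@"; do
            if [ "${path##*/}" = "$expected" ]; then skip=1; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$path"; fi
    done
}

# make_sample_dir: builds a constructed directory and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/syslog" "$d/auth.log" "$d/settings.conf"   # modified now
    touch -d "yesterday 23:59" "$d/old.conf"             # before midnight
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "Unexpected files modified today:"
modified_today "$sample" syslog auth.log
rm -rf "$sample"
```

Run it from cron against a web root or configuration directory and review anything it prints.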

Image Source: Wikimedia Commons

Tuesday 25 May 2010

Russia changes rules for .ru registration

posted by Daniel Foster in: Domain Sales Security Cyber Crime

The .ru ccTLD has a long-held reputation as a haven for spam and cyber crime, but recent changes made to the domain’s registration requirements could clean it up.

It used to be very easy for criminals to register .ru names with fake identities. But as of April 1, all registrants have to provide a copy of a passport or business registration papers in order to buy a domain. China implemented a similar system several months ago to clean up its .cn extension.

Will Russia’s actions improve .ru’s reputation? Probably, but by making registration such an inconvenience, many legitimate users will find another TLD to register. And as Rodney Joffe, chief technologist at Neustar put it, “It’s pushing the malicious activity elsewhere. If it’s so much of a hassle, [criminals will] say, ‘Screw it. I’m going to register another top-level domain.’”

Source | PCWorld
Photo | Flickr

Tuesday 18 May 2010

Renowned cryptographer Whit Diffie joins ICANN

posted by Daniel Foster in: Domain Sales Security

ICANN announced this week the hiring of cryptographer Whit Diffie as Vice President for Information Security and Cryptography. The 65-year-old former chief security officer from Sun will use his advanced knowledge to help improve the security of the domain name system.

Diffie is famous for co-writing a paper published in 1976 that has helped scientists better use math to decrypt secret messages. Although it’s hard to say how long the MIT graduate will be hanging around ICANN, I think this addition to the organization’s staff is a very good move. It will go a long way towards easing fears about Internet security.

Source | CBS News
Photo | Wikipedia

Monday 17 May 2010

Secure File Transfer from SSH

posted by Tavis J. Hampton in: Security Web servers

If you are accustomed to working with a graphical interface, such as Windows or Mac OS, having to manage your server from the command line can be arduous, but it is sometimes necessary. In some situations, for example, you might need to send a file directly from the server without jeopardizing security.

Assuming you are already logged into your server via SSH, you can also use the secure shell to send files. The command that handles this is called SCP, which stands for Secure Copy. SCP encrypts the file and any passwords, unlike FTP or RCP.

Sending a file takes only a single command. For example, if you wanted to send a file called “database.sql” to your backup server at “mybackup.me”, you would enter the following:

scp database.sql username@mybackup.me:/home/username/sqlbackup

Replace “username” with your actual username on the backup server, and the path after the “:” should match the actual path on the backup server where you want the copied file stored.

After you finish, you do not even need to disconnect. The connection will only stay open as long as SCP is sending the file. For more advanced SCP tips, type “man scp” from the command line.

Image: Wikimedia Commons

When You Are Accused of Spamming...

posted by Tavis J. Hampton in: Security

Question: My web host has accused me of being a spammer and has suspended my account. How do I prove I am not a spammer?

Answer: Usually, you will only be accused of spamming in one of three situations: (1) you actually are a spammer, (2) your account is hosted on an unsecured mail server, or (3) you have a dedicated server or VPS, and you have left your mail server unsecured.

In the case of the first situation, I cannot help you. If you are in situation number 2, then you are truly one of the victims, and whoever is running the server needs to fix the problem. Usually this will happen if the server admin is someone different than the web host. Contact the web host and let them know that you are not in charge of the server but have been blacklisted.

In the third situation, you need to find the security hole in your server and fix it. You could have an open relay in your SMTP system. Another possibility is that a user account has been compromised. And the third unfortunate possibility is that one of your users may knowingly be a spammer. In any case, get the problem fixed first and then tell your web host. You should then automatically start dropping off of DNS blacklists, and everything will go back to normal.

Image: Wikimedia Commons

Thursday 13 May 2010

What is PHP Safe Mode?

posted by Tavis J. Hampton in: Security Web servers

“Safe mode” is a general term for software running with all but the most critical components disabled in order to increase stability. Oftentimes when there is a stability or security issue, running in safe mode will allow the user to still access the system and fix any problems.

In PHP, safe mode is primarily a security option that prevents would-be attackers from using PHP scripts to execute operating system commands. Theoretically, safe mode is supposed to be a method for increased web application security. It is intended to be run in shared hosting environments and is not needed on a VPS or dedicated server. In PHP 6, safe mode will be removed.

The downside of PHP Safe Mode is that certain scripts and web applications do not function properly with it enabled. Server administrators can disable it and take other security measures to harden their Web applications, and individual users can also work around it, although they should check with their web host first to make sure they do not compromise security.

Most web developers and website owners dislike safe mode because of the limitations it places on scripts. If you feel strongly about it, you should find out if a web host uses it before subscribing to their service.

Photo Source: Flickr

Wednesday 12 May 2010

Creating Good Passwords

posted by Tavis J. Hampton in: Security

Whether you have a single small website or a data center filled with servers, security should always be at the top of your agenda. One of the most basic security holes that attackers often exploit is the weak password. It is important for you and any users on your server to use secure passwords.

There are certain practices you can use to make your passwords more secure:

  • Use a mixture of letters and numbers
  • Mix lowercase and uppercase letters
  • Make the password at least 8 characters long
  • Change default passwords given to you
  • Do not use a real dictionary word in any language
  • Do not use acronyms that are easily deciphered
  • Never give your password to anyone, even someone claiming to be a web host or system administrator
  • Do not use the same password you use for other things
  • Do not use letters or numbers that relate to personal information (birthdays, names, etc.)
  • Change your password often.

If you need help creating a password, consider using a password generator. PC Tools has a free online password generator that will allow you to specify length, types of characters, and similarities. Best of all, it will allow you to create multiple passwords at once. Now you have no excuses left for having a password that is easy to guess.
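If you would rather generate passwords locally, the following added example (not from the original post or from PC Tools) draws random characters from `/dev/urandom` and checks the result against the length, digit, mixed-case and dictionary rules in the list above. The function names and the optional word-list argument are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative;
# the optional word list is any file with one dictionary word per line.

# check_password PASSWORD [WORDLIST] -> prints "ok" or the first failed rule
check_password() {
    pw=$1
    words=${2:-}
    if [ "${#pw}" -lt 8 ]; then echo "shorter than 8 characters"; return 1; fi
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case $pw in *[[:upper:]]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    # A dictionary word with digits added ("Password1") is still a weak choice.
    if [ -n "$words" ] && [ -f "$words" ]; then
        bare=$(printf '%s' "$pw" | tr -d '0-9' | tr '[:upper:]' '[:lower:]')
        if grep -qixF -- "$bare" "$words"; then
            echo "dictionary word"; return 1
        fi
    fi
    echo "ok"
}

# generate_password [LENGTH] -> random alphanumeric password passing the checks
generate_password() {
    len=${1:-16}
    if [ "$len" -lt 8 ]; then return 1; fi
    while :; do
        # /dev/urandom is the kernel's random source; tr keeps letters and digits.
        candidate=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len")
        if check_password "$candidate" > /dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

generate_password 16
```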

Tuesday 11 May 2010

Self-Signed SSL Certificates

posted by Tavis J. Hampton in: Security Web servers

SSL allows you to serve encrypted web pages to website visitors over the HTTPS protocol. Certificates must be signed in order to not set off browser flags that will question your site’s authenticity. But OpenSSL also provides the option to create a self-signed certificate, and many web hosting control panels have an option for it.

In most circumstances involving financial transactions, you should purchase a signed certificate, but there are instances when self-signing will suffice. Some examples include private intranets, internal business groupware, web-based control panels, and other content backends. In all of those situations, you need encryption, but it does not matter to you if the certificate is official since you are the one who signed it.

You will still receive the browser warning the first time, but your browser should have a function that allows you to add your site to your browser’s trusted sites. From then on, you will not see the warning, although other users still would see it. If you ever decide that you do actually need to purchase a certificate, you can always change it later. For information about creating a self-signed certificate, see this site.
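One way to create such a certificate with the OpenSSL command line, as an added example that is not from the original post: it generates a key and self-signed certificate, confirms that issuer and subject match, and prints the SHA-256 fingerprint to compare against the browser warning before you add the exception. The host name `intranet.example.test` and the function names are placeholders, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post. Host name and paths are
# placeholders; -addext assumes OpenSSL 1.1.1 or later.

# make_self_signed HOSTNAME OUTDIR -> writes OUTDIR/key.pem and OUTDIR/cert.pem
make_self_signed() {
    host=$1
    out=$2
    # -x509 emits a certificate instead of a signing request; -nodes leaves the
    # private key unencrypted so the web server can start unattended.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null || return 1
    chmod 600 "$out/key.pem"   # the key is unencrypted, so restrict access
}

# is_self_signed CERT -> exit status 0 when issuer and subject are identical
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# cert_fingerprint CERT -> colon-separated SHA-256 fingerprint
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

tmp=$(mktemp -d)
if make_self_signed intranet.example.test "$tmp" && is_self_signed "$tmp/cert.pem"; then
    echo "self-signed, SHA-256 fingerprint: $(cert_fingerprint "$tmp/cert.pem")"
fi
rm -rf "$tmp"
```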

Photo Source: Flickr

Thursday 06 May 2010

What You Should Know About SSL Certificates

posted by Tavis J. Hampton in: Security Web servers Software

SSL certificates allow website owners to provide something like a badge of authenticity to their users. In theory a website with a valid certificate should be trustworthy and secure. By default, web browsers will recognize a number of certificate authorities, companies that sell annual certificates and verify them. Depending on the company selling the certificate and the level of encryption, they can run from free to nearly $500.

When a web browser connects to a site without a valid certificate, the user will receive a nasty warning about the site not being trusted. This increases the chances that a user may not stay on the site, and if you are a business, it means that customers may be unwilling to proceed with sales transactions. In some cases, you may even have a self-signed certificate with perfectly secure encryption, but the user’s web browser will still say it is untrusted.

Purchasing a certificate is only the beginning of the process. You will need to set up your server correctly to use it. Each secure HTTPS site will require a unique IP address and correct certificate authority information that matches the certificate. If anything does not match (such as the domain name, a common problem with domain CNAME aliases), web browsers will still spit out errors. Be mindful of all these factors as you choose the right certificate for you.

Photo Source: Flickr
