Changing names and Internet domain names is as common as changing your underwear these days, particularly for legal firms.
Partners come and partners go, firms merge and separate - and company names and websites change to reflect this.
But what happens to the old names?
If you’re just letting your old domain name lapse, think again.
CommArc security analyst Steve Brorens said Australian security expert Gabor Szathmari will be speaking at this month’s CHCon and he has a word of warning for local law firms.
“Gabor is going to be delivering a talk titled ‘Hacking law firms with abandoned domain names’ - and that pretty much sums it up.
“If someone with ill intent gets hold of your old domain, they can take full control of your email services, using it to intercept legitimate and often financially sensitive emails.
“They can also use the email accounts to reset passwords to online services.”
When a domain name expires, its registration eventually lapses, allowing anyone to re-register that domain as their own.
“Gabor’s blog goes into great detail on how he and his team managed to hijack and get into very personal information on a variety of platforms of Australian legal professionals,” Brorens said.
“From Facebook and LinkedIn profiles to access to Law Society accounts and even court registries, having old email addresses and the old domain gave them access to everything.”
Brorens said prevention is essential through maintaining control of old domain names. If you’re not sure if you’re at risk, there are some simple things you can do.
- List all domain names that have been actively used in the past
- Check to see that these are all still being maintained, and by whom:
  - via whois at Freeparking: https://secure.freeparking.co.nz/whoislookup
  - via the Domain Name Commission at: https://www.dnc.org.nz/whois
  - via GoDaddy at: https://nz.godaddy.com/whois
- Any “old” domain names that are not owned by the firm (and are available) should be immediately registered and maintained
- Any “old” domains now owned by others may pose a real security threat and should be investigated.
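The audit above can be scripted so every historical domain is checked the same way and nothing is missed. The example below is added here and is not CommArc's or Gabor Szathmari's code; the domain names, the registrant name and the whois replies are constructed, and the colon-separated `key: value` field names are an assumption about the .nz whois layout that you should adjust for your registry.

```python
import re
import subprocess

# Constructed registrant names the firm treats as its own (assumption: one legal entity).
FIRM_REGISTRANTS = {"Example Law Partners Limited"}

# Constructed whois replies in a colon-separated key: value layout
# (field names are an assumption; adjust them for the registry you query).
SAMPLE_WHOIS = {
    "example-law.nz": (
        "domain_name: example-law.nz\n"
        "query_status: 200 Active\n"
        "registrant_contact_name: Example Law Partners Limited\n"
    ),
    "oldpartners-legal.nz": (
        "domain_name: oldpartners-legal.nz\n"
        "query_status: 200 Active\n"
        "registrant_contact_name: Unrelated Holdings Ltd\n"
    ),
    "mergedfirm.co.nz": (
        "domain_name: mergedfirm.co.nz\n"
        "query_status: 220 Available\n"
    ),
}

def parse_whois(text):
    """Turn 'key: value' lines into a dict; the first occurrence of a key wins."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]+):\s*(.*?)\s*$", line)
        if m and m.group(1) not in record:
            record[m.group(1)] = m.group(2)
    return record

def classify(record, firm_registrants=FIRM_REGISTRANTS):
    """Map one whois record to an action: AVAILABLE, OK or RISK."""
    status = record.get("query_status", "").lower()
    if "available" in status:
        return "AVAILABLE"   # nobody holds it: register it before someone else does
    if record.get("registrant_contact_name") in firm_registrants:
        return "OK"          # the firm still controls it: keep it renewed
    return "RISK"            # held by someone else: investigate

def audit(whois_replies, firm_registrants=FIRM_REGISTRANTS):
    """Classify every historical domain from its whois reply text."""
    return {d: classify(parse_whois(t), firm_registrants) for d, t in whois_replies.items()}

def live_whois(domain):
    """Fetch a real reply with the system whois client (needs network access)."""
    return subprocess.run(["whois", domain], capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_WHOIS).items():
        print(f"{domain}: {verdict}")
```

For a live sweep, build the dictionary with `live_whois` for each domain on your list instead of `SAMPLE_WHOIS`.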
Don't lock the front door but leave the window wide open
In addition to old website domains, it’s also essential that old user accounts for staff are carefully managed, as these are a key part of the security breakdown that can occur with unregistered domain names.
Of course, two-factor authentication (2FA) is an essential business requirement that will almost completely eliminate any risk, and you don't have to worry about old user accounts becoming compromised if they're properly protected to start with, Brorens said.
“Having strong passwords is always best practice, and a password manager like LastPass will help you keep strong, unique passwords for each of your applications,” he said.
“However, with human nature being what it is, it’s always very tempting to use the same password for everything, with perhaps minor tweaks.
“It’s very important that work and professional passwords are different from private passwords. It makes it a bit harder for the individual, but infinitely safe for the business.”
To find out if your password or account has been compromised, go to https://haveibeenpwned.com.
You can check your own password through this channel, but if you’d like to do a sweep of your entire company to find out if any of your staff have been “pwned”, give us a call and we can arrange that for you.
If you have any concerns about old domain names or whether you or your company may have been at risk, give one of CommArc’s account managers a call today and we can do a double check of your Internet security.