CATEGORY: Security

Don’t Get Hacked: Password Lessons from the Flame Broiler

It lasted for over an hour and was so ugly that even their competitors were sending out empathetic Tweets.

Burger King’s Twitter account had been hacked, and not only were the hackers sending their own racially-charged tweets about Burger King employees “crushing and sniffing Percocet in the bathroom,” but they also changed all the branding from BK to McDonald’s. They even went so far as to promote McDonald’s new Fish McBites.

So with this kind of nightmare playing out in real life in front of the whole world, we thought it was time to contribute a quick, legitimate  piece to the “how to come up with a great password that’s memorable and fun and makes you feel safe” articles that will be swirling around the ‘net. From our staff we compiled dozens of tips all shrunk down to this one convenient list of tips and tricks for a better, safer, more memorable password.

Caroline Temple, our Affiliate Marketing Manager, knocked out 8 quick pointers for better Internet security:

1. Well – duh – we’ve got the free 2-step verification.

2. Don’t use words like “H3LL0!” Password-cracking programs now account for swapping numbers in for vowels.

3. Consider the “pass phrase”.  Like “IReallyLikeCoffeFirstThingInTheMorning10:00am”

4. Change your password often.

5. Don’t use the same password for more than one account.

6. WRITE your passwords down somewhere safe. Try your darndest not to store them in a document that can get hacked.

7. Review all those apps that you have given access to your Twitter account – maybe it’s time to revoke access of apps that don’t use SSL certificates or that you have not used in a while.

8. Always make sure the URL bar up top reads “https” before logging in to any account. That means they have an SSL certificate installed that will encrypt your information when logging in.

Some of these steps can be completely alleviated with great tools like oplop (courtesy of Pat “P-Mo” Moroney) that let you simplify all your passwords to a nickname and one master password. And Fitz in support reminded us to plug one of our customers, LastPass, a secure password manager that promises to make your life much easier.

Finally, it should be noted that your password should NOT be any word or phrase associated with your personal information or business products. Those are very easy to hack. For example, I should not use “Jared1” and you definitely should NOT use “whopper123”, as Burger King, the Home of the Whopper, used up until recently.
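To make tip 2 and the “whopper123” point concrete, here is an added example (not part of the original post) of a check a signup form or password audit could run: it undoes common number-for-letter swaps, drops trailing digits and symbols, and then looks for dictionary words and for terms tied to the person or business. The word list, the substitution table and the function names are constructed for illustration.

```python
import re

# Character swaps that rule-based guessing tools undo (tip 2). Illustrative subset.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a real wordlist; a production check loads a large one.
COMMON_WORDS = {"hello", "password", "welcome", "letmein"}


def candidates(password):
    """Plain-text forms a guesser would derive from the password."""
    low = password.lower()
    trimmed = {
        low,
        re.sub(r"[^a-z0-9]+$", "", low),  # drop trailing symbols: "h3ll0!" -> "h3ll0"
        re.sub(r"[^a-z]+$", "", low),     # drop trailing digits too: "whopper123" -> "whopper"
    }
    return trimmed | {form.translate(LEET) for form in trimmed}


def weak_reasons(password, context_words=()):
    """Return a list of reasons the password is guessable (empty if none found).

    context_words: names, brands or products tied to the account owner.
    """
    reasons = []
    forms = candidates(password)
    hits = forms & COMMON_WORDS
    if hits:
        reasons.append("dictionary word after undoing substitutions: " + sorted(hits)[0])
    for word in context_words:
        term = word.lower().replace(" ", "")
        if term and any(term in form for form in forms):
            reasons.append("contains personal or business term: " + term)
    return reasons


if __name__ == "__main__":
    brand = ["Burger King", "Whopper"]
    for pw in ("H3LL0!", "whopper123", "Wh0pp3r!",
               "IReallyLikeCoffeFirstThingInTheMorning10:00am"):
        print(pw, "->", weak_reasons(pw, brand) or "no findings")
```

An empty result only means none of these particular rules fired; it is not a strength score.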

We’ll leave you with this helpful password hint from one of our favorite web comics, XKCD

WordPress, Joomla and Drupal: How to Protect your Websites!

Chris Gaston, our systems administrator, says, “Hey all, FYI there’s a lot of hacks for WP, Joomla, and Drupal floating around lately.”

It’s time to update those themes! Here’s more from the National Cyber Awareness System.
US-CERT Current Activity
Increased Exploitation in Web Content Management Systems

Original release date: September 21, 2012
Last revised: January 4, 2013

US-CERT is aware of recent increases in the exploitation of known
vulnerabilities in web content management systems (CMSs) such as
Wordpress and Joomla. Compromised CMS installations can be used to host
malicious content.

US-CERT recommends that users and administrators ensure that their CMS
installations are patched or upgraded to remove known vulnerabilities.
This may require contacting the hosting provider. Also, users and
administrators can check for known vulnerabilities in the National
Vulnerability Database by searching their CMS by name.

UPDATE: This is an update to emphasize post-exploitation clean-up.

Basic post-exploitation clean-up can be summarized by this: “Clean,
Patch, and Monitor.”

Clean – Remove the malicious content AND validate all accounts, removing
unauthorized accounts and paying particular attention to accounts with
administrative or elevated privileges.

Patch – Keep systems patched and upgrade system software to the most
current supported releases (predominantly Joomla in this ongoing
campaign of exploitations).

Monitor – Stay abreast of new patches and version releases of your
content management software, and patch when new versions are released.
Also perform continuous baseline review of your site’s usage to detect
abuse before your site is used to attack others.

A number of support sites and other open source forums have had recent
discussions involving the exploitation of Joomla installs up to versions
2.5.2 and earlier. Additional vulnerabilities have been identified and
patched relating to versions 2.5.4 and earlier. In many instances Joomla
installs have been found to be very out of date. The attacker would
self-register an account and then proceed to escalate the account to
have administrative privilege using vulnerabilities in the outdated
software. Once privileges have been escalated, the attacker is able to
modify the website to include the upload of malicious content. The
uploaded content may be malware to infect your website visitors, or
tools to enable the attacker to leverage your website to launch denial-
of-service attacks against others.

If your site has been compromised, remember to “Clean, Patch, and

Relevant URL(s):
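For the “Clean” step of the advisory above, this added example (not part of the advisory or the original post) lists every account holding an administrative group and flags the ones that are not on a known-admin allowlist, calling out those registered after a last known-good date, which is the self-register-then-escalate pattern the advisory describes. The table and column names are assumptions modeled on a default Joomla 2.5 schema with the `jos_` prefix, and all rows are constructed sample data.

```python
import sqlite3

# Constructed sample data. Table/column names are assumptions modeled on a
# default Joomla 2.5 schema with the "jos_" prefix; adjust to your install.
SCHEMA = """
CREATE TABLE jos_users (id INTEGER, username TEXT, email TEXT, registerDate TEXT);
CREATE TABLE jos_usergroups (id INTEGER, title TEXT);
CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
INSERT INTO jos_usergroups VALUES (2,'Registered'),(7,'Administrator'),(8,'Super Users');
INSERT INTO jos_users VALUES
  (42,'admin','owner@example.com','2011-03-01 09:00:00'),
  (97,'editor_sam','sam@example.com','2012-02-11 14:20:00'),
  (311,'xk3921','xk3921@example.net','2012-12-28 03:14:07'),
  (312,'newsfan','fan@example.org','2012-12-29 18:40:00');
INSERT INTO jos_user_usergroup_map VALUES (42,8),(97,7),(311,2),(311,8),(312,2);
"""

PRIVILEGED_GROUPS = ("Administrator", "Super Users")


def audit_privileged_accounts(conn, known_admins, last_known_good):
    """Return (username, group, registerDate, reason) for each privileged
    account that is not on the known_admins allowlist."""
    rows = conn.execute(
        """SELECT u.username, g.title, u.registerDate
           FROM jos_users u
           JOIN jos_user_usergroup_map m ON m.user_id = u.id
           JOIN jos_usergroups g ON g.id = m.group_id
           WHERE g.title IN (?, ?)
           ORDER BY u.registerDate""",
        PRIVILEGED_GROUPS,
    ).fetchall()
    findings = []
    for username, group, registered in rows:
        if username in known_admins:
            continue
        # ISO-style timestamps compare correctly as strings.
        reason = ("registered after last known-good date"
                  if registered > last_known_good else "not on admin allowlist")
        findings.append((username, group, registered, reason))
    return findings


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return audit_privileged_accounts(conn, {"admin"}, "2012-09-01 00:00:00")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```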

Our VP of Awesome Explains NameSafe, the Free and Easy Way to Protect your Domains

You don’t have to look too far or for too long to find someone who has had their domains hijacked. User names and passwords can be hacked, but when you add two-factor authentication–AND IT’S FREE–you can rest easy. Get your NameSafe today. And, yes, while we say free, we mean when you use your smart phone to get the NameSafe App. Here, Owen has all the details in Technicolor.

DDOS Attack | Picked a bad time to come back from vacation

But a few days ago I was building a sand castle on the beach with my two little boys. Actually, I’d build it and they’d knock it down. It was hilarious fun and could have had us featured on a brochure for contentment. I’ve been thinking fondly about those days, and hoping I was savoring every second of it, because I had no idea that at that very moment my work was getting spanked by the biggest DDOS attack ever to come barreling at

Paradise is great customer support

There would be waves at work too.

In short, some very large and very powerful Chinese entity was not happy with one of our customers. The owner of has been publishing news about the scandal of the former Chinese political superstars Bo Xilai and his wife, Gu Kailai. It’s a story involving murder, corruption and the widening gap between China’s rich and poor. This story deserves some serious media attention, but instead many involved have been silenced or locked up.

So here we are, this little but growing company in Denver, suddenly a target of some ticked off Chinese elite. This is where I show up, breezing in happy and as tan as paste can get, and receiving applause for returning to work.  Let me warn you, when you come back to work and people applaud, it’s not because they’ve missed you. It’s because they’re thrilled to have someone else take some bullets. I was quickly briefed on the situation, “Yah, it was bad, there are some pissed people,” and I swear there was an actual skip in her step as she walked away. I should give her more credit than that. It was Ashley, our Marketing Something or Other, and she and the entire staff did an amazing job of handling what could be the equivalent of a Honda getting sideswiped by the moon. DDOS attacks are common, and we have an awesome crew that regularly handles the onslaught, but this was the kind of mauling that inspires international treaties.

All our peeps are back to their regular scheduled programming, we’re still talking with for the best results for them, and I’m still on Hawaiian time, alternately staring out the window and at Google Translate. I think 你的母亲的气味像猪 isn’t good, and not once has anyone here at work offered to bring me a piña colada or rub sunscreen on my back.

It’s OK, it’s what I do, be the public face to these situations. At it’s easier than places that take more time glossing over things than they do being open and honest about them. So for that I’m happy to be back.

Your future at looks to be pleasant.

Is your website safe?

Last week a string of domain hijackings caught the attention of many, perhaps because the victims of the hijackings are all well-established, technologically savvy individuals. The three notable cases were,, and each of them has written their own blog post detailing their experience of finding out their domain was stolen and the ugly road to recovery. We won’t speculate too much on what happened, but we do want to give everyone a heads up on security features that you can put in place to ensure that this won’t happen to you!

If you are not currently a customer, you should be :) We are running a $7.39 COM/NET transfer special from now through the end of December. You can click here to start your transfer and then follow the instructions below to keep your domain safe by adding NameSafe, a free service!

What is NameSafe VIP?

NameSafe VIP service adds an additional layer of security by using the VeriSign Identity Protection (VIP) credential system. It generates a unique six-digit code every 30 seconds that is required to access your account. So you’ll log in using your username and password as usual, then enter the unique six-digit code. It’s a super easy way to keep your account secure. The service is FREE unless you do not have a smartphone and need to purchase the fob that will create the credential (the six-digit, ever-changing number).

How do I get NameSafe VIP?

Log in & Set Up NameSafe Now

From within your account you’ll see a link on the left hand side for ‘NameSafe’ (see below)

Simply click ‘NameSafe’, then click the link ‘Signup for the NameSafe service.’ If you’re using your phone to generate your credential, you’ll set it up at but don’t worry, we’ll email you activation instructions that are really quick.

Setting up two-factor authentication keeps your domain safe and secure, out of the hands of the bad guys. NameSafe is quick to set up and free of charge. You don’t have much to lose by setting up extra security precautions, but it seems you have everything to lose by not being proactive when it comes to the security of your domain names.

Buyer beware: Phishing email requesting renewal

Hey everyone,

Just wanted to post a quick note to give you all a heads up that it has come to our attention that there are phishing emails being sent out to customers. The email appears as if it is a notice of expiration from requesting a $75 renewal (youch!). The email will look similar to:

This is just a general reminder to read carefully through details and if something doesn’t feel right it probably isn’t. Let us know if you have any questions. Don’t fall victim!

Podcast Episode #3: Something Technical With Sean (DNSSEC)

Length: 9:44

This week our CTO, Sean Leach, joins the podcast to talk about a little thing called DNSSEC. The most basic explanation of DNSSEC is that it provides security for your DNS, but, as you will hear, there is oh so much more involved.

Non-tech folks, not to worry, Sean does a really good job of keeping the technobabble to a minimum. Even as I was politely smiling and nodding during recording, I was actually comprehending (most) of what was being said. :)

Speaking of DNS security, the .ORG registry is now running a campaign to practice safe DNS, and they’ve taken a clever angle with it. Check out the PSA-like video below:

Security is Serious Business

Anyone that has had one of their accounts (bank, online, or otherwise) compromised knows it can be a total nightmare to try and resolve. It’s not just an annoyance, it can leave you feeling violated and vulnerable. This can especially be the case if somehow this happens to your domain account(s). Now whether you’re a domainer or a small business, your domains can be your livelihood, and it’s important to secure your domains as best you can to ensure no one else can get their grubby little hands on them. Enter and a nifty little service we have deemed NameSafe.

The NameSafe VIP service is part of the VeriSign Identity Protection (VIP) credential system and it adds two-factor authentication to your account. This means that in addition to a username and password, you must enter a unique, randomly generated code in order to log in. This provides a second, stronger layer of security on your account, and if someone without this credential tries to log in as you, their IP will be blocked after a certain number of failed attempts.
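The six-digit code that changes every 30 seconds (described here and in the “What is NameSafe VIP?” post above) and the block after repeated failures can be illustrated with the open RFC 6238 TOTP standard. This is an added example, not NameSafe or VeriSign code; the page does not say which algorithm the VIP credential uses, and the failure limit, the one-step drift window and the class and function names are assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP = 30         # seconds each code is valid, as described on this page
DIGITS = 6        # code length, as described on this page
MAX_FAILURES = 5  # assumption: the page only says "a certain number"


def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the count of elapsed time steps."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactor:
    """Server-side check: accepts the current code or one step either side
    (clock drift), rejects replays, and blocks a source after MAX_FAILURES."""

    def __init__(self, secret):
        self.secret = secret
        self.failures = {}   # source IP -> failed attempts since last success
        self.last_step = -1  # newest time step a code was accepted for

    def verify(self, code, source_ip, now=None):
        now = time.time() if now is None else now
        if self.failures.get(source_ip, 0) >= MAX_FAILURES:
            return False     # blocked: the code is not even evaluated
        current = int(now) // STEP
        for step in (current - 1, current, current + 1):
            expected = totp(self.secret, step * STEP)
            fresh = step > self.last_step  # a code works once, never again
            if fresh and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                self.failures.pop(source_ip, None)
                return True
        self.failures[source_ip] = self.failures.get(source_ip, 0) + 1
        return False
```

Both sides derive the code from a shared secret and the clock, which is why the phone app or fob works offline and why the server tolerates a small drift window.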

This VIP credential comes in the form of a credit card sized card that fits in your wallet, a key fob, and you can even download applications for your Blackberry, iPhone, or Android device. The service itself is free, but the card credential will run you $30, the key fob $10, and the mobile applications are completely free. Even if you decide to go the $30 route, it’s a small price to pay for the peace of mind of having your domains and your identity protected.

What happens if you lose your credential? Not to worry, our support staff can help you get back into your account. It will be a minor hassle, as you have to contact us, fax a copy of your ID, etc., but this is only to ensure that the owner of the account is trying to gain access. After all, protecting your domains is just as important to us as it is to you.

If you’d like to learn a little bit more about the NameSafe service, you can check out our product page.