Securing Corporate Identity - 3 Things You Shouldn’t Leave Behind

by Dmitry Kirsanov 5. December 2011 08:57

The new culture of making business “more social” brings so many new possibilities and chances, it’s hard to analyze the consequences of every step you take. We are doing so much in order to use the latest features of the web, that don’t recognize the jeopardy hidden in most innocent things we do.

In October of 2011 I took an experiment, which lasted for two months and gave me so interesting results, that I couldn’t resist to share. For some of you these findings could be shocking and reveal something new, but the reason for the experiment was purely to prove what seemed logical even without the experiments.

1. Web Sites

Domain names are cheap these days. Sometimes you can get them for free, when buying hosting packages from website hosting providers. And companies are creating such websites for each advertisement campaign they have, for events and buzz words – how many times you’ve seen domain made of slogan in ad campaign, or which ends with a year of the event?

Well, the life span of these resources is limited to the time of event or campaign. And after that – they expire and become open for registration. More often than not, they are acquired by someone else with unclear purpose, usually you find them to host adverts. But is it the only thing that happens?

During my experiment I’ve acquired a domain name of previously well known local website. It wasn’t operational for 3 last years and what I soon found out – there were still many hundreds links pointing to that website from a lot of different places. People or robots, they still visited this website hundreds times per day. Analyzing these incoming requests gave me information about places where links to that old website are still exists.

If I would be a criminal, I would be a happy one. Not only working links provide me with possibility to create a malicious copy of old web page and catch users who came by legitimate links placed by legitimate users, but also any e-mail pointing to the revived domain name, which is still left in someone’s address book or web page, could suddenly become operational.

While it’s safe to assume that not many people would try to use old e-mail contact belonging to decommissioned domain, there could still be reminders on 3rd party websites that could warn you of long period of inactivity and provide you with the login. Although they won’t send you the password, it could be reset using the e-mail address.

In order to create the page resembling the old one, the easiest way would be to go to the Web Archive ( and use the Wayback Machine. It presents you with the snapshot of website’s layout for the required date, and usually it contains snapshots of popular sites, even local ones. So if you think that there are no traces – check and see for yourself.

External links placed during the life time of abandoned web site are not the only sources of traffic. T-Shirts, cups, pens – whatever adverts you placed on merchandises or documents, still serve as valid source of incoming visitors, even this would happen once per month or so.

2. Social network accounts

Quite usual situation – one of your employees creates an official page in social network of his choice and it serves as such for some time, until you decide it should be either renamed or activity moved to another account. Since it is against the rules of some networks to have more than one corporate page and you didn’t rename it, you removed the old account. And guess what – it appeared again, but now promoting your rival.

Even worse – it could promote you, but in a way that has a hidden warning against using your services.

3. Online services

Your company and employees may have accounts in different online services. File sharing, perhaps. Imagine the situation, when some documents were placed by one employee to online service account and then used by other employees as a legitimate source, even though they have no clue who placed it there and when. When that employee leaves the company, there are many new opportunities opened for a potential attacker.

Do you have backup scripts that back up your sensitive data to either online service or domain which is not under your control anymore? I mean – are you aware of (non)existence of such scripts in your network and are you sure you still control the external accounts used?

Do you build software packages which download prerequisites, stored online at 3rd party services? Or perhaps you had another 2nd level domain name for such things?

E-mails on online services, like Gmail or Hotmail is another story – some companies are using free services until they grow up for having own dedicated e-mail server, and old e-mail address is not maintained for long enough.

The Morale Of The Story

To sum it up, there are few rules you should follow and keep an eye on:

  1. When buying temporary domains, consider to add 2 years to their life time. During the first of these added years the soon-to-be-abandoned website should redirect to your existing website using HTTP Permanent Redirection directive 301.
    The second year the domain should be simply non-responsive, so search engines will get the hint and perhaps remove old link from the index.
  2. All social network accounts should be monitored, maintained and in case you want to get rid of them – warn your users before doing that. Like placing a notice and stop any activity on that account for a few months before decommissioning it.
  3. Ensure that for all online services you are using e-mail accounts which belong to your company. Ensure that all e-mails are managed and passwords are changed in case the address is decommissioned or another employee begins to manage that e-mail account. In fact, a good idea is to create a forwarding of old addresses to a special account for abandoned addresses and send autoreplies to senders with current contact information.

Everything that we create in world wide web leaves the trace. The trace that could be followed. And it’s up to us to make sure these fading traces will still lead to us.

blog comments powered by Disqus