Some of today's hottest digital marketers have been known to explore the Internet's back alleys to test vulnerabilities and shine light on tactics that can wreak havoc with social profiles. They've operated somewhere between black hat and white hat tactics. Some would deem them hackers. Others would call them explorers, visionaries, or trailblazers.
Whatever the term, a lot of good can come from the information gleaned in dark digital corners. On a recent trek to an exclusive SEO conference in Germany, I met up with a couple of industry legends who have danced the hacker dance at some level. They provided great insight into tactics being deployed against brands and individuals and ways we can all protect ourselves from social media shenanigans.
Last week, we heard from Joe Sinkwitz, Intellifluence CEO. This week, we hear from a guy with a notorious-sounding pseudonym: "RSnake."
Robert "RSnake" Hansen invented what became known as the Clickjacking exploit and then repurposed it into the devastating social hacking exploit, Likejacking. He also crafted a denial of service exploit called Slowloris, used during the Iranian green revolution against Iranian leadership websites. "I've been a good guy all along," notes Hansen. "That was just research misappropriated."
Solving vulnerabilities by breaking systems may be controversial, but guys like Hansen learn from dark concepts to promote good.
Here are some of Hansen's top tips to protect your social assets:
1. Register your brands.
If you don't, attackers will. It's critical to properly register your brand across all social platforms, even ones you don't use. You can use a tool like Knowem to identify dozens of platforms where you should control brand messaging.
It's typically cheaper to use services like Knowem versus agencies, but there are some concerns. You'll want to reset all passwords after setting up accounts through such a service. If your staff or consultants are ever compromised, your information will be too. It's much like changing passwords after you terminate an employee who had access to your accounts.
Maintain a current list of all social accounts and websites. Smart marketers use automated monthly reminders to ensure the list is current. You cannot protect what you don't know you have. Many companies miss the basics of preventing account takeovers.
2. Protect social logins.
This should go without saying: Use strong passwords. The longer the better. Sentences, lyrics, poems or long strings of gibberish can work. Special characters add uniqueness.
Never re-use passwords, even though it's tempting. Unique passwords greatly limit an attacker's ability to compromise all your accounts after nabbing that first foothold.
Employ second-factor authentication. Your mobile phone is a great example of a second factor (something that changes and originates from something you have in your possession versus something you know and re-use).
Second-factor authentication is essential for your email, because once hackers crack your email, they can use the "forgot password" options to hack other systems. Application- or hardware-based second factor is stronger than text/SMS-based options, because mobile phone carriers can have gaps that allow people to trick them into sending the SMS to the wrong person.
Beware of phishing attacks. Clicking a link that then asks for a password or seeks your "secret questions" is one dead-on sign of a phishing scheme. In an ideal world, you'd perform all social work from a dedicated computer on an isolated VLAN from the rest of the network. Total pain, yes. But it's a powerful way to protect against the inevitable malware that sites drop into your computer.
Other great options include antivirus or application whitelisting. While not foolproof, whitelisting can go a long way to reduce risks. Windows techies can explore creative options like OpenDNS, which can help prevent you from visiting malicious sites in the first place. Sandboxie isolates your browser so malware can't permanently infect your machine.
3. Monitor your reputation.
Unmoderated content and comments on your sites or any channel can suck. Manually review all comments. It's a pain, but comment reviews are a big security plus and force you to stay in touch with users' concerns, which can boost customer relationships.
Finally, Google News Alerts tell you when your name or brand ends up in the press. If you have many brands and websites, add them too. Use programs like MarkMonitor to ID when people misappropriate your brand. The Internet is a big place, so it's best to let pros monitor the vast weirdness of the web.
Exploring the future of digital marketing requires a trek into the confusing space between black hat and white hat activity. My sincere appreciation to Joe Sinkwitz and Hansen for allowing me to share their insights. These are top-notch guys who understand the dark side of the web, but rest assured, they put their knowledge to use for good.