Triune Designs Blog: Web Design, Development, & Marketing

Posts Tagged ‘web development’

The Two Folds

Tuesday, May 4th, 2010

This is a good article showing the results from a website user-attention study that was recently performed.

The information gathered from these results is nothing new, but the study is excellent at reinforcing the fact that the conventional web design layout is still the best.

Another good reminder for non-web designers and developers is to think like a newspaper editor. When adding content to your website, try to always keep the most important information above the fold… and to the right of the “second fold.” If the results above are true, your website will be happy you did.

Been Kinda Hacked? A Web Host’s Suggestion

Thursday, September 3rd, 2009

A few days ago I wrote about our website having been potentially hacked by way of our WordPress blog. After performing a couple of preventative measures, I decided to contact our web host, Media Temple, to see if there was anything else we could do.

Jeff’s Advice To Me… And You
Jeff, who provided excellent customer service, and I spoke about our situation. To help you with your website, here is the rundown I received.

  • Stay on top of your blog and its members. Try to catch possible issues early before users have a chance to do harm to your website.
  • If you can do it, turn off the “anyone can register” option under general settings of your WordPress blog.
  • Change your password frequently and use something alphanumeric with lowercase letters, capital letters, and typographical symbols.
  • Check out Google Webmaster Tools. In general they provide good information for your website. An added benefit is that if you have any red flags from being hacked, they will let you know here.
  • Run virus scans on your computer to make sure you do not have any viruses or spyware. This is a “just-in-case” measure for extra protection for you, your computer, and your website.

We Are Not Just About Security
I know a lot of the past few blog posts have been about personal, blog, and online security. Please know this is just a temporary subject given all of the things that have been happening around Triune Designs and the web in general. We should be resuming our “normal programming” quite soon.

Protect Yourself

Tuesday, August 25th, 2009

A few weeks ago I read The Anatomy Of The Twitter Attack on TechCrunch. All I can say is wow!!

In case you have not been following along on TechCrunch (TC) lately, let me fill you in. The online tech publication recently received over 300 documents from a hacker who retrieved sensitive business information from the executives at Twitter. These documents included Twitter’s financial details, executive-level meeting notes, and various documents outlining Twitter strategies, goals, and processes. Using this information, TC wrote a series of behind-the-scenes articles about Twitter and their plans for the present and future.

Security Holes
The Anatomy article reveals exactly how the hacker gained access to Twitter’s sensitive information. Hacker Croll (HC), as he wanted to be called, gained access through a Twitter employee’s Gmail account.

  1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account; he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails and successfully guessed what the original Gmail password was, then reset the password so the Twitter employee would not notice the account had changed.
  3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.

Your Security
In terms of online security and privacy, this is a horror story at its finest. Jason, Freddy, and all the others would be jealous.

Web developers are always a little paranoid about security and (hopefully) try to minimize the number of security holes on a given website. This mindset should apply to everyone, though. As more of our (and our companies’) information heads on-line, we need to stay mindful of keeping our data more secure.

Quick Security Tips
Here are a few quick tips for increasing your security.

  • Have a different password for every on-line account.
  • Change your passwords regularly.
  • Keep your password retrieval options up to date.
  • Consider changing your security questions to things that are not true, but that you will remember.
  • Keep all of your on-line apps and computer software up-to-date. (e.g., make sure you are running the latest WordPress version available. Make sure you are running the latest version of Internet Explorer, Safari, or Firefox.)
  • Always be careful with email and any attachments. This is especially true if the email comes from an unknown sender or from your bank, credit card company, etc.
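
The chain in the Anatomy article rested on two things the tips above address: a recovery address nobody had checked in years and one password shared across accounts. As an added example (not part of the original post), this Python script audits an account inventory for both and shows how far the loss of one account would spread; the account names, field names and one-year threshold are constructed assumptions.

```python
from collections import deque
from datetime import date

# Constructed inventory for illustration; none of these are real accounts.
# "recovery" names the account that receives password-reset links.
# "pw_tag" is a label for each distinct password; the password is never stored.
# "checked" is when the owner last confirmed the recovery address still works.
ACCOUNTS = {
    "old-webmail":   {"recovery": None,            "pw_tag": "p1", "checked": None},
    "personal-mail": {"recovery": "old-webmail",   "pw_tag": "p2", "checked": date(2006, 3, 1)},
    "work-mail":     {"recovery": "personal-mail", "pw_tag": "p2", "checked": date(2009, 5, 1)},
    "shop":          {"recovery": "personal-mail", "pw_tag": "p2", "checked": date(2009, 5, 1)},
    "registrar":     {"recovery": "work-mail",     "pw_tag": "p3", "checked": date(2009, 5, 1)},
    "bank":          {"recovery": None,            "pw_tag": "p4", "checked": None},
}


def stale_recovery(accounts, today, max_age_days=365):
    """Accounts whose recovery address has not been confirmed recently."""
    stale = []
    for name, acct in accounts.items():
        checked = acct["checked"]
        if acct["recovery"] and (checked is None or (today - checked).days > max_age_days):
            stale.append(name)
    return sorted(stale)


def blast_radius(accounts, first_lost):
    """Accounts exposed if `first_lost` falls into someone else's hands."""
    # Conservative assumption: losing an account exposes its password and
    # every reset link that is sent to it.
    exposed, queue = {first_lost}, deque([first_lost])
    while queue:
        lost = queue.popleft()
        for name, acct in accounts.items():
            if name in exposed:
                continue
            if acct["recovery"] == lost or acct["pw_tag"] == accounts[lost]["pw_tag"]:
                exposed.add(name)
                queue.append(name)
    return sorted(exposed - {first_lost})


if __name__ == "__main__":
    today = date(2009, 8, 25)
    print("stale recovery:", stale_recovery(ACCOUNTS, today))
    print("exposed via old-webmail:", blast_radius(ACCOUNTS, "old-webmail"))
```

Giving every account its own password label and re-confirming each recovery address should shrink both lists; an account with no links to the others, like the constructed "bank" entry, exposes nothing else.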

If you have any other online security suggestions please throw them down in the comments.

Many Thanks
Thanks to TechCrunch, Twitter (reluctantly I am sure) and H. Croll for providing us with this great example of our fragile online security.

The bank vault image is courtesy of Anonymous Account and can be found on Flickr.
