Out-Law News
06 Nov 2008, 11:45 am
Business bloggers must take a series of simple steps if they are to avoid damage to their firm's reputation and potential liability for damage to others' computers, according to IT security company Network Box.
"More than 175,000 new blogs are created every day," said Network Box internet security analyst Simon Heron. "Of these, 58% are corporate or professional blogs. As the numbers grow, so do the potential threats. As blogging pervades our lives, so too do reports of malware delivered via Blogspot, Google’s blogging platform, or malicious code embedded in Wordpress."
Network Box said that there are two main threats to the users of blogs. One is a direct attack on their computers from computer code that has been 'injected' into the blog itself.
"[SQL injection attacks] can be used to put malware onto a reader’s computer; or to spam subscribers with a product website," said Heron. "Both Blogger and Wordpress have been vulnerable to SQL injection attacks, and don’t provide enough care when validating SQL queries."
The other kind of attack is less direct. Users of the blog publish spam in the posts section of the site, with links to websites they control that infect a user's computer with malicious code.
"This is where a spammer posts content advertising a product (typically health or finance products), with a link to a website that may contain malicious code," said Heron. "Increased exposure also helps these spammers increase their search rankings for a short time. Some research claims that as many as two in three comments left on blogs are spam."
Network Box said that blog publishers should follow some simple security steps to decrease the likelihood of their blogs infecting readers' machines.
It said that bloggers should insist that people fill in a 'captcha' box before being allowed to post. This requires people to look at a picture of characters and type those characters in, and is designed to ensure that automated posts are not successful.
Other actions bloggers should take are general security measures, such as ensuring the password is strong and not predictable; restricting access to control of the blog; changing default prefixes for named elements; and using a firewall.
"Once you have your blog working, disable any error messages. This will reduce the amount of information hackers can glean about your blogging software," said Heron. "[And] check your blog at the weekend. The most common time for a hacker to infect a blog is over a weekend, when the effects won’t be seen until the following Monday. This gives the maximum ‘window of exposure’ to the hacker."
Network Box's advice to corporate bloggers is contained in a guide to safer blogging. Heron said in that guide that the stakes are high.
"Blog readers are more likely to trust something they read in a blog they subscribe to, and this applies to clicking on unknown links. Most of us are pretty used to sharing links to unknown sites – YouTube videos, or photo albums shared between friends, for example – and this can lead to complacency that hackers exploit," he said.
"At best, the effect is to damage the reputation of the blog (and the blogger) and to have your blog closed down; at worst, you could be responsible for infecting the computers of loyal subscribers. The impact on a company’s reputation can be extremely negative."