My head is still spinning and my mind is still decompressing from everything I learned at the Blackhat and Defcon conferences last week. Blackhat and Defcon are what are professionally known as InfoSec (Information Security) conferences – or "hacking" conferences to the rest of us.
Why would an SEO need to attend a conference about security, exploitation and hacking? What would you hope to gain from that experience other than the feeling that tin foil hats are maybe not such an odd fashion accessory?
Well, maybe you've heard about "negative SEO"?
I really dislike this set of words. "Negative SEO" sounds as serious as having a sick headache, when in reality it covers a much broader set of potentially harmful techniques.
The words "negative SEO" have been bantered about as though it just arrived on the scene as Panda and Penguin's drunken cousin. Nothing could be further from the reality.
"Negative SEO" has been around since SEO started having rules. The question is, what is it, why do we care?
Lately, mostly the talk is about links. "If I get x bad links, will I get a Google-y letter telling me how Google-y wrong I have gone?"
What many don't know is how extreme that game has gotten, how links are like the Sea Shepherd throwing soap bombs, limitedly effective, but hardly worth the effort, especially when there are so many other better and permanent methods afloat.
Attack! The Vulnerabilities
How do these vulnerabilities (also known as attack surfaces) offer competitors new opportunities to take you off page one into SEO oblivion? Worse yet, with Google the only gatekeeper how long you stay in oblivion is well, completely arbitrary.
Oh and links? Links are about to feel like what Mr. Rogers would do if black hat were his SEO technique.
Note: This article isn't intended to scare you into buying tin foil hats or unplugging your servers from the wall and calling it a day. It is very UNLIKELY unless you are a certain type of site that many (or any) of these would ever come your way, but you SHOULD be aware they exist.
When Links Become Bullets
Or how simple it can be to make your site stinky.
How many links does a bad link buy directed at your website take before you get a notice from Google that something is afoot?
Rand Fishkin of SEOMoz put out the challenge to any and all to come after his site. Finally, in just the past two weeks and after x bad links pointed at his site he indeed got the notice from Google that his link profile was full of stinky links and he needed to fix it.
Now assuming someone had the time, effort, and inclination the question that logically emerges from this scenario, can they torpedo a site's rankings? Can they bump your site from its glorious placements in Google and send it to page 10 hell? Yes, they can.
Is this new? No.
Do we know the percentage of links it takes to take a site off the Google grid? We have a very good idea.
Let's just say that test was run over a year ago, successfully. The details aren't online in a news article on any mainstream search industry publications, and never should be. Just know that it can happen, has happened, and (until links can be attributed – not any time soon) will happen again.
Negative SEO: Much More Than Bad Links
What can someone with a little bit of programming skill stil do to hurt your site SEO?
- Strategic placement of a noindex tag into a page.
- Strategic placement of personal data such as social security numbers or porn.
- Cross site scripting malware into your site.
- Injection scripting code into your links.
- Anchor text bombing – goes with link building, but is a technique of its own.
- WordPress plug-ins with built in exploits.
- Proxy Hacking – this one is so severe I will give no details – it can cause your homepage to disappear from Google overnight.
Is your mind turning yet? Got some ideas? Well, let's go further down the rabbit hole.
HTML 5: Negative SEO on ‘Roids
Or: how your website code can be turned against you
(Note, many attacks can also be accomplished in HTML4)
Well how about the code surface? The use of HTML 5 has taken some old vulnerabilities and moved them into new strata, while creating a much larger attack surface with its greater capabilities.
Remember HTML 4 was a tagging language. HTML 5 is a coding language. There is a tremendous difference here.
So if you are using HTML 5 to create websites or web apps, shore up and make sure you aren't standing naked in a Chicago wind.
Here are 3 of the 10 exploits from "HTML5 Top 10 Attacks – Stealth and Silent"
1. CORS Attacks & CSRF Exploit
The long and short of this exploit is the ability to have your domain and another domain get together and have a party without your knowledge.
CORS (or Cross Origin Resource Sharing) is where the ability to add an extra HTTP of header of origin that can establish a stealth connection then by using a POST method can set "withCredentials" to true.
How could this vulnerability be used?
Someone could upload a file to your site without your knowledge. From the somewhat benign, "I am running a Viagra Store on your PR 10 .edu" to the potentially lethal, let me add some porn to your site where you would not notice it and see you get put in the Google Adult Filter.
2. XSS With HTML 5 Tags, Attributes and Events Exploit
In this case it is especially important to be careful during dynamic reloading and the implementation of these new tags and feature to help prevent accidental exposures.
How could this vulnerability be used?
Primarily for an XSS or Cross Site Scripting Attack, otherwise known as code injection. Now think, what are the many ways someone could harm my site if they could inject code into it.
First and foremost, get you a malware warning from Google and subsequent web browsers, quickly pushing you off your traffic and rankings. From here the possibilities are too large to list.
3. Third Party/Offline HTML Widgets and Gadgets Exploit
The base for this exploit is a poisoning of the browser's cache. This can then be used to "watch" the activities of the user offline.
How could this vulnerability be used?
With this exploit an unscrupulous user can lead you to a site where code is downloaded and kept offline. This offline code "watches" your activities and reports back those activities.
Sounds like an excellent way to grab data on a competitor's SEO strategy to me.
Now, get your tin foil, let's take it to the extreme! Ready?
Negative SEO Extreme: Hardware/Firmware Hacking
Or: how your mobile device could lead to your SEO demise
Now here is one that will probably keep you up at night! But don't let it. Out of all the ones discussed so far, this is the least likely to happen as someone has to be near you to initiate the attack.
However, if I thought about it I know others far more gifted in the dark arts are probably already working on it. And if you have a site that is extremely competitive with others and they already play in the mud, this is a must know because the future of hacking is not only on the web, but also through your device.
NFC (Near Field Communications) Chip Attacks
I am going to concentrate on the NFC chip today because it was the discussion at Blackhat. However, these same concepts are said to be possible with other features built into your smartphone (Features such as S-Beam or Bump).
So what is an NFC chip and why do you need to be concerned?
NFC chips are the chips that allow you to make payments from your phone by waving it in the air, waving it like "you just don't care"!
OK well maybe you care, but just didn't know that that single act is one of the most insecure things you can do with your phone if you do not know whether everyone within 3 feet of you is a good guy.
(Supposed limit is 3 centimeters, tested limits were 1.3 meters)
This video shows you how features such as the NFC and S-Beam work. Pretty cool isn't it? Also, highly vulnerable.
In the most simplistic of terms, the NFC chip (and other functions) allows your phone, via radio frequency to communicate with other devices. The problem is, this isn't a secure method of data transmission if someone knows what he or she is doing.
What is even more concerning is that – if I were so inclined – I could stand up to 1.3 meters away from you and make your phone "do things". Oh noting of course you don't have to activate this feature on your phone to be attacked. The phone merely has to be on to be vulnerable in most cases. (Though lock screen status seems to have an effect.)
What it means in laymen terms is I can get into your device, at the root level and I can activate functionality inside of it without you knowing.
What can I make your phone do? Well it depends on the phone and the operating system, but some of the "things" that I can make your phone "do" are share documents, read files, and open browsers.
For all the details read Exploring the NFC Attack Surface from Blackhat.
Why would opening browsers be bad? Here is just a small list of issues that being able to open a browser might create, especially if you store your passwords in the browser fields.
So you might inadvertently give someone access to:
- Access to Webmaster Tools.
- Access to the delist tool in Webmaster Tools.
- Access to your site and inject code, malware, etc.
- Access to your site where changes could be made.
- Ability to open a browser of their choice, go to a website and download an executable file that does whatever it is scripted to do as though you went there yourself.
Well you get the idea. Smartphones, NFC chips all are highly insecure right now, so the best thing to do is keep your phone close, your log-ins in your real world memory and never turn on the beaming capabilities if you are in a commercially hostile environment.
They also only have single factor authentication, so if you leave your phone out anything stored in the NFC chip can be easily accessed with your PIN, either given or hacked.
Sometimes people forget the biggest type of hacking involves nothing more than getting into your stuff in the real world. Now for 99 percent of you this isn't even the remotest of concerns on an SEO level, but for many in the search industry, travel is part of the job.
When you're traveling, you should be able to just lock up all your valuable data in your room. No one can get to it there, right? Well, one hotel key hack, revealed at Blackhat/Defcon, showed that it "only takes $50 and a junior level understanding of programming."
This hotel key hack affects one of the largest hotel key providers in the U.S. An even bigger concern: it is unfixable unless the actual hotel locks are changed.
The goal here is not to scare you into frightful nights and fits of terrified sleep. The goal here is to make you aware, so you can take appropriate steps to protect yourself such as:
- Hiring top level developers who are well versed in security protocols.
- Getting a security audit on all your site code.
- Getting a security audit on your site implementation including databases.
- Getting an SEO audit once every few months to check your link profile for bad links and if any are found taken immediate action.
- Never just remove bad links. An SEO professional can help you eliminate the negative links without exacerbating the situation.
- Keeping your smartphone off when not sure or if able, get it secured with encryption so data that leaves your phone is undecipherable. It makes the attack more difficult. Feature flip phones are a possibility too, but most of us have past that phase in our cell life.
- Use security bags like PacSafe or hotel safes for your valuables.
Only Scratched the Surface?!
My goal here isn't to give bad people ideas (besides they know these already) or people not inclined to do these things methods for doing them, that is why I am only giving a few well-known examples with limited implementation information.
So why am I telling you all this? Because Google carpet-bombed the SEO industry the past 12 months. Some for the good and some for the not so good, but everything got much more competitive. Not knowing your vulnerabilities is like walking in the woods at night without a light or into the desert without water.
Whether you're a site owner, developer or SEO, these are things you need to know. The SEO waters are only going to get rougher.
For help on protecting your site against the above mentioned vulnerabilities, see:
- Using Fetch as Google Bot to find Hacked Sites
- More HTML 5 Attacks and how to prevent them
- Protecting your site against XSS
- Near Field Communications (NFC) and protections:
Meet Your Favorite Search Engine Watch Contributors
Many of SEW's leading expert contributors will be at ClickZ Live, the new online and digital marketing event kicking off in New York (March 31-April 3). Hear from the likes of: Thom Craver, Josh Braaten, Lisa Barone, Simon Heseltine, Josh McCoy, Lisa Raehsler, Greg Jarboe, Dan Cristo, Joseph Kerschbaum, John Gagnon, Eric Enge and more!