[HN Gopher] GoDaddy employees used in attacks on multiple crypto...
       ___________________________________________________________________
        
       GoDaddy employees used in attacks on multiple cryptocurrency
       services
        
       Author : todsacerdoti
       Score  : 120 points
       Date   : 2020-11-21 18:18 UTC (4 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | javert wrote:
       | Here is my idea for a non-broken/secure domain registrar using
       | public-key crypto.
       | 
       | a) When you register the domain, you provide a public key.
       | 
       | b) The registrar will only ever redirect the domain if they
       | receive a message signed with the corresponding private key.
       | 
       | There is a holding period if you stop paying for the domain,
       | before it is released to the public again. You pay for the
       | holding period in advance, when you do the initial registration.
       | 
       | This can be built today with existing technology.
       | 
       | Can someone please make this? Any feedback? Does this exist
       | already?
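javert's two rules (a public key supplied at registration, and a change honoured only when the request is signed by the matching private key) as an added Go example, not code from the comment or from any real registrar. Ed25519 from the standard library, the toy in-memory registrar, and the sequence counter that refuses a re-submitted request are all assumptions added here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// ChangeRequest is what the registrant signs; Seq is a replay counter (an assumption added here).
type ChangeRequest struct {
	Domain string
	Seq    uint64
	NS     []string
}

// Registration is all the registrar stores: the key from step (a), last accepted Seq, current NS.
type Registration struct {
	PubKey  ed25519.PublicKey
	LastSeq uint64
	NS      []string
}

type Registrar map[string]*Registration

// canonical is the exact byte string both sides sign and verify.
func (c ChangeRequest) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", c.Domain, c.Seq, strings.Join(c.NS, ",")))
}

// Sign runs on the registrant's side with the private key.
func Sign(priv ed25519.PrivateKey, req ChangeRequest) []byte {
	return ed25519.Sign(priv, req.canonical())
}

// ApplyChange is the only path that changes NS records (step b): wrong key or stale Seq is refused.
func (r Registrar) ApplyChange(req ChangeRequest, sig []byte) error {
	reg, ok := r[req.Domain]
	if !ok {
		return errors.New("unknown domain")
	}
	if !ed25519.Verify(reg.PubKey, req.canonical(), sig) {
		return errors.New("signature does not match the registered key")
	}
	if req.Seq <= reg.LastSeq {
		return errors.New("stale sequence number: possible replay")
	}
	reg.LastSeq = req.Seq
	reg.NS = append([]string(nil), req.NS...)
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // registrant's keypair
	r := Registrar{"example.test": {PubKey: pub, NS: []string{"ns1.example.test"}}}
	req := ChangeRequest{Domain: "example.test", Seq: 1, NS: []string{"ns1.new-host.test"}}
	sig := Sign(priv, req)
	fmt.Println("signed:", r.ApplyChange(req, sig), r["example.test"].NS)
	fmt.Println("replayed:", r.ApplyChange(req, sig)) // the same bytes again are refused
}
```

Note that support staff have nothing to be talked into here: there is no password, phone number or e-mail address on file that could stand in for the signature.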
        
         | donmcronald wrote:
         | That's way too complicated for the average registrant. There
         | are lots of practical options that could strengthen the process
         | for the average registrant.
         | 
         | Half the battle is for registrars to quit accepting the
         | equivalent of cold calls from registrants. How hard is it to
         | make a call back to the registrant when they're asking for NS,
         | MX, etc. changes?
         | 
         | If the registrant phone number hasn't changed since
         | registration, it's pretty safe to call them back and trust them
         | IMO. If the registrant phone number was changed 5 days ago and
         | someone is calling in asking for changes, that's an easy red
         | flag and could be coupled with a technical restriction that
         | requires escalation for important domain changes.
         | 
         | Another option similar to yours but easier would be to set a
         | pin during registration and to require it for making over the
         | phone domain changes. I guarantee those will get lost /
         | forgotten by the average registrant though.
         | 
          | You'd be shocked at the number of small businesses that don't
          | know where their domain is registered, who registered it, when
          | it expires, etc.
         | 
         | If a domain is making money use a registry lock. If it's a high
         | value domain making tons of money, pay MarkMonitor or similar
         | to manage it.
        
       | Meekro wrote:
       | I'm pretty intrigued by the cryptocurrency-based DNS alternatives
       | that get kicked around in discussions like this. But if you need
       | a way to mitigate this threat for your business today, I'd
       | recommend Cloudflare's Enterprise Registrar.
       | 
       | It was designed specifically to prevent these kinds of attacks.
       | You can design your own security procedure. "For instance, if a
       | Custom Domain Protection client wants us to not change their DNS
       | records unless 6 different individuals call us, in order, from a
       | set of predefined phone numbers, each reading multiple unique
       | pass codes, and telling us their favorite ice cream flavor, on a
       | Tuesday that is also a full moon, we will enforce that.
       | Literally."
       | 
       | As far as I can tell, they've never been pwned.
        
         | viraptor wrote:
         | But this is only a procedure for the customer. We'd hope that
         | their employees have internal rules that are just as strict for
         | interacting with internal IT, but can't be sure.
         | 
          | The rules for the customer don't matter much if someone gets hold
          | of a company account which can make the right change.
         | 
         | Re. Cryptocurrency, I'd be really nervous implementing that in
         | production. The current registers may not be perfect, but
         | there's an escape hatch where things go wrong, you contact the
         | right people and changes get reverted. With coin based DNS, the
         | right hack may mean you lose access to your domain forever and
         | there's no rollback possible.
        
           | CydeWeys wrote:
           | Yup. If you're running something this critically important on
           | your domain (i.e. pretty much any business doing 7 figure
           | revenue or more), it'd really behoove you to switch to a
           | registrar that supports registry lock on your domain. Then
           | you're protected by the procedures at two unrelated business
           | entities.
        
       | phantom_oracle wrote:
       | These support jobs are grueling. The pay isn't too great and you
       | are sometimes required to know many years of accumulated sysadmin
       | knowledge for the price of entry-level salaries.
       | 
       | Also, foreign tech support, typically Eastern European. For all
       | the expensive audits tech companies do on their appsec, all it
       | takes is 1 disgruntled Ukrainian who says "fuck those Americans
       | for playing a part in fucking up my country" (or more usually
       | phishing or a bribe) and suddenly a few important domains are
       | compromised.
       | 
       | I wonder if paying the premium to MarkMonitor prevents the risk
       | of foreign and underpaid staff, but the domain industry is more
       | like a commodity now and they hook you in with "cheap cheap
       | cheap".
       | 
       | Also, the only thing crypto seems to be making the news for these
       | days is when a company gets hacked. So much for that revolution.
        
       | Scaless wrote:
       | 6 years later, nothing's changed.
       | 
       | https://techcrunch.com/2014/01/29/godaddy-admits-hackers-soc...
       | 
       | Stay far, far away from godaddy.
        
         | CharlesW wrote:
         | I think there are good reasons to avoid GoDaddy, but do HN-ers
         | feel like there are registrars whose employees would never fall
         | for social engineering techniques, or whose systems and/or
         | processes make such a scenario far less likely?
        
           | tmpz22 wrote:
           | Companies with better established security infrastructure
           | like AWS and Google make for better registrars in my opinion.
           | They're not perfect, for example with Google you might lose
           | your domains due to a youtube infraction. Actually, now that
           | I think about it strike Google from the list, just AWS
           | really.
        
             | n42 wrote:
             | I would love to use AWS's registrar exclusively for
             | anything I host there, but unfortunately they have a pretty
             | limited selection of TLDs. it's more important to me that
             | all my domains are in one place so I can review them at
             | once. I really wish they would support more.
        
               | tmpz22 wrote:
                | If "viewing all at once" in a single UI is more important
                | than security, reliability, etc., you don't have many
                | constraints to begin with.
        
           | toast0 wrote:
           | If it's really important, you need a registrar _and_ a
           | registry with a Registry Lock program. With this in place,
           | when you want to make a change, you notify the registrar, who
           | notifies the registry, who carries out the authentication
           | procedure and, if successful, allows the domain to be
           | changed, then relocks.
           | 
           | Note that the registry may only be available to do unlock
           | procedures for limited hours, usually business hours in their
           | locale; that might be inconvenient if it's not your locale.
           | 
            | My understanding is Cloudflare can do registry locks, but
            | does not offer registrar services standalone. Corporate
            | oriented registrars like CSC and MarkMonitor offer it. I
            | don't have experience with CSC, but MarkMonitor had a pretty
            | high minimum spend (I think 10k/year) to get on their
            | platform circa 2013; that may have changed, also they're now
            | owned by a VC firm, just FYI.
           | 
           | NetworkSolutions (boo hiss), rolled out a registry lock
           | feature after a high profile hijacking which was why my
           | employer had me work with MarkMonitor.
        
         | beachwood23 wrote:
         | What registrar would you recommend instead?
        
           | markdown wrote:
           | Cloudflare.
        
           | fgonzag wrote:
           | namecheap has actually been a really good registrar, contrary
           | to what the name suggests.
        
             | Erlich_Bachman wrote:
              | Instead of compromising cryptocurrency services, they
              | support paying for their services in cryptocurrency. That's
              | arguably a better strategy for engaging with the target
              | audience of crypto enthusiasts ;)
        
           | SparkyMcUnicorn wrote:
            | Cloudflare does domains at cost, and I use them for every TLD
            | they support.
           | 
           | I've had great experience with porkbun, and no major
           | complaints with namecheap.
        
           | ForHackernews wrote:
           | gandi.net has always been outstanding.
        
           | donmcronald wrote:
           | Namecheap and Porkbun are pretty good.
           | 
           | Namecheap is bigger, so it's possible to get support people
           | that aren't amazing. Porkbun is pretty small and I feel like
           | there's less room for underperforming support staff when you
           | have less than 10 of them.
           | 
            | Porkbun has an extra "domain password protection" option
            | where you can require an extra password for retrieving an auth
            | code for domain transfer. I'm not sure how much use that is
            | though. Once someone is into the account to the point they
            | can change NS, the real world impact is similar to having the
            | domain transferred away (and recovered).
        
           | orthecreedence wrote:
            | Nearlyfreespeech is more of a host than a registrar, but I
            | feel they generally have really good practices and procedures
            | around security. I certainly trust them more than Godaddy.
            | That said, they don't support a lot of .wacky suffixes other
            | registrars might.
        
         | test1235 wrote:
         | it should be noted that GoDaddy also own quite a few other
         | registrars e.g. Host Europe Group who own 123-reg, Heart
         | Internet, Host Europe, Webfusion, RedCoruna, Mesh Digital and
         | Domainbox
         | 
         | https://en.wikipedia.org/wiki/Host_Europe_Group
        
       | rasengan wrote:
       | This is literally why you need to own your name instead of
       | leasing it from some random registrar. That's why Handshake [1]
       | is so important. It looks like support [2] for Handshake is
       | building up quickly now, so hopefully we can move past the days
       | of insecure DNS.
       | 
       | [1] https://handshake.org/
       | 
        | [2] https://blog.101domain.com/corporate-service-series/handshak...
        
         | saagarjha wrote:
         | (This is a cryptocurrency pitch, in case the cry for
         | decentralization didn't make that clear.)
        
           | knowaveragejoe wrote:
           | Does Handshake have a token? Not all blockchains or other
           | decentralized tech circle back to currency.
        
             | rasengan wrote:
             | Handshake needs a token to create scarcity. Otherwise, what
             | would stop one from registering all the domains in the
             | world. You can read more details about this in "#
             | Decentralized Certificate Authorities and the Blockchain"
             | [1].
             | 
             | [1] https://handshake.org/files/handshake.txt
        
               | orthecreedence wrote:
               | This project looks interesting. Thank you for taking the
               | (honestly unwarranted) downvote hit to answer questions
               | about it.
        
           | imglorp wrote:
           | Decentralized naming is going to be critical to an open
           | internet. We've already seen fights over names by
           | corporations and governments.
           | 
           | Decentralization does not imply cryptocurrency but you do
           | need (1) some proof of work to reduce squatting the whole
           | namespace, (2) atomic-ish transactions to ensure one owner of
           | a name, and (3) lots of malicious participants.
        
         | CharlesW wrote:
         | > _...every peer is validating and in charge of managing the
         | root DNS naming zone..._
         | 
         | I don't understand how anyone can read this (and many other
         | statements on the site) and take it more seriously than any
         | other ICO scheme.
         | 
          | For fairness' sake, I propose the entire "crypto" ecosystem move
          | off of DNS to _[name of blockchain-based solution deleted]_
          | first, and then we can see how it's going after a couple
          | years.
        
           | rasengan wrote:
           | Handshake raised $10mm which was donated (all $10mm) to non-
           | profit organizations and open source projects, including
           | GNOME [1], Debian [2], KDE [3], among others.
           | 
           | Far from an "ICO scheme," the project further allocated the
           | majority of the coins to developers and existing domain
           | holders.
           | 
           | Unlike most decentralized projects you may be thinking of,
           | Handshake is a real project and people are buying domains
           | [4]. Compare the activity on chain with _____, and Handshake
           | speaks for itself.
           | 
            | [1] https://www.gnome.org/news/2018/08/gnome-foundation-receives...
           | 
            | [2] https://dot.kde.org/2020/01/21/kde-receives-generous-donatio...
           | 
           | [3] https://www.debian.org/News/2019/20190329
           | 
           | [4] https://dns.live/
        
       | jrochkind1 wrote:
        | I really gotta get a personal domain registration off of GoDaddy,
        | but every time I consider figuring out how to do that, I get
        | exhausted. As is the intent.
        
         | ddevault wrote:
         | It's not as hard as it sounds.
        
           | jrochkind1 wrote:
            | I did find some instructions just now from NameCheap, where I
            | have some other more recent registrations.
            | https://www.namecheap.com/support/knowledgebase/article.aspx...
           | 
           | With those instructions, it doesn't look too hard. Without
           | godaddy-specific instructions, I would have had a lot of
           | trouble figuring it out. Unlock registration; get authcode;
           | turn off whois privacy protection; accept transfer. Each done
           | in a different screen.
           | 
           | I went to do that, to discover... this old domain, the oldest
           | I have registered, has both an email and a phone number that
           | I no longer have access to, and which GoDaddy wants to do
           | 2-factor using one of them even though I do have my password.
           | (The last 4 of the phone number I recognize as a landline I
           | last had around 17 years ago, before I had a cell phone. I've
           | had this domain for a while, from before I knew better than
            | to use godaddy). They let me pay them renewal every year
            | without me having to log into my account or notice I can't
            | anymore, which I guess is better than stealing my domain
            | because of it, but is also why I hadn't noticed for years I
            | could not log into the account.
           | 
           | So I guess first step is figuring out how to get GoDaddy to
           | give me access to the account again... it looks like that may
           | necessarily involve some disruption/outage to my DNS which is
           | in the old account I can't get access to. We'll see.
           | 
           |  _edit_ wait a second, they totally _send me a renewal notice
           | to email every year_. They know my current email! They are
           | insisting on sending a 2-factor code to a _different_ email I
           | no longer have access to. Wtf is that?
        
             | makebackupstoo wrote:
             | Yes. GoDaddy is bad. That's why people have been
             | discouraging its use here and shaming people for using it,
             | for a decade? More?
             | 
             | I recently got a notification that someone logged into my
             | GoDaddy account. I angrily log in, knowing that I don't
             | have any resources.
             | 
              | I'm greeted with a login log that shows "Android app"
              | logging in every day for the past year, from multiple
              | different countries. And my account required email
              | confirmation (which must have been bypassed on the
              | Android app?)
             | 
             | It's bad. Don't use GoDaddy. While you're at it, you should
             | really actually make backups and use a password manager
             | too.
        
             | dylan604 wrote:
             | If you can still login to the account, can you not update
             | the contact info (or does that update also require 2FA)?
        
         | yawnxyz wrote:
         | it's super easy, and if you transfer your domain like
         | Cloudflare you probably end up saving a few bucks too
        
         | cltsang wrote:
          | It isn't exactly straightforward for those without experience.
          | But if you follow the steps closely, for example [0], it takes
          | 15 minutes tops.
         | 
          | [0] https://developers.cloudflare.com/registrar/domain-transfers...
        
       | dabeeeenster wrote:
       | Blows my mind that people running these trading platforms would
       | trust GoDaddy with the security of their domain name.
        
         | dboreham wrote:
         | As an old dinosaur who ended up becoming involved in the
         | blockchain space, this doesn't surprise me at all. I suspect
         | this is a generalizable pattern: a new industry is created and
         | very little of the experience learned in older industries is
         | transferred.
        
         | swiley wrote:
         | Marketing is surprisingly effective. Because of it, almost no
         | software or service that is popular is good.
        
       ___________________________________________________________________
       (page generated 2020-11-21 23:00 UTC)