[HN Gopher] GoDaddy employees used in attacks on multiple crypto...
___________________________________________________________________
GoDaddy employees used in attacks on multiple cryptocurrency services
Author : todsacerdoti
Score : 120 points
Date : 2020-11-21 18:18 UTC (4 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)

| javert wrote:
| Here is my idea for a non-broken/secure domain registrar using public-key crypto.
|
| a) When you register the domain, you provide a public key.
|
| b) The registrar will only ever redirect the domain if they receive a message signed with the corresponding private key.
|
| There is a holding period if you stop paying for the domain, before it is released to the public again. You pay for the holding period in advance, when you do the initial registration.
|
| This can be built today with existing technology.
|
| Can someone please make this? Any feedback? Does this exist already?
|
| donmcronald wrote:
| That's way too complicated for the average registrant. There are lots of practical options that could strengthen the process for the average registrant.
|
| Half the battle is for registrars to quit accepting the equivalent of cold calls from registrants. How hard is it to make a call back to the registrant when they're asking for NS, MX, etc. changes?
|
| If the registrant phone number hasn't changed since registration, it's pretty safe to call them back and trust them IMO. If the registrant phone number was changed 5 days ago and someone is calling in asking for changes, that's an easy red flag and could be coupled with a technical restriction that requires escalation for important domain changes.
|
| Another option similar to yours but easier would be to set a PIN during registration and to require it for making over-the-phone domain changes. I guarantee those will get lost / forgotten by the average registrant though.
|
| You'd be shocked at the number of small businesses that don't know where their domain is registered, who registered it, when it expires, etc.
|
| If a domain is making money use a registry lock. If it's a high value domain making tons of money, pay MarkMonitor or similar to manage it.
|
| Meekro wrote:
| I'm pretty intrigued by the cryptocurrency-based DNS alternatives that get kicked around in discussions like this. But if you need a way to mitigate this threat for your business today, I'd recommend Cloudflare's Enterprise Registrar.
|
| It was designed specifically to prevent these kinds of attacks. You can design your own security procedure. "For instance, if a Custom Domain Protection client wants us to not change their DNS records unless 6 different individuals call us, in order, from a set of predefined phone numbers, each reading multiple unique pass codes, and telling us their favorite ice cream flavor, on a Tuesday that is also a full moon, we will enforce that. Literally."
|
| As far as I can tell, they've never been pwned.
|
| viraptor wrote:
| But this is only a procedure for the customer. We'd hope that their employees have internal rules that are just as strict for interacting with internal IT, but can't be sure.
|
| The rules for the customer don't matter much if someone gets hold of a company account which can make the right change.
|
| Re. cryptocurrency, I'd be really nervous implementing that in production. The current registrars may not be perfect, but there's an escape hatch when things go wrong: you contact the right people and changes get reverted. With coin based DNS, the right hack may mean you lose access to your domain forever and there's no rollback possible.
|
| CydeWeys wrote:
| Yup. If you're running something this critically important on your domain (i.e.
| pretty much any business doing 7 figure revenue or more), it'd really behoove you to switch to a registrar that supports registry lock on your domain. Then you're protected by the procedures at two unrelated business entities.
|
| phantom_oracle wrote:
| These support jobs are grueling. The pay isn't too great and you are sometimes required to know many years of accumulated sysadmin knowledge for the price of entry-level salaries.
|
| Also, foreign tech support, typically Eastern European. For all the expensive audits tech companies do on their appsec, all it takes is 1 disgruntled Ukrainian who says "fuck those Americans for playing a part in fucking up my country" (or more usually phishing or a bribe) and suddenly a few important domains are compromised.
|
| I wonder if paying the premium to MarkMonitor prevents the risk of foreign and underpaid staff, but the domain industry is more like a commodity now and they hook you in with "cheap cheap cheap".
|
| Also, the only thing crypto seems to be making the news for these days is when a company gets hacked. So much for that revolution.
|
| Scaless wrote:
| 6 years later, nothing's changed.
|
| https://techcrunch.com/2014/01/29/godaddy-admits-hackers-soc...
|
| Stay far, far away from godaddy.
|
| CharlesW wrote:
| I think there are good reasons to avoid GoDaddy, but do HN-ers feel like there are registrars whose employees would never fall for social engineering techniques, or whose systems and/or processes make such a scenario far less likely?
|
| tmpz22 wrote:
| Companies with better established security infrastructure like AWS and Google make for better registrars in my opinion. They're not perfect, for example with Google you might lose your domains due to a youtube infraction. Actually, now that I think about it strike Google from the list, just AWS really.
|
| n42 wrote:
| I would love to use AWS's registrar exclusively for anything I host there, but unfortunately they have a pretty limited selection of TLDs. It's more important to me that all my domains are in one place so I can review them at once. I really wish they would support more.
|
| tmpz22 wrote:
| If "viewing all at once" in a single UI is more important than security, reliability, etc., you don't have many constraints to begin with.
|
| toast0 wrote:
| If it's really important, you need a registrar _and_ a registry with a Registry Lock program. With this in place, when you want to make a change, you notify the registrar, who notifies the registry, who carries out the authentication procedure and, if successful, allows the domain to be changed, then relocks.
|
| Note that the registry may only be available to do unlock procedures for limited hours, usually business hours in their locale; that might be inconvenient if it's not your locale.
|
| My understanding is Cloudflare can do registry locks, but does not offer registrar services standalone. Corporate oriented registrars like CSC and MarkMonitor offer it. I don't have experience with CSC, but MarkMonitor had a pretty high minimum spend (I think 10k/year) to get on their platform circa 2013; that may have changed, also they're now owned by a VC firm, just FYI.
|
| NetworkSolutions (boo hiss) rolled out a registry lock feature after a high profile hijacking, which was why my employer had me work with MarkMonitor.
|
| beachwood23 wrote:
| What registrar would you recommend instead?
|
| markdown wrote:
| Cloudflare.
|
| fgonzag wrote:
| namecheap has actually been a really good registrar, contrary to what the name suggests.
|
| Erlich_Bachman wrote:
| Instead of compromising cryptocurrency services, they support paying for their services in cryptocurrency.
| That's arguably a better strategy for engaging with the target audience of crypto enthusiasts ;)
|
| SparkyMcUnicorn wrote:
| Cloudflare does domains at cost, and I use them for every TLD they support.
|
| I've had great experience with porkbun, and no major complaints with namecheap.
|
| ForHackernews wrote:
| gandi.net has always been outstanding.
|
| donmcronald wrote:
| Namecheap and Porkbun are pretty good.
|
| Namecheap is bigger, so it's possible to get support people that aren't amazing. Porkbun is pretty small and I feel like there's less room for underperforming support staff when you have less than 10 of them.
|
| Porkbun has an extra "domain password protection" option where you can require an extra password when retrieving an auth code for domain transfer. I'm not sure how much use that is though. Once someone is into the account to the point they can change NS, the real world impact is similar to having the domain transferred away (and recovered).
|
| orthecreedence wrote:
| Nearlyfreespeech is more of a host than a registrar, but I feel they generally have really good practices and procedures around security. I certainly trust them more than Godaddy. That said, they don't support a lot of .wacky suffixes other registrars might.
|
| test1235 wrote:
| It should be noted that GoDaddy also owns quite a few other registrars, e.g. Host Europe Group who own 123-reg, Heart Internet, Host Europe, Webfusion, RedCoruna, Mesh Digital and Domainbox.
|
| https://en.wikipedia.org/wiki/Host_Europe_Group
|
| rasengan wrote:
| This is literally why you need to own your name instead of leasing it from some random registrar. That's why Handshake [1] is so important. It looks like support [2] for Handshake is building up quickly now, so hopefully we can move past the days of insecure DNS.
|
| [1] https://handshake.org/
|
| [2] https://blog.101domain.com/corporate-service-series/handshak...
|
| saagarjha wrote:
| (This is a cryptocurrency pitch, in case the cry for decentralization didn't make that clear.)
|
| knowaveragejoe wrote:
| Does Handshake have a token? Not all blockchains or other decentralized tech circle back to currency.
|
| rasengan wrote:
| Handshake needs a token to create scarcity. Otherwise, what would stop one from registering all the domains in the world? You can read more details about this in "# Decentralized Certificate Authorities and the Blockchain" [1].
|
| [1] https://handshake.org/files/handshake.txt
|
| orthecreedence wrote:
| This project looks interesting. Thank you for taking the (honestly unwarranted) downvote hit to answer questions about it.
|
| imglorp wrote:
| Decentralized naming is going to be critical to an open internet. We've already seen fights over names by corporations and governments.
|
| Decentralization does not imply cryptocurrency but you do need (1) some proof of work to reduce squatting the whole namespace, (2) atomic-ish transactions to ensure one owner of a name, and (3) lots of malicious participants.
|
| CharlesW wrote:
| > _...every peer is validating and in charge of managing the root DNS naming zone..._
|
| I don't understand how anyone can read this (and many other statements on the site) and take it more seriously than any other ICO scheme.
|
| For fairness' sake, I propose the entire "crypto" ecosystem move off of DNS to _[name of blockchain-based solution deleted]_ first, and then we can see how it's going after a couple years.
|
| rasengan wrote:
| Handshake raised $10mm which was donated (all $10mm) to non-profit organizations and open source projects, including GNOME [1], Debian [2], KDE [3], among others.
|
| Far from an "ICO scheme," the project further allocated the majority of the coins to developers and existing domain holders.
|
| Unlike most decentralized projects you may be thinking of, Handshake is a real project and people are buying domains [4]. Compare the activity on chain with _____, and Handshake speaks for itself.
|
| [1] https://www.gnome.org/news/2018/08/gnome-foundation-receives...
|
| [2] https://dot.kde.org/2020/01/21/kde-receives-generous-donatio...
|
| [3] https://www.debian.org/News/2019/20190329
|
| [4] https://dns.live/
|
| jrochkind1 wrote:
| I really gotta get a personal domain registration off of GoDaddy, but every time I consider figuring out how to do that, I get exhausted. As is the intent.
|
| ddevault wrote:
| It's not as hard as it sounds.
|
| jrochkind1 wrote:
| I did find some instructions just now from Namecheap, where I have some other more recent registrations. https://www.namecheap.com/support/knowledgebase/article.aspx...
|
| With those instructions, it doesn't look too hard. Without godaddy-specific instructions, I would have had a lot of trouble figuring it out. Unlock registration; get authcode; turn off whois privacy protection; accept transfer. Each done in a different screen.
|
| I went to do that, to discover... this old domain, the oldest I have registered, has both an email and a phone number that I no longer have access to, and which GoDaddy wants to do 2-factor using one of them even though I do have my password. (The last 4 of the phone number I recognize as a landline I last had around 17 years ago, before I had a cell phone. I've had this domain for a while, from before I knew better than to use godaddy). They let me pay them renewal every year without me having to log into my account or notice I can't anymore, which I guess is better than stealing my domain because of it, but is also why I hadn't noticed for years I could not log into the account.
|
| So I guess first step is figuring out how to get GoDaddy to give me access to the account again...
| it looks like that may necessarily involve some disruption/outage to my DNS which is in the old account I can't get access to. We'll see.
|
| _edit_ wait a second, they totally _send me a renewal notice to email every year_. They know my current email! They are insisting on sending a 2-factor code to a _different_ email I no longer have access to. Wtf is that?
|
| makebackupstoo wrote:
| Yes. GoDaddy is bad. That's why people have been discouraging its use here and shaming people for using it, for a decade? More?
|
| I recently got a notification that someone logged into my GoDaddy account. I angrily log in, knowing that I don't have any resources.
|
| I'm greeted with a login log that shows "Android app" logging in every day for the past year, from multiple different countries. And my account required email confirmation (which must have been being bypassed on the Android app?)
|
| It's bad. Don't use GoDaddy. While you're at it, you should really actually make backups and use a password manager too.
|
| dylan604 wrote:
| If you can still login to the account, can you not update the contact info (or does that update also require 2FA)?
|
| yawnxyz wrote:
| It's super easy, and if you transfer your domain to somewhere like Cloudflare you probably end up saving a few bucks too.
|
| cltsang wrote:
| It isn't exactly straightforward for those without experience. But if you follow the steps closely, for example [0], it takes 15 minutes tops.
|
| [0] https://developers.cloudflare.com/registrar/domain-transfers...
|
| dabeeeenster wrote:
| Blows my mind that people running these trading platforms would trust GoDaddy with the security of their domain name.
|
| dboreham wrote:
| As an old dinosaur who ended up becoming involved in the blockchain space, this doesn't surprise me at all. I suspect this is a generalizable pattern: a new industry is created and very little of the experience learned in older industries is transferred.
|
| swiley wrote:
| Marketing is surprisingly effective. Because of it, almost no software or service that is popular is good.
___________________________________________________________________
(page generated 2020-11-21 23:00 UTC)
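The registrar design javert sketches at the top of the thread (register a public key; honour a redirect only when the request is signed by the matching private key), written out as an added example. This is editor-supplied code, not code from the thread, from Krebs, or from any registrar; it uses Ed25519 from the Go standard library. The per-domain sequence number is an addition not in javert's sketch: without it, an attacker who captured one legitimate signed change could submit it again later. The domain, keys and nameservers are constructed for the demo, and the holding period for lapsed payment is out of scope.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// ChangeRequest is the only message the registrar acts on. Seq must strictly
// increase per domain so that a captured request cannot be replayed later.
type ChangeRequest struct {
	Domain      string
	Seq         uint64
	Nameservers []string
	Sig         []byte
}

// signedBytes serializes every signed field with a domain-separation prefix
// and NUL separators, so two distinct requests never encode alike.
func (r ChangeRequest) signedBytes() []byte {
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], r.Seq)
	b := append([]byte("registrar-change-v1\x00"), r.Domain+"\x00"...)
	b = append(b, seq[:]...)
	return append(b, strings.Join(r.Nameservers, "\x00")...)
}

// record: the key given at registration (the only credential), the highest
// sequence number accepted so far, and the current delegation.
type record struct {
	pub     ed25519.PublicKey
	lastSeq uint64
	ns      []string
}

type Registrar struct{ domains map[string]*record }

var (
	ErrUnknownDomain = errors.New("unknown domain")
	ErrBadSignature  = errors.New("request does not verify under the registered key")
	ErrReplay        = errors.New("sequence number not greater than last accepted")
)

// Register binds a domain to its public key and initial nameservers.
func (g *Registrar) Register(domain string, pub ed25519.PublicKey, ns []string) error {
	if _, ok := g.domains[domain]; ok {
		return errors.New("domain already registered")
	}
	g.domains[domain] = &record{pub: pub, ns: ns}
	return nil
}

// Apply changes the delegation only if the request verifies under the
// registered key and its sequence number is higher than any accepted before.
func (g *Registrar) Apply(r ChangeRequest) error {
	rec, ok := g.domains[r.Domain]
	if !ok {
		return ErrUnknownDomain
	}
	if !ed25519.Verify(rec.pub, r.signedBytes(), r.Sig) {
		return ErrBadSignature
	}
	if r.Seq <= rec.lastSeq {
		return ErrReplay
	}
	rec.lastSeq, rec.ns = r.Seq, r.Nameservers
	return nil
}

// Sign builds a change request signed with the registrant's private key.
func Sign(priv ed25519.PrivateKey, domain string, seq uint64, ns []string) ChangeRequest {
	r := ChangeRequest{Domain: domain, Seq: seq, Nameservers: ns}
	r.Sig = ed25519.Sign(priv, r.signedBytes())
	return r
}

// Scenario (constructed demo): a legitimate change, one signed by an attacker's
// key, the legitimate request altered in transit, and a replay of the original.
func Scenario() (valid, forged, tampered, replayed error, ns []string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	reg := &Registrar{domains: map[string]*record{}}
	_ = reg.Register("example.test", pub, []string{"ns1.old.test"})
	good := Sign(priv, "example.test", 1, []string{"ns1.new.test", "ns2.new.test"})
	altered := good // keeps the original signature, which no longer covers the content
	altered.Seq, altered.Nameservers = 3, []string{"ns.attacker.test"}
	valid = reg.Apply(good)
	forged = reg.Apply(Sign(attacker, "example.test", 2, []string{"ns.attacker.test"}))
	tampered = reg.Apply(altered)
	replayed = reg.Apply(good)
	return valid, forged, tampered, replayed, reg.domains["example.test"].ns
}

func main() { fmt.Println(Scenario()) }
```

Only the first request is accepted; the forged and altered ones fail signature verification and the replay fails the sequence check, leaving the delegation at the two new nameservers. The trade-off viraptor raises still applies: the registrar here has no support desk to social-engineer, but it also has no recovery path, so a registrant who loses the private key has lost the domain, and a real deployment would need a key-rotation message signed by the old key and a process for the lapsed-payment holding period.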