The online world has two primary roots of trust: the Domain Name System (DNS) and the web (WWW). If you can control these, you can ‘prove’ you own a company. This allows you to do many things, including:
- send email without getting blocked (DKIM, SPF, DMARC)
- Azure domain takeover (access to Office 365, Azure Active Directory)
- Ads placed as company (Apple, Microsoft, …)
- Web admin consoles (Google Search Console, …)
- Industrial espionage (web traffic, keywords, …)
- Theft (credit card, injected Javascript keyloggers, …)
Really, the world is your oyster if you can put records in DNS and WWW. And the biggest managed provider of them all in this space is GoDaddy. This filing, which landed today, drops a silent-but-deadly set of hard facts: over the course of multiple years, a bad actor had ongoing, systematic access to 1.2M customers.
The width and breadth of the breach are enormous. Is it a single breach, or a set? Somewhat academic. In 2021, GoDaddy revealed that a password was leaked, and that said password allowed access to 1.2M WordPress installations, perhaps allowing SSL private keys to be cloned, perhaps allowing malware to be installed, etc.
Funny, there’s that word again: password. How can one short string of characters, without even a multi-factor challenge, cause so much damage? It must be something that is shared, known by multiple people, written down somewhere. Imagine the turnover that must exist in a company that size. This password was valid long enough for this breach to occur, and in that time multiple people who knew it must have left the company.
Is it still a single breach? What about the 2019 issue? This one is more squarely on the DNS side of the business, allowing bad spam to come from good companies.
By this stage we are seeing a pattern. A company that is a big target (because of its scope and success) and holds the keys to Boardwalk and Park Place attracts attackers, attackers who exploit weaknesses in strategy.
Consider instead what would have happened if the target had used a Defense In Depth strategy. Start by segmenting down to a 1:1 basis. Instead of 1 password having control of 1.2M sites, how about 0 passwords instead? Strong identity and authentication from a single-sign-on provider, with a separate access token for each resource. Breach one, you get 1 site, not 1.2M. This Defense In Depth strategy is a core part of a Zero Trust Network Architecture. First solve the “Who” problem (who are you), then the “What” problem (what are you allowed to do), then the “How” problem (how do I get you there). Do it on a pairwise User<->Resource basis, rather than on a “you are in and fully trusted, now do whatever you want” basis.
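To make the blast-radius argument concrete, here is an added example (not code from the post, and not GoDaddy's system) contrasting the two models: one shared fleet password versus a per-resource token bound to a single (user, site) pair. The HMAC-signed token stands in for whatever credential an SSO provider would issue after authentication; the site names, the signing key and the `issue_token`/`authorize` helpers are all constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed fleet of hosted sites (illustrative names, not real hosts).
SITES = [f"site-{i:04d}.example" for i in range(1000)]


def shared_password_access(password: str, presented: str, sites) -> set:
    """The 'one password controls the whole fleet' model.
    Returns the set of sites the presented credential unlocks: all or nothing."""
    if hmac.compare_digest(password.encode(), presented.encode()):
        return set(sites)
    return set()


def issue_token(signing_key: bytes, user: str, site: str) -> str:
    """Issue an HMAC-SHA256 token bound to exactly one (user, site) pair.
    The nonce keeps two tokens for the same pair distinct (each can be revoked alone)."""
    claims = {"sub": user, "site": site, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(signing_key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def authorize(signing_key: bytes, token: str, requested_site: str) -> bool:
    """Pairwise check: the token must be authentic AND scoped to the requested site.
    Any malformed, forged or re-scoped token is rejected."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(signing_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # tag does not match payload: forged or tampered
    claims = json.loads(payload)
    return claims.get("site") == requested_site


def scoped_token_access(signing_key: bytes, leaked_token: str, sites) -> set:
    """Blast radius of one leaked per-resource token: the sites it authorizes."""
    return {s for s in sites if authorize(signing_key, leaked_token, s)}


if __name__ == "__main__":
    key = b"constructed-signing-key-do-not-reuse"
    print("shared password leak unlocks:",
          len(shared_password_access("s3cret", "s3cret", SITES)), "sites")
    leaked = issue_token(key, "alice", SITES[7])
    print("scoped token leak unlocks:",
          len(scoped_token_access(key, leaked, SITES)), "site")
```

The two `*_access` functions return the set of sites a single leaked credential unlocks, which is the number the post is really arguing about: 1,000 for the shared password, 1 for the scoped token. The `authorize` check is what makes the “What” problem pairwise; the same token presented against a different site fails even though it is perfectly authentic.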
Now, let’s come back to the last line of that quote. “To date, these incidents as well as other cyber threats and attacks have not resulted in any material adverse impact to our business or operations…”. This is from the SEC filing. And this is, I think, the most impactful part. There is no negative incentive, no feedback loop. If the downside cost of bad strategy is low, there’s no incentive to fix it. The pain was felt by their customers: payment redirection fraud, brand used to send spam, spearphishing, malware on their web pages, etc. But not by the company itself. And that will have to change for the behaviour to change.