With the case, reported by ZDNet, the person was able to access login credentials of SSH accounts used in GoDaddy’s hosting environment. The company discovered an “unauthorized individual” had gained access to login credentials that enabled them to “connect to SSH” on the affected hosting accounts. The security incident that took place on October 19, 2019, was discovered on April 23, 2020.
SSH stands for ‘Secure Shell’; it is used for remote connections to a computer. Using an SSH client, a user can connect to a server to transfer information in a more secure manner compared with some other methods. SSH provides multiple mechanisms for authenticating the server and the client. Two of the commonly used authentication mechanism are password based, and key based authentication. However, despite a strong security framework, SSH has some limitations, as the most recent data breach indicates.
GoDaddy has reported a full-year net income of $138.4 million on revenue of $2.99 billion. The firm had 19.3 million customers as of the end of 2019.
Commenting on the issue for Digital Journal, cybersecurity professional, James Carder, the CSO and VP of LogRhythm Labs says: “With this particular incident, there are unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy’s hosting environment were compromised.”
Looking at the wider picture, Carder says: “It is easy to assume that GoDaddy, as the world’s largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats. GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password.”
Looking at what should be done in terms of future protection, Carder notes: “Strong SSH key management is critical in protecting internet accessible functions…fundamental controls for properly securing and managing SSH should have been implemented.”
With an SSH key in place, Carder points out: “It is important to ensure that SSH keys are associated with an individual user and are continuously rotated. The principle of least privilege should be utilised for the account authorised to SSH”. Furthermore, he recommends that “an organization should conduct thorough auditing and monitoring of all privileged sessions and key usage.”
This feeds into preventative measures for all businesses using this type of system, here Carder states: “If such controls were implemented, then the likelihood that GoDaddy would have suffered a breach, leveraging stolen or acquired username and passwords, would have been minimal. Of course, no incident is 100 percent preventable, yet, this particular breach reflects how GoDaddy overlooked simple security controls.”
