
GoDaddy Security update

My last post, "GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission", got a lot of traction and reached the ears of the GoDaddy people!

I just got off the phone with Neil Warner, GoDaddy’s CSO (Chief Security Officer) and he explained the situation to me.

First, I was glad that they heard the customers, heard the complaints and took the time to look at it. This was his explanation:

  1. They take security seriously and spend a lot of money on intrusion/malware detection to protect their customers
  2. They have a security team monitoring all their shared/VPS and private servers 24/7
  3. When they detect any issue, they try to fix the problem, and that's why they tried to access my box
  4. They store all the passwords encrypted (not one-way hashed, which is the recommended practice), and they can only be retrieved and reversed after a member of the security team opens a ticket and explains the reason for using the password (for example, to investigate malware)

One thing that made me feel better was that they actually have a process in place to access the passwords and they hold their people accountable for it. Having them encrypted or in clear-text doesn't make much of a difference if the process to recover them is open to anyone on their staff…

He said that most users like their free incident response and malware removal and the way they deal with security issues.

He also said that they should have contacted me before accessing the box, warning me of the possible malware, and that they will do that from now on (good to know).

I am happy they called and explained the situation. +1 for GoDaddy for being open, explaining the issue and trying to improve.


68 Responses to GoDaddy Security update

  1. Anonymous says:

    And to further my comments.

    They have to keep the password in a format which they can retrieve later.

    However, if it's dedicated hosting, you have to ask yourself how many other tenants are sharing that space with you.

    There is NO reason why someone should give a damn about your personal space and malware if you're paying premium for dedicated hosting.

    What that simply means is that your premium space is subject to intrusions and break-ins or lax security practices on behalf of your neighbors.

    Maybe they should keep those kernels upgraded and provide those premium customers with some dedicated resources.

    None of this shared masquerading as dedicated bullshit.

    Jmo…

  2. Anonymous says:

    Your passwords are probably just "encrypted" in BASE64 for storage in their database.

  3. Anonymous says:

    "KeepassX works nice for passwords.
    http://www.keepassx.org/
    Cross platform also. It's eliminated quite a mess of black books and scribbled notes holding passwords for my clients.

    On the other hand, it's a LOT of data entry for you: 100 * 5-10. When you add all the other fields of data to the mix, that's going to be more than 10,000 lines to type in. But the good thing is that once it's in there you can change them in a hurry or look them up in a hurry as well.

    On the other hand, maybe I didn't follow your question. A lot of those passwords are on the client's shoulder to remember, unless you promised to manage passwords for them.

    Anyway I only worked for a small ISP so what do I know? nothing…"

    The point is that the passwords are still decryptable. I am looking for those who say passwords should never be written down to provide a solution.

  4. Anonymous says:

    You could always try the obvious: don't use godaddy.

  5. Anonymous says:

    Most VPS are just virtual machines running on a host (physical server), and the third law of immutable security applies – if someone has physical access to the server, it is not your server. As much as we would like to think they are "our" servers, the fact remains, as some posters have already pointed out, that GoDaddy can (from a technical perspective) access any VPS they need to (or want to) at any time, and there is nothing anyone can do from a technical perspective to stop them. They may even be allowed to do so legally under their TOS.

    I have to agree that if one is concerned about someone else accessing his VPS, then one should either not contract for a VPS, or else not install or store anything on there that anyone else should not see.

  6. Slavi says:

    Why do you allow root to login from ssh?
    Disable it and "su root" when needed.

  7. Anonymous says:

    Regarding KeepassX being decryptable, yes, you're correct, you can click on the eyeball and see the password.

    However the entire database itself is in fact encrypted, and you or your favorite BOFH employee would need a password to get into the data in the first place.

    Maybe KeepassX ain't good enough for your need. I'm sorry, I simply tried to give you a quick answer. I could just as easily have left this space blank.

    With only 100 Accounts, I could see the sysadmin or the owner or both controlling the USB stick with the accounts. I've always liked the idea of having data in my HAND. What I wouldn't do however, is roll out a LAMP server for such a job.

    Anyway Good luck on whatever you use!

  8. Daniel Lange says:

    OVH (French hoster, http://www.ovh.com) asks you to put their ssh key into .ssh/authorized_keys. If it's there, they can try to manage the system; if not, and the system is spreading malware/spamming, they'll have to take it off the net.
    I think that's the better approach, because you can decide whether you want them to access your system or not. You see their key used in your logs in that case, and they need not know or store any root passwords.
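The OVH model described above leaves a trail: every hoster login is a publickey acceptance whose fingerprint lands in sshd's log and can be checked against the keys you consented to. The following Python is an added example, not OVH's or the commenter's code, that parses a few constructed OpenSSH log lines, labels logins whose fingerprint is in an allow-list, and flags unknown keys and password logins for root (the setting comment 6 asks about). The fingerprints, hostname and addresses are placeholders; real fingerprints for the allow-list come from `ssh-keygen -lf ~/.ssh/authorized_keys`.

```python
import re
from typing import Dict, List, Optional

# Constructed OpenSSH auth log lines for this example; the host, addresses and
# fingerprints are placeholders and do not belong to any real system.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 vps1 sshd[2210]: Accepted publickey for root from 203.0.113.10 port 51022 ssh2: RSA SHA256:HOSTER_KEY_PLACEHOLDER_NOT_A_REAL_FINGERPRINT
Jan 12 03:20:45 vps1 sshd[2231]: Accepted password for root from 198.51.100.7 port 40110 ssh2
Jan 12 04:01:12 vps1 sshd[2302]: Accepted publickey for deploy from 192.0.2.55 port 60233 ssh2: ED25519 SHA256:MY_LAPTOP_PLACEHOLDER_NOT_A_REAL_FINGERPRINT
Jan 12 04:05:00 vps1 sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 40222 ssh2
"""

# Fingerprints you knowingly placed in authorized_keys (assumption: maintained
# by hand from `ssh-keygen -lf ~/.ssh/authorized_keys`), labelled by key holder.
KNOWN_FINGERPRINTS: Dict[str, str] = {
    "SHA256:HOSTER_KEY_PLACEHOLDER_NOT_A_REAL_FINGERPRINT": "hoster support key",
    "SHA256:MY_LAPTOP_PLACEHOLDER_NOT_A_REAL_FINGERPRINT": "my laptop",
}

# OpenSSH: "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fingerprint>]"
# The trailing key type and fingerprint are only logged for publickey logins.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_accepted_logins(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per successful login; 'fp' is None for non-key methods."""
    logins = []
    for line in log_text.splitlines():
        match = ACCEPTED_RE.search(line)
        if match:
            logins.append(match.groupdict())
    return logins


def audit_logins(log_text: str,
                 known: Dict[str, str] = KNOWN_FINGERPRINTS) -> List[str]:
    """One finding per login: OK for a consented key, ALERT for an unknown key
    or for any login that carries no key to attribute it to."""
    findings = []
    for login in parse_accepted_logins(log_text):
        who = f"{login['user']} from {login['ip']}"
        if login["method"] == "publickey":
            label = known.get(login["fp"] or "")
            if label:
                findings.append(f"OK    {who} with known key ({label})")
            else:
                findings.append(f"ALERT {who} with unknown key {login['fp']}")
        else:
            # A password login has no fingerprint, so nobody can say afterwards
            # whose credentials were used; for root this is the case that
            # turning off root password logins (PermitRootLogin) removes.
            findings.append(f"ALERT {who} via {login['method']}, not attributable to a key")
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_AUTH_LOG):
        print(finding)
```

Run against a real /var/log/auth.log the same logic answers the question the comment raises: every hoster access shows up as a known-key OK line under its own fingerprint, and anything else that reached a shell gets an ALERT worth reading.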

  9. Anonymous says:

    Run your own server at your location and it won't be an issue. Also, don't use GoDaddy for domain registration. I wouldn't allow them to clean my toilet, let alone handle sensitive information.

  10. Anonymous says:

    OP seems to be an attention seeker

  11. Anonymous says:

    Holy crap. This is the security leadership of GoDaddy? Mommy, I'm afraid.

    http://twitter.com/ngwarner
    http://valleywag.gawker.com/361399/go-daddy-defrauds-customer-google-defrauds-go-daddy

    Oh. My. God.

  12. Anonymous says:

    Wow. Big self-inflicted black-eye for the guy who writes this security blog — I can't imagine any serious employer hiring you after this incident. Hope GoDaddy paid you off darned well.

    Giving GoDaddy your root passwd is like giving your house-key to your cleaning service. This works for some people: you get your house cleaned on a regular basis, and it gets done when you're not home, so it doesn't intrude into your lifestyle. If you trust your cleaning service, it's great. If you are paranoid, have valuables in your house, or happened to hire a cleaning service that's been infiltrated by the mob, you are SOL. If you live in a bad neighborhood, and your cleaning lady gets mugged, you are SOL. If your cleaning service hires a juvenile delinquent, you're SOL. If they're not bonded, you're SOL. There's a whole mountain of failure scenarios that open up when you allow others to have too much access to your house. Same deal with godaddy — myself, I'd be wayyyy too paranoid to put up with that, and I can't even begin to imagine the lifestyle of a self-proclaimed security expert who thinks this is acceptable.

    FWIW, my webservers have been getting SSH passwd-guessing attempts 24×7 for the last decade. Usually from China, often from eastern Europe, but also California, you name it — there are script kiddies running ssh-passwd-guessers all over the planet. With that track record, ain't no way I'd let any godaddy employee anywhere near my machines. You're just setting up to get trojaned. Lots of luck w/ life…

  13. Anonymous says:

    The farther back you read on GoDaddy, the funnier this gets. These fools actually advertise the security solutions they put in place!!

    http://www.webhosting.info/news/1/godaddy.com-boosts-web-hosting-security_0531069043.htm

    Ah tippingpoint… now we know what's looking for us.

    Great job there, Mr. SEE-ESS-OOO

  14. Anonymous says:

    How much do you want to bet that they put all those encrypted passwords on a server connected to the Internet? They didn't brag about the server being offline, so it's probably, stupidly, online.

  15. IsCyborg says:

    One concern with the retrievable password storage – if you use the same password for your GoDaddy account as you do for anything else, such as your e-mail account, a snoopy CSR could potentially access it.

  16. Anonymous says:

    Get back to work ppl. Or are all of you out of work these days and troll blogs 24/7?

  17. Anonymous says:

    Since this is a Virtual Private Server giving the administrator who owns the real server root is not outlandish… You've given up your security to those who have physical access to the machine.

  18. Pingback: JasonGiedymin.com » Blog Archive » Trust your host?
