GoDaddy, the largest hosting company in the world, announced on the 23th April 2020 that their security was breached on the 19th October 2019.

The public announcement from GoDaddy reads:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

If you have been affected by this breach, you would probably already been notified or will be notified soon. There are several issues with this breach. Firstly, it can be presumed that the breach affected their main operation and not one of the other companies that they own.  They own the hosteurope group of hosting companies which they bought in 2017. Host Europe includes: Heart Internet, Mesh Digital Host Europe, Webfusion, Red Coruna and Domainbox. GoDaddy has also bought up many other companies. Any of these could have been in the breach but it appears that only the main brand that is affected.

What happened

It appears that someone managed to get their certificate in to a server. This allowed them to have access to everyones files on the server even if the affected client changed their password.

How does this affect the server

There are generally two ways to authenticate to the SSH server, through either username and password or username and certificate (private/public key). Using a certificate is very secure and the recommended way to connect as it doesn’t require the exchange of a password but uses the robist public key technology to authenticate you. In this case the attacker managed to get their certificate installed on teh server and granted access to every account on the server.

What have they done to fix it

GoDaddy said that they have removed the certificate and that there is no evidence that anything malicious had happened. That being said they did not notice that there was a problem for nearly seven months.

Alternatives

We can help if you have been negatively affected by this experiance. Get your account in the CritchCorp Computers Ltd Store. If you prefer friendly, personal assistance with your website then we can help.

Keep Safe

CrichCorp

YahooMail, which has now merged with AOL to form OATH, part of Verizon, can allow others, including and most likely, cyber criminals who are out to hack your digital life, to permanently have your yahoo email address; and there is nothing you can do about it. Except get off their service as quickly as possible or don’t start to use them in the first place

Even though Yahoo has now been merged they have kept the terms and conditions, which some on the internet have called a privacy nightmare, largely the same.

The first part is the same as all other FREE email and social media companies, and that is that everything you put, send or receive belongs to you, BUT, you grant them a sublicense to do with your data whatever they please.

The second part is more worrying and that is the fact that, if, for any reason, your account is terminated; including because you didn’t have enough activity on it for a given length of time, which remains unspecified in the terms and conditions, so as they determine it, then they can and will make your username (email address) available for anyone else to register.

If you don’t have enough activity on your account, like those who just use email occasionally or those who just use it for recovery purposes, e.g., you set it as the backup email account if you can’t get in to your Facebook, Twitter, Amazon account, etc.; then you risk having your account terminated and someone else registering it. A cybercriminal, who is sitting watching you and notices that your account has been terminated, can register that account and then reset all your passwords. Then you will lose access to your Twitter or Facebook account and in some cases your PayPal, Bank or Amazon account where your credit card numbers are stored. Now in some countries you may have some protection if this happens but in many you will not and even if you do they typically take around 3 to 6 months to give you any money back, not to mention the hassle of having to change your bank account and credit cards and re-setup your accounts. Avoid all of this and get yourself a proper email account. If you are paying for your email to a reputable company then there is little chance that they are going to use your information to make money (even free services are not free, you pay one way or another) and they are more likely to want to look after you as a client.

Below is the link to the OATH YahooMail Terms and Conditions in full. It has been said that they are the same ones for all their services, and that may be true, although they state there may be other policies, these are the ones that you agree to when you sign up for YahooMail, which is the subject of this article.

https://policies.oath.com/us/en/oath/terms/otos/index.html

And here are the bits we were talking about above:

Look at section 6b – What you give them:

IP Ownership and License Grant. Except as otherwise provided in the specific Oath product terms or guidelines for a Service, when you upload, share with or submit content to the Services you retain ownership of any intellectual property rights that you hold in that content and you grant Oath a worldwide, royalty-free, non-exclusive, perpetual, irrevocable, transferable, sublicensable license to (a) use, host, store, reproduce, modify, prepare derivative works (such as translations, adaptations, summaries or other changes), communicate, publish, publicly perform, publicly display, and distribute this content in any manner, mode of delivery or media now known or developed in the future; and (b) permit other users to access, reproduce, distribute, publicly display, prepare derivative works of, and publicly perform your content via the Services, as may be permitted by the functionality of those Services (e.g., for users to re-blog, re-post or download your content). In some of the Services, there may be specific terms or settings allowing a different scope of use of the content submitted in those Services. You must have the necessary rights to grant us the license described in this Section 6(b) for any content that you upload, share with or submit to the Services.

And Section 7d – What happens when your account is terminated:

Subject to any statutory rights you might have, if your account is terminated, access to your username, password and all related information, files and content associated with your account may be terminated and your username may be recycled for use by others. If the Service is a paid service, please consult Oath’s payment terms which can be found here.

One last important note; if you are reading this thinking well, luckily I use Gmail or Hotmail (LiveMail) or some other free email provider then remember this. They own the server, they own the domain name, and they can charge whatever they like, which may well be nothing at the moment. ALL of the social media and free email companies that we have looked at have similar terms and conditions as far as you Intellectual Property (IP) goes. They can always add the section that says they can reuse your email address if they choose to. They owe you nothing.

Stay Safe

CritchCorp Computers Ltd

[ink-ad-creator ad=”1327″][/ink-ad-creator]

That’s right, as of July 2018 Google Chrome will start reporting non-SSL sites (that is sites that don’t use https:// for access) as insecure. This is a major change from the current norm which is to highlight sites that use SSL certificates with a green SECURE next to the address and other browsers who use a green padlock. They will from July this year not show the green SECURE but they will show a NOT SECURE next to any site that does not have an SSL certificate. Making the norm to have an SSL certificate. That is going to be followed in the future by a warning screen that informs users that continuing to your site is not recommended. Though the warning wall is not being implemented right away it is planned for the future.

The new move forces website owners to have an SSL certificate and make their site secure, even if it is not required, or risk losing visitors that are scared away.

There are several different types of SSL certificate and the higher (more expensive) ones will still show the green bar in the address bar, but the norm will be to have one of the cheaper ones and if you don’t have any or it expires, the company backing the SSL cert (Cert provider not the retailer) goes out of business or has their master certificate rejected then you will be faced with a blocking screen when trying to get to your site which will prevent users from going there, with warnings that your site is insecure and should not be visited. This is obviously not good for business.

Google have also hinted that sites that use SSL certificates currently get a boost in the Google rankings over those who do not.

At CritchCorp Computers Ltd we have a quick and easy way for you to comply with this new Google rule for all our shared hosting customers you can purchase a fully managed SSL certificate from your yesDomains account or submit a support ticket here to get the ball rolling. It is quite an in-depth process but we will take care of it for you, with as little interaction as possible required by you. Please go here to get started.

The industry is working towards lowering the cost of SSL certificates to nothing and automating the install and renewal process, but that is still in development so for the time being you will need to purchase an SSL certificate in the normal way. If you want the users browser to light up in green then you need to select the Extended Validation (EV) certificate otherwise the cheaper normal one will suffice to prevent you being labelled as NOT SECURE. We have monthly or annual billing options to spread the cost but all certificates are annual commitments.

We use Comodo, DigiCert, Symantec, Thwarte, GeoTrust and Trustwave certificates  that are strong providers in this field and highly unlikely to go out of business or have their master certificates rejected. This provides you with stability and reassurance that your certificate will not become invalid before it expires as does happen from time to time with smaller SSL providers.

If you want to read the Google blog entry about this; with their advertising spin on it then click here. What this does do is add further costs to businesses. Whilst we absolutely agree that any site that accepts payments or collects user data should be secure, there are still many sites that do not and so forcing them to have this does seem unfair to us, but that is what the mighty Google has decided and so it shall unfortunately be.

There has been some discussion about the colour of the NOT SECURE. The current SECURE label is green and it is understood that the new NOT SECURE is going to be Red, although some discussions at Google say it will be more neutral, which ever it is it isn’t good for business.

Keep safe

CritchCorp Computers Ltd