
Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others - bhartzer
https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/
======
bhartzer
From the article: For maximum security on your domains, consider adopting some
or all of the following best practices:

- Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.

- In cases where passwords are used, pick unique passwords and consider password managers.

- Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.

- Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).

- Use DNSSEC (both signing zones and validating responses).

- Use access control lists for applications, Internet traffic and monitoring.

- Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.

I'm still amazed that some of the largest sites, like Facebook and Google,
don't have DNSSEC enabled.

~~~
tptacek
Since your registrar controls your DNS delegation, DNSSEC can't do anything to
prevent a spearphishing attack against the registrar itself. It doesn't apply
at all to this article, and it's weird that it's listed as a suggestion;
usually Krebs is better than this.

_Virtually none_ of the largest sites use DNSSEC; DNSSEC is a moribund,
dead-letter standard that will never be adopted. Virtually all new DNSSEC
adoption is European, and a consequence of European registrars that auto-sign
new domains (which is, for obvious reasons, security theater). For a few years,
DNSSEC adoption in the US had ticked up as a consequence of the federal
government requiring it; the USG has rescinded that requirement, and CLOUD.GOV
doesn't even support it.

You can confirm this for yourself by taking any list of the top DNS zones and
checking them for DS records with "dig" or "host":

https://news.ycombinator.com/item?id=22321703
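As an added example (not code from the thread, from the Krebs article, or from any of the commenters), here is the check described above done programmatically: a zone is DNSSEC-signed when its parent publishes a DS record for it, so the script parses the answer section that `dig +noall +answer DS <zone>` prints and classifies each zone as signed or unsigned, flagging zones whose only DS records use deprecated parameters (SHA-1 digests, RSASHA1 keys). The zone names and dig output embedded below are constructed under the reserved .test TLD, and the digests are made up; `query_ds` is the optional live path and assumes a working `dig` on the PATH.

```python
"""Survey DNSSEC deployment by checking for DS records at the parent zone.

Added example for this thread (not code from the Krebs article or the
commenters). It parses the answer section that `dig +noall +answer DS <zone>`
prints and classifies each zone. Sample data below is constructed, not captured.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the IANA DNSSEC algorithm and DS digest-type registries.
DS_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
                 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
DS_DIGEST_TYPES = {1: "SHA-1", 2: "SHA-256", 4: "SHA-384"}


@dataclass
class DSRecord:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    @property
    def weak(self) -> bool:
        """SHA-1 digests and RSASHA1 keys are deprecated for DNSSEC (RFC 8624)."""
        return self.digest_type == 1 or self.algorithm in (5, 7)


def parse_ds_answer(answer: str) -> List[DSRecord]:
    """Parse `dig +noall +answer` lines into DS records; other record types
    (e.g. a CNAME at the queried name) are skipped."""
    records: List[DSRecord] = []
    for line in answer.splitlines():
        tok = line.split()
        # Presentation format: <owner> <ttl> <class> DS <keytag> <alg> <dtype> <digest...>
        if len(tok) < 8 or tok[2] != "IN" or tok[3] != "DS":
            continue
        try:
            key_tag, alg, dtype = int(tok[4]), int(tok[5]), int(tok[6])
        except ValueError:
            continue
        digest = "".join(tok[7:]).lower()  # dig may print long digests split by spaces
        records.append(DSRecord(tok[0].rstrip(".").lower(), key_tag, alg, dtype, digest))
    return records


def classify(answer: str) -> str:
    """'unsigned' if no DS is published, 'signed' otherwise; 'signed (weak params)'
    only when every DS uses deprecated parameters (a mix is fine: validators
    prefer the SHA-256 DS when both SHA-1 and SHA-256 are published)."""
    records = parse_ds_answer(answer)
    if not records:
        return "unsigned"
    return "signed (weak params)" if all(r.weak for r in records) else "signed"


def survey(answers: Dict[str, str]) -> Dict[str, str]:
    """Map each zone to its classification."""
    return {zone: classify(ans) for zone, ans in answers.items()}


def query_ds(zone: str, timeout: float = 5.0) -> Optional[str]:
    """Live check via dig (optional; the constructed sample does not use it).
    Returns the answer text, or None when dig is absent or the query fails."""
    try:
        proc = subprocess.run(["dig", "+noall", "+answer", "+time=3", "DS", zone],
                              capture_output=True, text=True, timeout=timeout, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout if proc.returncode == 0 else None


# Constructed sample output (reserved .test names; the digests are made up).
SAMPLE_ANSWERS = {
    "signed-example.test": (
        "signed-example.test.\t3600\tIN\tDS\t12345 13 2 "
        "49FD46E6C4B45C55D4AC69CBB1EE7E5B 8E1A3F22D4D3E8C2D1A0B9F8E7D6C5B4\n"
    ),
    "legacy-example.test": (
        "legacy-example.test.\t3600\tIN\tDS\t54321 5 1 "
        "0123456789ABCDEF0123456789ABCDEF01234567\n"
    ),
    "mixed-example.test": (
        "mixed-example.test.\t3600\tIN\tDS\t1111 8 1 "
        "0123456789ABCDEF0123456789ABCDEF01234567\n"
        "mixed-example.test.\t3600\tIN\tDS\t1111 8 2 "
        "49FD46E6C4B45C55D4AC69CBB1EE7E5B8E1A3F22D4D3E8C2D1A0B9F8E7D6C5B4\n"
    ),
    "cname-example.test": "cname-example.test.\t300\tIN\tCNAME\tother.test.\n",
    "unsigned-example.test": "",  # dig prints nothing in the answer section
}

if __name__ == "__main__":
    for zone, status in survey(SAMPLE_ANSWERS).items():
        print(f"{zone:24} {status}")
        for r in parse_ds_answer(SAMPLE_ANSWERS[zone]):
            print(f"    keytag={r.key_tag} alg={DS_ALGORITHMS.get(r.algorithm, r.algorithm)} "
                  f"digest={DS_DIGEST_TYPES.get(r.digest_type, r.digest_type)}")
```

To run the survey against a real list, replace the constructed dictionary with `{zone: query_ds(zone) or "" for zone in zones}`; a `None` from `query_ds` (no dig, timeout, SERVFAIL) is folded into "unsigned" here, so for a careful survey keep the raw result and distinguish "no DS" from "query failed".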

