How GoDaddy got hacked for no particular reason
This story describes the events that took place in January of 2007. The names have been changed to protect the innocent.
I’m no hacker. My knowledge of operating systems in particular and computers in general may be above average but no one can accuse me of being a hacker. However, I need to narrate this to clear my conscience.
How did this happen?
I work for a company that (to avoid legal complications) I’ll call Metallic Metals. For a long time, we had contracted the services of… Exponential Warfare Corp. They did our web page, our emails and also registered the Metallic domain for us. However, their contract was about to expire and that’s how it got started. We had the option to renew the contract or find another company to take care of our modest needs: a server for a Web page and a few email addresses.
GoDaddy offers all that for a small fee. Among other things, five GB to set up a Web site and 500 email addresses. More than enough. Exponential Warfare’s services were not bad, but left much to be desired. For example, no one answered the phone. Technical support happened by e-mail, which was always slow. Not to mention some of the answers they gave us… Once, when I complained that an attachment of five megabytes from one of our customers was not getting through, the technician asked: Are they sending this with Outlook or what kind of program are they using? My answer (a little more diplomatic, of course) was that I didn’t give a damn about what kind of program they were using, since I had no control over that part of the equation and the same file had arrived without problem to my free Google address.
Let’s say that the fate of Exponential Warfare was sealed. My boss has a tendency to agree with me on technological issues, so without thinking twice he gave me the company’s Black American Express and said he didn’t want to hear any more about any kind of Warfare.
The Cyber Move
GoDaddy’s technical support is efficient. In less than two minutes I was able to talk to a representative who explained everything in plain English. I opted for a two-year economy plan, and here began the story that I think has to be told. I explained to the representative (who I will call Herbert McPollo to avoid legal issues) that we acquired the domain through GoDaddy but I didn’t know the user name or password of the account.
“No problem,” said McPollo, typing frantically at his terminal. “Can you confirm the last four digits of your credit card?”
Of course I could. The numbers shone like a mirage on the card. I read the numbers and then he told me my account number. Within seconds he was going to send me an email so that I could change the password. It was very easy. Very efficient. But the email address they had on file was for somebody on Exponential Warfare.
“No, no,” I said. “That’s the company we’re leaving… Can you send it to my address?”
“No problem,” said McPollo. “Can you confirm the last six digits of your credit card?”
Obviously I could. Six numbers, four numbers. What was the difference? So a few minutes later I received the email containing the temporary password and the link that opened the website that allowed me to enter my account number and my temporary password and thus create a new password and finally log in. If only everything was that easy.
The password has to be at least six characters long and have at least one number. It should also be easy to remember. Ergo: BigBoy69.
“That’s all,” said McPollo. “Make sure you have the files on your Web page before they remove them from the server on the other company. Once they release your domain, you can create the email addresses on GoDaddy.”
Very Simple. Very efficient.
The Beginning of the End.
But something didn’t feel right. I entered the system and changed some basic information. I put myself as the technical manager and primary contact, of course. I returned the black card to my boss and tried not to think about it. The most difficult part was over. But there was the issue of the email addresses… the deadline was January 31, the next day, after which some twenty people in Metallic Metals could be without email. Dear Lord! What would we do without email?
When I got home I tried to get started. Contrary to what my wife thinks, you can accomplish a lot sitting in front of a computer. Just typing. Entering bits of information on a keyboard that translates all this into machine language. Binary system. A stream of zeros and ones running through the network, talking with other computers in refrigerated rooms that have never seen the light of day. Night and day crunching information for millions and millions of users. Account numbers and passwords.
BigBoy69. Access Granted. Very efficient.
I entered the system and began to browse. All systems resemble each other. There are layers that lead to more layers of information. Hosting. Domains. Email… Then I discovered something strange. In the domain section there were almost two hundred domains registered. How was this possible? Metallic Metals had only one domain and was not trying to extend into the world of the Web.
Then came the discovery. I had become the manager of Incremental Warfare’s account.
The last day at Warfare Corp.
I’m no hacker. My knowledge of operating systems and other things like that is barely above that of a mere mortal. However, in less than two hours I had breached the security of two companies of considerable size, one of which had the word Warfare stamped in their letterhead.
How was it possible? The answer was simple: the Black American Express of Metallic Metals. Some of the technicians at Incremental Warfare had used the card and the information had been filed with GoDaddy. When they asked for the last six numbers of the card to verify my identity, the information was consistent. That was all it took.
However, the situation was tricky. My boss is not interested in technical or legal details. He just wants his email to work and that’s part of my job. At seven o’clock I contacted McPollo and explained the situation. At the end of the line there was a long silence. McPollo was aware of the legal ramifications of the case.
“Any Webmaster would be very interested in these details,” said a gloomy voice. And then he explained the plan of action. I had to open another account as soon as possible and transfer the domain and hosting.
At nine o’clock in the morning, after two days of leaving messages and waiting in vain for an answer, I received a call from Incremental Warfare. I was surprised to find that it wasn’t the technician who usually talks to me.
“This is Herbert Warfare,” said a rough voice.
Naturally, I thought. Someone had called the boss at an ungodly hour. Seven-thirty? Eight in the morning? A technician on the verge of a nervous breakdown used the red phone labeled: Use only in case of nuclear emergency. The boss of bosses had decided to answer my call. BigBoy69 was responsible.
“Someone has entered our system and changed the contact information,” said Mister Warfare. “I’m calling to see if you have information about this matter.”
Mister Warfare, despite the bellicose name, was more reasonable than I had expected. He was very interested in the technical details and lamented that we had decided to leave his company. He said that at four PM he would release our domain server and I could finish the transfer of the email addresses.
“The domain has already been transferred,” he said.
“Yes,” I said smiling. “I saved you some work.”
“Indeed…” said Mr. Warfare without conviction. “Indeed.”