so Brian Krebs just published a story about how a domain got stolen even though it had a registry lock

good old social engineering y'all

krebsonsecurity.com/2020/01/do

"“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”"

Show thread

Currently reviewing Ten Forward's security posture and I think we are doing pretty good.

Show thread
Follow

If you are a Mastodon administrator or moderator you should be protecting your admin/moderator account(s) with two factor authentication and a strong randomly generated password stored in a password manager.

More specifically for Mastodon server admins:

- SSH key auth only on all servers, audit which public keys are in your user accounts
- 2FA on domain registrar, DNS and server provider accounts.

There are other things like if you are keeping off site database backups (you should be) the backups should be encrypted before they leave your database server.

That is your offsite storage should never see anything but encrypted copies of the database.

The offsite storage should also be secured as much as possible.

Show thread

Ten Forward's database backups are done using pgBackRest and are stored encrypted on a AWS S3 bucket. Separate IAM credentials that only have access to that bucket.

I'm considering adding IP restrictions to that IAM policy so that only the database server can access the bucket so that even if the access keys were compromised they wouldn't be usable from outside.

Show thread
Sign in to participate in the conversation
Ten Forward

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!