alert Epik Had A Major Breach

[Silentptnr]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[oldtimer]

Perhaps it's a good idea for ICANN to reevaluate all the accreditations on a yearly basis so that if there are certain security flaws or improper business practices by the Registrars and Registries they can be found sooner before they get out of hand.

And by this I mean for ICANN to do more than just charging the yearly fees.

IMO

 

[Future Sensors]

Perhaps it's a good idea for ICANN to reevaluate all the accreditations on a yearly basis so that if there are certain security flaws or improper business practices by the Registrars and Registries they can be found sooner before they get out of hand.

https://www.icann.org/resources/pages/audits-2012-02-25-en

 

[Qc4]

Epik acquired InTrust Domains in 2011.

In 2012 there was this ICANN "Notice of breach of registrar accreditation":

https://www.icann.org/en/system/files/correspondence/burnette-to-palm-27apr12-en.pdf

Confusingly, the acquisition did not include InTrust's ICANN registrar ID. In the letter, there's a reference to ID 653, which is now "NamePal.com #8028, LLC" (probably a drop catch registrar). For whatever reason, Epik acquired the ID 617 instead from a company called NameQueen.

 

[jmcc]

Perhaps it's a good idea for ICANN to reevaluate all the accreditations on a yearly basis so that if there are certain security flaws or improper business practices by the Registrars and Registries they can be found sooner before they get out of hand.

And by this I mean for ICANN to do more than just charging the yearly fees.

IMO

ICANN has an audit programme but it concentrates on policy rather than on individual registrar security:
https://www.icann.org/resources/pages/audits-2012-02-25-en

There are limits to what ICANN is able to do and it is constrained by agreed upon policies. These policies can take years to develop and go through thousands of hours of discussions.

Regards...jmcc

 

[DN Playbook]

When Epik became an accredited registrar didn't they have to pass certain tests and evaluations as far as their security protocols go and if they passed and got their accreditation then ICANN might consider Epik to be more of a victim than a villain as far as them getting hacked now (just saying).

Last time I checked, all you need to have are policies in place, an interface to register and manage domains, and pay a substantial fee to ICANN. ICANN doesn't do a detailed audit of your infrastructure or code. Someone who knows better may correct me on this.

EPIK is a victim as are all the customers. But when you walk in a dangerous neighbourhood in the middle of the night with your wallet exposed and get mugged, then your judgement and decision making skills are called into question.

 

[oldtimer]

In my opinion how Epik originally got started and what it is today are two separate things as far as ICANN accreditation goes.

If Epik is an accredited registrar today then why didn't ICANN audits catch any of the security flaws.

IMO

 

[DN Playbook]

If Epik is an accredited registrar today then why didn't ICANN audits catch any of the security flaws.

Making excuses and deflecting the blame is not a way to fix it. To fix it, you own the problem and take measures to ensure it is not repeated. You don't blame others.

Many registrars that lose their accreditation either go bankrupt or have many complaints against them from disgruntled customers. There are likely other reasons as well.

 

[oldtimer]

ICANN doesn't do a detailed audit of your infrastructure or code.

I believe that ICANN requires those to be evaluated by third parties at the time of accreditation.

What I am saying is that perhaps they need to continue to be reevaluated every year instead of just the one time test that the Registrars have to pass to get accredited originally.

IMO

 

[DN Playbook]

I believe that ICANN requires those to be evaluated by third parties at the time of accreditation.

What I am saying is that perhaps they need to continue to be reevaluated every year instead of just the one time test that the Registrars have to pass to get accredited originally.

IMO

Maybe. But this is not the main issue here. This is not about ICANN. They have their own issues to deal with which are completely separate from the topic of this thread.

 

[oldtimer]

Making excuses and deflecting the blame is not a way to fix it. To fix it, you own the problem and take measures to ensure it is not repeated. You don't blame others.

I am not deflecting nor am I trying to blame others, I am trying to fix the system as a whole so that problems like this don't happen again.

IMO

 

[branding]

If Epik is an accredited registrar today then why didn't ICANN audits catch any of the security flaws.

Because you're not gonna let ICANN snoop around in your code and encryption methods. That would be a security risk

 

[Future Sensors]

Because you're not gonna let ICANN snoop around in your code and encryption methods. That would be a security risk

Exactly.

https://www.theregister.com/2015/04...posed_over_300_times_in_icann_security_snafu/

 

[oldtimer]

Because you're not gonna let ICANN snoop around in your code and encryption methods. That would be a security risk

I believe that is done by third parties at the time of the original accreditation,

What I am saying is that perhaps it's a good idea to do that on a yearly basis in order to catch any problems before they get out of hand.

IMO

 

[DN Playbook]

What I am saying is that perhaps it's a good idea to do that on a yearly basis in order to catch any problems before they get out of hand.

This is the responsibility of the service provider, who can hire a third-party security firm to audit their security, if they are concerned about bad code that can easily be exploited. You should be able to expect service providers to be adults that don't need an oversight body to audit them every year.

 

[oldtimer]

This is the responsibility of the service provider, who can hire a third-party security firm to audit their security, if they are concerned about bad code that can easily be exploited. You should be able to expect service providers to be adults that don't need an oversight body to audit them every year.

Well we are talking about geting tested and evaluated for accreditation here and I believe that it shouldn't be a one time deal. The tests and evaluations should continue on a yearly basis in order to maintain the accreditation by ICANN.

In another words when a Registrar displays the seal of accreditation by ICANN it should mean that they can be trusted beyond just the first year of getting accredited.

IMO

 

[johnn]

The job to protect the data belongs to the company not the customers.
Either Rob does not care or he just don’t know how to do it.
You guys twisted the topic into a new topic: how customers can help the company to protect the data.

 

[oldtimer]

The job to protect the data belongs to the company not the customers.
Either Rob does not care or he just don’t know how to do it.
You guys twisted the topic into a new topic: how customers can help the company to protect the data.

It's the customers (the registrants) that I am trying to protect here against future disasters.

It's the seal of accreditation that the customers see and trust and I believe that that seal should really mean something beyond just for ICANN collecting their yearly fees.

IMO

 

[johnn]

Why do you want to protect them? It’s not your job.
Epik had a lousy security measures which leave thousand of customers data exposed to the public and they don’t seem to care.
Don’t waste any more time on this nonsense topic.

 

[branding]

It's the customers (the registrants) that I am trying to protect here against future disasters.

It's the seal of accreditation that the customers see and trust and I believe that that seal should really mean something beyond just for ICANN collecting their yearly fees.

IMO

I don't think it's a particularly bad idea, I just don't see it happening/working from a purely practical point of view.

 

[oldtimer]

Why do you want to protect them?

Why do I want to protect the Registrants,

Well because I am a Registrant too

 

[ixex]

I received notice from a credit monitoring service that an email of mine is detected again on the dark web due to this breach lol

 

[jmcc]

Well we are talking about geting tested and evaluated for accreditation here and I believe that it shouldn't be a one time deal. The tests and evaluations should continue on a yearly basis in order to maintain the accreditation by ICANN.

All very well in theory but the registry and registrar constituencies in ICANN (there are various constituencies with committees and groups) would respond with a very simple question: who pays?

Security audits cost money and someone would have to pay. If it is the registrars, then they would have to pass the yearly audit costs on to the registrant. This would mean higher registration fees with all the outrage that follows from that. There are around 2,500 ICANN accredited registrars but only 600 or so are retail registrars. The dropcatchers may be able to increase their fees but the retail registrars may find it difficult. Some are running on very narrow profit margins for domain names as it is and they use domain names to upsell the customer to more profitable products and services. This increased pricing would lead to a lower number of registrars and accelerate some of the drift to ccTLDs. Though the .COM continues to grow, the other gTLDs are having a much tougher time in gaining new registrations.

There are different types of registrars. Some have less than ten thousand registrations. Others manage millions. Some are in economies where registrants could easily absorb the costs. Others are in economies where the costs would be more of a problem. ICANN already has a serious problem with a very low number of accredited registrars in the Africa region. It has even lost registrars in the US/CA and European regions. This is often down to registrars being taken over and the registrar operator brand consolidating. The ccTLDs are also beginning to take over from the gTLDs and in most European countries, the ccTLD is the first choice TLD for registrants.

Would a yearly security audit have saved Epik? Perhaps. The comments suggest that it was a compromised backup rather than the compromise of an active production server. The full facts of what happened have not been published.

Regards...jmcc

 

[Paul]

Registrars have a responsibility to secure their infrastructure and data. Inevitably, some will be irresponsible, as appears to have been the case here. How are customers supposed to know about that before it’s too late? How would an average registrant make an informed decision? When all this is over, how will any of us know whether Epik has resolved the underlying issues?

Security audits work best when they’re performed regularly by different auditors. There are security auditors who will sign off on lousy security, but if you’re required to go to a new company each time, you’re not going to get away with the security flaws present at Epik for very long. Personally, I would like to see ICANN enforce annual security audits. That’s not to blame ICANN for what happened, but it would be a nice improvement to their policies that would help address the threats we’re seeing today.

 

[Paul]

Security audits cost money and someone would have to pay.

So do security lapses. I’d rather pay up front than take my chances.

The comments suggest that it was a compromised backup rather than the compromise of an active production server.

From a technical standpoint, that makes zero difference. There were production credentials in the backup; it would’ve been trivial for an attacker to shift laterally given Epik’s poor security practices and lack of isolation.

From an auditing standpoint, that makes zero difference. Backups are still subject to security requirements, for reasons that should now be clear to everyone in this thread.

 

[oldtimer]

All very well in theory but the registry and registrar constituencies in ICANN (there are various constituencies with committees and groups) would respond with a very simple question: who pays?

ICANN already charges the Registrars and Registries a yearly fee doesn't it,

And there is also the revenue from the 25 cents ICANN fee that is added to every domain.

Plus ICANN seems to be sitting on around 500 million dollars right now that it has gained through all the fees and donations that it has collected so far.

IMO