Epik Had A Major Breach

The views expressed on this page by users and staff are their own, not those of NamePros.
BugCrowd has the experience and is used to working with foreign developers like the dedicated team over at We Can Develop IT.
 
@johnjhacking Now you're here, virtually that is, what's your professional opinion on the elite guys from Cybermarks?
 
@johnjhacking Now you're here, virtually that is, what's your professional opinion on the elite guys from Cybermarks?
Do you have any references? I haven't particularly been keeping up with every single bit of this conversation. I'm going to need my memory jogged on that name.
 
Do you have any references? I haven't particularly been keeping up with every single bit of this conversation. I'm going to need my memory jogged on that name.

It's the newly formed security company at Epik. Discussed in the Monster video and the last few pages in this thread. Enjoy. Your professional opinion is welcome. They are elite guys.
 
"Monster: I’m there! We already have a bug bounty program. So if you find stuff that’s weakly executed…

Jackson: …what?

High Fidelity: You have a bug bounty program?

Monster: We do!

Jackson: Where?

Monster: So right now it’s just an email, but we also are… [email protected] But what we are also doing, we actually have a software team… We have a cybersecurity team, believe it or not.

Unidentified SC3:02:39: You should fire them.

Unidentified: [laughing]

Jackson: Yes. Yes yes yes.

Monster: I’m telling you! We’ve just hired and assembled a team. A crack team from South Africa.

Jackson, SC3:02:53: From South Africa?? You guys are gonna get popped again! Their government just got fucking ransomwared!

[crosstalk]"
 
@johnjhacking We have a problem!

I was talking about rebuilding the entire company codebase from scratch, while your answer was probably about self-hosting or outsourcing their Bug Bounty program. Is that correct?

ref: [screenshot attachment]
 
Right, I forgot about that. Thanks for the reminder. Yes - they most certainly need a new security team, or a reshift in focus which it sounds like they are doing. When he said "crack team" he must mean literally because...well do the math.

Yes, an email distro that's not publicly facing. Where are users supposed to find that? Contact the company each time an issue is identified? It's not sustainable. @FernandoBMS
 
Could someone technically inclined please make a list of all the specific things that Monster/Epik did and didn't do that they should have done? E.g. saving failed login attempts in clear text or at all, saving credit card details on their own server. Perhaps in order from most to least egregious.
 
Just to give an idea of how the Epik hack looks to me, example below.

I personally don't like many Wikipedia articles, so now I must go pay some hackers and delete/edit those pages as I see fit, or I will negotiate with them what they should publish on their website.

For the info, I have websites that are like hungry dogs; if I publish them today, Wikipedia will be at the bottom of the bottoms with their lefty fairy tale agendas.

P.S. thanks to the mods for unlocking me to voice my opinions!

Hi @iTesla

I understand that there is some content on Wikipedia that is not to your liking and you want to see it changed. But what do you mean by 'pay some hackers' in relation to Wikipedia? For what services are you paying hackers?
 
I personally don't like many Wikipedia articles, so now I must go pay some hackers and delete/edit those pages as I see fit, or I will negotiate with them what they should publish on their website.

It sounds like you are being scammed.
 
As for you accusing me of gloating simply because I agreed with a post by @Kirtaner, that is simply outrageous. The hack did reveal gross negligence by the company and exposed to customers and potential customers how poorly their data was being protected, the type of personal data stored, and how it was being stored, and alerted non-customers that their data was being harvested as well. Hopefully this forces Epik to do something about it. The datasets were released because RM at first denied it and later downplayed it. If I am mistaken in the timeline, someone who knows better can correct me.

The question is, would you want to continue having your information exposed to anyone for years to come, including state players? Or a terrorist group, or someone that hides the fact that the data was hacked, so they can have unlimited time to exploit your finances and steal your identity? At least people have the opportunity to cancel their credit cards and change logins. It would have been much, much worse at some point.
 
One of the big questions to me is whether the foreign development team who used to maintain and protect the codebase from RM's prying eyes is now working together with external security talent to fix their shortcomings.
 
One of the big questions to me is whether the foreign development team who used to maintain and protect the codebase from RM's prying eyes is now working together with external security talent to fix their shortcomings.

Another question I have is how many talented people are even willing to work with RM and Epik?

How many people wanted to be associated with Epik before this, never mind after the data breach?

Their actions are going to really limit the potential talent pool.

Brad
 
Another question I have is how many talented people are even willing to work with RM and Epik?

How many people wanted to be associated with Epik before this, never mind after the data breach?

Their actions are going to really limit the potential talent pool.

Brad

One would reasonably expect that, but Epik has always been able to surprise with new lab initiatives. Curious to see what's brewing this time. How will the 32MM be spent? On marketing, devops, politics, lawyers, bunkers, or a Russian language course for all employees?
 
Another question I have is how many talented people are even willing to work with RM and Epik?

How many people wanted to be associated with Epik before this, never mind after the data breach?

Their actions are going to really limit the potential talent pool.

Brad
I'm going to have to agree. They are the laughing stock of the Information Security industry right now. No one wants to work infosec for a company that doesn't take it seriously.
 
I'm going to have to agree. They are the laughing stock of the Information Security industry right now. No one wants to work infosec for a company that doesn't take it seriously.

Is this even discussed outside this forum, you mean? That's disturbing.
 
One of the big questions to me is whether the foreign development team who used to maintain and protect the codebase from RM's prying eyes is now working together with external security talent to fix their shortcomings.
It sounds like development by accretion where layers of code are built upon layers of code. It can be quite deadly from a security point of view. Ironically, it is now getting a free security audit.

Regards...jmcc
 
https://www.nytimes.com/2021/10/21/technology/trump-truth-social-hackers.html
https://archive.md/UVbmm

Hackers lay claim to Donald Trump’s social app before its launch.

Within two hours, hackers had gained access to a private version of the social network, creating fake accounts for Mr. Trump; the far-right personality Stephen K. Bannon; Ron Watkins, the QAnon conspiracy theorist; and Twitter’s chief executive, Jack Dorsey, who barred Mr. Trump from Twitter after his supporters stormed the Capitol on Jan. 6.

Using a false “donaldjtrump” account, hackers posted images of defecating pigs, wrote expletive-laced rants aimed at Mr. Dorsey and inquired about the whereabouts of the former first lady Melania Trump. Images of the hackers’ handiwork were circulated on other social media platforms.

In interviews on Thursday, the hackers, who are affiliated with Anonymous, the loose hacking collective, said the effort was part of their “online war against hate.”

After a several-year hiatus, Anonymous has re-emerged as a digital force against the far right. The collective recently took down a Texas Republican website after the passage of an anti-abortion bill, replacing the site with a Planned Parenthood fund-raiser. And last month, Anonymous was behind a breach of Epik, an internet services company popular with the far right, dumping 220 gigabytes of data, including personal details of its customers.

In exposing the innards of Truth Social ahead of its launch, hackers demonstrated that Mr. Trump’s soon-to-be-released social network had lax safeguards and left open the ability to spoof anyone, including the former president.

Mr. Trump had revealed the social network in an online presentation on Wednesday as part of Trump Media and Technology Group, which aims to take on big social media platforms.

A representative for the Trump media company did not immediately respond to requests for comment.

“We had a fun time trolling it to high heaven,” Aubrey Cottle, a hacker affiliated with Anonymous who goes by the alias Kirtaner, said in an interview.

A Truth Social app was made available for “preorder” on Apple’s App Store on Wednesday, inviting anyone interested to join a waiting list for its release. The digital crumbs from that post, Mr. Cottle said, were enough for him and other Anonymous hackers to gain access to the prerelease version of the app.

Once inside, Mr. Cottle said, hackers posted memes from spoofed accounts for Mr. Trump, former Vice President Mike Pence and other prominent figures.

The activity forced the Trump Media & Technology Group’s app developers to bar new accounts and eventually shutter the development platform. (The New York Times viewed screenshots backing up hackers’ claims.)
 
Thanks. Epik has been in that newspaper before. That has been an important reason for them co-facilitating alternative media, with varying degrees of success.
 
I think it would behoove some here to understand some things about me at this point.

https://techmonitor.ai/technology/cybersecurity/the-return-of-hacktivists

The return of the hacktivists

Epik was the ‘Swiss Bank’ of domain registration services, according to its founder Rob Monster. Privacy was an organising principle, he said. Unlike other domain providers, Epik would afford its users a safe haven to freely express themselves on the websites they registered with the company without intervention. This was the responsible thing to do, according to Monster (his real name), amid a “continuing, coordinated and perhaps accelerating theme of censorship” afflicting the domain registration ecosystem.

But all this was a smokescreen, critics argued. The only safe haven Epik provided was for the alt-right, they said, servicing domains from which extremists could freely spout racial hatred and coordinate vicious trolling campaigns.

The scale of the alt-right’s presence on Epik’s domains was revealed earlier this month after Anonymous-affiliated hackers breached its servers and published over 220GB of user data in two tranches. The leaks contained not only the domains belonging to alt-right figures, but their real names, credit card numbers, home addresses, and Epik email chains discussing FBI subpoenas against customers (“DO NOT TELL the registrant,” read one.)

Epik’s fate is especially sweet for Aubrey Cottle, a security researcher and a founding member of Anonymous. While subsequent analysis has shown that much of the exposed data was mundane and unrelated to Epik, the leak has nonetheless been described as a ‘Rosetta stone’ for researchers eager to understand the internal machinations of the far-right. For Cottle – who prefers to be known by his hacker nom de guerre, ‘Kirtaner’ – it’s the first step in dismantling what he calls the “sources of hate” that have afflicted the web over the past decade (he declines to give details about those involved in the hack). “The last handful of years have been pretty rough as far as the far-right [goes],” he says. “There’s a major pushback, as people are getting sick and tired of it.”

The Epik hack is just the latest manifestation of a new wave of so-called ‘hacktivism’ that’s not only targeting the alt-right. From the breach at video security start-up Verkada, in which hackers took control of 150,000 cameras in hospitals, police stations and schools, to the ongoing campaign against the dictatorial Lukashenko regime by the Belarus Cyber Partisans and similar efforts among pro-democracy groups in Myanmar, activists are once again using hacking as a form of protest.

This level of hacktivism has not been seen since the glory days of Anonymous and Wikileaks, when hacktivists around the world lent their services to the Arab Spring, undermined the Church of Scientology’s online presence and leaked thousands of US diplomatic cables and war logs.

Kirtaner himself is a thread of continuity between that time and now. Having lain low for several years after a series of arrests ended Anonymous’s first era, the security researcher revealed his role in its creation last year before embarking on his own campaign against conspiracist movement Q-Anon. Aside from his disgust at the movement’s role in inspiring mass shootings and other crimes, Kirtaner is also motivated by a sense of personal regret at the line that can be traced from Anonymous’ early trolling phase to Gamergate, alt-right extremism and the rise of Donald Trump.

“That is a very long and complicated story,” he says. “By virtue of the butterfly effect, I’ve always felt a ream of responsibility, personal responsibility, for the state of the current world. And I felt I needed to do something about it, if only to [put] my own soul at ease.”

Kirtaner aside, the current wave of hacktivism is propelled by a new generation, politicised by the rise of the alt-right and the Black Lives Matter movement. But while the political environment may have changed, the legal context has not. The cybersecurity laws that enabled the crackdown on Anonymous and enabled those arrests remain in place, and it remains to be seen if the current generation will avoid the same fate.