Epik Had A Major Breach
Silentptnr
Too many questions:
If the house is on fire, should I come in?
 
Some credit cards offer a virtual / one-time credit card number that ties to your account. You use it once and then it's no longer any good. You might want to see if any of your cards offer it.

This is the approach I tend to use. Just be careful to avoid developing a false sense of security if you go that route; you still need to monitor for suspicious charges and rotate out the numbers if they're compromised.


READING NOW:

https://techcrunch.com/2021/09/17/epik-website-bug-hacked

Web host Epik was warned of critical security flaw weeks before it was hacked.

Notable:

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. [...] LinkedIn showed Monster had read the message but did not respond.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

That's strike two. I had a similar experience in which Rob didn't respond when I reported a vulnerability, despite him being the one to initiate communication. The LinkedIn spam excuse certainly doesn't apply there.

I prefer to assume good faith, but my supply of optimism is quickly depleting.
 
Not looking good.

I am starting to wonder if Epik even knows themselves what was compromised and how it was compromised. That makes this whole thing even worse.

If they don't know, how can they possibly fix it?

Brad
 
Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than investing in true security professionals, to keep costs down.
 
Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than investing in true security professionals, to keep costs down.
With bug bounty, you should already have the best hacker in the world on your payroll, then see who out there can beat it. lol.
 
How do they plan to compensate us for all these adventures, OR is there no compensation at all and just another $6.99 ad???
 
It is indeed worrisome news for all of us. I hope it gets resolved.

Before posting this, I did a little research on how an entity can become an ICANN-accredited domain registrar. I found the ICANN Registrar Accreditation Application Form, in which section (serial) 24 deals with the security aspects of a domain registrar. For example, it says: "please attach evidence of an International Organization for Standardization (ISO) 27001 Certification demonstrating effective security controls for the services to be provided by the registrar. An accredited third party must award the certification. If the ISO 27001 Certification has been awarded for a service or process equivalent in complexity to the proposed registrar's services, the applicant must explain the equivalence and make an assertion that it will use the same security controls in the registrar's services." And so on.

My point is that we trust banks with our money because banks are protected by federal or reserve banks. Similarly, domain registrars should get the same protection from the body that has given them the authority to carry on such a business. After all, a domain is more than money. It's serious business for many companies. Imagine a big giant losing a domain for even a second: it would cost them millions.

Domain investors are affected by this, but more importantly many businesses also get affected because of lost emails, domain hacks and so on if the registrar faces a major attack.

So, I think there have to be more stringent ICANN policies and compliance requirements to make sure that in such a scenario of attacks/hacks the domain registrants' domains are safe.

Safe in the sense that they are not easily transferred out, nor easily pushed to another account at the same registrar, paving the way for an easy transfer out.

There must be rules and policies from ICANN governing such a scenario for the safety of end users.

After all, domain registrants also pay a small amount to ICANN as a fee during checkout.
 
Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than investing in true security professionals, to keep costs down.

Bug bounty programs are quite effective, actually, but they usually need to be live for more than a day to work their magic.
 
Not sure what their agenda is but it sure isn't your safety.

Rob mentioned on Twitter they're using over-a-decade-old code, originating from Russia... Supposedly planned to update. May explain the weak hashing.
 
Estibot is also in Russian hands.
 
Rob mentioned on Twitter they're using over-a-decade-old code, originating from Russia... Supposedly planned to update. May explain the weak hashing.

Usually, when you acquire or maintain untrusted code, best practice would be to isolate it from the rest of your infrastructure so that an attacker can't pivot laterally if they compromise it. If their claim is true, one of their first steps forward will likely be to implement such isolation, since it's usually one of the easier improvements that can be made.

For any other companies watching from the sidelines, that's worth noting. You don't want an attacker to be able to use your old, neglected WHOIS server as a foothold.
 
And what innovations are there???
Even the control panel is the same as it was many years ago and is designed for legacy resolutions/screens.
 
Now that I think of it, @Rob Monster it's better that you separate the registrar into 2 registrars; the main 1 for end users, the other 1 strictly for domainers (and of course using a different name). If those whatever hackers wanna whack again, chances are they'll only bother the one with hosted crap.
 
Rob mentioned on Twitter they're using over-a-decade-old code, originating from Russia... Supposedly planned to update. May explain the weak hashing.
Took them too long for this. It's as expected, just like what I said earlier in this thread: they focused too much on "innovations" (aka expansion/acquisitions etc.) instead of focusing on the most important things.

There was a comic I read some time ago (yes I know, horrible source, but still.... surprisingly relevant) saying that it's simply easier to just buy tech from another company as part of "innovation" instead of actually trying to improve on their own.

To me that's just a lazy way to do things, and that laziness will surely bite you back eventually (like now). This is the 2nd time I see Epik being lazy on the dev side. The 1st mention was their "responsive" design causing icons/images to look distorted. Did that one get fixed yet?
 
September 16, 2021 - 30min - Steven Monacelli conversation with CEO of Epik Robert Monster
 
September 16, 2021 - 30min - Steven Monacelli conversation with CEO of Epik Robert Monster

I am still watching it, but very interesting so far...

This is a serious issue about doxxing.

Rob Monster to the other person -

"How much cocaine did you do today..."

"I think if you were an honorable guy, the site would come down..."

Real professional.

Here is some free advice - when you are in a hole, stop digging.

Brad
 
Rob Monster to the other person - "How much cocaine did you do today..."

Are you sure he wasn't just reading the message that was written in chat?
 
Someone here posted that Epik has 37 members here who worked for them. Cutting corners by hiring cheap employees is not good business, along with other inadequate security measures like storing data in plain text.

With just 500,000+ domain registrations in total up till now, how much might Epik be paying for 37 employees?
There were few domain sales in the aftermarket!
 
Is Rob Epik.com? Is epik.com Rob? Why is it epik.com to begin with? If it was a personal identifying business then it would've been Rob.com or Monster.com. He named it; epik.com is doing business as usual. What should be asked is why they are attacking the person instead of the company. The company is a registrar, not a personal individual living their life on earth the best way they know how, with likes, dislikes, dreams, aspirations, realizations. Keep the stuff on the field, not as a disease. ty.

It was a personal attack and they changed the shield to suit their evil plan, instead of what it was standing for and good to begin with. I'm glad Rob was transparent and interacting with domainers. Who wants a king that distances themselves from the people to begin with?
 
Are you sure he wasn't just reading the message that was written in chat?

1:47 in the video. There is nothing in the chat. That is his own statement.

What a terrible video. The language used and basically defending doxxing because someone is not "honorable" (in whose judgement?).

Brad
 
Epik's response is unacceptable at this point. I feel the most important objective is to report to consumers what information on which platforms has been affected, as quickly as it is known. That has not happened IMO.
 
What a terrible video. The language used and basically defending doxxing because someone is not "honorable" (in whose judgement?).

I don't suppose anyone has a transcript? They kept talking over each other, and I'm too sleep deprived to tolerate that nonsense. Combine that with the guy who kept yelling into his mic, and it's quite difficult to follow on a Friday night after a long week.
 
I could not listen to that; I hate it when someone asks a question and then keeps interrupting the person who is trying to answer.
 
In the middle of the video, Rob finally seems to take the doxxing issue more seriously and disables the website, after some standard complaining about the "left media".

NO ONE CARES about excuses, deflections, and whining. They care about the data breach.

Brad
 