[alert] Epik Had A Major Breach

Silentptnr (Domains88.com), Top Member
The views expressed on this page by users and staff are their own, not those of NamePros.
I will argue hackers are immune to patches submitted via bug bounty programs.

It discourages script kiddies and botnet scanners hammering an origin, but application-level vulnerabilities are rarely the cause of an entire system being rooted, as it was with Epik.

As jonh said, it is a matter of competent engineers and security experts.

Btw, thanks Rob for offering me a bounty, which I won't take. Unless you start taking security seriously by announcing you have rebuilt your entire codebase, and are not relying on "remote PHP developers" to power Epik, I honestly think you are doomed.

Apologize to their customers, transfer them to a different company, shut down completely, and rebuild. Or just shut down.

There are no other options for them.

That is my professional opinion.
Kirt gave you honest advice, listen to the part "rebuild". A broken technology is a broken technology, no patch and no team will fix it.

This stuff means Epik is persisting in using remote PHP devs, Zend cannot be patched, but well time will tell if your technical debt is really irreversible.


PHP, Wordpress, alright. That's not how you play the game, that's why you are losing.
 
Uhhhh what? Application-level vulnerabilities make up a giant percentage of data breaches. I can't send links, so google "How many web apps get breached" -- you'll see a varying percentage, but it's not a small number. In fact, most of the networks I've breached have been a result of vulnerabilities I've found on the client side of web applications.
@Jona4s
 
Yeah, I was referring to more secure networks, and not Internet-facing services based on CVE-tracked stacks.

Such as a bank with proprietary protocols over layer 2, with no "application level" to exploit.

It's rare to see credit cards stored in the same server as the application server.

I'm sure you can MITM your way into internal endpoints, but those services are not public-facing, so CVE vulnerabilities will not apply.
 
I think you should set up security in such a way that you don't trust anyone within your own organization. A sort of Zero Trust, as it were. Especially in an organization like Epik, that seems to be a chain of takeovers, remote workers and third parties that develop software. Furthermore, I think all CVEs are important, including those that concern non-Internet facing systems. Usually they are used in combination to gain, consolidate and perpetuate access within a network.
 
And for your crown jewels, always use the five eyes principle.
 
I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext

ShvE8Z6.png
 
Time to take a Mulligan. Pay competent engineers to build a solid foundation from scratch, pay a real red team to attack that foundation, learn to defend with a competent blue team and bring in a purple team to ensure the red and blue teams are working in step. But the idea of being able to secure that site will be impossible with the current or any variation of the existing code, and with the data that was leaked, securing any system moving forward will be a difficult task. Sure, you can change your password and your credit cards, but data like names, birthdays, security questions and password histories will populate wordlists and credential stuffing attacks.

Judging by the clever quips and solutions cybermarks posts, it does not feel like they have a grasp on the idea that NO system is secure. A padlock will keep an honest man from stealing your lawnmower from your tool shed and you can sleep comfortably knowing that you gave it your best shot, but if someone really wants that lawnmower they are gonna get a couple of wrenches or a pair of bolt cutters and destroy the theatre of security most live in. Sure, another site may pop up, but it will be furiously attacked because someone left the gun cabinet unlocked and painted a target on their back. An organization's biggest vulnerability will always be the arrogance of the people saying it is "The Fort Knox of…" or the "Swiss bank of…"; you might as well just hand them the keys to the server room and write your passwords on a Post-it.
 
The bugcrowd thing is cool, but this thing could have been averted or at least marginally delayed if people would have listened to the Vulns that were presented. No amount of duct tape will salvage that Zend shanty.
 
And brand loyalty is cool, but it means nothing when the brand you are defending is throwing you under the bus and you just keep on dusting yourself off and deflecting blame. People on this thread keep repeating the mantra about how the researchers and security professionals don't know the complex world of domains, which is a dangerous assumption to make when they clearly know enough to point domains to hugs for cats and exploit shitty Mastodon forks in little to no time, but alas, "Never correct your enemy while they are making an error."
 
See how far the “But the hackers” mindset gets you. The people making this argument are NOT the law enforcement that will comb through this data and they definitely do not have any idea of the way in which this breach will be prosecuted so they should just sit back and keep their commentary locked far away in their narrow minds.
 
I just want to let you know how I’m feeling, We know the game and we’re gonna play it.
 
All technical talk aside. At this point, with so much data leaked in several batches, I think social engineering has become a serious problem for employees that must be guarded against. (This should be best practice already.) Not only the data of customers, but at least as much data of administrators, employees and ambassadors has been published - metadata, administrator IP addresses, and probably a lot more than I can even think of.
 
And stop taking pictures of your server racks with petabytes of storage claiming that is #bigdata. It only serves to further show a clear misunderstanding of the situation and allows people to know what you are packing. Cool, for less than 15 grand you can pick up some used ThunderBay 8s and call yourself #Bigdata, but that does not secure anything if you don't know WTF you are doing.
 
@Evil.dll Lower your blood pressure and use less salt.
 
I have seen yottabytes of storage on 34.82 acres of land with 1.5 million square feet of sensitive data that has yet to be breached and I am under no delusion that means it is completely secure.
 
I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext

ShvE8Z6.png

Not all readers know what this actually means, as this didn't use to be a security forum.

@Jona4s is referring to the following service:

https://www.maxmind.com/en/solutions/minfraud-services

minFraud Web Services
minFraud is a data return service that helps businesses prevent online fraud by providing risk scoring and risk data related to online transactions. Learn more about whether the minFraud service is right for your organization.
 
Epik is also mentioned in the article referenced in the tweet:

"The group behind the leak was Distributed Denial of Secrets, a collective of journalists and transparency advocates. Founded in 2018 by journalist Emma Best and an anonymous partner known as The Architect, DDoSecrets has quietly been one of the most effective organizations at bringing information powerful organizations want to keep hidden into the light. Since the BlueLeaks drop last June, DDoSecrets has published more juicy contraband, including videos, photos, posts, and direct messages scraped from far-right social media sites Gab and Parler in the wake of the Jan. 6 insurrection attempt. In the last few weeks, the organization has hosted a mirror of data from Epik, an internet services company that has been utilized by far-right and white supremacist groups, and has published emails, chat logs, and member and donor lists from the Oath Keepers, a far-right militia group involved in the Jan. 6 insurrection attempt."

"The hackers who claim to be behind the release of data from far-right web host Epik identify themselves with the name Hackers on Estradiol, a reference to a hormone therapy utilized by trans women."
 
I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext

ShvE8Z6.png

This stored data could actually help a lot during investigations, as the MaxMind minFraud system takes a lot of variables into account. Having a look at the indicators combined with the orders is a goldmine for LEA and will help them to better focus on a certain group of customers, while excluding others.
 
You may be king rich of domain speculation, but that means nothing in my world.

This still keeps me thinking, because it didn't come with the recommended grain of salt.

Yes I know I'm an emo guy :unsure:
 
The irony is that he is extorting businesses to pay a +10000% price for what costs $7.

But has the moral to call security professionals criminals.
 