Jona4s

Established Member
I will argue hackers are immune to patches submitted via bug bounty programs.

It discourages script kiddies and botnet scanners hammering an origin, but application-level vulnerabilities are rarely the cause of an entire system being rooted, as it was with Epik.

As jonh said, it is a matter of competent engineers and security experts.

Btw, thanks Rob for offering me a bounty, which I won't take. Unless you start taking security seriously by announcing you have rebuilt your entire codebase, and are not relying on "remote PHP developers" to power Epik, I honestly think you are doomed.

Apologize to their customers, transfer them to a different company, shut down completely, and rebuild. Or just shut down.

There are no other options for them.

That is my professional opinion.
Kirt gave you honest advice; listen to the part about "rebuild". A broken technology is a broken technology: no patch and no team will fix it.

This stuff means Epik is persisting in using remote PHP devs. Zend cannot be patched, but, well, time will tell if your technical debt is really irreversible.


PHP, Wordpress, alright. That's not how you play the game, that's why you are losing.
johnjhacking

Established Member
Uhhhh what? Application-level vulnerabilities make up a giant percentage of data breaches. I can't send links, so google "How many web apps get breached" -- you'll see a varying percentage, but it's not a small number. In fact, most of the networks I've breached have been a result of vulnerabilities I've found on the client side of web applications.
@Jona4s
Jona4s

Established Member
Yeah, I was referring to more secure networks, and not Internet-facing services based on CVE-tracked stacks.

Such as a bank with proprietary protocols over layer 2, with no "application level" to exploit.

It's rare to see credit cards stored in the same server as the application server.

I'm sure you can MITM your way into internal endpoints, but those services are not public-facing, so CVE vulnerabilities will not apply.
Future Sensors

78% of human domainers will be replaced by robots
I think you should set up security in such a way that you don't trust anyone within your own organization. A sort of Zero Trust, as it were. Especially in an organization like Epik, that seems to be a chain of takeovers, remote workers and third parties that develop software. Furthermore, I think all CVEs are important, including those that concern non-Internet facing systems. Usually they are used in combination to gain, consolidate and perpetuate access within a network.
Jona4s

Established Member
I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext

[attached image: ShvE8Z6.png]

Evil.dll

Established Member
Time to take a Mulligan. Pay competent engineers to build a solid foundation from scratch, pay a real red team to attack that foundation, learn to defend with a competent blue team and bring in a purple team to ensure the red and blue teams are working in step. But the idea of being able to secure that site will be impossible with the current or any variation of the existing code, and with the data that was leaked, securing any system moving forward will be a difficult task. Sure, you can change your password and your credit cards, but the data like names, birthdays, security questions, password histories will populate wordlists and credential stuffing attacks. Judging by the clever quips and solutions cybermarks posts, it does not feel like they have a grasp on the idea that NO system is secure. A padlock will keep an honest man from stealing your lawnmower from your tool shed, and you can sleep comfortably knowing that you gave it your best shot, but if someone really wants that lawnmower they are gonna get a couple wrenches or a pair of bolt cutters and destroy the theatre of security most live in. Sure, another site may pop up, but it will be furiously attacked because someone left the gun cabinet unlocked and painted a target on their back. An organization's biggest vulnerability will always be the arrogance of the people saying it is "The Fort Knox of…" or the "Swiss bank of…"; you might as well just hand them the keys to the server room and write your passwords on a Post-it.
Evil.dll

Established Member
And brand loyalty is cool, but it means nothing when the brand you are defending is throwing you under the bus and you just keep on dusting yourself off and deflecting blame. People on this thread keep repeating the mantra about how the researchers and security professionals don't know the complex world of domains, which is a dangerous assumption to make when they clearly know enough to point domains to hugs for cats and exploit shitty Mastodon forks in little to no time, but alas, "Never correct your enemy while they are making an error."
Evil.dll

Established Member
See how far the "But the hackers" mindset gets you. The people making this argument are NOT the law enforcement that will comb through this data, and they definitely do not have any idea of the way in which this breach will be prosecuted, so they should just sit back and keep their commentary locked far away in their narrow minds.
Future Sensors

78% of human domainers will be replaced by robots
All technical talk aside. At this point, with so much data leaked in several batches, I think social engineering has become a serious problem for employees that must be guarded against. (This should be best practice already.) Not only the data of customers, but at least as much data of administrators, employees and ambassadors has been published: metadata, administrator IP addresses, and probably a lot more than I can even think of.
Evil.dll

Established Member
And stop taking pictures of your server racks with petabytes of storage claiming that is #bigdata; it only serves to further show a clear misunderstanding of the situation and allows people to know what you are packing. Cool, for less than 15 grand you can pick up some used Thunderbay 8s and call yourself #Bigndata, but that does not secure anything if you don't know WTF you are doing.
Future Sensors

78% of human domainers will be replaced by robots
> I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext
>
> [attached image: ShvE8Z6.png]

Not all readers know what this actually means, as this did not use to be a security forum.

@Jona4s is referring to the following service:

https://www.maxmind.com/en/solutions/minfraud-services

minFraud Web Services
minFraud is a data return service that helps businesses prevent online fraud by providing risk scoring and risk data related to online transactions. Learn more about whether the minFraud service is right for your organization.
Future Sensors

78% of human domainers will be replaced by robots
Epik is also mentioned in the article referenced in the tweet:

"The group behind the leak was Distributed Denial of Secrets, a collective of journalists and transparency advocates. Founded in 2018 by journalist Emma Best and an anonymous partner known as The Architect, DDoSecrets has quietly been one of the most effective organizations at bringing information powerful organizations want to keep hidden into the light. Since the BlueLeaks drop last June, DDoSecrets has published more juicy contraband, including videos, photos, posts, and direct messages scraped from far-right social media sites Gab and Parler in the wake of the Jan. 6 insurrection attempt. In the last few weeks, the organization has hosted a mirror of data from Epik, an internet services company that has been utilized by far-right and white supremacist groups, and has published emails, chat logs, and member and donor lists from the Oath Keepers, a far-right militia group involved in the Jan. 6 insurrection attempt."

"The hackers who claim to be behind the release of data from far-right web host Epik identify themselves with the name Hackers on Estradiol, a reference to a hormone therapy utilized by trans women."
Future Sensors

78% of human domainers will be replaced by robots
> I wonder who is going to use MaxMind now that their risk score factors were exposed in plaintext
>
> [attached image: ShvE8Z6.png]

This stored data could actually help a lot during investigations, as the MaxMind minFraud system takes a lot of variables into account. Having a look at the indicators combined with the orders is a goldmine for LEA, and will help them to better focus on a certain group of customers while excluding others.