Epik Had A Major Breach

The intrinsic value of it to post the scope of the data leak with flowcharts and spreadsheets without compromising PII
•••
I was going to buy epikfaildump, but some vulture beat me to it…
•••
Thefartking.com is available though
•••
It is certainly beneficial for the layman customer to have people like yourself, @Molly White, @Kirtaner, @bmugford, @johnjhacking, and others who are following the news and have reporting skills and other insights post their findings here. NP is like an aggregate of the news on this topic. Hopefully we can keep going until it is resolved.
Don't necessarily know if I can keep up, but if I notice anything prolific I'll let y'all know.
•••
Although I have to admit that the information provided by Epik is lacking, these kinds of domain names seem to me to have little value. The following domain has a Creation Date of 2021-09-14T17:44:19Z.

Create affiliate links to other registrars, spam the domain on Twitter, FB and LinkedIn = profit!
•••
Create affiliate links to other registrars, spam the domain on Twitter, FB and LinkedIn = profit!

Not sure if that is a sustainable business model, Dirk

(I know you didn't suggest it as a serious option)
•••
OVEROPTIC SYSTEMS LTD was incorporated on 14 March 2013 in the U.K. and the only public information available is the name of one appointed director, his address and nationality. He's a Ukrainian citizen from Crimea.

Thank you @FernandoBMS

Are you able to present a short overview of the most prominent countries involved in the complete Epik ecosystem, maybe with a short description?
•••
Don't necessarily know if I can keep up, but if I notice anything prolific I'll let y'all know.

For this domain name forum, where the major registrars and registries are present, it would be very helpful if you can think along how to make Epik more secure, and also how other domain registrars, registries and domain aftermarkets can learn from this incident. This thread clearly shows the current risks and the rapidly evolving cyber threat landscape, which is useful for the domain industry. An industry that is at the core of doing business on the Internet. Technically, we can secure DNS against Kaminsky attacks, we can do DNS QNAME minimization, we can do a lot. But we should think more about other attack vectors, like APIs, or registrars sending CSVs with EPP transfer codes using third-party mail solutions instead of offering a secure download from their website. Just some examples, you get the idea.
•••
The intrinsic value of it to post the scope of the data leak with flowcharts and spreadsheets without compromising PII

The scope and impact of the Epik data leak (several leaks) can best be described by creating actual stories based on different customer profiles and profiles of other stakeholders participating/following this thread. Readers will gain a better understanding for their specific use case. There's indeed no need to disclose any PII data on this forum.
•••
Quick update:

- The tech work continues apace. Most significant is the explicit separation of Dev and Ops. Traditionally in a small enterprise those teams can be one and the same, but as an organization achieves maturity, those functions become operationally separate.

- The oldest legacy code from the 2011 acquisition of Intrust Domains is substantially being upgraded and ultimately replaced. Bear in mind that the registrar software is a rather unique class of software so full replacement is not a small task, but because we have a large dev team that work is well under way.

- Software like Masterbucks, DNProtect.com, WHOQ.com and TrustRatings.com are more representative of modern coding frameworks. They were being deployed apace. Some of these ecosystem innovations are now on a slower track due to the emphasis on the core.

- The support team continues to do an exemplary job, as it has undergone significant expansion and upgrade, operating 24/7 for email, chat and phone. Our TrustPilot score has stayed at or around 4.9 throughout the episode. Account security and domain security remain our top priority.

- Domains under management also continue to rise and never dropped below the level when the incident occurred. Today's transfers out were a benign 62 domains, quite typical for a registrar where domains are being bought and sold. Nearly 600 transfers in, the vast majority of which is .com.

...

+ Some additional nonsense, use Google if you care.
•••
For this domain name forum, where the major registrars and registries are present, it would be very helpful if you can think along how to make Epik more secure, and also how other domain registrars, registries and domain aftermarkets can learn from this incident. This thread clearly shows the current risks and the rapidly evolving cyber threat landscape, which is useful for the domain industry. An industry that is at the core of doing business on the Internet. Technically, we can secure DNS against Kaminsky attacks, we can do DNS QNAME minimization, we can do a lot. But we should think more about other attack vectors, like APIs, or registrars sending CSVs with EPP transfer codes using third-party mail solutions instead of offering a secure download from their website. Just some examples, you get the idea.
Sure, I mean some of the most common ways:

1. Build out a comprehensive Information Security Program with multiple subteams, including but not limited to:
Application Security (Engineers)
Security Operations (Security Analysts, Endpoint Detection and Response Engineers, Malware/Forensics Engineers or Analysts)
GRC (Governance Risk and Compliance Analysts)
Fraud (Analysts and Engineers)
Red Team (w/Penetration testers and Offensive Security Engineers) OR the willingness to hire firms for at a minimum: quarterly penetration tests - and this has to be for ALL assets - network, web app, mobile, etc.
Network Security (Engineers and Analysts)
Vulnerability Management (Engineers)
2. Provide tooling and resources to subteams. There are too many tools to go through in this post but for instance, AppSec Engineers need to know how to implement and configure a WAF properly, implement tooling such as soft/hard gates that check packages or known resources to check code prior to prod push, SAST scanners for vulns in code, automated DAST scanning tools, bot protection, preventing web application attacks such as credential stuffing and disruption to the applications...I mean...the list is quite vast and that's one subteam.

Then you have other teams like SecOps, responsible for implementing endpoint protection such as antivirus on the host machines in combination with EDR tooling that can catch more dynamic malware outside of the simple-state of AV which is using a DAT file, investigating malware and triaging affected hosts or preventing network-level attacks, etc.

...you get the point. It's a gigantic effort, and it has to start somewhere.

3. Taking reports from hackers seriously, which it appears Monster is doing if he's going to be working with Bugcrowd.

Security is a GIANT incentive. This is why consultants, engineers, and analysts exist. If I could explain everything one needed to do in a series of posts, our field would be dead.
•••
Thank you @johnjhacking, @DirkS, and @Rob Monster for your recent replies and updates. Will give a detailed response later. In the meantime, DNProtect, an Epik Labs project, has this news to share. They tagged the tweet with #domains, so it looks like the culture is really changing and they want to be open about security incidents. Was the hacked server under management of Epik and related companies?
•••
Thank you @johnjhacking, @DirkS, and @Rob Monster for your recent replies and updates. Will give a detailed response later. In the meantime, DNProtect, an Epik Labs project, has this news to share. They tagged the tweet with #domains, so it looks like the culture is really changing and they want to be open about security incidents. Was the hacked server under management of Epik and related companies?
When something is “Free” make sure to read the TOS or you may find yourself as the product.
•••
This is the part I find interesting, everything else reads superfluous to me:

"The oldest legacy code from the 2011 acquisition of Intrust Domains is substantially being upgraded and ultimately replaced. Bear in mind that the registrar software is a rather unique class of software so full replacement is not a small task, but because we have a large dev team that work is well under way."
The acquisition was in 2011. Intrust Domains was launched in around 2009. The code would have been written before then, possibly around 2008. Full replacement is a monumental task. This code was captive as per your words, which means it was apparently not accessible to Epik:

"It was an acquisition, it is a captive dev team, and I’ve operated with that group to a large extent on the basis of trust." - Transcript of Rob Monster's live Q&A following the Epik breach (mollywhite.net)
How was the code released from its captive state? @Rob Monster, can you clarify? This seems like an unusual arrangement.
•••
Monster, YT0:35:56: [reading chat. Full comment from “JP”: “I’m upset at the security incident at Epik, but my anger isn’t towards Rob specifically, he’s just human.”] “upset at the security incident at Epik but my anger isn’t towards Rob…” Yeah no, thank you, I appreciate that, JP. Yeah we… we did not nail that one. I think quite candidly that was some serious weak code, like hard-coding API keys… just weak sauce. And in reality, like I said earlier in the call, our top engineers mostly hadn’t seen that code because it was kind of blackboxed, behind a firewall, separate git repository, and not part of the Epik git. And that might sound surprising… [pauses to blow nose] sorry, I have a cold… considering that we’re like a registrar, but that’s basically because of the history of how that company became part of Epik. It was an acquisition, it is a captive dev team, and I’ve operated with that group to a large extent on the basis of trust. They’re good people, they’re honorable people, ethical, responsible people, but their coding methods and frameworks are not up to standard, and they’ve pretty much handed over all the keys to two top guys, Justin Tabb, David Roman. And they’re they’re doing a great job diving into the code. And there were some very unpleasant discussions, very heated conversations, because some of the team hadn’t seen the code until until it was exposed. That might sound a little bit crazy but you have to keep in mind that we’ve grown really quickly around a core registrar, and if you want to know the history, I’ll tell you a story. You guys mind a digression? I’ll tell you a story. So up until July 2018… yo yo! Welcome! I’m Rob, nice to meet you. So July 2018, right, I’ve been running for the last three years as a consultant, kind of interim exec, a company called DigitalTown. You could look it up, it was on pink sheets. It’s still existing but it’s pretty much defunct. 
I did a TED talk, it’s actually a banned TED talk, and it was about DigitalTown. I can share it, I have a copy. So July 2018, I’m kind of in this boardroom struggle with the group that was running the company at the time, and we go on vacation, cruising in the Mediterranean, like around August 17. Middle of the Mediterranean underneath a Persian meteor shower and I’m looking up at the sky. Beautiful, clear night, like endless stars, and I have absolute clarity that the Lord is going to need a registrar. It’s the closest thing to a calling I’ve ever experienced.
•••
They tagged the tweet with #domains, so it looks like the culture is really changing and they want to be open about security incidents. Was the hacked server under management of Epik and related companies?

Very recently we (DNProtect) have been contacted to deal with 2 different cases, both unrelated to each other. They both involved stolen domains. Once the thieves gained access to the servers, they started transferring domains to other registrars (stealing the domains). 1 incident involved about 50 domains, the other just a few domains.

None of these were on Epik's servers. One was on GoDaddy, the other on Blue Host.
•••
Very recently we (DNProtect) have been contacted to deal with 2 different cases, both unrelated to each other. They both involved stolen domains. Once the thieves gained access to the servers, they started transferring domains to other registrars (stealing the domains). 1 incident involved about 50 domains, the other just a few domains.

None of these were on Epik's servers. One was on GoDaddy, the other on Blue Host.

Do you really think it is appropriate to be talking about your clients' issues? Also, this is a thread meant to discuss the Epik hack. I simply don't believe you. The fact that you, as an Epik employee, would come here and throw your other clients under the bus @GoDaddy in an attempt to deflect from the point of this thread shows that Monster found someone as dishonest as himself to fill in for him since he has been so discredited. No one should or would believe a word Monster says, so it stands to reason that he would hire someone else to lie for him, as he has done many times.

The culture hasn't changed because Rob Monster is what he is. You are just more attempts to cover that up.
•••
My research suggests that there was some outcry among Sammamish residents after Epik was reported to be providing services to Parler shortly after the January 6 Capitol attack. Parler transferred their domain registration to Epik on January 10, which aligns fairly closely with the timing of this statement.
There was this petition as well, signed by 330 people.

https://www.change.org/p/karen-moran-sammamish-city-council-should-revoke-epik-s-business-license
•••
Very recently we (DNProtect) have been contacted to deal with 2 different cases, both unrelated to each other. They both involved stolen domains. Once the thieves gained access to the servers, they started transferring domains to other registrars (stealing the domains). 1 incident involved about 50 domains, the other just a few domains.

None of these were on Epik's servers. One was on GoDaddy, the other on Blue Host.

Glad you were not affected. Thanks for the clarification.
•••
@bhartzer As mentioned earlier in this thread, Rob Monster is no longer listed as 'Partner' on the Russian website. Can you tell if the Russian team from wecandevelopit.com is still in charge of the Epik codebase? Did Epik cut ties with them after the recent data breaches?
•••
Mr. Troy Hunt, owner of the respected Data Breach search & alert website "Have I Been Pwned?", says on Twitter that he has received two copies of this book on Anonymous.

https://en.wikipedia.org/wiki/Have_I_Been_Pwned?

His tweet is included below.
The poll mentioned in another tweet was directly after the first Epik data breach. It was not yet known at the time that two more serious leaks (bootable disk images of Epik servers) would soon take place after that.
•••
Your whois data wasn't private. If you can't find it for free, you can buy it.
•••
Your whois data wasn't private. If you can't find it for free, you can buy it.

Well, you should probably know by now, after reading this thread, that there are strict regulations for collecting, storing, processing, and handling PII data. Furthermore, it's still unanswered where all the sensitive data of US and EU citizens was stored. Epik uses servers and offshore developers in the US, UK and Russia/Crimea.

Although the following comprehensive overview has been drafted especially for the financial services industry, it is a good reference for Epik and other registrars, as well. Btw, Epik offered financial services too, don't you agree?

https://www.upguard.com/blog/cybersecurity-regulations-financial-industry