Silentptnr

Domains88.com

Paul

Tech, NamePros
Some credit cards offer a virtual / one time credit card number that ties to your account. You use it once and then it's no longer any good. You might want to see if any of your cards offer it.

This is the approach I tend to use. Just be careful to avoid developing a false sense of security if you go that route; you still need to monitor for suspicious charges and rotate out the numbers if they're compromised.


READING NOW:

https://techcrunch.com/2021/09/17/epik-website-bug-hacked

Web host Epik was warned of critical security flaw weeks before it was hacked.

Notable:



That's strike two. I had a similar experience in which Rob didn't respond when I reported a vulnerability, despite him being the one to initiate communication. The LinkedIn spam excuse certainly doesn't apply there.

I prefer to assume good faith, but my supply of optimism is quickly depleting.
 
Notable:



That's strike two. I had a similar experience in which Rob didn't respond when I reported a vulnerability, despite him being the one to initiate communication. The LinkedIn spam excuse certainly doesn't apply there.

I prefer to assume good faith, but my supply of optimism is quickly depleting.

Not looking good.

I am starting to wonder if Epik even knows themselves what was compromised and how it was compromised. That makes this whole thing even worse.

If they don't know, how can they possibly fix it?

Brad
 

The Durfer

Wesley Sweatman
Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than investing in true security professionals, to keep costs down.
With a bug bounty, you should already have the best hacker in the world on your payroll, then see who out there can beat it. lol.
 

TauseefKhan

Top Contributor
It is indeed worrisome news for all of us. I hope it gets resolved.

Before posting this, I did a little research on how an entity can become an ICANN accredited domain registrar. I found the ICANN REGISTRAR ACCREDITATION APPLICATION FORM, in which section (or serial) 24 deals with the security aspects of a domain registrar. For example, it says: "please attach evidence of an International Organization for Standardization (ISO) 27001 Certification demonstrating effective security controls for the services to be provided by the registrar. An accredited third party must award the certification. If the ISO 27001 Certification has been awarded for a service or process equivalent in complexity to the proposed registrar's services, the applicant must explain the equivalence and make an assertion that it will use the same security controls in the registrar's services." And so on.

My point is that we trust banks with our money because banks are protected by federal or reserve banks. Similarly, domain registrars should get the same protection from the body that has given them the authority to carry on such a business. After all, a domain is more than money. It's serious business for many companies. Imagine big giants losing a domain for even a second; it would cost them millions.

Domain investors are affected by this, but importantly many businesses also get affected because of lost emails, domain hacks and so on if the registrar faces a major attack.

So, I think there have to be some more stringent ICANN policies and compliance requirements to make sure that in such a scenario of attacks/hacks the domain registrants' domains are safe.

Safe in the sense that they are not easily transferred out nor easily pushed to another account at the same registrar, paving the way for an easy transfer out.

There must be rules and policies from ICANN governing such a scenario for the safety of end users.

After all domain registrants also pay a small amount to ICANN as a fee during checkout.
 

Paul

Tech, NamePros
Kinda feels like Epik [halfheartedly] relies on their bug bounty program rather than invest in true security professionals, to keep costs down.

Bug bounty programs are quite effective, actually, but they usually need to be live for more than a day to work their magic.
 

Paul

Tech, NamePros
Rob mentioned on Twitter they're using code that is over a decade old, originating from Russia... Supposedly planned to update. May explain the weak hashing.

Usually, when you acquire or maintain untrusted code, best practice would be to isolate it from the rest of your infrastructure so that an attacker can't pivot laterally if they compromise it. If their claim is true, one of their first steps forward will likely be to implement such isolation, since it's usually one of the easier improvements that can be made.

For any other companies watching from the sidelines, that's worth noting. You don't want an attacker to be able to use your old, neglected WHOIS server as a foothold.
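As an added illustration of the isolation Paul describes (this is example configuration written for this thread, not code from the original post, from Epik, or from any registrar), here is a host-level nftables ruleset for a legacy WHOIS server. The host may accept only the WHOIS port from the public and SSH from a single jump host, and it may not open connections into internal address ranges, so a compromise of the old code does not become a foothold for lateral movement. Every address, interface and network range below is a constructed placeholder.

```nftables
# Constructed example: host firewall for an isolated legacy WHOIS host.
# Assumptions (placeholders, not real infrastructure):
#   - the WHOIS service listens on TCP/43
#   - internal networks live in 10.0.0.0/8
#   - the only admin path is SSH from the jump host 10.0.1.5
#   - the only permitted internal destination is the resolver 10.0.0.53
table inet legacy_whois {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 43 accept comment "public WHOIS service"
        ip saddr 10.0.1.5 tcp dport 22 accept comment "SSH only from the jump host"
        # everything else (database ports, admin panels, internal APIs) is dropped by policy
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr 10.0.0.53 udp dport 53 accept comment "DNS resolver"
        ip daddr 10.0.0.0/8 drop comment "no new connections into internal ranges"
        tcp dport 443 accept comment "outbound HTTPS to the internet only, e.g. for OS updates"
        # no other outbound traffic: a compromised WHOIS daemon cannot reach the registrar backend
    }
}
```

Load it with `nft -f` after reviewing it, and keep the `drop` for 10.0.0.0/8 above the outbound HTTPS rule: with a default-drop policy, rule order is what stops the broad "internet only" allowance from also matching internal hosts. Pair the ruleset with equivalent restrictions on the upstream switch or cloud security group, since host firewalls can be edited by whoever gains root on the box.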
 

eternaldomains

Established Member
Now that I think of it, @Rob Monster it's better that you separate the registrar into 2 registrars: the main one for end users, the other one strictly for domainers (and of course using a different name). If those whatever hackers wanna whack again, chances are they'll only bother the one with hosted crap.
 

eternaldomains

Established Member
Rob mentioned on Twitter they're using code that is over a decade old, originating from Russia... Supposedly planned to update. May explain the weak hashing.
Took them too long for this. It's as expected just like what I said earlier in this thread: they focused too much on "innovations" (aka expansion/acquisitions etc) instead of focusing on the most important things.

There was a comic I read some time ago (yes I know, horrible source, but still.... surprisingly relevant) saying that it's simply easier to just buy tech from another company as part of "innovation" instead of actually trying to improve on their own.

To me that's just a lazy way to do things, and that laziness will surely bite you back eventually (like now). This is the 2nd time I've seen Epik being lazy on the dev side. The 1st was their "responsive" design causing icons/images to look distorted. Did that one get fixed yet?
 
September 16, 2021 - 30min - Steven Monacelli conversation with CEO of Epik Robert Monster

I am still watching it, but very interesting so far...

This is a serious issue about doxxing.

Rob Monster to the other person -

"How much cocaine did you do today..."

"I think if you were an honorable guy, the site would come down..."


Real professional.

Here is some free advice - when you are in a hole, stop digging.

Brad
 

April004

Established Member
Someone here posted that Epik has 37 members here who worked for them. Cutting corners by hiring cheap employees is not good business, along with other inadequate security measures like storing data in plain text.

With just 500,000+ domain registrations in total up till now, how much might Epik be paying for 37 employees?
There were few domain sales in the aftermarket!
 

The Durfer

Wesley Sweatman
Is Rob Epik.com? Is epik.com Rob? Why is it epik.com to begin with? If it was a personal identifying business then it would've been Rob.com or Monster.com. He named it; epik.com is doing business as usual. What should be asked is why they are attacking the person instead of the company. The company is a registrar, not a personal individual living their life on earth the best way they know how, with likes, dislikes, dreams, aspirations, realizations. Keep the stuff on the field, not as a disease. ty.

It was a personal attack and they changed the shield to suit their evil plan, instead of what it was standing for and good to begin with. I'm glad Rob was transparent and interacting with domainers. Who wants a king who distances himself from the people to begin with?
 
Are you sure he wasn't just reading the message that was written in chat?

1:47 in the video. There is nothing in the chat. That is his own statement.

What a terrible video. The language used and basically defending doxxing because someone is not "honorable" (in whose judgement?).

Brad
 

Paul

Tech, NamePros
What a terrible video. The language used and basically defending doxxing because someone is not "honorable" (in whose judgement?).

I don't suppose anyone has a transcript? They kept talking over each other, and I'm too sleep deprived to tolerate that nonsense. Combine that with the guy who kept yelling into his mic, and it's quite difficult to follow on a Friday night after a long week.
 
In the middle of the video, Rob finally seems to take the doxxing issue more seriously and disables the website, after some standard complaining about the "left media".

NO ONE CARES about excuses, deflections, and whining. They care about the data breach.

Brad
 