alert Epik Had A Major Breach

[DaveX]

Just read this. Looks like Epik may have been hacked and sensitive data compromised...

Read here:
https://domainnamewire.com/2021/09/14/hackers-claim-significant-epik-breach/

Thought I would share this.

 

[oldtimer]

Perhaps it's a good idea for ICANN to reevaluate all the accreditations on a yearly basis so that if there are certain security flaws or improper business practices by the Registrars and Registries they can be found sooner before they get out of hand.

And by this I mean for ICANN to do more than just charging the yearly fees.

IMO

 

[Future Sensors]

Perhaps it's a good idea for ICANN to reevaluate all the accreditations on a yearly basis so that if there are certain security flaws or improper business practices by the Registrars and Registries they can be found sooner before they get out of hand.

https://www.icann.org/resources/pages/audits-2012-02-25-en

 

[Qc4]

Epik acquired InTrust Domains in 2011.

In 2012 there was this ICANN "Notice of breach of registrar accreditation":

https://www.icann.org/en/system/files/correspondence/burnette-to-palm-27apr12-en.pdf

Confusingly, the acquisition did not include InTrust's ICANN registrar ID. In the letter, there's a reference to ID 653, which is now "NamePal.com #8028, LLC" (probably a drop catch registrar). For whatever reason, Epik acquired the ID 617 instead from a company called NameQueen.

 

[jmcc]

Perhaps it's a good idea for ICANN to reevaluate all the accreditations on a yearly basis so that if there are certain security flaws or improper business practices by the Registrars and Registries they can be found sooner before they get out of hand.

And by this I mean for ICANN to do more than just charging the yearly fees.

IMO

ICANN has an audit programme but it concentrates on policy rather than on individual registrar security:
https://www.icann.org/resources/pages/audits-2012-02-25-en

There are limits to what ICANN is able to do and it is constrained by agreed upon policies. These policies can take years to develop and go through thousands of hours of discussions.

Regards...jmcc

 

[DN Playbook]

When Epik became an accredited registrar didn't they have to pass certain tests and evaluations as far as their security protocols go and if they passed and got their accreditation then ICANN might consider Epik to be more of a victim than a villain as far as them getting hacked now (just saying).

Last time I checked, all you need to have are policies in place, an interface to register and manage domains, and pay a substantial fee to ICANN. ICANN doesn't do a detailed audit of your infrastructure or code. Someone who knows better may correct me on this.

EPIK is a victim as are all the customers. But when you walk in a dangerous neighbourhood in the middle of the night with your wallet exposed and get mugged, then your judgement and decision making skills are called into question.

 

[oldtimer]

In my opinion how Epik originally got started and what it is today are two separate things as far as ICANN accreditation goes.

If Epik is an accredited registrar today then why didn't ICANN audits catch any of the security flaws.

IMO

 

[DN Playbook]

If Epik is an accredited registrar today then why didn't ICANN audits catch any of the security flaws.

Making excuses and deflecting the blame is not a way to fix it. To fix it, you own the problem and take measures to ensure it is not repeated. You don't blame others.

Many registrars that lose their accreditation either go bankrupt or have many complaints against them from disgruntled customers. There are likely other reasons as well.

 

[oldtimer]

ICANN doesn't do a detailed audit of your infrastructure or code.

I believe that ICANN requires those to be evaluated by third parties at the time of accreditation.

What I am saying is that perhaps they need to continue to be reevaluated every year instead of just the one time test that the Registrars have to pass to get accredited originally.

IMO

 

[DN Playbook]

I believe that ICANN requires those to be evaluated by third parties at the time of accreditation.

What I am saying is that perhaps they need to continue to be reevaluated every year instead of just the one time test that the Registrars have to pass to get accredited originally.

IMO

Maybe. But this is not the main issue here. This is not about ICANN. They have their own issues to deal with which are completely separate from the topic of this thread.

 

[oldtimer]

Making excuses and deflecting the blame is not a way to fix it. To fix it, you own the problem and take measures to ensure it is not repeated. You don't blame others.

I am not deflecting nor am I trying to blame others, I am trying to fix the system as a whole so that problems like this don't happen again.

IMO

 

[dirk]

If Epik is an accredited registrar today then why didn't ICANN audits catch any of the security flaws.

Because you're not gonna let ICANN snoop around in your code and encryption methods. That would be a security risk

 

[Future Sensors]

Because you're not gonna let ICANN snoop around in your code and encryption methods. That would be a security risk

Exactly.

https://www.theregister.com/2015/04...posed_over_300_times_in_icann_security_snafu/

 

[oldtimer]

Because you're not gonna let ICANN snoop around in your code and encryption methods. That would be a security risk

I believe that is done by third parties at the time of the original accreditation,

What I am saying is that perhaps it's a good idea to do that on a yearly basis in order to catch any problems before they get out of hand.

IMO

 

[DN Playbook]

What I am saying is that perhaps it's a good idea to do that on a yearly basis in order to catch any problems before they get out of hand.

This is the responsibility of the service provider, who can hire a third-party security firm to audit their security, if they are concerned about bad code that can easily be exploited. You should be able to expect service providers to be adults that don't need an oversight body to audit them every year.

 

[oldtimer]

This is the responsibility of the service provider, who can hire a third-party security firm to audit their security, if they are concerned about bad code that can easily be exploited. You should be able to expect service providers to be adults that don't need an oversight body to audit them every year.

Well we are talking about geting tested and evaluated for accreditation here and I believe that it shouldn't be a one time deal. The tests and evaluations should continue on a yearly basis in order to maintain the accreditation by ICANN.

In another words when a Registrar displays the seal of accreditation by ICANN it should mean that they can be trusted beyond just the first year of getting accredited.

IMO

 

[johnn]

The job to protect the data belongs to the company not the customers.
Either Rob does not care or he just don’t know how to do it.
You guys twisted the topic into a new topic: how customers can help the company to protect the data.

 

[oldtimer]

The job to protect the data belongs to the company not the customers.
Either Rob does not care or he just don’t know how to do it.
You guys twisted the topic into a new topic: how customers can help the company to protect the data.

It's the customers (the registrants) that I am trying to protect here against future disasters.

It's the seal of accreditation that the customers see and trust and I believe that that seal should really mean something beyond just for ICANN collecting their yearly fees.

IMO

 

[johnn]

Why do you want to protect them? It’s not your job.
Epik had a lousy security measures which leave thousand of customers data exposed to the public and they don’t seem to care.
Don’t waste any more time on this nonsense topic.

 

[dirk]

It's the customers (the registrants) that I am trying to protect here against future disasters.

It's the seal of accreditation that the customers see and trust and I believe that that seal should really mean something beyond just for ICANN collecting their yearly fees.

IMO

I don't think it's a particularly bad idea, I just don't see it happening/working from a purely practical point of view.

 

[oldtimer]

Why do you want to protect them?

Why do I want to protect the Registrants,

Well because I am a Registrant too