Epik Had A Major Breach

DaveX
•••
I received notice from a credit monitoring service that an email of mine is detected again on the dark web due to this breach lol
•••
Well we are talking about geting tested and evaluated for accreditation here and I believe that it shouldn't be a one time deal. The tests and evaluations should continue on a yearly basis in order to maintain the accreditation by ICANN.
All very well in theory but the registry and registrar constituencies in ICANN (there are various constituencies with committees and groups) would respond with a very simple question: who pays?

Security audits cost money and someone would have to pay. If it is the registrars, then they would have to pass the yearly audit costs on to the registrant. This would mean higher registration fees with all the outrage that follows from that. There are around 2,500 ICANN accredited registrars but only 600 or so are retail registrars. The dropcatchers may be able to increase their fees but the retail registrars may find it difficult. Some are running on very narrow profit margins for domain names as it is and they use domain names to upsell the customer to more profitable products and services. This increased pricing would lead to a lower number of registrars and accelerate some of the drift to ccTLDs. Though the .COM continues to grow, the other gTLDs are having a much tougher time in gaining new registrations.

There are different types of registrars. Some have less than ten thousand registrations. Others manage millions. Some are in economies where registrants could easily absorb the costs. Others are in economies where the costs would be more of a problem. ICANN already has a serious problem with a very low number of accredited registrars in the Africa region. It has even lost registrars in the US/CA and European regions. This is often down to registrars being taken over and the registrar operator brand consolidating. The ccTLDs are also beginning to take over from the gTLDs and in most European countries, the ccTLD is the first choice TLD for registrants.

Would a yearly security audit have saved Epik? Perhaps. The comments suggest that it was a compromised backup rather than the compromise of an active production server. The full facts of what happened have not been published.

Regards...jmcc
•••
Registrars have a responsibility to secure their infrastructure and data. Inevitably, some will be irresponsible, as appears to have been the case here. How are customers supposed to know about that before it's too late? How would an average registrant make an informed decision? When all this is over, how will any of us know whether Epik has resolved the underlying issues?

Security audits work best when they're performed regularly by different auditors. There are security auditors who will sign off on lousy security, but if you're required to go to a new company each time, you're not going to get away with the security flaws present at Epik for very long. Personally, I would like to see ICANN enforce annual security audits. That's not to blame ICANN for what happened, but it would be a nice improvement to their policies that would help address the threats we're seeing today.
•••
Security audits cost money and someone would have to pay.

So do security lapses. I'd rather pay up front than take my chances.

The comments suggest that it was a compromised backup rather than the compromise of an active production server.

From a technical standpoint, that makes zero difference. There were production credentials in the backup; it would've been trivial for an attacker to shift laterally given Epik's poor security practices and lack of isolation.

From an auditing standpoint, that makes zero difference. Backups are still subject to security requirements, for reasons that should now be clear to everyone in this thread.
•••
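The post above makes the point that a backup containing production credentials is as sensitive as the production system itself. As an added example, not code from this thread, from Epik or from any registrar, here is a defender's pre-flight check that scans a tar.gz backup for plaintext secrets before it is copied off-site, so leaked credentials can be removed or rotated first. The rule set, file names, and the sample archive are constructed for illustration (the AWS key is Amazon's documented example value); a real pipeline would use a maintained secret-detection rule set and also verify the archive is encrypted at rest.

```python
"""Scan a backup archive for embedded credentials before it is shipped off-site.

Added example (not from the NamePros thread or Epik): a defender's pre-flight
check that flags plaintext secrets inside a backup so they can be rotated or
removed before the archive is stored or copied anywhere less protected.
"""
import io
import re
import tarfile
from typing import Dict, List

# Detection rules: (rule name, compiled regex). Conservative patterns chosen for
# illustration; real deployments would use a maintained rule set.
SECRET_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("db_connection_string", re.compile(r"\b(?:postgres|mysql)://[^:\s]+:[^@\s]+@", re.I)),
    ("password_assignment", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I)),
    ("api_key_assignment", re.compile(r"\bapi[_-]?key\s*[:=]\s*\S+", re.I)),
]

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # skip huge blobs (database dumps get their own checks)


def scan_text(text: str) -> List[str]:
    """Return the names of every rule that matches the given text, in rule order."""
    return [name for name, rx in SECRET_RULES if rx.search(text)]


def scan_backup(archive_bytes: bytes) -> Dict[str, List[str]]:
    """Open a tar.gz backup held in memory and map member path -> matched rules.

    Only members with at least one hit are returned, so an empty dict means the
    archive passed the check.
    """
    findings: Dict[str, List[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_MEMBER_BYTES:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            # Decode leniently: config files are text, binaries simply won't match.
            text = fh.read().decode("utf-8", errors="replace")
            hits = scan_text(text)
            if hits:
                findings[member.name] = hits
    return findings


def build_sample_backup() -> bytes:
    """Build a constructed sample backup: two files with secrets, one clean file."""
    files = {
        "app/config/database.yml": "production:\n  host: db.internal\n  password: s3cr3t-prod-pw\n",
        "app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAPI_KEY=sk_live_example_only\n",
        "app/README.md": "# Registrar app\nRestore with restore.sh after verifying checksums.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def backup_is_safe_to_ship(archive_bytes: bytes) -> bool:
    """Gate for the backup pipeline: True only when no secrets were found."""
    return not scan_backup(archive_bytes)


if __name__ == "__main__":
    sample = build_sample_backup()
    for path, rules in sorted(scan_backup(sample).items()):
        print(f"{path}: {', '.join(rules)}")
    print("safe to ship:", backup_is_safe_to_ship(sample))
```

Run as a script it lists the two constructed files that carry secrets and reports the archive as not safe to ship; in a backup job the gate function would block the upload and page the on-call rather than print. The point it illustrates is the one the post makes: if a backup would let an attacker walk straight into production, the backup needs the same access controls and encryption as production.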
All very well in theory but the registry and registrar constituencies in ICANN (there are various constituencies with committees and groups) would respond with a very simple question: who pays?

ICANN already charges the Registrars and Registries a yearly fee, doesn't it?

And there is also the revenue from the 25 cents ICANN fee that is added to every domain.

Plus ICANN seems to be sitting on around 500 million dollars right now that it has gained through all the fees and donations that it has collected so far.

IMO
•••
So do security lapses. I'd rather pay up front than take my chances.
It would have to be well marketed and there would be considerable push-back from the registrar and registry constituencies in ICANN. That's why it would be difficult to get it adopted as a policy even though it would be sensible.

From a technical standpoint, that makes zero difference. There were production credentials in the backup; it would've been trivial for an attacker to shift laterally given Epik's poor security practices and lack of isolation.
That is an issue but it is difficult to say for certain that it could be done without knowing if Epik had IP rules on accessing its internal network. There was a claim earlier that it was a remote backup that was compromised but the problem is that there is a lack of verifiable details of what was compromised and, more importantly, how.

From an auditing standpoint, that makes zero difference. Backups are still subject to security requirements, for reasons that should now be clear to everyone in this thread.
They would be but it is too late for Epik now.

Regards...jmcc
•••
I would like to see ICANN enforce annual security audits.

Makes one wonder why it hasn't been done all these years.

As you know there are yearly security tests and evaluations done in every other Industry.

IMO
•••
ICANN already charges the Registrars and Registries a yearly fee, doesn't it?

And there is also the revenue from the 25 cents ICANN fee that is added to every domain.

Plus ICANN seems to be sitting on around 500 million dollars right now that it has gained through all the fees and donations that it has collected so far.

IMO
You would have to convince ICANN to implement a policy as part of the registrar accreditation agreement. The current one is the 2013 one. That means basically campaigning for the changes by getting the various constituencies in ICANN to adopt it and having it accepted. Then, after it is accepted, it could be a part of the next RAA.

Regards...jmcc
•••
You would have to convince ICANN to implement a policy as part of the registrar accreditation agreement. The current one is the 2013 one. That means basically campaigning for the changes by getting the various constituencies in ICANN to adopt it and having it accepted. Then, after it is accepted, it could be a part of the next RAA.

Regards...jmcc

I don't think that I have to convince them of that, the latest events dictate that ICANN should take additional measures to protect the Registrants.

That is if they hold true to their own mission statement.

IMO
•••
I don't think that I have to convince them of that, the latest events dictate that ICANN should take additional measures to protect the Registrants.

IMO
ICANN would, in that case, say that it is the registrars who should take additional measures. You may be focusing on ICANN rather than the registrars. It is the registrars who have to protect the registrant's data.

Regards...jmcc
•••
It is the registrars who have to protect the registrant's data.

And it is ICANN's responsibility to make sure that the Registrars and Registries do that.

One way or another ICANN accreditation should mean something more than just collecting fees.

This has now evolved beyond just Epik.

In my opinion ICANN should immediately initiate an Industry wide evaluation of all security protocols and systems.

IMO
•••
How would an average registrant make an informed decision?

Good question. Most customers will not look at certifications like SOC2.

Customers base this mostly on marketing and blog articles. In the case of Epik, the registrar code was apparently thoroughly reviewed in 2011. In a blog article from June 2011, the following qualifications were used:

- Extremely robust
- Talented engineers
- Battle-tested code

https://www.epik.com/blog/epik-introduces-domain-registrar-services-2.html

Interestingly, in 2021 Epik suddenly thinks very differently about the same code and calls it "shitty Russian code".

https://blog.mollywhite.net/monster-qa/

https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-50#post-8403335
https://www.namepros.com/threads/epik-had-a-major-breach.1252094/page-50#post-8403337
•••
I know Rob. What drives him is his ego, his desire to be the center and control everything and everyone, to be the great moderator in the sky. He is an evil and malicious guy that is capable of anything. The Christian talk is just that, talk. He uses it to disarm people and get control of them. No real Bible believing, born again Christians talk like that. I am one and I have met some of the best Christian men in the world and none of them talk that much hyper-spiritual nonsense and do so while LYING.

Also, he has $32 million in the bank.
Lol.
$32 Million.
Go Rob!!

Samer
•••
And Estibot as Russian bonus...
•••
And it is ICANN's responsibility to make sure that the Registrars and Registries do that.

One way or another ICANN accreditation should mean something more than just collecting fees.

This has now evolved beyond just Epik.

In my opinion ICANN should immediately initiate an Industry wide evaluation of all security protocols and systems.

IMO
>>> https://72.schedule.icann.org
•••
ICANN has done a good job when it comes to maintaining the security and stability of the DNS,

But when it comes to overseeing the operations and security at the Registrar and Registry level I believe that it has to go beyond the initial testing and evaluation that has been done at the time of the original accreditation.

In the current environment yearly (and in some cases even monthly) audits seem to be the logical thing to do. (end of story)

IMO
•••
When Epik became an accredited registrar didn't they have to pass certain tests and evaluations as far as their security protocols go and if they passed and got their accreditation then ICANN might consider Epik to be more of a victim than a villain as far as them getting hacked now (just saying).

IMO

I run a SaaS and have various accreditations. Thing is, no one ever looks at your code. They look at your company's procedures and policies.

Equally, a lot of pen testing isn't worth the paper it's written on.

The reality is you never really know how well an organisation is safeguarding your data. Until they fail...
•••
ICANN has done a good job when it comes to maintaining the security and stability of the DNS,

But when it comes to overseeing the operations and security at the Registrar and Registry level I believe that it has to go beyond the initial testing and evaluation that has been done at the time of the original accreditation.

In the current environment yearly (and in some cases even monthly) audits seem to be the logical thing to do. (end of story)

IMO
It is all very high-minded and good to worry about things and say how ICANN should do this or that. It is only by getting involved that you will effect change. Attend some of the meetings, learn about ICANN and the various stakeholders and groups.

Regards...jmcc
•••