Domain Registrar Epik Hacked

Domain registrar Epik is known for hosting certain types of domains. They call themselves the Swiss Bank of Domains – neutral in the political fights. They host the domains for right wing sites like Parler and Gab and political sites like Texas Right to Life and the Texas GOP, among many others.

The company confirmed that hackers breached their security AND downloaded customer account information.

The hackers may be affiliated with the non-group Anonymous, the loose collective of hackers that go after folks that they don’t like. They said, in a press release, that the hack was in retaliation for Epik’s habit of hosting questionable alt-right websites (their words).

“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet,” the group said. “Time to find out who in your family secretly ran an Ivermectin horse porn fetish site, disinfo publishing outfit or yet another QAnon hellhole.”

Epik Confirms Hack, Gigabytes of Data on Offer | Threatpost

It also appears that non-customers were swept up in the hack and some of their data was stolen too.

Size-wise, the hackers stole 180 gigabytes of data, they say, including names, phone numbers, physical addresses, purchases and passwords.

Also, apparently much of the data was not encrypted and some of it was only lightly salted (meaning that reversing it was trivial for the hackers).

It seems that the hackers are GIVING the data away for FREE. Here is what you get for free:

  • domain purchases and transfers in and out, all whois history unredacted, all DNS changes, all email forwards, payment history (without credit cards), account credentials for customers, hosting, VPN, etc., Epik’s internal servers and systems, Epik’s GoDaddy logins and more.

The hackers said “yep, these Russian developers they hired are actually just that bad,” referring to the lack of encryption and weak hashing.

They also hacked the Texas GOP web site for fun.

What does this mean to you?

First of all – vendor cyber risk management. Are your vendors secure?

Second, if you used Epik, change all affected passwords and encryption keys.

Third, assume an attack like this could happen; plan for it. Then do what you can to mitigate the damage from it.

Credit: Ars Technica

Be Careful What Contracts You Sign

While the details of this are interesting, what is more important is thinking about all of the contracts that you sign.

This is a legal battle that goes back several years.

In one corner is Fiserv, the Fortune 200 +/- financial services software behemoth.

In the other corner is Bessemer System Federal Credit Union, a small community credit union in Pennsylvania.

In 2018 Brian Krebs reported bugs in Fiserv’s platform that allowed one customer to see another customer’s name, address, bank account number and phone number.

So Bessemer FCU did some more testing and found more bugs – security holes.

According to the credit union, Fiserv responded with an aggressive notice of claims, attempting to silence Bessemer if they discussed these security bugs with third parties, including other Fiserv customers.

In the end Bessemer sued Fiserv and Fiserv counterclaimed.

Fiserv said Bessemer breached its contract, among other things, and wanted attorney fees.

Much of the argument seems to be around the security review, which, if accurate, shows that Fiserv’s software is not secure, something other Fiserv customers might want to know about.

Fiserv says that Bessemer just wants to embarrass Fiserv and get out of paying some bills.

Without spending a lot of time reviewing legal documents, it appears that Bessemer was not happy with Fiserv’s response to being notified about the bugs (namely, fixing them promptly) and wants to terminate the contract.

Fiserv appears to want to silence a critic (boy is that failing) and doesn’t want to let the customer out of its contract.

So what does that mean for you if you sign a contract with a vendor? Here are some thoughts.

  • The vendor is going to want you to sign as long a contract as possible and will usually offer you a price incentive to do so. If this is a new vendor, that is likely not a good deal for you. Shorter might make more sense.
  • You should review the reasons that you can terminate the contract and what that termination will cost you.
  • You should look for any clauses that stop you from talking about the vendor’s product quality. This is different from disclosing secrets. While bugs and security flaws may be secret, they should not be covered by these types of contract restrictions.
  • Vendors should have a fixed amount of time to fix serious bugs or you should be able to terminate your contract.
  • The contract should spell out that the vendor is liable for your losses as a result of security bugs. Software vendors will resist this like the plague, but why should you be responsible for their bad software?

The lawsuit is ongoing. It will be interesting to see how this works out. Given this is now in the news, Fiserv might be smart to try and make it go away. Quietly. A trial could be ugly. On the other hand, Fiserv has a lot more money than Bessemer does.

Stay tuned.

But think about those contracts you signed and how you would fare in a similar situation.

On the other side, if you are a software vendor, how would you handle this situation?

Credit: Security Week

Security News for the Week Ending September 17, 2021

LA Police Collected Social Media Account Info From People They Talked To

I’m sure they were just curious. The LA police watchdog says that officers were instructed to collect civilians’ social media details when they interviewed them. The instruction came in an email from the Chief dating back to 2015. He said it could be beneficial to investigations and possibly even future outreach programs. These are people who were neither arrested nor cited. I am sure that using people’s email addresses for social outreach is far more effective than, say, Twitter, Facebook or even the 6:00 News. Not. For harassing and scaring people, yes. Credit: MSN

Germany Admits Police Used NSO Group Pegasus Spyware

Germany’s Federal Police, testifying before Parliament, admitted that they used the Pegasus spyware, which can totally own a mobile phone and all the data on it. They said that some features were disabled due to German law. Which features, and how many people were targeted, were not revealed. Likely they are not alone – they just got caught at it. Credit: Security Week

Taliban and China Are Reportedly in Bed Together

China has reportedly sent its best (?) cyber spies to Kabul to help the Taliban hack land lines and mobile calls, monitor the Internet and mine social media. While all governments, including ours, do this, the Taliban is not likely to put any controls on what gets monitored. China has been, US intelligence sources say, wooing the Taliban for years getting ready for this. One can only assume that the Taliban will reciprocate, like by giving China access to stuff we left behind. Credit: Mirror

FTC Says Health Apps Must Notify Consumers About Breaches

In a 3-2 vote, with the two Republicans voting against it, the FTC warned apps and devices that collect personal health information that they must notify consumers if their data is breached. This is designed to specifically address the gap that apps are, for the most part, not considered covered entities, hence they are not covered by HIPAA. The two Trump appointees who voted against it are not necessarily against having app makers tell users that their data has been compromised, but would prefer to drag the decision out for a few more years as the government does its normal bureaucratic rulemaking process. Credit: FTC

Cop Instructed to Play Loud Music to Disrupt Public Filming of Their Activities

Police – or at least some police – do not like being filmed while performing their job. One Illinois police department officially came up with an interesting tactic. While it doesn’t stop people from filming them, it MIGHT cause the videos to be taken down from social media, which seems to be the goal. When they detect someone filming them, they turn on copyrighted music to be included in the recording. Most social media platforms have been sued enough that they have tech that detects at least popular copyrighted music and, if it detects it, removes the post so they don’t get sued. I think it is pretty simple to distort the music a little bit so the filter won’t work while still allowing a listener to hear the interaction with the police. My guess is that if a case like this came to court over copyright, the court would rule in favor of the person filming, but we are talking about the law here, so who knows. Credit: Vice

If You Do Email Marketing – The Times They Are A Changin’

Apple has always said that they are privacy focused and they usually are except when they are not.

Here is a case where they are and if you do email marketing, it is going to spell trouble.

Version 15 of the iPhone, Mac and Watch OSes comes out on September 20th. For users of Apple Mail, about 50% of the market, Apple is going to do several things to enhance their privacy and reduce your ability to track them.

If you have a negative attitude, you might think that Apple did this on purpose to mess with Facebook and Google. Nah, probably not. Hah!

There is an option that will be added to Apple Mail with that release so that users can opt in to proxying all of their mail through Apple’s proxy servers in Mountain View.

When Apple required users to opt IN to tracking in third party apps a couple of months ago, ONLY FOUR PERCENT OPTED IN. Said differently, 96% said that they did not want to be tracked.

If that even closely translates to the email world, 90+ percent of the users will ask Apple to add privacy to their emails.

What is going to happen?

Apple will open all emails in Mountain View (and other data centers) and that will trigger tracking pixels. That means that it will look like 100% of your emails were opened. If you do A/B email testing, it will look like each option was exactly as effective as the next one.

If your email has links that are location sensitive (i.e. Colorado users get Colorado ads), then everyone will look like they live in Mountain View.

If you do targeting by IP address, that won’t work either.

The actual tracking beacons will be deleted by Apple and not passed on to the user.

If you use any form of countdown timers, the countdown will start when the proxy server opens the email.

Other email tricks such as lead-nurturing, auto resend and others will need to be rethought.
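As an added example (not from the original post or from Apple or Mailerlite), here is how a sender could stop a prefetching proxy from inflating open rates: pixel hits that arrive from the proxy's address space, or within seconds of the send, are treated as prefetches rather than human opens. The proxy prefix and the log lines are constructed placeholders; the real proxy ranges and time window are the operator's to supply.

```python
"""Separate proxy prefetches from real opens in tracking-pixel logs.

Added example, not code from the original post. The proxy prefix below is a
constructed placeholder (RFC 5737 documentation range), not a real range.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: the operator supplies the privacy proxy's published prefixes.
PROXY_PREFIXES = ("203.0.113.",)

# Constructed sample: one campaign sent at 09:00 with two A/B variants.
# Each pixel-hit line is "timestamp recipient variant client_ip".
SEND_TIME = datetime(2021, 9, 20, 9, 0, 0)
SAMPLE_LOG = """\
2021-09-20T09:00:07 alice A 203.0.113.10
2021-09-20T09:00:08 bob   B 203.0.113.11
2021-09-20T09:00:08 carol A 203.0.113.10
2021-09-20T09:00:09 dave  B 203.0.113.12
2021-09-20T11:42:31 alice A 198.51.100.7
2021-09-20T12:10:05 carol A 192.0.2.44
"""


def parse(log):
    """Yield (timestamp, recipient, variant, client_ip) per log line."""
    for line in log.splitlines():
        ts, rcpt, variant, ip = line.split()
        yield datetime.fromisoformat(ts), rcpt, variant, ip


def is_prefetch(ts, ip, send_time, window=timedelta(seconds=60)):
    """A hit from the proxy's prefix, or from anyone within `window` of the
    send, is a machine prefetch: it also carries the proxy's IP, so the
    client IP says nothing about where the recipient actually is."""
    return ip.startswith(PROXY_PREFIXES) or ts - send_time < window


def open_rates(log, send_time, recipients_per_variant):
    """Return {variant: (naive_open_rate, corrected_open_rate)}."""
    naive, real = defaultdict(set), defaultdict(set)
    for ts, rcpt, variant, ip in parse(log):
        naive[variant].add(rcpt)           # every pixel hit counts
        if not is_prefetch(ts, ip, send_time):
            real[variant].add(rcpt)        # only likely human opens count
    return {v: (len(naive[v]) / n, len(real[v]) / n)
            for v, n in recipients_per_variant.items()}
```

With the sample data the naive view reports both variants at 100%, while the corrected view shows variant A was actually opened and variant B was not.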

On the other side, this will force senders to be more GDPR and CCPA compliant with respect to recipients’ privacy.

There are likely some things that you can do, but it is going to require rethinking things. Now is a good time to start thinking about what you are going to do.

For more info, check out Mailerlite’s blog post here.

IBM Says 2/3s of Cloud Breaches Could Be Stopped by Fixing Configs

IBM’s security arm, X-Force, released their latest Cloud Security Threat Landscape report for Q2 2020 to Q2 2021.

They said that two out of three breached cloud environments observed by them would likely have been prevented by more robust hardening of systems, such as better software security practices (called policies) and better patching.

They also said that when they sampled cloud environments during penetration testing, in every case they found issues with either credentials or policies.

They also said that API configuration and security issues, remote exploitation and accessing confidential data were common ways for threat actors to take advantage of lax cloud security.

The researchers said that they believe that over half of recent breaches come down to shadow IT – software that is not managed by IT.

Misconfiguration, API errors or exposure, and other bad cloud security practices have led to a booming market for access to cloud environments. According to IBM, 71% of ads listed in an underground forum – out of close to 30,000 ads – offer remote desktop access for criminal purposes.

Is your cloud environment secure? Are you sure?

Credit: ZDNet

Think the Cloud’s Not Secure? On-Prem Probably Worse

Security company Imperva says that almost all companies have internal databases with known vulnerabilities.

The average vulnerable database has 26 publicly disclosed flaws.

More than half of them are rated critical or high severity.

They collected this data over the past FIVE YEARS.

While being internal does make it slightly harder for the hackers to get to it, all that means is that there needs to be one infected computer somewhere on the network and poof.

They say that many of the unpatched bugs are more than three years old.

Once the hackers are able to detect that a database is vulnerable, there are many ways to get free code to exploit it.

Different countries deal with this differently. France won the gold medal for most vulnerabilities, with 84% of their databases having at least one vulnerability and the average vulnerable database having 72 bugs. The US did better. Only – repeat only – 39% of the databases had at least one vulnerability and the average was 25 bugs.

Better check your patching protocol. Credit: Dark Reading
