Moniker Is Oblivious As Usual To The Disaster And Blames the Heartbleed Bug

Just like after it changed its control panel, Moniker is once again issuing a statement that solves none of the problems. It can’t solve any of them, because Moniker does not admit that there is an underlying problem: its new system.

I bet you have all heard of the massive hacking attack on Moniker. It was successful, and many domains have been reported stolen, including domains such as bit.com.

Moniker, in an email today, claims that the Heartbleed Bug caused the system vulnerabilities.

They also said something that appears to be completely untrue: “there have been brute force attacks against Moniker accounts resulting in unauthorized domain name transfers”.

Actually, I have talked with and read comments from tens of Moniker customers, and I can assure you that there was no brute force attack. The hacker simply had a list of ALL customer numbers and passwords. There was not a single unsuccessful login, which is exactly what a brute force attack leaves behind: it guesses, so it fails far more often than it succeeds. One IP logging into every account on the first try is the signature of an attacker who already holds the credentials. And even if there had been a brute force attack on the main server, why the hell were all passwords stored in plain text?
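As an added example (not code from the original post or from Moniker), this is the kind of check a practitioner would run over authentication logs to tell the two patterns apart: a brute force source piles up failures on an account before any success, while a source replaying leaked credentials logs into many distinct accounts with no failures at all. The log format, the sample lines and the thresholds are constructed for illustration and are not Moniker’s.

```python
import re
from collections import defaultdict

# Constructed sample login log for illustration (not real Moniker logs).
# Assumed line format: "<timestamp> ip=<addr> account=<id> result=<ok|fail>"
SAMPLE_LOG = """\
2014-09-23T10:01:02Z ip=203.0.113.7 account=100001 result=ok
2014-09-23T10:01:09Z ip=203.0.113.7 account=100002 result=ok
2014-09-23T10:01:15Z ip=203.0.113.7 account=100003 result=ok
2014-09-23T10:01:21Z ip=203.0.113.7 account=100004 result=ok
2014-09-23T10:01:27Z ip=203.0.113.7 account=100005 result=ok
2014-09-23T10:02:00Z ip=198.51.100.9 account=100001 result=fail
2014-09-23T10:02:01Z ip=198.51.100.9 account=100001 result=fail
2014-09-23T10:02:02Z ip=198.51.100.9 account=100001 result=fail
2014-09-23T10:02:03Z ip=198.51.100.9 account=100001 result=fail
2014-09-23T10:02:04Z ip=198.51.100.9 account=100001 result=ok
2014-09-23T11:00:00Z ip=192.0.2.44 account=100002 result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) account=(?P<acct>\S+) result=(?P<res>ok|fail)")


def parse(log_text):
    """Return a list of (source_ip, account, succeeded) tuples, skipping lines
    that do not match the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["acct"], m["res"] == "ok"))
    return events


def classify_sources(events, min_accounts=3, min_failures=3):
    """Label every source IP (thresholds are assumed, tune them to your traffic):

    brute_force       - at least min_failures failed logins: the source is guessing
    credential_replay - at least min_accounts distinct accounts and zero failures:
                        the source already knows the passwords
    normal            - anything else
    """
    stats = defaultdict(lambda: {"accounts": set(), "ok": 0, "fail": 0})
    for ip, acct, ok in events:
        s = stats[ip]
        s["accounts"].add(acct)
        s["ok" if ok else "fail"] += 1

    verdict = {}
    for ip, s in stats.items():
        if s["fail"] >= min_failures:
            verdict[ip] = "brute_force"
        elif len(s["accounts"]) >= min_accounts and s["fail"] == 0:
            verdict[ip] = "credential_replay"
        else:
            verdict[ip] = "normal"
    return verdict


if __name__ == "__main__":
    for ip, label in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip:15} {label}")
```

On the constructed sample the first source is flagged as credential replay (five accounts, zero failures) and the second as brute force (four failures before a success); the point is that the two leave very different traces, and a registrar with login logs can tell within minutes which one it is looking at.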

Here is the email from Moniker today and my comments on this email below:

Ongoing security measures

Moniker recently underwent a system-wide password reset to implement security improvements as a result of recent activity within several accounts. We would like to address these issues and respond to various articles and comments about security breaches at Moniker.

We take all reasonable steps to ensure the protection of domain names managed on our platform and understand that the safety and security of your assets is of utmost importance. With that in mind, we constantly assess system vulnerabilities and work towards quick resolutions to known issues.

In the past several weeks, we have seen suspicious activity on our platform which included login attempts to various accounts from unknown sources. We have reason to believe credentials to the accounts in question may have been obtained through exploitation of the Heartbleed Bug published earlier this year.

In addition to suspicious activity, there have been brute force attacks against Moniker accounts resulting in unauthorized domain name transfers. Our staff is working diligently to identify instances of unauthorized transfers and to revert them as soon as possible. To date, we have recovered any domain that was transferred without authorization.

We encourage you to notify us immediately if you feel your account has been compromised or if you believe you are missing domains; however, we are confident all such cases have been identified.

Contact support at getsupport@moniker.com.

Of course they don’t actually reply to any of the “articles and comments”. They don’t explain why, when a domain is pushed from one account to another, no confirmation email is sent about the push, and why the push is not even logged in the jobs section.

“In the past several weeks, we have seen suspicious activity on our platform which included login attempts to various accounts from unknown sources.”

What was Moniker doing in these several weeks? Did they identify the suspicious activity and do nothing, or did they not even notice that something was wrong? Either way, these people are dangerous.

No Moniker, your “reasonable steps” are not good enough.

I suggest that anyone with a domain at Moniker leave this registrar immediately.

Related post: “How To Check If Any Of Your Domains Have Been Stolen From Moniker”.


About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

19 comments

  1. I noticed the infamous IP logged in my account also. Luckily, my domains apparently suck so nothing was lost. Except further trust.

    Regarding this email, I think the real question is the following. Are they saying all these customer passwords were obtained individually through exploiting the Heartbleed flaw? Or was a single admin password obtained via Heartbleed while that admin was logging in, which led to the customer database being exposed?

    a) If it’s the former, then the odds would seem to be astronomical. Heartbleed required that a customer’s credentials were in memory when the attacker was issuing exploit queries against the login server. So the exploiter would need to be querying constantly to grab results when customers logged in successfully, and then be lucky enough that the entire plaintext password was in the right place in memory.

    It wasn’t that Heartbleed simply exposed the entire password database in plaintext, there was much more to it. The problem is that so many reports of that IP have surfaced, coupled with how frequently customers log into their accounts and the luck involved in actually seeing a *complete* plaintext password returned. The math doesn’t favor it.

    b) If it’s the latter, then maybe the attacker gained admin privileges which allowed them to grab the customer database. Then used standard rainbow table attacks against the password hashes. But I can tell you for sure, there’s no way that my 16 char pw could ever be reverse hashed with a rainbow attack. And of course none of that would matter if the user table was properly salted. Unless the attacker also socially engineered the salt key somehow. But this is getting too theoretical to even entertain.

    Heartbleed happened in the spring and was patched rather quickly. Given that at least one customer (me) changed their passwords after the transition in June, how could the attacker access my account on Sept 23?

    If it’s a problem with the multiple account numbers/usernames issue then I’m willing to listen because maybe Heartbleed did expose stagnant passwords over a long period of time. Or there was a dump of the user table and plaintext passwords laying carelessly around.

    But given how many times we’ve seen companies yell “Heartbleed!” since the spring, it really requires a full public postmortem to be believable. I really hope this wasn’t a Hail Mary, so to speak.

    Jmho.

    • “Or there was a dump of the user table and plaintext passwords laying carelessly around.”
      Hmmmm… Yes!

      • Heh, that was said more in jest than a realistic scenario. With a properly hashed+salted password database, a plaintext file would never exist. Only by knowing the salt *and* executing a hash collision attack would it be attackable from the public facing internet.

        Outside of that, there must be something else going on behind their walls. It’s hard to fathom how so many accounts were accessed from the outside as Moniker now implies (by laying this at the feet of Heartbleed).

        Maybe someone else can lay out a feasible scenario, or critique what I wrote. More than willing to be proven wrong.

      • There was nothing properly done during the system change.

        ALL Moniker accounts were accessed from a single IP in about 5-7 days of time. This is a fact.
        The hackers did not target certain accounts. I had empty accounts with the same successful logins.
        They had all accounts and passwords and did whatever they liked. Not a single login was unsuccessful.

        And nobody suspected how a single IP has logins into ALL accounts over 5 days. Ridiculous.

      • Everything you wrote certainly appears to be true, and it’s a headscratcher how an attack that broad was possible.

        But here’s a nitpick about the plausibility of someone gaining access to a file that has customer ids and passwords in plaintext: this implies they were letting plaintext customer passwords into their database (i.e. not using hashes).

        This would be the absolute most incompetent design imaginable, no professional programming team would ever let that happen. Seriously, I mean that, anyone implementing such a thing would be fired immediately because it proves they have no idea how security works. A site must never know what the user’s plaintext password is, even if the persistent storage itself is encrypted.

        Of course, everything I just said is essentially contradicted by their recent reset of emailing passwords in the clear. That’s really, really bad stuff. But the point is I can’t imagine their core databases have been running with plaintext storage of passwords. Therefore, it would seem that there’s some other vector that was exploited (but Heartbleed is a stretch until a plausible scenario is proposed).

        The answer is probably a simple one, and most certainly involves incompetence (or nefarious intent?) at some level. But I suspect we’ll never know what really happened.

      • “This would be the absolute most incompetent design imaginable, no professional programming team would ever let that happen.”
        This doesn’t sound so strange to me. I saw what they did with the new control panel.
        They managed to lose all transaction and invoice history, they lost domains, they lost all settings (auto-renew etc.), they pretty much lost everything and didn’t even blink.
        Yes, they should be fired.

  2. This is flat out a lie: “To date, we have recovered any domain that was transferred without authorization. ”

    Domains that were transferred to other registrars after being stolen from Moniker accounts have not been recovered. http://domaingang.com/domain-news/domain-thief-peddling-cache-domains-stolen-moniker/

  3. Maybe they wanted the cheapest solution for their system and outsourced it to some one who could do it for 10 $ ?

  4. I spoke to them many times via support when I got a hold of someone, and their answer would always be to give it a couple of days, someone will get back to you. Names bought at snapnames were hanging in limbo; they said technically you own them, but we do not have control of them due to some shakeup. Always the same lame reasons with this lame company.

    The gTLDs were a pure cash cow, they missed that boat too; whoever took this once money-making company and drove it into the ground should seriously be fired. I remember calling, and it ringing, and ringing, then hold sequence, then hang up, then calling back, and offices were closed.

    MONIKER FAIL FAIL FAIL

  5. There is no way that Moniker can recover from this mess….The marketing budget to replace the “lost” customers would eat up all profits and prevent innovation to stay competitive. Couple that with the fact that there is more competition from innovative companies and it’s easy to conclude that Moniker is “toast”…..They have lost too much of their core customers and thus will never be the same…..If Moniker decides to continue, a name change and management shift is not optional, but necessary……The incompetence and lack of business and technical skills is astounding in this case…..

    • There is no marketing that can help recover from this.
      Once FMA and Telepathy and all big domainers are gone it’s done.
      Moniker will have less than 500k domains in a year. And even less in 2-3 years from now.
      Down from 2.5M+.

  6. If they were smart they would have tried to make a deal with uniregistry, and give them all their accounts, and merge into that company and their secure backend. Do they really think they can turn things around, with the addition of namebright, uniregistry, and countless others?

  7. HOW THE HELL DO I GET MY PASSWORD RESET?

    THEIR DAMN PASSWORD RESET TOOL DOES NOT WORK!! I HAVE OPENED 5 TICKETS and it’s been over 72 business hours, they don’t respond to SHIT.

    I can’t get them on the phone, called 40 times, they have an over ten minute hold time, and then at exactly ten minutes it auto connects to voicemail, I left 4 voicemails and NO ONE GETS BACK TO ME!!

    I have 140 DOMAINS with moniker and they are holding them hostage, I can’t F’ing login to even transfer them or renew them, my domains are expiring, my webhosts are changing, I can’t update my DNS.

    What the hell do I do? Do I have to fly to Portland and bust down the door to their office to get my f’ing password reset?

    I tried their password reset tool 100 TIMES, it DOES NOT WORK.

  8. I got an email from these clowns on 6th October that reads as follows:
    (Note that this was a plain text email and had account numbers as well as new passwords for said account numbers, IN THE EMAIL!!)

    Dear Valued Client,

    With the recent ShellShock vulnerability making headlines in addition to the numerous instances of security breaches around the world each week, security is an ever increasing concern.
    We also saw an increased attempt to access Moniker accounts by brute force attacks.

    And we at Moniker are taking this very seriously.

    Accordingly, we are implementing new protocols to better protect our clients and their assets.

    As part of this process, you will be required to reset your account password while adhering to stronger minimum password requirements.

    You will now need to use a more secure password combination at least eight characters in length and including three of these four attributes:

    * Lowercase characters
    * Uppercase characters
    * Numerical digits
    * Special characters

    We have proactively reset your password and login credentials for sub-accounts to reflect these changes.

    The new password for your account XXXXXXX is as follows xxxxxxxxx.

    Please find below passwords for the sub accounts that we found in your settings:

    XXXXXXX xxxxxxxxx

    Please reset your passwords to one of your own choosing that meets the new password requirements at your earliest convenience.

    Blah blah blah….
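The first comment thread above argues about whether a leaked user table could have handed the attacker usable passwords, and the last comment shows the reset email delivering new passwords in the clear. As an added example (not code from the original post, the commenters, or Moniker), the block below puts the two storage models the commenters discuss side by side: an unsalted MD5 table, where every user with the same password shares one hash and one rainbow-table lookup breaks all of them, and a per-user salted PBKDF2 store, where a leaked table yields neither the password nor a reusable lookup. It also shows what a forced reset can do when only hashes are kept: mint a fresh random password and store its hash, because the old one cannot be read back. The iteration count and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed work factor; tune so one check costs ~100 ms on the server


def unsalted_md5(password: str) -> str:
    """The weak scheme the commenters have in mind: identical passwords produce
    identical hashes, so a single precomputed (rainbow) table cracks every user."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256. The site never stores the password
    itself, only a record it can verify against."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def reset_password(record_store: dict, account: str) -> str:
    """What a forced reset looks like when only hashes exist: a new random
    password is generated, its hash replaces the record, and the plaintext is
    returned once for delivery to the user. Nothing here can recover the old
    password, which is why a store like this cannot leak one."""
    new_pw = secrets.token_urlsafe(12)
    record_store[account] = hash_password(new_pw)
    return new_pw


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password (an assumption).
    alice, bob = hash_password("correct horse"), hash_password("correct horse")
    print("unsalted md5 equal:", unsalted_md5("correct horse") == unsalted_md5("correct horse"))
    print("salted records equal:", alice["hash"] == bob["hash"])
    print("alice verifies:", verify_password(alice, "correct horse"))
    store = {"100001": alice}
    new_pw = reset_password(store, "100001")
    print("after reset, old password works:", verify_password(store["100001"], "correct horse"))
    print("after reset, new password works:", verify_password(store["100001"], new_pw))
```

With per-user salts, two records for the same password differ, so the “rainbow table against the hashes” step in the comment thread does not work; an attacker holding the table still has to run the iterated hash per account per guess. The flip side is the point the last commenter makes: a system built this way can only ever email a freshly generated password, never an existing one.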
