EC|Council Portal Security Issues

the4tress (Member, Posts: 24)
I recently found out that EC|Council is storing passwords (and possibly other sensitive information) in clear text. Does anybody else have an issue with this or is it just me?

Here is the forum thread discussing the problem: https://portal.eccouncil.org/forum/forum_posts.asp?TID=1280&PN=1&TPN=3

This is EC|Council's response to the security issue:
Hi,

Because of the flexibility to the users EC-Council provides password to the concerned members through E-mails and the password will be sent to registered E-mail ID's only.

The company keeps user information secure and confidential. The user passwords are stored in very secured way following EC-Council's strict confidentiality rules and regulations.

You can keep all your EC-Council certifications active with the help of Continuing Profession Education provided by EC-Council.


This was my response:
I expect more from a certifying infosec organization. Storing a user's credentials in clear text seems like a really basic security vulnerability. What else is being stored in plain text? My address? Credit card info?

I'm not trying to be hard on you guys, but I do hold you to a higher standard. I understand you keep our information "very secured", but storing original passwords in a database leads me to believe otherwise. I just hope other users don't use their EC|Council portal password on other sites (especially for their email).

One last thing, can you point me to "EC-Council's strict confidentiality rules and regulations"? I would like to see your policies for storing personal information.

Thank you.

- Ryan


Am I overreacting?

- Ryan

Comments

  • SephStorm (Member, Posts: 1,731)
    No, you are not. They are unprofessional, but that is a different issue.

    The question for me is whether the account information can be easily acquired by a third party, ie could the system be tricked into revealing the contents of the database without the user's email being compromised. Whatever your view on the issue however, we all have the right to hold them to a standard, and expect the company to address those issues in a timely manner.
  • the4tress (Member, Posts: 24)
    I see you are in the Army in SC. Are you at Sumter?

    Also, how do I send a private message on here instead of going off the topic of the thread?
  • ptilsen (Member, Posts: 2,835)
    I would agree that it is not professional at all. It's no different than storing un-encrypted PANs on the justification that the network and server room are locked down (which is no justification at all). It's maybe a slight step above saying "we don't need antivirus; we have a firewall!".

    In a related story, I've noticed certificate errors on ECC's web site before.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • SephStorm (Member, Posts: 1,731)
    Strangely, the personal message function seems to be missing... at least in the old way. It looks like you have to go to your profile center and send one from there.
  • Daniel333 (Member, Posts: 2,077)
    EC Council has always been the Nigerian Prince of IT certifications imho.
    -Daniel
  • ChooseLife (Member, Posts: 941)
    the4tress wrote: »
    Am I overreacting?
    No, and thank you for sharing this information. Both the original issue and ECCouncil's inability to acknowledge it speak louder than all the marketing buzzwords filling their sites.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • the4tress (Member, Posts: 24)
    Yeah, they still haven't replied with their policy on storage of personal information yet.
  • the4tress (Member, Posts: 24)
    Wow, instead of fixing the problem they just deleted my posts where I pointed out the problems. They are censoring anything that points out their shortcomings. Now this is a new low...

    Here is the link. You can see their reply to me, but my posts are gone. WTF?

    https://portal.eccouncil.org/forum//forum_posts.asp?TID=1280&PN=1&TPN=3
  • colemic (Member, Posts: 1,569)
    Any way for non-certified peeps to see?
    Working on: staying alive and staying employed
  • the4tress (Member, Posts: 24)
    I don't know if this violates some sort of agreement I signed with them, but at this point I don't really care. They are doing some really shady stuff and I think it needs to be brought to the attention of those that are thinking about getting the certification, or those that are already certified.

    Here is a screenshot of the forum post. The first one is where my post was, and the second one is the following page where somebody said they saw it and had a similar issue before.

    <edit>I guess TechExams resizes uploaded images so they were really crappy and you couldn't see the text. I put them in my Dropbox if you want to check them out. http://goo.gl/rhafZ and http://goo.gl/fJeui</edit>

    There are 2 deleted posts. One directly before, and one directly after yuri's post where he says:
    Hi,

    Because of the flexibility to the users EC-Council provides password to the concerned members through E-mails and the password will be sent to registered E-mail ID's only.

    The company keeps user information secure and confidential. The user passwords are stored in very secured way following EC-Council's strict confidentiality rules and regulations.

    You can keep all your EC-Council certifications active with the help of Continuing Profession Education provided by EC-Council.

    In the first post I talked about how I was able to figure out that they are storing passwords in clear text. The second one is quoted in my original post here. Nothing vulgar or abusive which would justify removing the post.
  • colemic (Member, Posts: 1,569)
    I don't know about others but that is way too small to read. Cut and paste the text maybe?
  • the4tress (Member, Posts: 24)
    Yeah, I realized it after I posted the message. I edited the post with a link to the screenshots in my Dropbox. Sorry.

    Here they are: http://goo.gl/rhafZ and http://goo.gl/fJeui.
  • colemic (Member, Posts: 1,569)
    I don't see in the screenshots what your original posts said...
  • the4tress (Member, Posts: 24)
    Right, because they deleted the posts.

    I guess they delete anything that is critical or negative towards them, even if it is justified.
  • colemic (Member, Posts: 1,569)
    Well, what exactly did you post? I am not doubting you, but how do you know it was stored in plaintext?
  • the4tress (Member, Posts: 24)
    I forget exactly what I posted the first time. My second post is quoted in the first post of this thread (it was also deleted).

    If you go to the EC|Council portal and click "Forgot my password" and enter your email it will send you your password. This proves that they are storing the password in clear text. The proper way is for them to create a hash (preferably salted) of your password and store that in their database. Then when you log in, it will hash your password again (from the login) and compare it to the hash stored in the database. When you click "Forgot my password" they should send you a link asking you to reset the password, not send you the actual password.

    - Ryan
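The storage and reset flow Ryan describes in the post above, written out as an added example (not code from the thread, and not EC-Council's code). It keeps only a salted PBKDF2-HMAC-SHA256 record per user, re-derives and compares it at login, and answers "Forgot my password" with a single-use, expiring reset link instead of the password. The iteration count, the `portal.example` URL and the `ryan@example.com` record are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Only this record is stored; the plaintext password is never written anywhere."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the login attempt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class ResetTokenStore:
    """Single-use, expiring reset tokens. Only a SHA-256 of each token is kept,
    so a leaked table cannot be replayed against the reset endpoint."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (email, now + RESET_TOKEN_TTL_SECONDS)
        return token  # goes into the emailed link; the password itself never does

    def redeem(self, token: str, now: float) -> Optional[str]:
        entry = self._tokens.pop(self._key(token), None)  # pop: one use only
        if entry is None:
            return None
        email, expires_at = entry
        return email if now <= expires_at else None


def forgot_password(email: str, users: Dict[str, str], store: ResetTokenStore, now: float) -> Optional[str]:
    """What the 'Forgot my password' handler should email: a reset link, not the password.
    Returns the link for a known address and None otherwise; the HTTP reply to the
    browser should be identical in both cases."""
    if email not in users:
        return None
    token = store.issue(email, now)
    return f"https://portal.example/reset?token={token}"  # constructed URL


def reset_password(token: str, new_password: str, users: Dict[str, str],
                   store: ResetTokenStore, now: float) -> bool:
    """Consume the token and replace the stored record with a fresh salted hash."""
    email = store.redeem(token, now)
    if email is None:
        return False
    users[email] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users = {"ryan@example.com": hash_password("correct horse battery")}  # constructed record
    print(users["ryan@example.com"])  # the only thing the database holds
    store = ResetTokenStore()
    print(forgot_password("ryan@example.com", users, store, now=0.0))
```

The record format carries its own iteration count, so the work factor can be raised later and old records upgraded on the user's next successful login without a mass reset.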
  • SephStorm (Member, Posts: 1,731)
    I read his original post as well, I can confirm it is missing, and another member on the portal claims they had similar issues previously.
  • JDMurray (Admin, Posts: 13,092)
    the4tress wrote: »
    I don't know if this violates some sort of agreement I signed with them, but at this point I don't really care. They are doing some really shady stuff and I think it needs to be brought to the attention of those that are thinking about getting the certification, or those that are already certified.
    Anyone who owns a Web site has the legal right to determine what is displayed on the site and the legal responsibility for displaying it. This sometimes requires the editing/removal of public posts made in a discussion forum by members of the Web site. We occasionally need to do this here at TechExams.net for a variety of reasons. I hope you don't think the moderation of our forums is "shady stuff" too.
  • the4tress (Member, Posts: 24)
    Well I don't know what you guys have deleted, but from what I have seen on the EC|Council portal is that they delete anything that is negative towards them. I assume that you delete anything vulgar or abusive here, which is expected. But if I point out a problem with security on an infosec certifying organization's forum (which the whole thread is about the problems with the portal) and they delete it because they don't want others to know what they are doing, then I call that shady (pardon the run-on sentence).

    I personally feel that it is important others know that their information is not properly protected. I expect a higher security standard from an organization that is rated on DoD 8570 for network defense.
  • JDMurray (Admin, Posts: 13,092)
    the4tress wrote: »
    I expect a higher security standard from an organization that is rated on DoD 8570 for network defense.
    That is not what DoD 8570.01 is for. It is only a listing of certifications that meet certain educational criteria for the DoD's Information Assurance programs. Having a cert on this list is not in any way a rating of a certification vendor itself. For that you need ISO/IEC 17024, for which the EC-Council has met the qualifications. If you think that the EC-Council deleting posts from its public discussion forums is in violation of ISO/IEC 27024, you should file a complaint with the ISO.
  • SephStorm (Member, Posts: 1,731)
    Now I generally agree with 4tress's assessment of the situation; however, I would note that ECC could/should censor material they consider a threat or harmful to the site's security. I, however, would have handled the situation differently, editing the information from the post and leaving a moderation message in its place, or deleting the thread and notifying the author of the reason for the deletion.
  • the4tress (Member, Posts: 24)
    SephStorm wrote: »
    Now I generally agree with 4tress's assessment of the situation; however, I would note that ECC could/should censor material they consider a threat or harmful to the site's security. I, however, would have handled the situation differently, editing the information from the post and leaving a moderation message in its place, or deleting the thread and notifying the author of the reason for the deletion.

    This is my first time ever doing something like this, so all advice is appreciated. What should I do differently next time? I agree 100% with JDMurray saying that I should take the information to another location, like ISO, but do you think I should have posted on their forums (which was about problems with their forum) about the issue? Should I not have posted here? I decided to post here because of the large community you have who may be affected by this and not know about it.

    Again, I know I may have gone about this the wrong way, but I also feel that EC|Council should take better security measures with personal information.

    Also, as an IT certification community, are you interested in knowing that your password may be stored in clear text on a site? I personally use a different password for every site, but many users don't.

    Thanks for any advice!

    - Ryan
  • JDMurray (Admin, Posts: 13,092)
    I'm just guessing, but if the EC-Council seems to delete any post with negative content, they would delete any post you make that is a complaint. Best to PM or email the two guys that run ECC. Their info is on LinkedIn.com.

    Also, you have no control over the security used by any Web site. You therefore use any Web site at your own risk (read any site's EULA). Your plan of using a different (and strong) password on every Web site is the best safeguard you can employ short of not registering on the Web site at all. As to other users, you can try to warn and educate people about poor password management, but you can't make them do it.
  • SephStorm (Member, Posts: 1,731)
    What I would have done? I would have contacted ECC, probably Jay B on LinkedIn. Then I would have posted it in the community if a reasonable response wasn't given within a reasonable time period. The concept is similar to "Ethical Disclosure" of vulnerabilities found in products.
  • ChooseLife (Member, Posts: 941)
    I just came across this:
    EC-Council – CEH – Unethical Behavior | ethicalhack3r (make sure to check out official response from Jay Bavisi in the comments)

    It was the last straw for me; EC-Council now looks like a total joke.
  • Chivalry1 (Member, Posts: 569)
    This type of behavior from EC-Council is not surprising. Although I am a fan of the CEH 7 and the wealth of knowledge it covers, I am not impressed by the company. After receiving my CEH I attempted to log into their EC-Council portal but received an SSL certificate error due to a 1-month-old outdated certificate. Sorry, I don't supply user credentials to sites with invalid certificates. I gladly closed my browser until they decided to correct the issue.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • SephStorm (Member, Posts: 1,731)
    Honestly, I am not surprised. I am surprised the poster got so much contact with Jay. My experience with him has been somewhat the same: he talks to you, seems to take things seriously, then he pushed me off to one of his employees, who before long leaves you out to dry.
  • tpatt100 (Member, Posts: 2,991)
    I felt the same way when I was taking one of the CWNP exams for wireless. I went to research the topics and found several broken links. If you are supposed to be a vendor neutral certification program you better make sure your web presence is top notch because that is pretty much your main exposure to the public.
  • the4tress (Member, Posts: 24)
    I also found another basic vulnerability on their site. If you enter a correct username, but incorrect password it says the password for that user is incorrect. That makes it much easier to harvest usernames, and then in turn guess passwords for those users.
  • JDMurray (Admin, Posts: 13,092)
    They probably need to harden their, "I forgot my password" feature too. Implementing CAPTCHAs or progressive time-delayed responses is a cheap way to do that.
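The two hardening points raised in the last two posts (a login error that does not reveal whether the username exists, and a progressively delayed "I forgot my password" feature), as one added example that is not code from the thread or from EC-Council's portal. The user table, the email set, the `203.0.113.x` requester keys and the back-off parameters are constructed for the demo; the throttle key is whatever the deployment chooses to rate-limit on (client address, account, or both).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed work factor, kept modest for the demo
GENERIC_LOGIN_ERROR = "Invalid username or password."
NEUTRAL_RESET_MESSAGE = "If that address is registered, a reset link has been sent."


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user table: username -> (salt, digest). Never the password itself.
_SALT = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"ryan": (_SALT, _derive("example-passphrase", _SALT))}
REGISTERED_EMAILS = {"ryan@example.com"}
OUTBOX: List[Tuple[str, str]] = []  # stand-in for the mail queue: (address, subject)

# A throwaway record so unknown usernames cost the same hash work as real ones;
# otherwise response time alone would reveal which usernames exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _derive("not-a-real-password", _DUMMY_SALT)


def login(username: str, password: str) -> Tuple[bool, str]:
    """Same message, and roughly the same cost, for a bad password and an unknown user."""
    record = USERS.get(username)
    if record is None:
        hmac.compare_digest(_derive(password, _DUMMY_SALT), _DUMMY_DIGEST)  # burn equal time, ignore result
        return False, GENERIC_LOGIN_ERROR
    salt, digest = record
    if hmac.compare_digest(_derive(password, salt), digest):
        return True, "Login OK."
    return False, GENERIC_LOGIN_ERROR  # identical text to the unknown-user path


class ProgressiveDelay:
    """Per-key back-off: after n requests the next one must wait base*2^(n-1) seconds, capped."""

    def __init__(self, base: float = 1.0, cap: float = 60.0) -> None:
        self._base, self._cap = base, cap
        self._attempts: Dict[str, Tuple[int, float]] = {}  # key -> (count, last_attempt_time)

    def required_wait(self, key: str, now: float) -> float:
        count, last = self._attempts.get(key, (0, 0.0))
        if count == 0:
            return 0.0
        penalty = min(self._base * (2 ** (count - 1)), self._cap)
        return max(0.0, last + penalty - now)

    def record(self, key: str, now: float) -> None:
        count, _ = self._attempts.get(key, (0, 0.0))
        self._attempts[key] = (count + 1, now)

    def clear(self, key: str) -> None:
        self._attempts.pop(key, None)  # e.g. after a completed reset


def forgot_password(email: str, requester: str, throttle: ProgressiveDelay, now: float) -> Dict[str, object]:
    """Throttled reset request. The reply never says whether the address is registered."""
    wait = throttle.required_wait(requester, now)
    if wait > 0:
        return {"accepted": False, "retry_after": wait, "message": "Too many requests; try again later."}
    throttle.record(requester, now)
    if email in REGISTERED_EMAILS:
        OUTBOX.append((email, "Password reset link"))  # the link carries a single-use token, not the password
    return {"accepted": True, "retry_after": 0.0, "message": NEUTRAL_RESET_MESSAGE}


if __name__ == "__main__":
    print(login("ryan", "wrong"), login("nobody", "wrong"))  # same error either way
    throttle = ProgressiveDelay(base=1.0, cap=8.0)
    for t in (0.0, 0.5, 1.0):
        print(t, forgot_password("ryan@example.com", "203.0.113.5", throttle, now=t))
```

The dummy-hash path in `login` matters as much as the wording: with a single generic message but an early return for unknown users, the faster reply would still tell a client which names exist. A CAPTCHA, as the post suggests, slots in where `required_wait` is checked.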