CEH site hacked

Comments

  • Chivalry1 Member Posts: 569
    This is truly shameful for eccouncil as an Information Security organization. It's sad because I truly enjoyed doing the CEH certification and penetration course. The course and certification curriculum offers a person a lot to learn. But apparently they don't apply what's taught. I took notice of their website being a target when the portal had an SSL certificate expire. Also....I wonder how the DOD will respond with CEH being on the 8570 directive.

    Plus the hacker was able to obtain passport information and a DOD letter. This shows the attacker has multiple levels of access. The reputation as an Information Security organization will be damaged as a result of this hack. All in all I still think the CEH taught me more than MANY of the other certifications I have passed. ECCOUNCIL if you are reading this....get it together!!! To be down this long is just ridiculous.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge." Elbert Hubbard (1856 - 1915)
  • impelse Member Posts: 1,237 ■■■■□□□□□□
    It is true, but remember YOU WILL BE HACKED, the question is when and what are you doing to mitigate the risk or respond with DRP.....
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • cyberguypr Mod Posts: 6,928
    Meanwhile at the EC Council offices:

    [image]
  • wizkies Member Posts: 10 ■□□□□□□□□□
    Site still down. What a shame. Hackers vs hackers.
  • impelse Member Posts: 1,237 ■■■■□□□□□□
    cyberguypr wrote: »
    Meanwhile at the EC Council offices:

    [image]

    LOL, they do not have on-call.
  • JDMurray Admin Posts: 13,026
    Hey, has anyone alerted Brian Krebs about this? I don't see attrition.org mentioned in any of his blog articles, but stolen passport info seems to be something he'd be interested in covering.

    And why would anyone in the US gov send a photocopy of their US passport to a security training company based in Pakistan?
  • emerald_octane Member Posts: 613
    Chivalry1 wrote: »
    Also....I wonder how the DOD will respond with CEH being on the 8570 directive.

    I agree. I am not anywhere near DoD requirements but I thought the CEH would be a good bid for the future if I decided to. No longer. I'll keep CEH and CHFI up to date but I probably won't take any more eccouncil exams. This, plus my ongoing issues with the iClass...yeah...
    ISC^2, GIAC and ISACA certs for me moving forward.

    Edit: And, if it were a simple DNS redirect that were going on here, ok, I can understand that. But what's up with the passports thing? That's what makes me the most nervous and where the most harm comes from. On the left is a Gmail interface; and it looks like it might belong to someone/something of eccouncil (cehapp?).

    Doubtful, but what if there were sniffed credentials for an account in the eccouncil.org domain with some administrative power or linked to something like the password reset for the DNS server. So many questions.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    impelse wrote: »
    LOL, they do not have on-call.

    Can't tell since the site is still down, but I believe that is a requirement as part of their redonkulous 'application review' process, if you attempt the test without going through an official channel or course.

    Krebs is aware; he retweeted a comment yesterday.

    Will be interesting to see their booth at RSA... that could be awkward.

    Saw on Twitter that someone wants to either take CEH off their resume, or change it to CEHLOL.

    What effect will this have on them long-term? They have been nothing short of craptacular in dealing with this so far.
    Working on: staying alive and staying employed
  • Lostpacket Member Posts: 25 ■■■□□□□□□□
    emerald_octane wrote: »
    I agree. I am not anywhere near DoD requirements but I thought the CEH would be a good bid for the future if I decided to. No longer. I'll keep CEH and CHFI up to date but I probably won't take any more eccouncil exams. This, plus my ongoing issues with the iClass...yeah...
    ISC^2, GIAC and ISACA certs for me moving forward.

    Edit: And, if it were a simple DNS redirect that were going on here, ok, I can understand that. But what's up with the passports thing? That's what makes me the most nervous and where the most harm comes from. On the left is a Gmail interface; and it looks like it might belong to someone/something of eccouncil (cehapp?).

    Doubtful, but what if there were sniffed credentials for an account in the eccouncil.org domain with some administrative power or linked to something like the password reset for the DNS server. So many questions.

    My guess is that Eccouncil uses Google Apps for their email (which is in my opinion an excellent choice) and that the info @ account was compromised because there would likely be thousands of similar emails (with passport images) from other .mil guys there too.

    If I'm right, somebody should have had their 2 step verification enabled...
  • emerald_octane Member Posts: 613
    Lostpacket wrote: »
    My guess is that Eccouncil uses Google Apps for their email (which is in my opinion an excellent choice) and that the info @ account was compromised because there would likely be thousands of similar emails (with passport images) from other .mil guys there too.

    Yep. Considering passport numbers and all that good stuff are PII, they will probably have to start gearing up the breach notify letters as well.
  • wes allen Member Posts: 540 ■■■■■□□□□□
    5:30AM, still redirected.

    Don't think they would fall under US/EU breach notification laws, so don't know if they will feel the need for sending letters?

    If the attacker gained control of the Gmail account that was used for the DNS registrar, they could have transferred ownership, rather than just a simple change of nameserver or www info, which, if so, might take awhile to straighten out, esp if it is a small registrar. From the screenshots posted, it looks like the attacker does have access to that account, so you would have to assume they have access to anything sent to that account as well.
  • Master Of Puppets Member Posts: 1,210
    My opinion of EC-Council was not that high but I was still thinking of getting the CEH at some point. Now, I'm not so sure. This truly is worth a chuckle :D
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    wes allen wrote: »
    5:30AM, still redirected.

    Don't think they would fall under US/EU breach notification laws, so don't know if they will feel the need for sending letters?

    I would think they would since they just announced TODAY they have received 501c3 status as a nonprofit org. http://www.prweb.com/releases/certifiedethicalhacker/computernetworkdefense/prweb11588227.htm Priorities, right? ;)

    Edit: this may just be for the 'eccouncil foundation', looking for more info to confirm. I first saw this on Twitter this morning.
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I think I am most disappointed by the poor/lack of response.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    From University tuition fee for the year 2013 | EC-Council University - if you are wanting to go through the Master of Security Science program, AV software is recommended but not required. mind.blown
  • BGraves Member Posts: 339
    As a current WGU student working on the CEH class/exam....this is slightly frustrating! Not being able to access the iclass/ilabs is a bit sad...
    Concur about lack of response...
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    You can't get into ilabs through WGU? Wow. Brought down harder than I thought if their online stuff is toast as well.
  • emerald_octane Member Posts: 613
    iLabs are toast. I have my CHFI exam today and planned on labbing EnCase over the weekend. Guess not.
  • bigdogz Member Posts: 881 ■■■■■■■■□□
    This is just a disgrace. It is still down as of 11:40 am Eastern time.
  • 5ekurity Member Posts: 346 ■■■□□□□□□□
    Maybe they need SEC504? But seriously, an IR plan for this type of organization should include some type of PR response or acknowledgement that something is happening. Nothing is 100% secure but they can save a lot of face by having the appropriate response measures in place and essentially practicing what they preach.
  • emerald_octane Member Posts: 613
    For MSISA students I let the course mentor know that the site is out of commission (if she doesn't already). If they continue offering the course I hope they allow future students to get the hard copy of the iClass course material rather than the stream only option. That or offer the GIAC GCIH exams instead.
  • phoeneous Member Posts: 2,333 ■■■■■■■□□□
    I wonder if his dad is going to ground him lolz.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    From Twitter: does (should) WGU consider this a breach of student information? I don't know... I don't know how the info is passed to eccouncil prior to taking the exam. Any thoughts?
  • 5ekurity Member Posts: 346 ■■■□□□□□□□
    I don't think you can tell at this point. It would depend on the type of data transmitted to EC-Council, how and where the data is stored, and evidence that the data was accessed or otherwise tampered with. EC-Council remaining quiet is probably the worst thing they can be doing right now.
  • BGraves Member Posts: 339
    As a current student, I'm not 100% sure what information WGU gives ECCouncil. I guess it's probably time to get in touch with the course mentor...
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    When the smoke clears, it would still probably be appropriate for WGU to notify students that the info EC-Council has may be compromised, and suggest steps to take.
  • BGraves Member Posts: 339
    From the course mentor:

    "Just got an email that included the following statement

    NO STUDENT INFO WAS STOLEN - the hacker just redirected the EC-Council site; the servers were never penetrated"
  • emerald_octane Member Posts: 613
    hmmmmmmm then I wonder if the Gmail interface, Snowden passport were just a ruse?
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    I think I would call BS on that... clearly unauthorized access occurred ON TOP of the web defacement. The passport and Snowden's recommendation letter prove that. Would you mind posting the entire content of the email (redacted)?