CEH site hacked
Comments
-
BGraves Member Posts: 339That is the entire content of the reply I received. I don't know who provided that information to the course mentor though.
-
bryguy Member Posts: 190emerald_octane wrote: »For MSISA students I let the course mentor know that the site is out of commission (if she doesn't already). If they continue offering the course I hope they allow future students to get the hard copy of the iClass course material rather than the stream only option. That or offer the GIAC GCIH exams instead.
I was debating on posting on the MSISA community board, but figured by the time I posted it, it would probably be back up and running. Sadly, it appears to be still down. Did you use the book material at all for your studies? My course mentor said that book pertained to CHIHV7 material, and to focus more on the video content. -
emerald_octane Member Posts: 613I didn't look at the book material because I try not to use materials for exams updated after the pub date; in this case 2010 . For CHFI the iClass videos are more than sufficient. The instructor talks way too long in them to talk about personal experience, but the slides will give you enough information. If you take CEH then CHFI then you should be able to tackle the exam after a brief review of the material.
-
cyberguypr Mod Posts: 6,928 ModAt least we now know someone from EC Council is checking Twitter:CyberGuyPR,
You have a new follower on Twitter.
Amber Williams
@AmberWECC
I am the Manager of Strategic Initiatives at EC-Council and am interested in all things information security!
Albuquerque, NM · http://www.eccouncil.org/ciso -
colemic Member Posts: 1,569 ■■■■■■■□□□She followed me as well but hasn't posted anything... @mcole1008Working on: staying alive and staying employed
-
Chivalry1 Member Posts: 569I think I would call BS on that... clearly unauthorized access occurred ON TOP of the web defacement. The passport and Snowden's recommendation letter prove that. Would you mind posting the entire content of the email (redacted)?
I agree....definitely BS. They have not made the first announcement concerning the hack. At one point I considered the Ec-council incident handler certification. But after their reaction or non-reaction to this incident there is no way I would even consider any more of there certification tracks; only SANS. I think the attacker pointed out that it was more than a URL redirect...considering he posted internal sensitive information (IE the Passport & DOD Letter). And not just any piece of sensitive information but the infamous Eric Snowdens. WOW....just admit it Ec-Council you have been completed r00ted!! The attacker has multiple levels of access. And with saying all of that...the website is still down!!!"The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
Lostpacket Member Posts: 25 ■■■□□□□□□□The original web content is still there and intact. It's a DNS hijack.
If you want to see proof, edit your hosts file and add the entry to 66.111.3.186 www.eccouncil.org
Add 64.147.99.90 iclass.eccouncil.org to get into your iclass stuff and 64.147.99.91 ilabs.eccouncil.org to get to your labs.
What most likely happened is their info @ account was compromised allowing access to all password resets for registrar login to make DNS changs as well as access to all of the passports of military people like Snowden who had submitted their identification to request authorization to sit for the exam.
A cached copy of webmail.eccouncil.org proves they use Google Apps which explains the screenshot. -
YFZblu Member Posts: 1,462 ■■■■■■■■□□I think I would call BS on that... clearly unauthorized access occurred ON TOP of the web defacement. The passport and Snowden's recommendation letter prove that. Would you mind posting the entire content of the email (redacted)?
It isn't a defacement - The 'real' eccouncil.org is hosted with the New York Internet Company. The attacker simply changed the DNS record to point to an Ecatel server. Thus far we have no evidence the attacker modified the web content on eccouncil's web server.
Now I agree completely this attack could have leaked sensitive information - But this isn't a defacement.
Additionally I'm kind of puzzled at the sudden turn from C|EH to GIAC certification because of this Incident. The world-class incident handler Instructors and unrivaled content SANS boasts weren't enough on their own? The two weren't even close to begin with. Cost is always a factor, but nobody has mentioned that in this thread. -
JDMurray Admin Posts: 13,091 AdminCost is always a factor, but nobody has mentioned that in this thread.
-
cyberguypr Mod Posts: 6,928 ModIn the grand scheme of things this incident is nothing. My beef is how they handled, or should I say, mishandled, the whole thing. To this date there has been zero statement from them.
-
Chivalry1 Member Posts: 569cyberguypr wrote: »In the grand scheme of things this incident is nothing. My beef is how they handled, or should I say, mishandled, the whole thing. To this date there has been zero statement from them.
I agree with this statement because we as IT security professionals know that certain procedures & protocols have not been followed by regarding handling of this incident by EC-Council. Regardless of the mode of attack utilized by the hacker, EC-Council has an "ethical" responsibility of informing the public. After the last website attack EC-Council launched a marketing CEH campaign to put them back on track. But I think this one will cause long-term reputation damage and will affect revenue. And I am talking from a personal standpoint as a "certification" customer; I am not alone in my opinion."The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
colemic Member Posts: 1,569 ■■■■■■■□□□If this was just a simple redirect, shouldn't they have fixed it by now? We're going on three days... I don't know what the longest defacement on record is but we are well past the average recovery time.Working on: staying alive and staying employed
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□We know it's a DNS hijack and not a defacement because, as I said before, eccouncil.org is legitimately hosted with The New York Internet Company, and now the DNS record points to a hosting provider well-known to be cybercrime friendly. It's right there in black and white.
-
colemic Member Posts: 1,569 ■■■■■■■□□□While I get that, I just don't see why this is taking so long to fix.Working on: staying alive and staying employed
-
impelse Member Posts: 1,237 ■■■■□□□□□□LOL, Hacking+ I love thatStop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
It is your personal IPS to stop the attack. -
xenodamus Member Posts: 758From their Facebook page:
RE: February 22nd, 2014 Security Breach on EC-Council
On February 22nd, 2014 at approximately 8PM EST, the domainwww.eccouncil.org was redirected to an ISP in Finland. Immediately EC Council's Internal Security Response team initiated a comprehensive investigation.
EC-Council’s Security Team has confirmed no access to any EC-Council Servers was obtained, the domain redirection was done at the DNS Registrar and traffic was re-routed from Authentic EC-Council Servers to a Host in Finland known for hosting other illegal websites. EC-Council immediately began exercises in security precaution to fortify against any further attempts. EC-Council immediately opened cases with the United States FBI as well as international Law Enforcement to apprehend this individual and launched a full analysis of third party vendors where the security breach was allowed.
The affected records reside with a Third-Party, ICANN certified DNS Registrar and though EC-Council has terminated service there and moved, DNS propagation will take some time. During the DNS propagation period, eccouncil.org will be unavailable to the public. While EC-Council Servers remained untouched and running, the third-party DNS registrar remained affected through the day on Sunday February 23rd and into the morning Monday February 24th. EC-Council in Cooperation with domestic and foreign Law Enforcement as well as Judicial Systems will continue to investigate the incident.
EC-Council will release additional information through its official Facebook page as well as LinkedIn as details come available.CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V -
JDMurray Admin Posts: 13,091 AdminDNS history shows the original address of www.eccouncil.org to be 66.111.3.186. Hitting that IP with HTTP gives a 404 error. Hitting it with HTTPS redirects back to the bogus www.eccouncil.org site. So I do believe the ECC's servers are offline, probably due to the incident response that is being perform now by--and I'm purely guessing at this--the FBI.
-
JDMurray Admin Posts: 13,091 AdminOn the plus side, www.certifiedhacker.com and juggyboy.com come are still up. At least ECC students still have something to practice aiming their hacking tools at.
-
SephStorm Member Posts: 1,731 ■■■■■■■□□□the big story i didnt see on the first page of this thread, Snowden's unencrypted password, and the credentials of numerous individuals were stored somewhere unencrypted, and unprotected (personally I'll be proposing those ID's be removed after validation/verification, theres no reason to keep them.), this is after it was revealed years ago that EC-Council was storing user credentials for the member forum in clear text (That members original post was deleted...) anyway years later I was able to retrieve my password again in cleartext. I wonder if this will force any changes? Knowing ECC, probably not.
-
davedk Registered Users Posts: 1 ■□□□□□□□□□It's finally back online, after 3 day and I am not impressed at all!!!!!
-
colemic Member Posts: 1,569 ■■■■■■■□□□@Sephstorm, where would Snowden's password be compromised? The way it used to work (I sent in the letter in 2010 to be verified to sit for the test, you just had to email them a picture ID and the letter... it just shows that they are just archiving everything in gmail, instead of deleting that sensitive information.I also found this on their site, and find I to be a bit comical: CEH VS SANS and absolutely untrue as well.Working on: staying alive and staying employed
-
LeifAlire Member Posts: 106http://toolbar.netcraft.com/site_report?url=http://www.eccouncil.org&refresh=1#history_table
Netcraft Link to E-Council site showing DNS history2015 Goals: VCP-550 - CISA - 70-417 -
colemic Member Posts: 1,569 ■■■■■■■□□□academia.eccouncil.org isn't back up yet, so still waiting...Working on: staying alive and staying employed
-
Khaos1911 Member Posts: 366"[h=5]Update: 2/25/14 07:00
[/h]
DNS Propagation is still in process around the world however major DNS providers have updated to the new data. With respect to our release yesterday, our Internal Response team has been closely monitoring our third party vendors.
EC-Council has launched an international cooperative effort with law enforcement entities based on information uncovered during our analysis of this incident. Our cooperation with Law Enforcement is two-fold. First is to establish subpoena’s on third party vendors where computer crimes took place, second is for justice.
We would like to thank the many Information Security professionals who openly keep the community informed, DNS Hijacking is illegal. We will work with the authorities to ensure to the best of our ability the individual(s) responsible are held accountable.
This is a clear example of what we have always taught; No one can ever be completely secure. Although EC-Council servers remained untouched, a vulnerability in our third party DNS vendor led to this DNS Hijacking incident, rendering our main website unavailable for a short period of time.
While this investigation is ongoing and subpoenas will take time, we are dedicated to keep our customers and partners apprised of all progress." -
emerald_octane Member Posts: 613This is annoying. They keep saying "our servers were untouched". Ok, whatever. Please explain the Gmail interface and passport that was shown. They're cutely avoiding the issue and it looks bad on them.
-
JDMurray Admin Posts: 13,091 AdminIf what was compromised was a Gmail account and DNS information controlled by a DNS registrar, then "their servers" were not touched. However, it is possible that information ECC controlled in other origanization's servers was improperly secured by ECC itself. This is the issue that hasn't been publicly addressed yet. ECC may be still thinking "who owns physical boxes" rather than "who controls what information in the virtual cloud."