CEH site hacked
Comments
-
colemic Member Posts: 1,569
If what was compromised was a Gmail account and DNS information controlled by a DNS registrar, then "their servers" were not touched. However, it is possible that information ECC controlled on other organizations' servers was improperly secured by ECC itself. This is the issue that hasn't been publicly addressed yet. ECC may still be thinking "who owns the physical boxes" rather than "who controls what information in the virtual cloud."
Working on: staying alive and staying employed
-
emerald_octane Member Posts: 613
I cannot.
believe.
i'm even.
typing this.
But did the registrars goof AGAIN? I was able to access the site an hour ago, now a new message is up.
-
Asif Dasl Member Posts: 2,116
The site is still working over here... DNS propagation again?
-
colemic Member Posts: 1,569
That's funny right there... site is up for me though
Working on: staying alive and staying employed
-
colemic Member Posts: 1,569
ROFL... up for me in multiple browsers on my laptop; the iPad on a different wireless network shows the cute note. Try IE in an InPrivate session and see if it comes up... this is going to be epic by the time the guy leaves them alone...
Working on: staying alive and staying employed
-
JDMurray Admin Posts: 13,099
ECC seems to be working fine now. And yes, their new IP addresses are at CloudFlare.
-
colemic Member Posts: 1,569
Hm. Cloudflare has a rep for being a receptive host to DDoSers. Kind of ironic.
Working on: staying alive and staying employed
-
sojourn Member Posts: 61
22:32 GMT and it's down again.
http://www.eccouncil.org
CEH TEST
1) Did EC Council just get owned again?
a) Absolutely
b) Yes
c) Definitely
d) No
2) Is EC Council staff incompetent?
a) Absolutely
b) Yes
c) Definitely
d) No
3) Was personal data compromised in the hack?
a) Absolutely
b) Yes
c) Definitely
d) No
-
Chivalry1 Member Posts: 569
Although they are communicating this incident as a simple URL redirect, what about the sensitive data that was contained in the Google Apps email? Exactly how much personal data was contained within Google Apps that the hacker had complete access to? If DoD sensitive information was there within the Google Apps email, I can only imagine information about us regular people. ECCouncil is trying to downplay this event... but I am not buying it.
Yes and the site is still down!!
"The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915) -
bryguy Member Posts: 190
Doesn't look good...
>whois eccouncil.org
Domain Name:ECCOUNCIL.ORG
Domain ID: D81180127-LROR
Creation Date: 2001-12-14T10:13:06Z
Updated Date: 2014-02-25T22:10:08Z
Registry Expiry Date: 2020-12-14T10:13:06Z
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
Sponsoring Registrar IANA ID: 460
WHOIS Server:
Referral URL:
Domain Status: clientDeleteProhibited
Domain Status: clientHold
Domain Status: clientUpdateProhibited
Registrant ID:WN18134984T
Registrant Name:domain has
Registrant Organization:this
Registrant Street: been
Registrant City Owned
Registrant State/Province:NM
Registrant Postal Code:423443
Registrant Country:MY
Registrant Phone:+603.78800000
Registrant Phone Ext:
Registrant Fax: +603.78800000
Registrant Fax Ext:
Registrant Email Owned@mail.kp
Admin ID:WN18134985T
... -
Asif Dasl Member Posts: 2,116
I figured it had to be the registrar that's causing this - maybe I'm wrong. But this link says the domain is "On hold (generic)"...
Eccouncil.org WHOIS, DNS, & Domain Info - DomainTools
Whois Search | Your Public Interest Registry
Edit - remember that guy that lost his twitter handle @N... maybe it's something similar to that? Copycat? -
YFZblu Member Posts: 1,462
> Although they are communicating this incident as a simple URL redirect
DNS hijacking != URL redirect. There was no 'redirect' taking place. A standard DNS query received a standard DNS response; it just happened to be a response provided by a bad guy.
> what about the sensitive data that was contained in the Google Apps email?
It's easy - assume your personal information was stolen. Don't wait to find out that it was or wasn't.
> ECCouncil is trying to downplay this event... but I am not buying it.
Their initial response to the public was horrible, I agree with you - the fact that they were targeted is/was very public and they didn't need to wait more than a couple of hours to put out a canned response.
> Yes and the site is still down!!
From my perspective the DNS resolution now points to the correct provider, The New York Internet Company; but I receive an HTTP 404 response.
Dealing with the nitty gritty of the incident and working with multiple service providers / law enforcement will have its own version of red tape. ESPECIALLY since the rumor of leaked government information is in the cards. For all we know the feds walked into the data center with a warrant and stripped The New York Internet Company of the infrastructure which was hosting eccouncil's stuff.
Do I think they did a "good" job responding to the incident from a public perspective? No. Will a potential breach involving federal employee information take more than two days to handle? Yes. -
JDMurray Admin Posts: 13,099
> Hm. Cloudflare has a rep for being a receptive host to DDoSers. Kind of ironic.
> DNS hijacking != URL redirect. There was no 'redirect' taking place. A standard DNS query received a standard DNS response; it just happened to be a response provided by a bad guy.
-
YFZblu Member Posts: 1,462
I always associated DNS cache poisoning with an attacker manipulating vulnerabilities in the DNS protocol itself (race conditions, for example) to record a bad entry. But I get your basic premise, and I'm not opposed to considering a better term for it.
Primarily I want to impress upon people the importance of the differences between a redirect, a server defacement, and what happened here with DNS. -
wes allen Member Posts: 540
Perhaps "domain hijacking" is the correct term for what this attack seems to be? That is the one I have heard in reference to taking control of domain info at the registrar level.
-
cyberguypr Mod Posts: 6,928
Good point. The interwebs keep using the term "defacement" for the EC Council issue when it's clear this is not what's going on. And that's techies/infosec aficionados. I can't even imagine what the mainstream media would call it. Most likely a "DNS hacking worm virus" or some other ridiculous sensationalist term.
Normally you see these used interchangeably:
- DNS hijacking/redirection
- DNS spoofing/poisoning/MiTM
The easy way to differentiate DNS hijacking vs. poisoning is that for hijacking you have a "good" response to the client's DNS query, meaning you get a legitimate authoritative answer coming from the appropriate server. This gets quickly confusing because after a successful DNS hijacking operation the attacker basically redirects the name to whichever IP he chooses. On the other hand, with cache poisoning you are getting a fake response the attacker injected, from a machine he controls, when there is still a real authoritative answer somewhere upstream (that the client obviously can't get to).
OK, maybe that wasn't that easy.
Anyway, gotta go study for my CEH now -
varelg Banned Posts: 790
The site is nowhere to be found. Torpedoed. Wow... re-sharing this news with both my IT and non-IT friends, simply because it is HILARIOUS!
-
cyberguypr Mod Posts: 6,928
Great summary of the ordeal: https://s.arciszewski.me/blog/2014/02/ec-council-incident-response
> Lying: Always a Bad Strategy
> Here's the kicker. EC Council claims that EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained. Yet they remain oddly silent on the claim that the hacker has thousands of .gov and .mil passports, or the screenshot snippet which contained the email from Edward Snowden.
> Let's return to r000t's claim that the person who hacked EC Council was Zeekill from HTP. If he's correct, this is the same person who allegedly managed to hide a persistent rootkit on PandaSecurity even after r000t told them about it. If he had access to your servers, unless you were watching the TCP streams as the incident was going on (unlikely, given the slow response time to this security incident), you probably wouldn't see any evidence of it. Criminal or not, this person clearly knows their ****.
> So in other words... EC Council: Don't piss on your customers' legs and tell them it's raining.
> EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained? Does your Security Team consist of morons who were duped into paying for your worthless certifications? I'm guessing the answer to that question is, "Yes." -
5ekurity Member Posts: 346
I just want to point out that currently, you can claim their domain name for $11.59 a year... any takers?
-
Qord Member Posts: 632
Oh man, this just keeps getting better! The word debacle seems most fitting.
-
Asif Dasl Member Posts: 2,116
Wow, it's Wednesday and the site is still down! Sorry but I have to laugh even if they have a copy of my passport!
I can just hear them in the ECCouncil offices saying - "They did it again!" -
colemic Member Posts: 1,569
This is just beyond comprehension at this point.
Working on: staying alive and staying employed
-
bryguy Member Posts: 190
$ whois eccouncil.org
Domain Name:ECCOUNCIL.ORG
Domain ID: D81180127-LROR
Creation Date: 2001-12-14T10:13:06Z
Updated Date: 2014-02-26T14:17:49Z
Registry Expiry Date: 2020-12-14T10:13:06Z
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
Sponsoring Registrar IANA ID: 460
WHOIS Server:
Referral URL:
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Registrant ID:WN18134984T
Registrant Name:Technical Support
Registrant Organization:EC-Council
Registrant Street: 6330 Riverside Plaza Ln NW
Registrant City:Albuquerque
Registrant State/Province:NM
Registrant Postal Code:87120
Looks like they got their domain back. -
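Added example (my own code, not EC-Council's or anything posted in the thread): a small Python check that parses whois output like the two dumps bryguy posted and compares a current record against a trusted baseline, flagging changed registrant fields, hold statuses such as the clientHold seen during the hijack, and missing registrar locks. This is the kind of registrar-level monitoring that surfaces the "domain hijacking" wes allen and cyberguypr distinguish from cache poisoning; the snapshots are abbreviated from the thread's dumps, and the watched fields and status lists are my choices.

```python
# Added example, not EC-Council's or the forum's code: whois snapshots abbreviated
# from the two dumps in the thread (hijacked record, then the restored one).
WHOIS_HIJACKED = """\
Domain Name:ECCOUNCIL.ORG
Updated Date: 2014-02-25T22:10:08Z
Domain Status: clientDeleteProhibited
Domain Status: clientHold
Domain Status: clientUpdateProhibited
Registrant Name:domain has
Registrant Organization:this
Registrant Postal Code:423443
"""
WHOIS_RESTORED = """\
Domain Name:ECCOUNCIL.ORG
Updated Date: 2014-02-26T14:17:49Z
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Registrant Name:Technical Support
Registrant Organization:EC-Council
Registrant Postal Code:87120
"""
# Fields and EPP status codes worth alerting on (my choice, not a standard list).
WATCHED = ("Registrant Name", "Registrant Organization", "Registrant Postal Code")
HOLD_STATUSES = {"clientHold", "serverHold", "pendingTransfer", "pendingDelete"}
EXPECTED_LOCKS = ("clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited")

def parse_whois(text):
    """Turn 'Key:Value' lines into a dict; the repeatable Domain Status key becomes a list."""
    record = {"Domain Status": []}
    for line in text.splitlines():
        if ":" not in line:
            continue  # tolerate mangled lines that lack a separator
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Domain Status":
            record[key].append(value)
        else:
            record[key] = value
    return record

def check_domain(baseline, current):
    """Return alert strings; an empty list means the record still matches the baseline."""
    alerts = []
    for key in WATCHED:
        if baseline.get(key) != current.get(key):
            alerts.append(f"{key} changed: {baseline.get(key)!r} -> {current.get(key)!r}")
    statuses = set(current["Domain Status"])
    alerts += [f"hold status present: {s}" for s in sorted(statuses & HOLD_STATUSES)]
    alerts += [f"registrar lock missing: {lock}" for lock in EXPECTED_LOCKS if lock not in statuses]
    return alerts
```

Running check_domain(parse_whois(WHOIS_RESTORED), parse_whois(WHOIS_HIJACKED)) yields five alerts (three registrant changes, clientHold, and the absent transfer lock); checked against itself, the restored record still reports that clientTransferProhibited is missing, which is a finding in its own right.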
colemic Member Posts: 1,569
Still isn't up for me... makes me wonder if their servers actually did get compromised.
Working on: staying alive and staying employed