CEH site hacked

Comments

  • colemic Member Posts: 1,569 ■■■■■■■□□□
    @emerald Agree 100%. And still no indication that they will do any kind of breach notification.
    Working on: staying alive and staying employed
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    JDMurray wrote: »
    If what was compromised was a Gmail account and DNS information controlled by a DNS registrar, then "their servers" were not touched. However, it is possible that information ECC controlled in other organization's servers was improperly secured by ECC itself. This is the issue that hasn't been publicly addressed yet. ECC may be still thinking "who owns physical boxes" rather than "who controls what information in the virtual cloud."
    Agree, and if that is the case they are being very facetious, and I still don't see how they think they can skirt around breach notification requirements.
    Working on: staying alive and staying employed
  • emerald_octane Member Posts: 613
    I cannot.
    believe.
    i'm even.
    typing this.

    But did the registrars goof AGAIN? I was able to access the site an hour ago, now a new message is up.

  • Iristheangel Mod Posts: 4,133
    OUCH. Now that's embarrassing.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • cyberguypr Mod Posts: 6,928
    That is the Ecatel server. Maybe DNS hasn't propagated?
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    that's funny right there... site is up for me though
    Working on: staying alive and staying employed
  • Iristheangel Mod Posts: 4,133
    I was able to get to the site earlier but now I can't.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    ROFL... up for me in multiple browsers on my laptop, iPad on a different wireless network shows the cute note - try IE in an InPrivate session and see if it comes up... this is going to be epic by the time the guy leaves them alone...
    Working on: staying alive and staying employed
  • 5ekurity Member Posts: 346 ■■■□□□□□□□
    It appears they have moved to CloudFlare
  • JDMurray Admin Posts: 13,099
    ECC seems to be working fine now. And yes, their new IP addresses are at CloudFlare.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Hm. Cloudflare has a rep for being a receptive host to DDoSrs. Kind of ironic.
    Working on: staying alive and staying employed
  • sojourn Member Posts: 61 ■■□□□□□□□□
    22:32 GMT and it's down again.

    http://www.eccouncil.org

    CEH TEST
    1) Did EC-Council just get owned again?
    a) Absolutely  b) Yes  c) Definitely  d) No
    2) Is EC-Council staff incompetent?
    a) Absolutely  b) Yes  c) Definitely  d) No
    3) Was personal data compromised in the hack?
    a) Absolutely  b) Yes  c) Definitely  d) No
    
  • Chivalry1 Member Posts: 569
    Although they are communicating this incident as simply a URL redirect, what about the sensitive data that was contained in the Google Apps email? Exactly how much personal data was contained within Google Apps that the hacker had complete access to? If DOD sensitive information was there within the Google Apps email, I can only imagine information about us regular people. ECCouncil is trying to downplay this event...but I am not buying it.

    Yes and the site is still down!!
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • bryguy Member Posts: 190
    Doesn't look good...

    >whois eccouncil.org
    Domain Name:ECCOUNCIL.ORG
    Domain ID: D81180127-LROR
    Creation Date: 2001-12-14T10:13:06Z
    Updated Date: 2014-02-25T22:10:08Z
    Registry Expiry Date: 2020-12-14T10:13:06Z
    Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
    Sponsoring Registrar IANA ID: 460
    WHOIS Server:
    Referral URL:
    Domain Status: clientDeleteProhibited
    Domain Status: clientHold
    Domain Status: clientUpdateProhibited
    Registrant ID:WN18134984T
    Registrant Name:domain has
    Registrant Organization:this
    Registrant Street: been
    Registrant City Owned
    Registrant State/Province:NM
    Registrant Postal Code:423443
    Registrant Country:MY
    Registrant Phone:+603.78800000
    Registrant Phone Ext:
    Registrant Fax: +603.78800000
    Registrant Fax Ext:
    Registrant Email Owned@mail.kp
    Admin ID:WN18134985T
    ...
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Chivalry1 wrote: »
    Although they are communicating this incident as simply a URL redirect

    DNS hijacking != url redirect. There was no 'redirect' taking place. Standard DNS query received a standard DNS response; it just happened to be a response provided by a bad guy.
    what about the sensitive data that was contained in the Google Apps email?

    It's easy - Assume your personal information was stolen. Don't wait to find out that it was or wasn't.
    ECCouncil is trying to downplay this event...but I am not buying it.

    Their initial response to the public was horrible, I agree with you - The fact that they were targeted is/was very public and they didn't need to wait more than a couple of hours to put out a canned response.
    Yes and the site is still down!!

    From my perspective the DNS resolution now points to the correct provider, The New York Internet Company; but I receive an HTTP 404 response.

    Dealing with the nitty gritty of the Incident and working with multiple service providers / law enforcement will have its own version of red tape. ESPECIALLY since the rumor of leaked government information is in the cards. For all we know the feds walked into the data center with a warrant, and stripped The New York Internet Company of infrastructure which was hosting eccouncil's stuff.

    Do I think they did a "good" job responding to the Incident from a public perspective? No. Will a potential breach involving federal employee information take more than two days to handle? Yes.
  • JDMurray Admin Posts: 13,099
    colemic wrote: »
    Hm. Cloudflare has a rep for being a receptive host to DDoSrs. Kind of ironic.
    Also true of GoDaddy, Rackspace, Comcast, Microsoft, Amazon EC2...
    YFZblu wrote: »
    DNS hijacking != url redirect. There was no 'redirect' taking place. Standard DNS query received a standard DNS response; it just happened to be a response provided by a bad guy.
    Isn't it called "DNS Poisoning" when a DNS database has been corrupted with bogus information? I would guess "DNS Hijacking" to be the poisoning of DNS response messages in-transit, possibly by an MitM, or by flooding with spoofed, bogus request messages in with the genuine responses.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    I always associated DNS cache poisoning with an attacker manipulating vulnerabilities in the DNS protocol itself (race conditions, for example) to record a bad entry. But I get your basic premise, and I'm not opposed to considering a better term for it.

    Primarily I want to impress upon people the importance in the differences between redirect, server defacement, and what happened here with DNS.
  • wes allen Member Posts: 540 ■■■■■□□□□□
    Perhaps "Domain hijacking" is the correct term for what this attack seems to be? That is the one I have heard in reference to taking control of domain info at a registrar level.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    @JD only mentioned it because krebs did a few days ago. :)
    Working on: staying alive and staying employed
  • cyberguypr Mod Posts: 6,928
    Good point. The interwebs keep using the term "defacement" for the EC Council issue when it's clear this is not what's going on. And that's techies/infosec aficionados. I can't even imagine what the mainstream media would call it. Most likely a "DNS hacking worm virus" or some other ridiculous sensationalist term.


    Normally you see these used interchangeably:
    - DNS hijacking/redirection
    - DNS spoofing/poisoning/MiTM

    The easy way to differentiate DNS hijacking vs. poisoning is that for hijacking you have a "good" response to the client's DNS query, meaning you get a legitimate authoritative answer coming from the appropriate server. This gets quickly confusing because after a successful DNS hijacking operation the attacker basically redirects the name to whichever IP he chooses. On the other hand, with cache poisoning you are getting a fake response the attacker injected, from a machine he controls, when there is still a real authoritative answer somewhere upstream (that the client obviously can't get to).

    OK, maybe that wasn't that easy.

    Anyway, gotta go study for my CEH now
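The distinction drawn in the post above (a hijacked zone hands back a "good" authoritative answer that just happens to point where the attacker wants; cache poisoning hands back a forged answer while the real authoritative answer still exists upstream) can be checked rather than argued: ask the authoritative server directly with recursion disabled, ask the recursive resolver, and compare both against what the operator expects. The script below is an added example, not code from this thread or from EC-Council. The hostname, the 203.0.113.x / 198.51.100.x addresses and the nameserver labels are placeholders, and the delegated NS list handed to classify() is assumed to come from a separate NS lookup at the parent zone (or from whois); only A records are parsed here.

```python
"""Direct DNS query helper: separate resolver-cache poisoning from a hijacked
zone or hijacked delegation. Added example; addresses are placeholders."""
import random
import socket
import struct


def build_query(name, qid, recursion_desired):
    """Minimal DNS wire-format query for <name> A IN.
    Send RD=0 to an authoritative server: we want what it serves itself,
    not anything it might fetch on our behalf."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_answers(msg):
    """Parse a DNS response; return (authoritative_flag, [IPv4 strings])."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    authoritative = bool(flags & 0x0400)            # AA bit
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4         # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            ips.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlength
    return authoritative, ips


def query_server(server_ip, name, recursion_desired, timeout=3.0):
    """One UDP query to a specific server (live; needs network).
    A random transaction ID is checked on the way back, the same field a
    cache-poisoning attacker has to guess."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid, recursion_desired), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch, discarding response")
    return parse_a_answers(data)


def classify(expected_ip, expected_ns, delegated_ns, resolver_ips, authoritative_ips):
    """Apply the thread's distinction:
    - NS delegation changed at the registry         -> domain hijack (registrar level)
    - authoritative server itself serves a bad IP   -> DNS/zone hijack
    - only the resolver's cached answer is wrong    -> cache poisoning / spoofing"""
    if set(delegated_ns) != set(expected_ns):
        return "domain hijack: NS delegation changed at the registry"
    if expected_ip not in authoritative_ips:
        return "dns hijack: authoritative server answers with an unexpected address"
    if set(resolver_ips) - set(authoritative_ips):
        return "cache poisoning: resolver answer differs from authoritative answer"
    return "consistent"


if __name__ == "__main__":
    # Offline demonstration with a constructed response (AA set, one A record).
    demo = (b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00"
            b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a")
    aa, ips = parse_a_answers(demo)
    print("authoritative:", aa, "answers:", ips)
    print(classify("203.0.113.10", ["ns1.example.com"], ["ns1.example.com"], ips, ips))
```

For a live check, call query_server() twice: once against the recursive resolver with recursion_desired=True and once against one of the delegated nameservers with recursion_desired=False, and feed both answer lists to classify(). One caveat that matters for a site fronted by a CDN such as CloudFlare: the "expected" address is then a set of provider ranges rather than a single IP, so compare against that set or the result will be a false "dns hijack".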
  • varelg Banned Posts: 790
    the site is nowhere to be found. Torpedoed. Wow... re-sharing this news with both my IT and non-IT friends, simply because it is HILARIOUS!
  • cyberguypr Mod Posts: 6,928
    Great summary of the ordeal: https://s.arciszewski.me/blog/2014/02/ec-council-incident-response
    Lying: Always a Bad Strategy
    Here's the kicker. EC Council claims that EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained. Yet they remain oddly silent on the claim that the hacker has thousands of .gov and .mil passports, or the screenshot snippet which contained the email from Edward Snowden.

    Let's return to r000t's claim that the person who hacked EC Council was Zeekill from HTP. If he's correct, this is the same person who allegedly managed to hide a persistent rootkit on PandaSecurity even after r000t told them about it. If he had access to your servers, unless you were watching the TCP streams as the incident was going on (unlikely, given the slow response time to this security incident), you probably wouldn't see any evidence of it. Criminal or not, this person clearly knows their ****.

    So in other words... EC Council: Don't piss on your customers' legs and tell them it's raining.

    EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained? Does your Security Team consist of morons who were duped into paying for your worthless certifications? I'm guessing the answer to that question is, "Yes."
  • 5ekurity Member Posts: 346 ■■■□□□□□□□
    I just want to point out that currently, you can claim their domain name for $11.59 a year...any takers?
  • Qord Member Posts: 632 ■■■■□□□□□□
    Oh man, this just keeps getting better! The word debacle seems most fitting.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    this is just beyond comprehension at this point.
    Working on: staying alive and staying employed
  • bryguy Member Posts: 190
    $ whois eccouncil.org
    Domain Name:ECCOUNCIL.ORG
    Domain ID: D81180127-LROR
    Creation Date: 2001-12-14T10:13:06Z
    Updated Date: 2014-02-26T14:17:49Z
    Registry Expiry Date: 2020-12-14T10:13:06Z
    Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
    Sponsoring Registrar IANA ID: 460
    WHOIS Server:
    Referral URL:
    Domain Status: clientDeleteProhibited
    Domain Status: clientUpdateProhibited
    Registrant ID:WN18134984T
    Registrant Name:Technical Support
    Registrant Organization:EC-Council
    Registrant Street: 6330 Riverside Plaza Ln NW
    Registrant City:Albuquerque
    Registrant State/Province:NM
    Registrant Postal Code:87120

    Looks like they got their domain back.
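The two whois snapshots bryguy posted (the first with the registrant fields overwritten to read "domain has / this / been / Owned" and a clientHold status, the second restored to EC-Council) are the raw material of a registrar-level hijack check. The script below is an added example, not code from this thread or from EC-Council: it parses both snapshots as quoted above (fields after the "..." are omitted), diffs them field by field, and flags the indicators a practitioner would watch for. The expected organization string "EC-Council" is an assumption taken from the restored record, and the field-name regex assumes the Key:Value layout shown in the posts.

```python
"""Whois snapshot diff and hijack indicators. Added example; the two snapshots
below are the ones quoted in the thread, trimmed to the lines shown there."""
import re

WHOIS_HIJACKED = """\
Domain Name:ECCOUNCIL.ORG
Updated Date: 2014-02-25T22:10:08Z
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
Domain Status: clientDeleteProhibited
Domain Status: clientHold
Domain Status: clientUpdateProhibited
Registrant Name:domain has
Registrant Organization:this
Registrant Street: been
Registrant City Owned
Registrant State/Province:NM
Registrant Country:MY
Registrant Email Owned@mail.kp
"""

WHOIS_RESTORED = """\
Domain Name:ECCOUNCIL.ORG
Updated Date: 2014-02-26T14:17:49Z
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Registrant Name:Technical Support
Registrant Organization:EC-Council
Registrant Street: 6330 Riverside Plaza Ln NW
Registrant City:Albuquerque
Registrant State/Province:NM
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")   # "Key: Value", value may contain ':'
MULTI = {"Domain Status", "Name Server"}                   # fields that legitimately repeat


def parse_whois(text):
    """Parse Key:Value whois output. Repeating fields become sorted lists;
    lines that no longer fit the layout (the overwritten ones) are kept aside."""
    record = {"_unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if not m:
            record["_unparsed"].append(line)
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key in MULTI:
            record.setdefault(key, []).append(value)
        else:
            record[key] = value
    for key in MULTI:
        if key in record:
            record[key] = sorted(record[key])
    return record


def diff_whois(before, after):
    """Return (field, old, new) for every field whose value changed or moved."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if key == "_unparsed":
            continue
        if before.get(key) != after.get(key):
            changes.append((key, before.get(key), after.get(key)))
    return changes


def hijack_indicators(record, expected_org):
    """Flag the registrar-level signs visible in the thread's snapshots."""
    findings = []
    statuses = record.get("Domain Status", [])
    org = record.get("Registrant Organization")
    if org != expected_org:
        findings.append("registrant organization is %r, expected %r" % (org, expected_org))
    if "clientHold" in statuses:
        findings.append("clientHold: registrar is withholding the domain from DNS, it will not resolve")
    if "clientTransferProhibited" not in statuses:
        findings.append("no clientTransferProhibited: nothing stops a transfer to another registrar")
    if record["_unparsed"]:
        findings.append("malformed fields, possibly overwritten: " + "; ".join(record["_unparsed"]))
    return findings


if __name__ == "__main__":
    before, after = parse_whois(WHOIS_HIJACKED), parse_whois(WHOIS_RESTORED)
    for key, old, new in diff_whois(before, after):
        print("%-25s %r -> %r" % (key, old, new))
    for finding in hijack_indicators(before, "EC-Council"):
        print("hijacked snapshot:", finding)
    for finding in hijack_indicators(after, "EC-Council"):
        print("restored snapshot:", finding)
```

Run periodically against a saved baseline rather than by eye: the Updated Date and the registrant fields move first, and the clientHold line explains why the site stopped resolving even for people who still had the old address cached. Note that neither snapshot carries clientTransferProhibited, so the restored record still gets that finding; a transfer lock (or a registry lock where the registrar offers one) is the cheap hardening a domain owner wants after an incident like this.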
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Still isn't up for me... makes me wonder if their servers actually did get compromised.
    Working on: staying alive and staying employed