CEH site hacked

colemic

@emerald Agree 100%. And still no indication that they will do any kind of breach notification.

colemic

JDMurray wrote: »

If what was compromised was a Gmail account and DNS information controlled by a DNS registrar, then "their servers" were not touched. However, it is possible that information ECC controlled in other origanization's servers was improperly secured by ECC itself. This is the issue that hasn't been publicly addressed yet. ECC may be still thinking "who owns physical boxes" rather than "who controls what information in the virtual cloud."

Agree, and if that is the case they are being very facetious, and I still don't see how they think they can skirt around breach notification requirements.

emerald_octane

I cannot.
believe.
i'm even.
typing this.

But did the registrars goof AGAIN? I was able to access the site an hour ago, now a new message is up.

Iristheangel

OUCH. Now that's embarrassing.

Asif Dasl

The site is still working over here... DNS propagation again?

cyberguypr

That is the Ecatel server. Maybe DNS hasn't propagated?

colemic

that's funny right there... site is up for me though

Iristheangel

I was able to get to the site earlier but now I can't.

colemic

ROFL... up for me in multiple browsers on my laptop, ipad on a different wireless network shows the cute note - try IE in a InPrivate session and see if it comes up... this is going to be epic by the time the guy leaves them alone...

5ekurity

It appears they have moved to CloudFlare

JDMurray

ECC seems to be working fine now. And yes, their new IP addresses are at CloudFlare.

colemic

Hm. Cloudfare has a rep for being a receptive host to DDoSrs. Kind of ironic.

sojourn

22:32 GMT and it's down again.

http://www.eccouncil.org

CEH TEST1)Did ec council just get owned again?a) Absolutelyb) Yesc) Definitelyd) No2) Is EC council staff incompetent?a) Absolutelyb) Yesc) Definitelyd) No3) Was personal data compromised in the hacka) Absolutelyb) Yesc) Definitelyd) No

Chivalry1

Although they are communicating this incident as a simply URL Redirect, what about the sensitive data that was contained in the Google Apps email? Exactly how much personal data was contained within Google Apps that the hacker had complete access to? If DOD sensitive information was there within the Google Apps email, I can only imagine information about us regular people. ECCouncil is trying to downplay this event...but I am not buying it.

Yes and the site is still down!!

bryguy

Doesn't look good...

>whois eccouncil.org
Domain Name:ECCOUNCIL.ORG
Domain ID: D81180127-LROR
Creation Date: 2001-12-14T10:13:06Z
Updated Date: 2014-02-25T22:10:08Z
Registry Expiry Date: 2020-12-14T10:13:06Z
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
Sponsoring Registrar IANA ID: 460
WHOIS Server:
Referral URL:
Domain Status: clientDeleteProhibited
Domain Status: clientHold
Domain Status: clientUpdateProhibited
Registrant ID:WN18134984T
Registrant Name:domain has
Registrant Organization:this
Registrant Street: been
Registrant City Owned
Registrant State/Province:NM
Registrant Postal Code:423443
Registrant Country:MY
Registrant Phone:+603.78800000
Registrant Phone Ext:
Registrant Fax: +603.78800000
Registrant Fax Ext:
Registrant Email Owned@mail.kp
Admin ID:WN18134985T
...

Asif Dasl

I figured it had to be the registrar that's causing this - maybe I'm wrong. But this link says the domain is "On hold (generic)"...

Eccouncil.org WHOIS, DNS, & Domain Info - DomainTools

Whois Search | Your Public Interest Registry

Edit - remember that guy that lost his twitter handle @N... maybe it's something similar to that? Copycat?

YFZblu

Chivalry1 wrote: »

Although they are communicating this incident as a simply URL Redirect

DNS hijacking != url redirect. There was no 'redirect' taking place. Standard DNS query received a standard DNS response; it just happened to be a response provided by a bad guy.

what about the sensitive data that was contained in the Google Apps email?

It's easy - Assume your personal information was stolen. Don't wait to find out that it was or wasn't.

ECCouncil is trying to downplay this event...but I am not buying it.

Their initial reponse to the public was horrible, I agree with you - The fact that they were targeted is/was very public and they didn't need to wait more than a couple of hours to put out a canned response.

Yes and the site is still down!!

From my perspective the DNS resolution now points to the correct provider, The New York Internet Company; but I receive an HTTP 404 response.

Dealing with the nitty gritty of the Incident and working with multiple service providers / law enforcement will have its own version of red tape. ESPECIALLY since the rumor of leaked government information is in the cards. For all we know the feds walked into the data center with a warrant, and stripped The New York Internet Company of infrastructure which was hosting eccouncil's stuff.

Do I think they did a "good" job responding to the Incident from a public perspective? No. Will a potential breach involving federal employee information take more than two days to handle? Yes.

JDMurray

colemic wrote: »

Hm. Cloudfare has a rep for being a receptive host to DDoSrs. Kind of ironic.

Also true of GoDaddy, Rackspace, Comcast, Microsoft, Amazon EC2...

YFZblu wrote: »

DNS hijacking != url redirect. There was no 'redirect' taking place. Standard DNS query received a standard DNS response; it just happened to be a response provided by a bad guy.

Isn't it called "DNS Poisoning" when a DNS database has been corrupted with bogus information? I would guess "DNS Hijacking" to be the poisoning of DNS response messages in-transit, possibly by an MitM, or by flooding with spoofed, bogus request messages in with the genuine responses.

YFZblu

I always associated DNS cache poisoning with an attacker manipulating vulnerabilities in the DNS protocol itself (race conditions, for example) to record a bad entry. But I get your basic premise, and I'm not opposed to considering a better term for it.

Primarily I want to impress upon people the importance in the differences between redirect, server defacement, and what happened here with DNS.

wes allen

Perhaps "Domain hijacking" is the correct term for what his attacks seems to be? That is the one I have heard in reference to taking control of domain info at a registrar level.

colemic

@JD only mentioned it because krebs did a few days ago.

cyberguypr

Good point. The interwebs keep using the term "defacement" for the EC Council issue when it's clear this is not what's going on. And that's techies/infosec aficionados. I can't even imagine what the mainstream media would call it. Most likely a "DNS hacking worm virus" or some other ridiculous sensationalist term.


Normally you see these used used interchangeably:
- DNS hijacking/redirection
- DNS spoofing/poisoning/MiTM

The easy way to differentiate DNS hijacking vs. poisoning is that for hijacking you have a "good" response to the client's DNS query, meaning you get a legitimate authoritative answer coming from the appropriate server. This gets quickly confusing because after a successful DNS hijacking operation the attacker basically redirects the name to whichever IP he chooses. On the other hand, with cache poisoning you are getting a fake response the attacker injected, from a machine he controls, when there is still a real authoritative answer somewhere upstream (that the client obviously can't get to).

OK, maybe that wasn't that easy.

Anyway, gotta go study for my CEH now

varelg

the site is nowhere to be found. Torpedoed. Wow... re-sharing this news with both my IT and non-IT friends, simply because it is HILARIOUS!

cyberguypr

Great summary of the ordeal: https://s.arciszewski.me/blog/2014/02/ec-council-incident-response

Lying: Always a Bad Strategy
Here's the kicker. EC Council claims that EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained. Yet they remain oddly silent on the claim that the hacker has thousands of .gov and .mil passports, or the screenshot snippet which contained the email from Edward Snowden.

Let's return to r000t's claim that the person who hacked EC Council was Zeekill from HTP. If he's correct, this is the same person who allegedly managed to hide a persistent rootkit on PandaSecurity even after r000t told them about it. If he had access to your servers, unless you were watching the TCP streams as the incident was going on (unlikely, given the slow response time to this security incident), you probably wouldn't see any evidence of it. Criminal or not, this person clearly knows their ****.

So in other words... EC Council: Don't piss on your customers' legs and tell them it's raining.

EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained? Does your Security Team consist of morons who were duped into paying for your worthless certifications? I'm guessing the answer to that question is, "Yes."

5ekurity

I just want to point out that currently, you can claim their domain name for $11.59 a year...any takers?

Qord

Oh man, this just keeps getting better! The word debacle seems most fitting.

Asif Dasl

Wow, it's Wednesday and the site is still down! Sorry but I have to laugh even if they have copy of my passport!

I can just hear them in the ECCouncil offices saying - "They did it again!"

colemic

this is just beyond comprehension at this point.

bryguy

$ whois eccouncil.org
Domain Name:ECCOUNCIL.ORG
Domain ID: D81180127-LROR
Creation Date: 2001-12-14T10:13:06Z
Updated Date: 2014-02-26T14:17:49Z
Registry Expiry Date: 2020-12-14T10:13:06Z
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R140-LROR)
Sponsoring Registrar IANA ID: 460
WHOIS Server:
Referral URL:
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Registrant ID:WN18134984T
Registrant Name:Technical Support
Registrant Organization:EC-Council
Registrant Street: 6330 Riverside Plaza Ln NW
Registrant City:Albuquerque
Registrant State/Province:NM
Registrant Postal Code:87120

Looks like they got their domain back.

colemic

Still isn't up for me... makes me wonder if their servers actually did get compromised.