EC|Council Portal Security Issues

no, you are not. They are unprofessional, but that is a different issue.

The question for me is whether the account information can be easily acquired by a third party, ie could the system be tricked into revealing the contents of the database without the user's email being compromised. Whatever your view on the issue however, we all have the right to hold them to a standard, and expect the company to address those issues in a timely manner.

I see you are in the Army in SC. Are you at Sumter?

Also, how do I send a private message on here instead of going off the topic of the thread?

ptilsen

I would agree that it is not professional at all. It's no different than storing un-encrypted PANs on the justification that network and server room are locked down (which is no justification at all). It's maybe a slight step above saying "we don't need antivirus; we have a firewall!".

In a related story, I've noticed certificate errors on ECC's web site before.

Strangely the personal message function seems to be missing... at least in the old way. It looks like you have to go to your profile center and send 1 from there.

Daniel333

EC Council has always been the Nigerian Price of IT certifications imho.

ChooseLife

the4tress wrote: »

Am I overreacting?

No, and thank you for sharing this information. Both the original issue and ECCouncil's inability to acknowledge it speak louder than all the marketing buzzwords filling their sites.

Yeah, they still haven't replied with their policy on storage of personal information yet.

Wow, instead of fixing the problem they just deleted my posts where I pointed out the problems. They are censoring anything that points out their shortcomings. Now this is a new low...

Here is the link. You can see their reply to me, but my posts are gone. WTF?

https://portal.eccouncil.org/forum//forum_posts.asp?TID=1280&PN=1&TPN=3

Any way for non-certified peeps to see?

EC-Council Certification Portal- Member and Delta Portals issues_1330715877833.jpg

I don't know if this violates some sort of agreement I signed with them, but at this point I don't really care. They are doing some really shady stuff and I think it needs to be brought to the attention of those that are thinking about getting the certification, or those that are already certified.

Here is a screenshot of the forum post. The first one is where my post was, and the second one is the following page where somebody said they saw it and had a similar issue before.

<edit>I guess TechExams resizes uploaded images so they were really crappy and you couldn't see the text. I put them in my Dropbox if you want to check them out. http://goo.gl/rhafZ and http://goo.gl/fJeui</edit>

There are 2 deleted posts. One directly before, and one directly after yuri's post where he says:

Hi,

Because of the flexibility to the users EC-Council provides password to the concerned members though E-mails and the password will be sent to registered E-mail ID's only.

The company keeps user information secure and confidential. The user passwords are stored in very secured way following EC-Council's strict confidentiality rules and regulations.

You can keep all your EC-Council certifications active with the help of Continuing Profession Education provided by EC-Council.

In the first post I talked about how I was able to figure out that they are storing passwords in clear text. The second one is quoted in my original post here. Nothing vulgar or abusive which would justify removing the post.

EC-Council Certification Portal- Member and Delta Portals issues_1330715894320.jpg

I don't know about others but that is way too small to read. cut N past the text maybe?

Yeah, I realized it after I posted the message. I edited the post with a link to the screenshots in my Dropbox. Sorry.

Here they are: http://goo.gl/rhafZ and http://goo.gl/fJeui.

I don't see in the screenshots what your original posts said...

Right, because they deleted the posts.

I guess they delete anything that is critical or negative towards them, even if it is justified.

Well, what exactly did you post? I am not doubting you, but how do you know it was stored in plaintext?

I forget exactly what I posted the first time. My second post is quoted in the first post of this thread (it was also deleted).

If you go to the EC|Council portal and click "Forgot my password" and enter your email it will send you your password. This proves that they are storing the password in clear text. The proper way is for them to create a hash (preferably salted) of your password and store that in their database. Then when you log in, it will hash your password again (from the login) and compare it to the hash stored in the database. When you click "Forgot my password" they should send you a link asking you to reset the password, not send you the actual password.

- Ryan

I read his original post as well, I can confirm it is missing, and another member on the portal claims they had similar issues previously.

the4tress wrote: »

I don't know if this violates some sort of agreement I signed with them, but at this point I don't really care. They are doing some really shady stuff and I think it needs to be brought to the attention of those that are thinking about getting the certification, or those that are already certified.

Anyone who owns a Web site has the legal right to determine what is displayed on the site and the legal responsibility for displaying it. This sometimes requires the editing/removal of public posts made in a discussion forum by members of the Web site. We occasionally need to do this here at TechExams.net for a variety of reasons. I hope you don't think the moderation of our forums is "shady stuff" too.

Well I don't know what you guys have deleted, but from what I have seen on the EC|Council portal is that they delete anything that is negative towards them. I assume that you delete anything vulgar or abusive here, which is expected. But if I point out a problem with security on an infosec certifying organization's forum (which the whole thread is about the problems with the portal) and they delete it because they don't want others to know what they are doing, then I call that shady (pardon the run-on sentence).

I personally feel that it is important others know that their information is not properly protected. I expect a higher security standard from an organization that is rated on DoD 8570 for network defense.

the4tress wrote: »

I expect a higher security standard from an organization that is rated on DoD 8570 for network defense.

That is not what DoD 8570.01 is for. It is only a listing of certifications that meet certain educational criteria for the DoD's Information Assurance programs. Having a cert on this list is not in any way a rating of a certification vendor itself. For that you need ISO/IEC 17024, for which the EC-Council has met the qualifications. If you think that the EC-Council deleting posts from its public discussion forums is in violation of ISO/IEC 27024, you should file a complaint with the ISO.

Now I generally agree with 4tress's assessment of the situation, however, I would note that ECC could/should sensor material they consider a threat or harmful to the site's security. I however, would have handled the situation differently, editing the information from the post and leaving a moderation message in its place, or deleting the thread and notifying the author of the reason for the deletion.

SephStorm wrote: »

Now I generally agree with 4tress's assessment of the situation, however, I would note that ECC could/should sensor material they consider a threat or harmful to the site's security. I however, would have handled the situation differently, editing the information from the post and leaving a moderation message in its place, or deleting the thread and notifying the author of the reason for the deletion.

This is my first time ever doing something like this, so all advice is appreciated. What should I do differently next time. I agree 100% with JDMurray saying that I should take the information to another location, like ISO, but do you think I should have posted on their forums (which was about problems with their forum) about the issue? Should I not have posted here? I decided to post here because of the large community you have who may be affected by this an not know about it.

Again, I know I may have gone about this the wrong way, but I also feel that EC|Council should take better security measures with personal information.

Also, as an IT certification community, are you interested in knowing that your password may be stored in clear text on a site? I personally use a different password for every site, but many users don't.

Thanks for any advice!

- Ryan

I'm just guessing, but if the EC-Council seems to delete any post with negative content, they would delete any post you make that is a complaint. Best to PM or email the two guys that run ECC. Their info is on LinkedIn.com.

Also, you have no control over the security used by any Web site. You therefore use any Web site at your own risk (read any site's EULA). Your plan of using a different (and strong) password on every Web site is the best safeguard you can employ short of not registering on the Web site at all. As to other users, you can try to warn and educate people about poor password management, but you can't make then do it.

What I would have done? I would have contacted ECC probably Jay B on Linkedin. Then I would have posted it in the community if a reasonable response wasnt given within a reasonable time period. The concept is similar to "Ethical Disclosure" of vulnerabilities found in products.

ChooseLife

I just came across this:
EC-Council – CEH – Unethical Behavior | ethicalhack3r (make sure to check out official response from Jay Bavisi in the comments)

It was a last straw for me, EC-Council now looks like a total joke.

Chivalry1

This type of behavior from EC-Council is not surprising. Although I am a fan of the CEH 7 and the wealth of knowledge it covers; I am not impressed by the company. After receiving my CEH I attempted to log into there EC-Council portal but received a SSL certificate error due to an 1 month old outdated certificate. Sorry I don't supply user credentials to sites with invalid certificates. I gladly closed my browser until they decided to correct the issue.

Honestly, I am not surprised. I am surprised the poster got so much contact with Jay, My experience with him has been somewhat the same, he talks to you, seems to take things seriously, then he pushed me off to one of his employees, who before long leaves you out to dry.

tpatt100

I felt the same way when I was taking one of the CWNP exams for wireless. I went to research the topics and found several broken links. If you are supposed to be a vendor neutral certification program you better make sure your web presence is top notch because that is pretty much your main exposure to the public.

I also found another basic vulnerability on their site. If you enter a correct username, but incorrect password it says the password for that user is incorrect. That makes it much easier to harvest usernames, and then in turn guess passwords for those users.