
CEH site hacked

135 Comments

    BGraves Member Posts: 339
    That is the entire content of the reply I received. I don't know who provided that information to the course mentor though.
    bryguy Member Posts: 190
    For MSISA students: I let the course mentor know that the site is out of commission (if she doesn't know already). If they continue offering the course, I hope they allow future students to get the hard copy of the iClass course material rather than the stream-only option. That, or offer the GIAC GCIH exam instead.

    I was debating posting on the MSISA community board, but figured that by the time I posted it, it would probably be back up and running. Sadly, it appears to still be down. Did you use the book material at all for your studies? My course mentor said that book pertained to CHFIv7 material, and to focus more on the video content.
    emerald_octane Member Posts: 613
    I didn't look at the book material because I try not to use materials for exams updated after the pub date (in this case, 2010). For CHFI the iClass videos are more than sufficient. The instructor talks way too long in them about personal experience, but the slides will give you enough information. If you take CEH and then CHFI, you should be able to tackle the exam after a brief review of the material.
    cyberguypr Mod Posts: 6,928
    At least we now know someone from EC Council is checking Twitter:
    CyberGuyPR,
    You have a new follower on Twitter.

    Amber Williams
    @AmberWECC
    I am the Manager of Strategic Initiatives at EC-Council and am interested in all things information security!
    Albuquerque, NM · http://www.eccouncil.org/ciso
    colemic Member Posts: 1,569
    She followed me as well but hasn't posted anything... @mcole1008
    Working on: staying alive and staying employed
    Chivalry1 Member Posts: 569
    colemic wrote: »
    I think I would call BS on that... clearly unauthorized access occurred ON TOP of the web defacement. The passport and Snowden's recommendation letter prove that. Would you mind posting the entire content of the email (redacted)?

    I agree... definitely BS. They have not made the first announcement concerning the hack. At one point I considered the EC-Council incident handler certification, but after their reaction, or non-reaction, to this incident there is no way I would even consider any more of their certification tracks; only SANS. I think the attacker pointed out that it was more than a URL redirect, considering he posted internal sensitive information (i.e. the passport and DoD letter). And not just any piece of sensitive information, but the infamous Eric Snowden's. WOW... just admit it, EC-Council, you have been completely r00ted!! The attacker has multiple levels of access. And with all of that said... the website is still down!!!
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
    Lostpacket Member Posts: 25
    The original web content is still there and intact. It's a DNS hijack.

    If you want to see proof, edit your hosts file and add the entry to 66.111.3.186 www.eccouncil.org

    Add 64.147.99.90 iclass.eccouncil.org to get into your iclass stuff and 64.147.99.91 ilabs.eccouncil.org to get to your labs.

    What most likely happened is that their info@ account was compromised, allowing access to all password resets for the registrar login (to make DNS changes), as well as access to all of the passports of military people like Snowden who had submitted their identification to request authorization to sit for the exam.
    A cached copy of webmail.eccouncil.org proves they use Google Apps which explains the screenshot.
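The check Lostpacket describes, diffing the currently served A records against the known-good origin addresses and then pinning the affected names in the hosts file, as an added example that is not code from the thread or from EC-Council. The baseline addresses are the ones quoted in the post; the dig output it parses is constructed sample data using a TEST-NET address in place of the attacker's host.

```python
"""Added example, not code from the thread or from EC-Council: detect a DNS
hijack of the kind described above by diffing known-good A records against
freshly observed answers, then emit hosts-file lines that pin the hijacked
names back to the untouched origin servers.

Baseline addresses are the ones quoted in the thread. The 'observed' dig
output is CONSTRUCTED sample data using a TEST-NET address, not a real capture.
"""
import ipaddress

# Known-good A records quoted in the thread.
BASELINE = {
    "www.eccouncil.org": "66.111.3.186",
    "iclass.eccouncil.org": "64.147.99.90",
    "ilabs.eccouncil.org": "64.147.99.91",
}

# Constructed `dig +noall +answer` output: www has been repointed, the
# other two names still answer with their baseline addresses.
SAMPLE_DIG = """\
www.eccouncil.org.      300     IN      A       192.0.2.10
iclass.eccouncil.org.   300     IN      A       64.147.99.90
ilabs.eccouncil.org.    300     IN      A       64.147.99.91
"""


def parse_answers(text):
    """Turn dig answer lines into {name: ip}. Keeps only A records, strips
    the trailing dot, lower-cases names, and ignores comments/blank lines."""
    answers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        name = fields[0].rstrip(".").lower()
        answers.setdefault(name, fields[4])  # first A record wins
    return answers


def find_hijacked(baseline, observed):
    """Return {name: (expected_ip, observed_ip)} for every baseline name whose
    A record is missing or no longer matches. Missing answers map to None."""
    hijacked = {}
    for name, expected in baseline.items():
        got = observed.get(name)
        if got is None or ipaddress.ip_address(got) != ipaddress.ip_address(expected):
            hijacked[name] = (expected, got)
    return hijacked


def hosts_overrides(baseline, hijacked):
    """hosts-file lines that bypass the poisoned zone for the affected names."""
    return ["%s %s" % (baseline[name], name) for name in sorted(hijacked)]


if __name__ == "__main__":
    hijacked = find_hijacked(BASELINE, parse_answers(SAMPLE_DIG))
    for name, (expected, got) in hijacked.items():
        print("HIJACKED %s: expected %s, resolver returned %s" % (name, expected, got))
    print("\n".join(hosts_overrides(BASELINE, hijacked)))
```

A changed A record is evidence, not proof: a legitimate hosting move looks the same from the resolver's side, so confirm against the registrar's NS/WHOIS data and against what the pinned origin actually serves. Browsing to the pinned name over HTTPS is the stronger test, since only the real origin can present a certificate valid for the name.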
    YFZblu Member Posts: 1,462
    colemic wrote: »
    I think I would call BS on that... clearly unauthorized access occurred ON TOP of the web defacement. The passport and Snowden's recommendation letter prove that. Would you mind posting the entire content of the email (redacted)?

    It isn't a defacement - The 'real' eccouncil.org is hosted with the New York Internet Company. The attacker simply changed the DNS record to point to an Ecatel server. Thus far we have no evidence the attacker modified the web content on eccouncil's web server.

    Now I agree completely this attack could have leaked sensitive information - But this isn't a defacement.

    Additionally I'm kind of puzzled at the sudden turn from C|EH to GIAC certification because of this Incident. The world-class incident handler Instructors and unrivaled content SANS boasts weren't enough on their own? The two weren't even close to begin with. Cost is always a factor, but nobody has mentioned that in this thread.
    JDMurray Admin Posts: 13,034
    YFZblu wrote: »
    Cost is always a factor, but nobody has mentioned that in this thread.
    Now that the cheaper (i.e. more inexpensive) alternative may have been eliminated, some people are resigning themselves to bite the bullet and fork out for the more expensive premium training, because there is currently no other alternative to the CEH. I would suggest that if CompTIA or (ISC)2 had ever performed a feasibility study for launching its own "Hacking+" certification, now is the time to start collecting SMEs, writing beta exam items, and getting those pre-production wheels turning.
    cyberguypr Mod Posts: 6,928
    In the grand scheme of things this incident is nothing. My beef is how they handled, or should I say, mishandled, the whole thing. To this date there has been zero statement from them.
    Chivalry1 Member Posts: 569
    cyberguypr wrote: »
    In the grand scheme of things this incident is nothing. My beef is how they handled, or should I say, mishandled, the whole thing. To this date there has been zero statement from them.

    I agree with this statement, because we as IT security professionals know that certain procedures and protocols have not been followed by EC-Council regarding the handling of this incident. Regardless of the mode of attack utilized by the hacker, EC-Council has an "ethical" responsibility to inform the public. After the last website attack EC-Council launched a CEH marketing campaign to put them back on track. But I think this one will cause long-term reputation damage and will affect revenue. And I am talking from a personal standpoint as a "certification" customer; I am not alone in my opinion.
    colemic Member Posts: 1,569
    If this was just a simple redirect, shouldn't they have fixed it by now? We're going on three days... I don't know what the longest defacement on record is but we are well past the average recovery time.
    YFZblu Member Posts: 1,462
    We know it's a DNS hijack and not a defacement because, as I said before, eccouncil.org is legitimately hosted with The New York Internet Company, and now the DNS record points to a hosting provider well-known to be cybercrime friendly. It's right there in black and white.
    colemic Member Posts: 1,569
    While I get that, I just don't see why this is taking so long to fix.
    impelse Member Posts: 1,237
    LOL, Hacking+ I love that
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

    xenodamus Member Posts: 758
    From their Facebook page:

    RE: February 22nd, 2014 Security Breach on EC-Council

    On February 22nd, 2014 at approximately 8PM EST, the domain www.eccouncil.org was redirected to an ISP in Finland. Immediately EC-Council's Internal Security Response team initiated a comprehensive investigation.

    EC-Council’s Security Team has confirmed no access to any EC-Council Servers was obtained, the domain redirection was done at the DNS Registrar and traffic was re-routed from Authentic EC-Council Servers to a Host in Finland known for hosting other illegal websites. EC-Council immediately began exercises in security precaution to fortify against any further attempts. EC-Council immediately opened cases with the United States FBI as well as international Law Enforcement to apprehend this individual and launched a full analysis of third party vendors where the security breach was allowed.

    The affected records reside with a Third-Party, ICANN certified DNS Registrar and though EC-Council has terminated service there and moved, DNS propagation will take some time. During the DNS propagation period, eccouncil.org will be unavailable to the public. While EC-Council Servers remained untouched and running, the third-party DNS registrar remained affected through the day on Sunday February 23rd and into the morning Monday February 24th. EC-Council in Cooperation with domestic and foreign Law Enforcement as well as Judicial Systems will continue to investigate the incident.

    EC-Council will release additional information through its official Facebook page as well as LinkedIn as details come available.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
    JDMurray Admin Posts: 13,034
    DNS history shows the original address of www.eccouncil.org to be 66.111.3.186. Hitting that IP with HTTP gives a 404 error. Hitting it with HTTPS redirects back to the bogus www.eccouncil.org site. So I do believe the ECC's servers are offline, probably due to the incident response that is being performed now by (and I'm purely guessing at this) the FBI.
    cyberguypr Mod Posts: 6,928
    Is that FBI agent CEH certified? :mrgreen:
    Iristheangel Mod Posts: 4,133
    Naw, he has a CHFI ;)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    JDMurray Admin Posts: 13,034
    On the plus side, www.certifiedhacker.com and juggyboy.com are still up. At least ECC students still have something to practice aiming their hacking tools at.
    SephStorm Member Posts: 1,731
    The big story I didn't see on the first page of this thread: Snowden's unencrypted password, and the credentials of numerous individuals, were stored somewhere unencrypted and unprotected (personally I'll be proposing those IDs be removed after validation/verification; there's no reason to keep them). This is after it was revealed years ago that EC-Council was storing user credentials for the member forum in clear text (that member's original post was deleted...). Anyway, years later I was able to retrieve my password again in cleartext. I wonder if this will force any changes? Knowing ECC, probably not.
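SephStorm's point, that a site can only mail a user their own password back if it kept the password in clear text, shown side by side with the hashed alternative, as an added example that is not code from the thread or from EC-Council. The account records are constructed, and the PBKDF2 iteration count is an assumption chosen for illustration rather than a value taken from any real system.

```python
"""Added example, not code from the thread or from EC-Council: why a
'forgot password, here it is' feature is only possible when passwords are
stored in clear text, and what the hashed alternative looks like.

Account records below are CONSTRUCTED. The iteration count is an assumption
chosen for illustration, not a value taken from any real system.
"""
import base64
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing string: scheme$iterations$salt$hash,
    with a fresh random 16-byte salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time. Returns False for malformed or unknown schemes."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Two ways a site might store the same (constructed) account.
def store_cleartext(user, password):
    return {"user": user, "scheme": "cleartext", "secret": password}


def store_hashed(user, password, iterations=DEFAULT_ITERATIONS):
    return {"user": user, "scheme": "pbkdf2_sha256",
            "secret": hash_password(password, iterations)}


def login(record, password):
    """Authenticate against either record type; both succeed for the right
    password, so the user never notices which scheme the site chose."""
    if record["scheme"] == "cleartext":
        return hmac.compare_digest(record["secret"].encode("utf-8"), password.encode("utf-8"))
    return verify_password(password, record["secret"])


def forgot_password(record):
    """The 'mail me my password' feature. Works only for cleartext records;
    for hashed records the site can issue a reset token but never the password."""
    if record["scheme"] == "cleartext":
        return record["secret"]
    return None


if __name__ == "__main__":
    clear = store_cleartext("alice", "s3cret")
    hashed = store_hashed("alice", "s3cret")
    print("cleartext record leaks:", forgot_password(clear))
    print("hashed record leaks:", forgot_password(hashed))
    print("stored hashed form:", hashed["secret"])
```

The practical test from the user's side is the one SephStorm ran: if "forgot password" returns the password you chose rather than a reset link, the site is holding it in a recoverable form, and a breach of the mailbox or database that holds those records exposes every account at once.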
    davedk Registered Users Posts: 1
    It's finally back online, after 3 days, and I am not impressed at all!!!!!
    BGraves Member Posts: 339
    Ah dang, back to studying I guess..... ;)
    colemic Member Posts: 1,569
    @Sephstorm, where would Snowden's password be compromised? The way it used to work (I sent in the letter in 2010 to be verified to sit for the test), you just had to email them a picture ID and the letter... it just shows that they are archiving everything in Gmail instead of deleting that sensitive information. I also found this on their site, and find it to be a bit comical: CEH VS SANS, and absolutely untrue as well.
    JDMurray Admin Posts: 13,034
    academia.eccouncil.org isn't back up yet, so still waiting... :(
    LeifAlire Member Posts: 106
    2015 Goals: VCP-550 - CISA - 70-417
    colemic Member Posts: 1,569
    JDMurray wrote: »
    academia.eccouncil.org isn't back up yet, so still waiting... :(
    login page is up now.
    Khaos1911 Member Posts: 366
    "Update: 2/25/14 07:00

    DNS Propagation is still in process around the world however major DNS providers have updated to the new data. With respect to our release yesterday, our Internal Response team has been closely monitoring our third party vendors.

    EC-Council has launched an international cooperative effort with law enforcement entities based on information uncovered during our analysis of this incident. Our cooperation with Law Enforcement is two-fold. First is to establish subpoenas on third party vendors where computer crimes took place, second is for justice.

    We would like to thank the many Information Security professionals who openly keep the community informed, DNS Hijacking is illegal. We will work with the authorities to ensure to the best of our ability the individual(s) responsible are held accountable.

    This is a clear example of what we have always taught; No one can ever be completely secure. Although EC-Council servers remained untouched, a vulnerability in our third party DNS vendor led to this DNS Hijacking incident, rendering our main website unavailable for a short period of time.

    While this investigation is ongoing and subpoenas will take time, we are dedicated to keep our customers and partners apprised of all progress."
    emerald_octane Member Posts: 613
    This is annoying. They keep saying "our servers were untouched". Ok, whatever. Please explain the Gmail interface and passport that was shown. They're cutely avoiding the issue and it looks bad on them.
    JDMurray Admin Posts: 13,034
    If what was compromised was a Gmail account and DNS information controlled by a DNS registrar, then "their servers" were not touched. However, it is possible that information ECC controlled on other organizations' servers was improperly secured by ECC itself. This is the issue that hasn't been publicly addressed yet. ECC may still be thinking "who owns the physical boxes" rather than "who controls what information in the virtual cloud."