EC-Council Update: 2/25/14 07:00
DNS Propagation is still in process around the world however major DNS providers have updated to the new data. With respect to our release yesterday, our Internal Response team has been closely monitoring our third party vendors.
EC-Council has launched an international cooperative effort with law enforcement entities based on information uncovered during our analysis of this incident. Our cooperation with Law Enforcement is two-fold. First is to establish subpoena’s on third party vendors where computer crimes took place, second is for justice.
We would like to thank the many Information Security professionals who openly keep the community informed, DNS Hijacking is illegal. We will work with the authorities to ensure to the best of our ability the individual(s) responsible are held accountable.
This is a clear example of what we have always taught; No one can ever be completely secure. Although EC-Council servers remained untouched, a vulnerability in our third party DNS vendor led to this DNS Hijacking incident, rendering our main website unavailable for a short period of time.
While this investigation is ongoing and subpoenas will take time, we are dedicated to keep our customers and partners apprised of all progress.
New free online software security training courses
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG, and Symantec Corp.
SAFECode recommends that product security managers use our training materials in the context of a broader software security process. We have published a number of free materials to help support that development and maturation of such a process, including our flagship work, Fundamental Practices for Secure Software Development. All of our published guidance and best practices are based on the real-world experiences of our member companies and have been proven effective across diverse development environments.
Starting your training here.
EC-Council Statement to Recent Security Breach
RE: February 22nd, 2014 Security Breach on EC-Council
On February 22nd, 2014 at approximately 8PM EST, the domain www.eccouncil.org was redirected to an ISP in Finland. Immediately EC Council’s Internal Security Response team initiated a comprehensive investigation.
EC-Council’s Security Team has confirmed no access to any EC-Council Servers was obtained, the domain redirection was done at the DNS Registrar and traffic was re-routed from Authentic EC-Council Servers to a Host in Finland known for hosting other illegal websites. EC-Council immediately began exercises in security precaution to fortify against any further attempts. EC-Council immediately opened cases with the United States FBI as well as international Law Enforcement to apprehend this individual and launched a full analysis of third party vendors where the security breach was allowed.
The affected records reside with a Third-Party, ICANN certified DNS Registrar and though EC-Council has terminated service there and moved, DNS propagation will take some time. During the DNS propagation period, eccouncil.org will be unavailable to the public. While EC-Council Servers remained untouched and running, the third-party DNS registrar remained affected through the day on Sunday February 23rd and into the morning Monday February 24th. EC-Council in Cooperation with domestic and foreign Law Enforcement as well as Judicial Systems will continue to investigate the incident.
EC-Council will release additional information through its official Facebook page as well as LinkedIn as details come available.
Original statement located on their FaceBook Page – https://www.facebook.com/ECCouncil
EC-Council Site Hacked, But There is a Bigger Issue Now…
Over the weekend, and as of today at 11:00am EST, EC-Council, the organization famous for administering the Certified Ethical Hacker (CEH) as well as the Computer Hacking Forensics Investigator (CHFI) had been hacked by an individual who claims to be a “certified unethical software security professional” going by the alias “Eugene Belford”. Eugene Belford was actually a character in the movie “Hackers” which came out in 1995 directed by Iain Softley as well as staring Angelina Jolie.
The hacked website was defaced with a picture of Edward Snowden’s passport and e-mail application for the CEH exam as shown here. In addition to the images the individual responsible for the site compromise, published the following message:
“owned by certified unethical software security professional -Eugene Belford”. Eugene Belford, is a character from the movie “Hackers”.
Then a few hours later updated the message to the following:
“owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/-Eugene Belford
P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”.
It did seem many individuals who followed this event in its early stages missed the point pertaining to the unauthorized access and control of personal identifiable information of EC-Council certified professionals now in someone else’s hand. And due to DoDD 8570 requirements many of these professionals are members of the US military, the FBI, and the National Security Agency just to name a few.
This assertion comes from EC-Council claim that it “has trained over 80,000 individuals and certified more than 30,000 security professionals from such fine organizations as the US Army, the FBI, Microsoft, IBM, and the United Nations”.
It is highly probably that passports and other photo ID details of approximately 30,000 security professionals who have either obtained or applied for EC-Council related certifications are now at risk after this compromise.
With the recent holiday breaches of 2013 so fresh in our minds, this is just another reminder about how safe is our information in the hand of others.
SecurityOrb.com has attempted to contact EC-Council but there was no response as of this publishing this article. SecurityOrb.com will continue to make attempts to obtain a statement as well as update any new findings we discover.
EC-COUNCIL Website has been Hacked, Snowden’s Passport on the Site
As of Saturday, February 22, 2014 at 8:00pm EST, it seems like the main website operated by EC-Council has been hacked. On the site is an image of Edward Snowden’s passport and text stating, “owned by certified unethical software security professional -Eugene Belford”. Eugene Belford, is a character from the movie “Hackers”.
Edward Snowden, the man who turned whistle-blower against the National Security Agency (NSA) and revealed its global spying program, was trained by EC-Council as a Certified Ethical Hacker (CEH).
The hack maybe a DNS hijacking attack, the information below kind of point that way:
Server: 75.75.75.75
Address: 75.75.75.75#53
Non-authoritative answer:
Name: eccouncil.org
Address: 93.174.95.82
As of Feb. 23, it seems as though EC-Council has not gained control of their website. An update was posted on the EC-Council site stating:
“owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/ -Eugene Belford
P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”
Cybersecurity Agreement Signed in Rockville, Maryland
Montgomery County Executive Isiah Leggett (D) joined Gov. Martin O’Malley (D) and Sen. Barbara Mikulski (D-Md.) came together to sign an agreement on Tuesday to establish a “National Cybersecurity Center of Excellence” in Rockville, MD.
The center will be a place where private businesses, academics and government can work together on ways to prevent hacking incidents such as the breach of credit card information at Target and Nieman Marcus last year.
The county also hopes it will stimulate the creation of new high-paying jobs in the cybersecurity sector.
