
Scott Arciszewski


EC-Council - A Lesson in Bad Incident Response

February 27, 2014 8:40 AM • Business, Opinion, Security

If you conduct business on the Internet, someone will try to hack you. If you're rich and fat, you will be targeted by opportunists seeking a quick buck. If you spend a lot of time bragging about your security, you will probably attract highly skilled and motivated adversaries. So logically, selling people certifications in information security would put you pretty high on the target list of a hacker looking to make a name for him/herself.

So, reasonably, we would expect (or at the very least hope) that the companies that sell these certifications are exemplars of the Industry they represent.

[Screenshot: EC-Council website defacement]

Enter EC-Council

Sometime on or around February 22, 2014, an unknown hacker took control of the eccouncil.org domain name and redirected it to a server at 93.174.95.82. A bunch of news stories were written about the whole ordeal, which can be summed up thus:

  1. EC Council got hacked.
  2. Someone restored the DNS settings.
  3. The hacker hacked EC Council again and taunted the person in step 2 for password reuse — which is almost certainly one of the things that a "certified ethical hacker" should never do.

I happened to view both defacements (which means the hacker probably has my IP address now). I also viewed the page source and saw the following message on the first defacement:

  <!--htp6--!>

That's not a mere random arrangement of letters; it's the calling card of the attacker (a member of the Hack The Planet collective), as well as an announcement of a sixth edition of their ezines (#5 is hosted on Exploit DB).

Indeed, an estranged ex-member/follower of HTP claims to know the identity of the perpetrator.

The second defacement (pictured to the right) referenced the IRC server at irc.gnaa.eu in the page source, although this was probably just an attempt to flood that server with "newfags".
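
A registrar-level redirect like this one is visible from the outside long before anyone notices a defacement, if someone is comparing answers against a baseline. The following is an added example (not code from the original post) of such a check; the baseline addresses and nameserver names are constructed placeholders, and 93.174.95.82 is the address named above.

```python
import ipaddress
import socket

# Baseline records for the monitored zone. These values are constructed for
# this example (documentation ranges); replace them with your own real records.
EXPECTED_A = {"203.0.113.10"}
EXPECTED_NS = {"ns1.registrar.example", "ns2.registrar.example"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _norm(name):
    """Lower-case a hostname and drop any trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def check_dns(domain, a_records, ns_records):
    """Compare observed A and NS answers against the baseline.

    Returns a list of human-readable findings; an empty list means the
    observed records match what the zone owner expects.
    """
    findings = []
    for ip in a_records:
        addr = ipaddress.ip_address(ip)
        if ip in EXPECTED_A or any(addr in net for net in ALLOWED_NETS):
            continue
        findings.append(f"{domain}: A record {ip} is outside the allowed networks")
    observed_ns = {_norm(h) for h in ns_records}
    for host in sorted(observed_ns - EXPECTED_NS):
        findings.append(f"{domain}: unexpected nameserver {host}")
    for host in sorted(EXPECTED_NS - observed_ns):
        findings.append(f"{domain}: expected nameserver {host} is missing")
    return findings


def resolve_a_live(domain):
    """Fetch the current A records with the standard library (needs network)."""
    return socket.gethostbyname_ex(domain)[2]


# Constructed observation modelled on the incident described above: the zone
# now answers with the hijacker's address and a different nameserver set.
HIJACKED_A = ["93.174.95.82"]
HIJACKED_NS = ["ns1.attacker.example.", "ns2.attacker.example."]

if __name__ == "__main__":
    for line in check_dns("eccouncil.org", HIJACKED_A, HIJACKED_NS):
        print(line)
```

Run it from cron against `resolve_a_live()` output (plus an NS lookup from a library such as dnspython) and page on any non-empty result; a registrar-side change then shows up in minutes rather than days.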

Still with me? This is where things get stupid:

Two days later, the EC-Council regained control of their domain name and pointed it back to the original server. No press statements were posted, and nothing on the front page indicates that any sort of activity took place. Their Twitter feed has also been oddly quiet. EC-Council did, however, make a statement on their Facebook page:

RE: February 22nd, 2014 Security Breach on EC-Council

On February 22nd, 2014 at approximately 8PM EST, the domain www.eccouncil.org was redirected to an ISP in Finland. Immediately EC Council's Internal Security Response team initiated a comprehensive investigation.

EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained, the domain redirection was done at the DNS Registrar and traffic was re-routed from Authentic EC-Council Servers to a Host in Finland known for hosting other illegal websites. EC-Council immediately began exercises in security precaution to fortify against any further attempts. EC-Council immediately opened cases with the United States FBI as well as international Law Enforcement to apprehend this individual and launched a full analysis of third party vendors where the security breach was allowed.

The affected records reside with a Third-Party, ICANN certified DNS Registrar and though EC-Council has terminated service there and moved, DNS propagation will take some time. During the DNS propagation period, eccouncil.org will be unavailable to the public. While EC-Council Servers remained untouched and running, the third-party DNS registrar remained affected through the day on Sunday February 23rd and into the morning Monday February 24th. EC-Council in Cooperation with domestic and foreign Law Enforcement as well as Judicial Systems will continue to investigate the incident.

EC-Council will release additional information through its official Facebook page as well as LinkedIn as details come available.

a Host in Finland known for hosting other illegal websites

Swing and a miss! 93.174.95.82 falls in the subnet of the ECATEL network, which is in the Netherlands (NL), not Finland. That accusation is as accurate as saying Sabu was Canadian.

So it seems the people who run the Certified Ethical Hacker academy aren't that great at forensics, OSINT, or basic detective work. Let's lower our expectations and maybe their next move won't be as painful.

Update: 2/25/14 07:00

DNS Propagation is still in process around the world however major DNS providers have updated to the new data. With respect to our release yesterday, our Internal Response team has been closely monitoring our third party vendors.

EC-Council has launched an international cooperative effort with law enforcement entities based on information uncovered during our analysis of this incident. Our cooperation with Law Enforcement is two-fold. First is to establish subpoenas on third party vendors where computer crimes took place, second is for justice.

We would like to thank the many Information Security professionals who openly keep the community informed. DNS Hijacking is illegal. We will work with the authorities to ensure to the best of our ability the individual(s) responsible are held accountable.

This is a clear example of what we have always taught: no one can ever be completely secure. Although EC-Council servers remained untouched, a vulnerability in our third party DNS vendor led to this DNS Hijacking incident, rendering our main website unavailable for a short period of time.

While this investigation is ongoing and subpoenas will take time, we are dedicated to keeping our customers and partners apprised of all progress.

Lying: Always a Bad Strategy

Here's the kicker. EC Council claims that EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained. Yet they remain oddly silent on the claim that the hacker has thousands of .gov and .mil passports, or the screenshot snippet which contained the email from Edward Snowden.

Let's return to r000t's claim that the person who hacked EC Council was Zeekill from HTP. If he's correct, this is the same person who allegedly managed to hide a persistent rootkit on PandaSecurity even after r000t told them about it. If he had access to your servers, unless you were watching the TCP streams as the incident was going on (unlikely, given the slow response time to this security incident), you probably wouldn't see any evidence of it. Criminal or not, this person clearly knows their shit.

So in other words... EC Council: Don't piss on your customers' legs and tell them it's raining.

EC-Council's Security Team has confirmed no access to any EC-Council Servers was obtained? Does your Security Team consist of morons who were duped into paying for your worthless certifications? I'm guessing the answer to that question is, "Yes."

Further Reading

Attrition.org Charlatans Entry on EC Council
