Ethical hacker backer hacked, warns of email ransack

The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked. The EC-Council said the same hackers who ran the DNS poisoning attack that resulted in the defacement of its website in late February had also managed to access the control panel for its website after breaking into the …

COMMENTS

This topic is closed for new posts.
  1. Don Jefe
    Happy

    Surely nobody was surprised by this? Sure, it sucks, but if you announce to the world you are the 'good guys' then of course the 'bad guys' are going to attack you. That's what bad guys do you know. If they didn't do that they wouldn't be the bad guys now would they?

  2. Andrew Commons

    Ethical Hacking <> Any Idea of Governance

    Amusing.

    They may be certified to hack you but they have no $%$^ idea how to protect you.

    Cloud comes with a whole range of risks that are very difficult to address. They obviously did not employ their own 'skills' on their own Cloud provider.

    Or maybe they did...which gives you a lot of confidence in their 'certified' graduates.

  3. Santa from Exeter
    FAIL

    Security primer needed?

    "The organisation – whose tagline is Hackers are here. Where are you? – asks members to submit sensitive data such as passport details as part of its registration process"

    By e-mail? How secure - not!

    1. Anonymous Coward

      Re: Security primer needed?

      I thought that, but then I re-read that line. You have to submit personal data during registration, but it doesn't say this is done by email; that line is just pointing out that the organisation also holds personal data and thus some concern that they've been breached.

      Chances are high that the personal data was nowhere near the email stuff, so not exposed.

  4. Pascal Monett Silver badge
    FAIL

    "EC-Council uses a cloud service provider for enterprise email"

    What could possibly go wrong?

    Well, this. You outsource your security to someone else = you're only as secure as they are.

    Brilliant demonstration.

    1. Captain DaFt

      Re: "EC-Council uses a cloud service provider for enterprise email"

      Well actually, when you outsource your security to someone else, you're only as secure as the lowest bidder that they outsourced the job to.

    2. Wzrd1

      Re: "EC-Council uses a cloud service provider for enterprise email"

      "You outsource your security to someone else = you're only as secure as they are."

      You insource, your security is as good as your staff and CIO budget.

      Six of one, half dozen of the other. At least with a cloud provider, there is incentive to spend more on security, as the provider would lose many clients if they failed in security.

  5. moiety

    With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach.

    This doesn't sound very likely. Surely with admin access they would be able to get at all the accounts.

    1. James O'Shea

      Err... the operative phrase is "before the EC-Council security team was able to respond to the breach". They might have spotted the breach while it was on-going and moved fast enough to block things before all accounts could be ransacked. Remember, it takes time to download stuff. Depending on how much data was in each account, and how fast the upload speed on the site was/how fast the download speed on the hacker's side was, the hackers may have been interrupted before getting it all.

      Now, exactly how big 'a small number' is, well, that's open to question. Ten? A hundred? A thousand? A 100,000? If you use Obi-wan Kenobi's point of view, a small number could be just about any number you like. Personally, if I had my data on that site (and I don't) I'd want some actual hard numbers on this. But that's me.

  6. mIRCat
    Mushroom

    The pool on the roof must have a leak.

    Mess with the best, die lik... What? We've been hacked? My that is embarrassing.

    It does beg the question why they wouldn't have kept their online presence more... in house?

  7. Destroy All Monsters Silver badge
    Windows

    "EC-Council strives to set a very high bar"

    FUCK! Can't reach the drinks from down here.

    It's hard being a midget.

    Could someone please ... give me a little push?

    1. Captain DaFt

      Re: "EC-Council strives to set a very high bar"

      Well, they needed a high bar so that they could reach the drinks whilst perched on their high horses.

  8. ElReg!comments!Pierre Silver badge

    Ah the "Ethical Hacker" cert...

    Of course very few of the people who fail for the "Certified Ethical Hacker" scheme are hackers. Or ethical, for that matter. These guys are running a successful scam aimed at media types and would-be bamboozlers wishing to provide "security audit and training" services to clueless companies.

    For a quick and non-exhaustive review of where the wunderschön people at the ec council come from:

    http://attrition.org/errata/charlatan/ec-council/

    https://s.arciszewski.me/blog/2014/02/ec-council-incident-response

    No wonder they get hacked from time to time. You can either paint a big red target on your back _or_ be absolutely devoid of gorm, but not both.

  9. Mike Moyle Silver badge

    Requisite Monty Python reference is attached

    Those responsible for hacking the people who have just been hacking have been hacked.


Biting the hand that feeds IT © 1998–2019