Surely nobody was surprised by this? Sure, it sucks, but if you announce to the world you are the 'good guys' then of course the 'bad guys' are going to attack you. That's what bad guys do you know. If they didn't do that they wouldn't be the bad guys now would they?
The IT security certification body that runs the Certified Ethical Hacker programme has itself been hacked. The EC-Council said the same hackers who ran the DNS poisoning attack that resulted in the defacement of its website in late February had also managed to access the control panel for its website after breaking into the …
Thursday 13th March 2014 12:08 GMT Andrew Commons
Ethical Hacking <> Any Idea of Governance
They may be certified to hack you but they have no $%$^ idea how to protect you.
Cloud comes with a whole range of risks that are very difficult to address. They obviously did not employ their own 'skills' on their own Cloud provider.
Or maybe they did...which gives you a lot of confidence in their 'certified' graduates.
Thursday 13th March 2014 12:16 GMT Santa from Exeter
Thursday 13th March 2014 12:59 GMT Anonymous Coward
Re: Security primer needed?
I thought that, but then I re-read that line. You have to submit personal data during registration, but it doesn't say this is done by email; that line is just pointing out that the organisation also holds personal data and thus some concern that they've been breached.
Chances are high that the personal data was nowhere near the email stuff, so not exposed.
Thursday 13th March 2014 12:22 GMT Pascal Monett
Friday 14th March 2014 04:14 GMT Wzrd1
Re: "EC-Council uses a cloud service provider for enterprise email"
"You outsource your security to someone else = you're only as secure as they are."
You insource, your security is as good as your staff and CIO budget.
Six of one, half dozen of the other. At least with a cloud provider, there is incentive to spend more on security, as the provider would lose many clients if they failed in security.
Thursday 13th March 2014 12:41 GMT moiety
With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach.
This doesn't sound very likely. Surely with admin access they would be able to get at all the accounts.
Thursday 13th March 2014 14:50 GMT James O'Shea
Err... the operative phrase is "before the EC-Council security team was able to respond to the breach". They might have spotted the breach while it was on-going and moved fast enough to block things before all accounts could be ransacked. Remember, it takes time to download stuff. Depending on how much data was in each account, and how fast the upload speed on the site was/how fast the download speed on the hacker's side was, the hackers may have been interrupted before getting it all.
Now, exactly how big 'a small number" is, well, that's open to question. Ten? A hundred? A thousand? A 100,000? If you use Obi-wan Kenobi's point of view, a small number could be just about any number you like. Personally, if I had my data on that site (and I don't) I'd want some actual hard numbers on this. But that's me.
Thursday 13th March 2014 16:05 GMT Destroy All Monsters
Thursday 13th March 2014 16:14 GMT ElReg!comments!Pierre
Ah the "Ethical Hacker" cert...
Of course very few of the people who fail for the "Certified Ethical Hacker" scheme are hackers. Or ethical, for that matter. These guys are running a succesful scam aimed at media types and would-be bamboozzlers wishing to provide "security audit and training" services to clueless companies.
For a quick and non-exhaustive review of where the wunderschön people at the ec council come from:
No wonder they get hacked from time to time. You can either paint a big red target on your back _or_ be absolutely devoid of gorm, but not both.