Sophos Cloud Optix
The website for EC-Council, a US-based issuer of security certifications, was defaced over the weekend with Edward Snowden’s passport, an email from Snowden to the council dated 2010, and a message jeering at the council and its purported habits of password reuse.
The message:
Defaced again? Yep, good job reusing your passwords morons jack67834#
owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/
-Eugene Belford
P.S It seems like lots of you are missing the point here, I'm sitting on thousands of passports belonging to LE (and .mil) officials
The attacker’s or attackers’ sign-off name, Eugene Belford, is that of the evil computing genius in the movie “Hackers”, also known as “The Plague”.
The council issues a host of certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI), and License Penetration Tester (LPT).
“Eugene Belford” apparently doesn’t think very highly of those certifications.
The attacker left a link to an attrition.org page that lists a number of prior vulnerabilities, a previous hack, and criticism of the organisation from the education and information security professions, including “taking shortcuts usually reserved for students, by plagiarizing content from other sources and including it in their commercial offerings.”
Fighting the urge to say this was deserved. EC council is yet another cert. mill looking at profit and not progress.
The DNS poisoning attack was initiated not on the EC-Council servers, but rather on the the ICANN Accredited DNS Registrar that held the registry of the domain. Law enforcement around the world need to take a closer look at how DNS works and understand that relying on 3rd parties to manage DNS can be a hazard. Granted that EC-Council needs to do some work to be more secure, how does that differ from the millions of other companies and websites live on the Internet? 100% Security does NOT exist and all companies and security professionals strive towards that elusive goal.
Following this attack, EC-Council will be the better off it and will improve its security posture, however, this sort of attack also raises the question, that maybe (as explained in the certifications of C|EH and C|HFI) defence in-depth should also include 3rd party partnerships? ICANN also needs to be audited so that other companies and websites can be rest assured that this sort of attack can be avoided. Therefore, lets not just point fingers and blame and say profit over progress! Security should be a collaborative effort with ALL parties and lets all strive towards this!