The hacker who slipped Edward Snowden’s passport photo and a dash of sneering onto a ethical-hacking certificate issuer’s site in February accomplished quite a bit more, it turns out.
As the company EC-Council (ECC) said in a notice to customers on Wednesday, beyond DNS poisoning, the hacker also managed to issue a password-reset to the council’s email service provider while the domain was still in his grasp and to maybe even poke his nose into some customers’ email accounts.
The EC-Council’s ongoing investigation has found that while the hacker had administrative access to its enterprise email – which it stores with a cloud service provider that it didn’t name – he was able to compromise about 2% of the council’s customer email accounts before its security team managed to wrest back control.
From the notice:
EC-Council uses a cloud service provider for enterprise email. Once the domain privilege was attained, the hacker then issued a password reset request to the email service provider. This circumvented EC-Council's best practices of using complex passwords and 2-factor authentication.
We have informed the service provider of this password reset policy vulnerability and are hopeful that they have already rectified it for the benefit of the IT community in general.
With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach. This resulted in unauthorized access to messages in those specific email boxes for a short duration of time.
So much for the EC-Council’s best-practices of using complex passwords and two-factor authentication (2FA).
Of course, Naked Security gives a hearty ‘yes indeedy’ to the concept of complex passwords -strong and unique for each service and website you use – and we consider it so important that it rates at No. 3 on our list of 3 essential security tasks.
At any rate, EC-Council says it’s transferred its domain to another registrar, changed policies on management of personal information, improved existing data retention policies, introduced 2FA for member portals, improved security procedures and systems, and plans to keep doing so in the weeks and months to come.
The hacker signed his taunting message as “Eugene Belford”, a name cribbed from the evil computing genius character in the movie “Hackers”, also known as “The Plague”.
In the defacement, he poked fun of the EC-Council for reusing passwords.
He also left a link to an attrition.org page that lists a number of prior vulnerabilities, a previous hack, and criticism of the organisation from the education and information security professions, including “taking shortcuts usually reserved for students, by plagiarizing content from other sources and including it in their commercial offerings.”
The council, which issues a slew of certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI), and License Penetration Tester (LPT), hasn’t figured out if data was compromised in the exposed accounts.
If data was compromised, it would have been from those email accounts whose users sent personally identifiable information to EC-Council via email.
No credit card data was exposed, the council said.
It’s warning customers to stay alert for unauthorized use of anything they’ve shared with the council and to let the EC-Council know if they do find suspicious activity.