“The Plague” returns to deface EC Council website

Update 3: 

The previous updates are below. After arriving in San Francisco for the RSA Conference, I thought I’d check-up on the EC-Council’s website. Not only is the defacement (DNS Redirect) still active, there is a new message. 

“Defaced again? Yep, good job reusing your passwords morons jack67834# 

owned by certified unethical software security professional

Obligatory link: http://attrition.org/errata/charlatan/ec-council/

-Eugene Belford

P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”

The EC-Council has remained silent so far, but the fact that they reused passwords while recovering from a security breach is troubling. Is this what they teach students? Also, what of the claims that the attacker has accessed sensitive and personal information? 

On Saturday, someone defaced the EC-Council’s website.

The defacement shows Edward Snowden’s passport, as well as a letter he sent to the organization in 2010, requesting an exam code to sit the C|EH (Certified Ethical Hacker) test.

Below the passport photo is a letter signed by John Niescier, the Information Security Officer at the DSRJ, who certified that Snowden – a former NSA contractor responsible for what’s arguably the largest leak of classified documents in history – had at least five years of InfoSec experience.

The defacement itself was signed by Eugene Belford (a.k.a. The Plague), a character from the movie “Hackers“ that is remembered as the evil corporate security officer who works for the Ellingson Mineral Company, home of “The Gibson” itself.

“…owned by certified unethical software security professional

-Eugene Belford”

The reasoning behind the defacement remains unknown.

The EC-Council has certified more than 60,000 security professionals; more than 13,000 of them hold a C|EH. However, since the organization’s founding in 2003, they have faced a wide variety of criticism from educators and security practitioners.

According to Attrition.org:

“The company not only runs an extensive certification program, they also operate a virtual university. This has not stopped them from taking shortcuts usually reserved for students, by plagiarizing content from other sources and including it in their commercial offerings.”

In 2012, while I was writing for SecurityWeek, I reported on the internal politics at the EC-Council, including the fact that they were investigating reports of embezzling by one of their own.

In 2013, the EC-Council website was found to be vulnerable to various methods of attack, including Cross-Site Scripting (XSS), and configuration errors allowed an outsider access to various internal documentation.

As of 11:00 p.m. EST on Saturday, February 22, the site remains defaced, and the Google cache of the domain hosts the defacement.

See larger image.

Header image: (C) 1995 United Artists

Update:

The defacement looks to be a DNS redirect.

93.174.88.0/21 is on AS 29073 owned by Ecatel Network in the UK. Hoster of such wonderful domains as ra.pe and https://t.co/SCXIaAXkvq

— Andrew Hay (@andrewsmhay) February 23, 2014

So eccouncil[dot]org used to be hosted on 66.111.3.186 (TTL: 3600)…as of 2/24/14 93.174.95.82 (TTL: 86400) answers

— Andrew Hay (@andrewsmhay) February 23, 2014

According to another Twitter post, that IP address has an interesting history.

Update 2:

More information on the EC-Council defacement. The IP address that is controlling the DNS for the domain was used earlier this month in an attack on a Flash-based game called Realm of the Mad God. In that attack, the game’s primary domain was being directed to a server that was pushing malware. [VirusTotal Report]