Tuesday, March 29, 2016

Open letter to EC Council

Dear EC Council,

Your website is hacked.  Your website has been hacked - for a long time.  Way too long for any "security" training/accreditation company.  You probably know I have a generally low opinion of your CEH and CHFI certifications, but please don't let that stand between us.

Your handling of the security of your website is hurting our industry.  If a professional licensing board for doctors were giving bogus prescriptions from their website for weeks, it would hurt doctors.  Same thing for any professional group.

In the infosec profession, we started first by laughing at your misfortune of being hacked (again).  It is sort of ironic when a security company gets hit - and even more ironic when the incident response sucks.  Then some of us started a pool as to how long it would take before you cleaned the site.  But now, most of us have just given up hope that you'll actually do something.

This is no longer funny.  To that end, I'd like you to know that I can no longer stand idly by while you continue to serve malware from your website.  Instead of continuing to laugh at you (which is tempting), Rendition Infosec is offering our assistance, free of charge, to help you clean your web server and stop serving malware.  We can even help you investigate the original breach if you actually desire to do so.

Please seriously consider this offer.  If you don't want us, for goodness' sake, get help from someone.
You are making our industry look bad.  Period.  If you let Rendition clean your server, I promise not to joke about CEH for at least a month.  It will be hard, but I can do it.

Sincerely,
Jake Williams
Founder, Rendition Infosec

6 comments:

  1. Jake,

    If you try to shift your perception towards how the EC Council responsible person (if any such person exists) you probably agree that

    - getting your biz website pwned is not fun

    - having people laugh at you is not much fun either

    - taking into consideration to make use of the offered free support from someone laughing at you and calling you a hurt to the ITSec industry is probably more than unlikely

    The industry is not only looking bad because of a certification vendor being unable to cope properly with their website pwned and pwning its visitors, it's looking bad because

    - snakeoil and the eternal promise of silver bullets

    - they sell hammers so all problems naturally can only be nails

    - arrogance and ignorance of partners' or competitors' problems

    - little to none of the vendors drink their own medicine / practice what they preach

    - lack of respect and ignorance of the hacker spirit to help each other learn by explaining and understanding stuff

    So with all due respect, I am not sure what is worse, vendors such as EC or staminus getting their pants pulled down in public, or what I appear to be witnessing here, making use of the fact to draw attention to your business.

    This practice is something I have seen Michael O'Leary from Ryanair apply very successfully; he would rather get press because of a scandal than pay for ads.

    If the ITSec community wants to make the world a safer place, we probably are best advised to take Schadenfreude off the list of how we respond to ITSec Industries incidents.

    As the professional that I assume you are, you know that a motivated adversary with a proper skillset, solid toolbox and enough time on hand can get any website / server pwned.

    I agree that the handling of the incident by EC Council was poor - but maybe they are just a small hut selling pieces of paper that people can get after ticking boxes in a test about stuff from a book they read to convince some HR that they are fit for a job?

    1. I'm not going to address your snake oil and silver bullets comments. It has nothing to do with the EC Council issue and if you read the blog regularly, you know I feel largely the same way.

      As for the EC Council letter, you don't see me with an open letter to anyone else that's been breached, in IT security or not. EC Council have already been accused by many of being charlatans in our industry (check out attrition.org). The problem I have here more than anything else is that EC Council holds themselves out as security experts. You couldn't possibly certify anyone as a security expert without yourself first being a security expert. If you're a security expert, your site doesn't get popped and serve malware for weeks. I saw jokes about the site serving malware from Twitter (with them explicitly tagged) more than a week ago. The lack of any response is inexcusable and tarnishes our industry.

      Honestly, I wish EC Council would just fade away and become a footnote in the history of security certifications. But since that's not going to happen, we as an industry need to police our own. We can't possibly get others to respond seriously to security challenges if we can't call out stupid when we see it.

      The CEH exam costs $500. There is an obscene number of people with this cert worldwide. US DoD alone funds more than 10k exams/year for its personnel. Even if EC Council only gets $100/exam, that's $1 million from DoD alone, not counting training, material licensing, etc. I just can't feel bad for an organization that fleeces that much money from our industry and can't do an incident response.

      I feel bad for those who get hacked and can't mount an effective response due to lack of funds. EC Council simply isn't in that position. They are charlatans, a scourge on our industry, and just don't care.

    2. They deserve every bit of ire they are getting. They have known for months their website is vulnerable. I know because I and many others personally reported this to EC Council employees but were ignored. I have no problem with the public shaming they are getting right now. Their handling of this isn't just poor, it's appalling. Most of your comment has nothing to do with EC Council so I'll just ignore it as an off topic rant.

  2. well, it is not the first security certification website being pwned: http://pwnedwebsites.com/pwned.php?start=25

  3. This comment has been removed by the author.

  4. I've used Kaspersky anti-virus for a couple of years, and I would recommend this solution to you all.
