By William Knowles @c4i
March 12, 2013
We have been following the compromise, Web defacement, and subsequent silence of EC-Council for a couple of weeks now. On February 22nd the Albuquerque, NM-based EC-Council Web site was broken into and defaced three separate times. If you hold a certification from EC-Council your confidential information is rumored to have been stolen during this period.
After the EC-Council administrators wrested back control of their site the first time, a known password was used to deface the Web site again. The second defacement showed the mail from Edward Snowden’s Yokota Air Base email address requesting an exam code, along with a copy of his U.S. Passport and a letter signed by John A. Niescier, an Information Security Officer with the Department of Defense Special Representative, Japan.
All told, the website was compromised three times in a single week.
Conspiracy rumors abound about who attacked the EC-Council Web site. Foreign training companies, Secret Squirrels, The Chinese, The Russians, Non-state actors were all considered possible suspects. However, the folks at r000t’s blag did some digging and their conclusions provide pretty damning evidence identifying the likely culprit.
Since the attack, EC-Council has kept a very low profile, InfoSec News has reached out several times to Founder Jay Bavisi for a comment, but the attempts have fallen on deaf ears. Now nearly three weeks later, the EC-Council finally commented on the attack.
InfoSec News asked Mark Bernheimer, Former CNN correspondent and founder of MediaWorks Resource Group, a media training and consulting firm, for his insight into what the EC-Council should be doing.
“If there’s even an appearance that a Web site has been hacked, particularly a security company’s site, the only way to manage the crisis is to address the issue candidly and immediately.”
“Once a website has been hacked, and user data potentially compromised, it is too late to change that reality. The company can only manage the crisis through a careful, responsive public relations strategy. Ignoring inquiries isn’t the ideal approach.”
“A data breach –or even the perception of a data breach– demands an immediate, proactive PR strategy on the part of the victimized company. Get all the bad news out immediately, rather than encouraging rumor and speculation. This is the approach Target undertook after it suffered its own breach late last year.”