The website for EC-Council, an “International Council of E-Commerce Consultants,” was defaced on Sunday evening. The hacker, who went by Eugene Belford (named for the “thieving evil computer genius” from the movie Hackers) also claimed to have found “thousands of passports belonging to LE [Law Enforcement] (and .mil) officials” in the process of breaking into the site.

Eugene Belford wrote on the EC-Council homepage, “Defaced again? Yep, good job reusing your passwords morons jack67834#”. With respect to the claim that passport and other information was stolen, the hacker posted a photo of Edward Snowden's passport, along with an e-mail from him to the council from 2010.

EC-Council has long been an administrator of information security certification, and the organization's training programs are sometimes used by employers to get employees up to speed on certain skills. Some of EC-Council's certification programs include Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI), and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT).

Read 4 remaining paragraphs | Comments


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Yes, my social security number was on display to everyone I handed my college ID card to. I was young and stupid.

Through my tenure as a student at the University of Maryland from 2000 to 2004, my social security number also doubled as my student identification number. I'd use this number and a password whenever I logged into the college's online management system, Testudo, which I did for everything from course selection and monitoring grades to signing up for basketball tickets. (Go Terps! 2002 National Champs whooo!) I vaguely recall having the option to change my student ID number to something else, but neither I nor anyone I knew ever went to the trouble of doing so.

This state of affairs comes to my mind at the moment because of an e-mail I got earlier this week telling me that my alma mater "was the victim of a sophisticated computer security attack that exposed records containing personal information." My name, social security number, and birthday are likely part of a cache of nearly 310,000 leaked records belonging to students and staffers going back to 1998.

After reading the e-mail, I immediately reverted to journalist mode; surely a security breach of over 300,000 computerized student records was the kind of story that would be relevant to the readers of this site. When I consulted with Ars Security Editor Dan Goodin on how to cover it, though, the response was pretty lukewarm.

Read 8 remaining paragraphs | Comments



Healthcare Information Security: Still No Respect
When I first was introduced to the infosec subculture in the1990s, there seemed to be very few of us in healthcare provider organizations with official security roles. And we were mostly "stuckees" who just fell into the job. (You know, someone in ...

and more »

Posted by InfoSec News on Feb 23


By William Knowles
Senior Editor
InfoSec News
February 23, 2014

Today's defacement of the EC-Council (the second time this weekend) by
Eugene Belford (a.k.a. The Plague) threatens the compromise of the 60,000+
security professionals who currently hold CEH certifications.

Individuals who have achieved EC-Council certifications include the US
Army, the FBI,...
Microsoft on Sunday publicly acknowledged what leaks had shown, that the company will issue an update to Windows 8.1 this spring that provides more tools for owners of traditional PCs controlled by mouse and keyboard.
Mozilla and China-based chip maker Spreadtrum Sunday unveiled a chipset designed for $25 smartphones running the open source Firefox operating system.
After months of waiting, some of the first 64-bit tablets with Windows 8.1 and Intel's Bay Trail chips were announced by Hewlett-Packard.
Hewlett-Packard's latest Pavilion X360 hybrid will offer the design flexibility to be used as a tablet, laptop or "couch potato" device.
Lenovo's first Yoga tablet, introduced late last year, met with bad reviews, so the company hopes the second time's a charm with the Yoga Tablet 10 HD+.
Lenovo's S-series smartphones announced at Mobile World Congress have screen sizes from 4.7 inches to 5.3 inches, but none of them have LTE.
Comcast and Netflix have agreed to a multiyear deal that will speed streams from the video service to Comcast's U.S. broadband customers.

Friday Apple released an update to IOS, to versions 7.0.6 and 6.16, to fix an SSL Authentication flaw.  Indication is that this flaw is easily exploitable, so this update should be applied as soon as practical.  Apple has also indicated that this flaw also appears in OS X and that a patch is "coming soon".  In the meantime be careful where you browse with your OS X based machines.

Adam Langley at the ImperialViolet blog has created a test page to help you determine if your browser is vulnerable to this attack.  If you can load content from the test page you are at risk, an error indicates you should be ok.

 On my two OS X based machines with current versions of Firefox, Chrome and Safari, only Safari displayed the vulnerability. Both Chrome and Firefox appeared to be ok. Below is the Firefox output.

Chrome just displayed its "This webpage is not available" error.

Researchers have determined that the flaw is caused by an errant goto statement.  I realize that, although progress has been made, effective code review, code coverage,  and code regression process and tools continue to challenge software development, but this seems like an easy one to catch.


-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft will soon offer an update to its Windows Phone operating system that will bring a number of new features targeted at enterprise users.
Smartphone OS entrants hoping to chip away at the dominance of Android and iOS are heading to Barcelona for Mobile World Congress, facing a landscape that has changed since last year's show.
Samsung will soon put on sale two new smartwatches, the Gear 2 and the Gear 2 Neo, which both run its Tizen operating system instead of Android.
Internet Storm Center Infocon Status