The EC-Council or ‘The International Council of E-Commerce Consultants’ as they like to call themselves offer a range of different services, mostly in the field of Information Security training and certifications. One of their certifications, the Certified Ethical Hacker (CEH) claims to aspire to training ‘ethical’ hackers.
“CEHv7 provides a comprehensive ethical hacking and network security-training program to meet the standards of highly skilled security professionals.”
What I have found is the way the EC-Council promote their CEH is less than ethical and damn right unethical.
A comment left on my blog quite a while ago (2010/04/20 at 6:18 am), looked fairly authentic, however, when investigating a little further it was clear to me that the comment was in fact SPAM.
“smith said…
Hey folks, Thanks for sharing your views,article includes a very good information about the ethical hacking, the most interesting job in the field of computer security is being an ethical hacker,so i striven into the field of CEH, for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
The above comment was made from the following IP address which originates in Hyderabad, India, 202.53.11.130. The EC-Council’s India office is in the same city, http://www.eccouncil.org/contact_us.aspx. The email address left was smith.dyer@gmail.com.
After a few google searches its easy to spot the widespread use of spamming by the EC-Council to promote their Certified Ethical Hacker (CEH) certification.
“Hi , i would say you to prefer the field of CEH, i would definitely say that the most interesting job in the field of security is being an Ethical Hacker,so you are already in the networking field of Networking field from the past 14 months so prefer CEH, for more information on professional training and Certification for CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
“Thanks for an insightful post. These tips are really helpful.
Having SSID in the Google is malicious Check out this for more
http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
http://jack-mannino.blogspot.com/2010/02/issa-dc.html
“Gunter,
Thanks for sharing such a nice information, yes even i too agree that NASA needs to get these sites secure as soon as possible.insecurity is growing briskly whilst advanced technology and networks. Hackers are more comprehensive, so there is a need of CEH(Certified Ethical Hacker) for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
http://technicalinfodotnet.blogspot.com/2009/12/couple-of-nasagov-sites-hacked.html
“Great Post!
Thanks for sharing such a nice article,it highlights a lot of the issues extant today.
Obviously,insecurity is growing briskly whilst advanced technology and networks. Hackers are more comprehensive,crumble the risk as a penetration tester and even get more.
For more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
“Gunter,
Thanks for sharing such a nice information, yes even i too agree that NASA needs to get these sites secure as soon as possible.insecurity is growing briskly whilst advanced technology and networks. Hackers are more comprehensive, so there is a need of CEH(Certified Ethical Hacker) for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
http://www.feedage.com/feeds/15076503/technicalinfonet-blog
The list goes on and on, try your own Google searches, I’m certain you will find more, if you do, post them in the comments!
To me it seems more likely to be a person than a bot spamming the internet for the EC-Council as the comments are fairly unique however all have the same motive. The comments are usually left under the ‘smith’ username or a variant there of.
smith_dyer’s CNET profile is another example to the extent of the spamming, http://www.cnet.com/8705-4_1-0-2.html?username=smith_dyer
All the comments I have seen seem to be from February to May of 2010. A quote from the EC-Council’s own ‘Code of Ethics’, “Ensure ethical conduct and professional care at all times on all professional assignments without prejudice.”.
I had heard that the CEH certification has a bad reputation within the industry, I have never seen any of their material so I haven’t judged them personally before. What seems to me as blatant spamming by them puts into question their own ethics and integrity. How can a company offering such a certification be engaged in that kind of behavior, even if that behavior was only over a few months (I have no evidence to suggest it was any longer), their behavior is inexcusable.
I have emailed the EC-Council to see if they would like to pass comment, I will post their response, If I get one, in an update on this post. I’m not sure if I will get a response as they state on their website that they only reply to ‘company email addresses’ and not GMail, Yahoo, Hotmail,etc.
UPDATE 28.11.11 19:09 —
(Please note that the EC-Council blog post was changed by them however their original response can still be found in the comments section and via Google Cache.)
Jay Bavisi replied to this blog post in the comments section and on the EC-Council blog found here: http://www.eccouncil.org/blog/?p=86
UPDATE 29.11.11 02:11 —
I have spoken to Jay Bavisi on Skype about some further evidence that was given to me. He told me that he takes these matters extremely seriously and will launch an investigation as soon as possible. After speaking to Jay, it would seem to me that it was not behavior that is used by EC-Council and instead could possibly be down to some rouge individuals. Jay said he would pass further public comment once he has further evidence from his investigation, as the incidents seem to be two years old, evidence may be on the light side. I can honestly say that I found Jay to be a nice guy and believe him and his intentions.
UPDATE 29.11.11 20:00 —
Hopefully this will be my last update in this issue.
Early this morning a friend came across some evidence which directly linked the EC-Council to the SPAM left on my blog and across the Internet. With this concrete evidence, I contacted Jay Bavisi on the email address he left when he posted his comment on my blog. I told him that I had the evidence and asked if he would publicly apologize for his reply to my post. He replied within 20 minutes saying that he took this kind of behavior seriously within his organization however he saw no reason to apologize to me. I sent him the evidence.
He replied,
“Thank you for this information.
I have no reason to doubt your integrity but I would like to chat with you to explain something that I rather not write about.
If you could give me a number to call you, lets chat for 5 minutes to clear this up.”
We exchanged Skype accounts and I rang him. He explained to me that he had been made aware of the SPAM by a competitor of the EC-Council at around the same time it was being circulated (around 2 years ago). EC-Council SPAM had been left on the competitors web site and it looks as things got ugly. He told me that he thought my blog post may have been somehow related to that incident with his competitor which he named (I will not name them).
The above explains some of the oddness of his reply to my blog post.
He said that he believed it could have been a rouge employee of EC-Council from his India office. He promised me he would investigate and make a public statement within 24 hours. I gave him the benefit of the doubt and agreed. The conversation ended with me thinking he was a nice guy and a man of his word.
Around 16 hours later, I emailed Jay again, asking if he knew what time he would be posting his public statement. He replied, saying that they had been investigating all day and not come up with much evidence linking the SPAM to a specific employee (he believed one employee may have been impersonating another). He said that he may get back to me within 48 hours.
I told him that this was unacceptable, he gave me his word. A large corporation had publicly questioned my ethics after pointing out their own wrong doing. I told him that I would post the evidence I had within a few hours of his email. Up until posting this post I haven’t had a response.
A hacker group called TeaMp0isoN had leaked the r00tsecurity.org forum database last year which happened to contain the IP addresses of the users when they registered. One of those IP addresses was the same one that left the SPAM on my blog. The IP address belonged to the ‘rkvishwakarma’ username, who had registered with the ‘rajkumar@eccouncil.org’ email address, a long time employee of EC-Council.
http://www.gonullyourself.org/ezines/TeaMp0isoN/TeaMp0isoN%201.txt
Jay had told me that he thought it would unlikely that this particular employee was the culprit and he thought that it could possibly be another employee impersonating him.
I am very disappointed in the way the EC-Council have conducted themselves in this matter. I understand that there are investigations going on by others about other serious claims made about EC-Council. After this experience I have lost all faith in them. I hope Jay does make a public comment on this, I hope that it is better than how they have conducted themselves up until now, but somehow I doubt it.
I’d like to thank everyone for their support.
32 Responses
[...] (http://www.ethicalhack3r.co.uk/security/ec-council-ceh-unethical-behavior/) [...]
Ryan,
We read your comments on your blog and found your allegations to be baseless.
We ask that you post our response on your blog to ensure that both sides of the story is represented.
We wish to make a couple of points :
Firstly Our office in Hyderabad is not even a sales office. It is a back office. Global Sales teams are based in our corporate headquarters in Albuquerque and EMEA leadership teams are based in Kuala Lumpur.
Also shocking is that the post that you are complaining about was apparently in Feb and May of 2010 and that no one has written to us since then about this matter. What drew your attention to this after almost 2 years (In case you did not notice, we are coming up in Feb 2012 in three months), especially when you claim that these activities only lasted a few months ?
Was it a bitter competitor that had no other way to showcase their dwindling leadership than to trump up these baseless allegations against a rising and popular certification body ?…. or perhaps it was a pure co-incidence.
I would not even waste my time thinking that EC-Council will ever endorse such behavior.
EC-Council has grown to what it is today by acting ethically and running a sound organization and there is no need for us to resort to such tactics when there is an abundant amount of intellectual capability at EC-Council. We have 450 partners in 87 countries …..assuming it was even a training partner who did this !
Your allegations here of our teams using such tactics are not well accepted by any member of our team. These tactics are not condoned by myself or any member of our management.
While it can be difficult to rein in sales folks, especially in a global setting such as ours, this is exactly why the communication channels are so important and I wished that you would have written to us prior to posting this baseless blog.
I may argue that the fact that you have tried us without even trial in itself can be seen as a tactic to increase your web hits and limelight in an unethical matter. Any ethical person would have raised this with EC-Council prior to posting fictional theories on the web.
Since you have researched our ethical policies with a lot of depth, you could have made one call to our office in Albuqueurque.
Did you? Why not?
We have many representatives, many evangelists who believe in our approach globally, if I find any evidence of your allegation, I will be happy to reprimand any such individual immediately.
We will continue to uphold the same standards we always have, we will continue to compete with vigor, and competing certification organizations can take comfort in knowing they have a competitor who will always act ethically, keep communications open and get ahead by providing a strong product, not using “below the belt” tactics.
You will also never see EC-Council compare the products of other competitors on our website as we believe in our own innovative strength and we find it unnecessary to win by “throwing the competitor under the bus”. People are intelligent and they know what is right for them.
The fact that you mentioned in the same breath ” I had heard that the CEH certification has a bad reputation within the industry…” smells funny to me personally.
Bad reputation? Really? Is that why we are now the worlds largest advanced technical certification provider ( over 50,000 certified professionals and growing) ? …..Or is that the reason we have 450 training locations in 87 countries and that our certifications are part of the DoD 8570 directive and meet all NSA CNSS standards ? I can go on but it will sound like an EC-Council commercial.
If you has not reviewed our material, may I suggest that you do so, before you pass any hearsay.
Hearsay is not admissible in the court of law and neither is it permissible in the court of public opinion.
I trust you had an enjoyable thanksgiving holidays and wish you all the best.
Thank You,
Regards,
Jay Bavisi
President and Chief Executive Officer,
EC-Council
6330 Riverside Plaza Ln NW
Suite 210, Albuquerque
NM 87120, USA
CEH: for people too dumb to figure out nmap on their own…
BTW “Hearsay is not admissible in the court of law and neither is it permissible in the court of public opinion.” = actually anything is permissable in the court of public opinion, or would be if such a thing existed. I can just picture the scene now, “Your honour, I propose that Jay Bavisi, just made himself, and indeed the organisation he represents sound totally douche-like, and failed to realise how negative publicity can be quickly generated by behaving like a petulant child online”
“Quite correct counsel… would the jury of seasoned industry professionals and amused onlookers please disregard Mr Bavisi’s outburt. Baliff, take him down”…
Jay,
It doesn’t matter where your head office is. The point is that the IP address that spammed my blog came from the same city as one of the EC-Councils offices. It also doesn’t matter ‘when’ the spam was placed on my blog. What brought my attention to the spam comment was a comment by someone else on the same blog post, why does this matter anyway?. Of course I post blog posts to attract visitors, why does this matter?
My ‘claim’ as you put it is clearly backed by facts, why do you not address the facts that I have pointed out? Where have all those spam comments come from? They are clearly promoting EC-Council material. Bitter competition? From whom? What evidence do you have to support this?
I sent an email to two of EC-Council email addresses from my personal GMail account. Your websites states that you do not reply to free email accounts, I have not received any reply to my emails. Why should I go to the effort of ringing you? If I had and not got anywhere, would you have said that I should have written you a letter?
Why would I care if hearsay was admissible in court of law or not, I am merely stating what I have been told by the many of the Security industry, openly, on Twitter. I am entitled to express my own opinions based on the opinions of of others that I respect.
Maybe you should start by looking into and launching an investigation as to who and why the spam was left on my blog and all over the internet. How can you be so sure a member of staff hasn’t done it without even conducting an investigation. Or that a competitor has done it without conducting an investigation?
I have allowed you to reply on my blog, but you have disabled comments on yours.
> I may argue that the fact that you have tried us without even trial in itself can be seen as a tactic to increase your web hits and limelight in an unethical matter. Any ethical person would have raised this with EC-Council prior to posting fictional theories on the web.
You can (and have) said many things, but don’t try to frame the discussion to mean that anyone that does something you don’t like as ‘unethical’. It just makes you look like a step away from ligatt levels of doucheness. Ethical behaviour by CEH or not, your cert is an industry joke and isn’t worth the cornflakes box it came in.
Jay, why is your “Head Office” in an Albuquerque strip mall, when both you and your partner live overseas? Must be a very long commute, Jay.
[...] was drawn to a write up entitled “EC-Council – CEH – Unethical Behavior” by Ryan Dewhurst (@ethicalhack3r) where he discussed some rather peculiar blog spam [...]
Also, there’s EC Council spam on twitter right now.
[...] saw today on Twitter a blog post about possible unethical behavior from the EC Council (and their response). As soon as I started to read it, my (admittedly hairy) eyebrows started to [...]
[...] was drawn to a write up entitled “EC-Council – CEH – Unethical Behavior” by Ryan Dewhurst (@ethicalhack3r) where he discussed some rather peculiar blog spam patterns. I [...]
“EC-Council has grown to what it is today by acting ethically …”
We’ll take note of this as we work on http://securityerrata.org/, as one tip we received recently suggests this is false. Hopefully, we can investigate the tipster’s claims in the coming weeks.
Jay, when someone posts evidence of the claims they’re making you can no longer call those claims baseless. A baseless claim would be that the CEH is a wonderful certification. Why is this baseless? For the exact reasons you said it’s so great; 50,000 holders of a cert means that it’s too easy and the value of the cert then drops.
Also as far as I can tell there aren’t any other companies that offer certifications based in the exact city where all of the spam is originating. While I can’t make a claim without proof, it seems a little too coincidental that all the CEH spam is originating from a city with an EC-Council office.
I’d also like to argue that while you say that Ryan is being unethical in posting his blog, you’re more unethical by taking the low road and having an outburst. An ethical and reasonable response would have been a retort that didn’t try to discredit your accuser.
In the end, Jay, by having an outburst like that and not at least investigating, you’ve shown to our industry that EC-Council is in fact not ethical and cares only about saving face and throwing others under the bus. I won’t say that you’ll lose any business because all of the smart people in infosec already know to stay clear of EC-Council.
Dear Jay,
I am having to post my comment here because comments are closed on your blog. I’m not a PR expert by any stretch of the imagination, but your response is rather emotional and hence why you’ve probably done more damage to your brand than the article written by Ryan.
One could have opted to say something along the lines of:
“Ryan, thank you for bringing this issue to our attention via your blog. We do not condone or have knowingly undertaken shady marketing practices. I, as CEO am taking this matter very seriously and have launched a full investigation and will keep you updated as this progresses.”
With a simple and short response, you’ve acknowledged the issue that exists. Maintained professionalism and integrity and set expectations because things like this would obviously take some time to look into.
Outbursts tend to not work well for anyone. A great example is this, where a PR guy got into an argument with a blogger… and well… lets just say it didn’t end too well for the PR company. http://thebloggess.com/2011/10/and-then-the-pr-guy-called-me-a-fucking-bitch-i-cant-even-make-this-shit-up/
A few years back, I passed the CEH exam. It was scheduled for 2 hours, prometric-type testing.
I walked out of the exam with a high 80% pass mark in less than 12 minutes.
This was 4/5 years ago (if memory serves) I don’t know if the exam has matured much since them but I felt it was at best worthless and at worst, hugely misleading.
I have subsequently been approached by companies trying to sell me the services of the CEH qualified pen-testers. The do NOT get my business and the DO get told why.
Jay, this appears to be going “angry villager”. I think (and I could be wrong) that the overwhelming number of people that read this blog, are less than impressed with either your ‘qualification’, or indeed your ‘response’. I suspect (again, I could be wrong) that you may have been having a bad day, and trust that you will reconsider your tantrum. Ryan raises some good points (born out by evidence at least when it comes to spammage – which may or may not be coming from your organisation, but most probably is) and a mature response would be to investigate and respond accordingly. Not bitch like a douche. Still it’s your baby, and this could explain why most of the security industry (on either side of the hat equation) think CEH is a joke (apart from Greg Evans who loves it, but doesn’t actually count)… Much love and pie
Ok…Since people are talking about the worth of the certification. Let me just provide my two cents. So here is how I took this cert..Went to an authorized training partner, asked them about the cert. They said it was 25k INR and guaranteed pass. Excellent !! So there was this 4 days training where the trainer clearly had no idea what he was teaching. And then there was this exam or a joke of an exam – open book, open internet, even the trainer completed the rest of my questions. So while I had the cert, I was laughing at the circus that this cert is. This was some 1 yr back, and this is how people in India get the cert. Its a real shame that this cert is somewhat popular.
OFFICIAL EC-COUNCIL STATEMENT RE: EC-Council – CEH – Unethical Behavior: We are taking this matter very seriously. EC-Council in no way supports, condones, or permits this type of unethical behavior. At this time, there is a lack of conclusive evidence that suggests these postings were made or endorsed by EC-Council’s employees or affiliates. Due to the nature of these allegations an investigation is being conducted. Should any findings be conclusive, EC-Council will handle accordingly. EC-Council enforces and adheres to a strict Code of Conduct, and we expect our partners, affiliates and competitors to uphold the same standards.
CEH and CHFI offered by EC-COUNCIL were a big lame joke in the security industry. Most of the Infosec experts do not even recognise these 2 certificates. The trainers do not know what they are teaching. Students are given lot of exam dumps after the training to make sure they can pass the test successfully. Furthermore, students were able to discuss in the exam room, refer to various books and surfing Google while taking the exam. This is really pointless. Most of the students that took CEH and CHFI were just certified but not qualified. CEH and CHFI are just wasting of money and time. Bunch of useless craps inside .. Anyway, this is my 2 cents.
Jay, your spam is ALL OVER TWITTER, right now, as you type. (Prediction: pinned on a former/fictional employee)
To the person above me- I have heard this as well. I have also been told (have not investigated the claim yet) that this privilege is only afforded those who spring for the ‘training,’ but not hose who simply pay for the testing.
To the person above me – The exam dumps are exactly the same (90%) as the real exam. Students are required to memorize the dumps and vomit the answers out in the real test. This is completely pointless and useless. Students passed happily without knowing anything and proclaimed themselves as a hacker. In real life, they know shit.
Prediction:
** server breached and someone used it to send spam mails ?
** contractor send spam mails ?
** ghosts with random name trying to send spam mails ?
“Jay had told me that he thought it would unlikely that this particular employee was the culprit and he thought that it could possibly be another employee impersonating him.”
Yeah – looks like your employees are “adhering to a strict code of conduct” right there.
Seeing as (at the time of writing) 295 results can be found on google for the term:
“check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”
I would hardly call this isolated or likely to be a rogue employee or former employee. I seriously doubt that it could be considered to be from a rival company as there would be no point in that company bringing so much attention to a compettitor if the don’t use it to discredit them. Let’s face it, if that was the case then they certainly would not leave it nearly 2 years before doing so.
I am of the opinion that EC-Council was fully aware of this practice, and even instructed employees to do so.
We all can guess that the outcome of their enquiry will be that it was a former employee acting on ther own initiative, a rogue contractor or a misguided former employee.
Their CEH certification is a joke cert within the industry and the only use for it is as a means to get past HR and get to the people that know enough about real certifications and experience for a chance at an interview. I know of many many people that are ashamed to have this qualification, but the only reason they do is the HR hurdle it enables you to get past.
P_Budgie: Not unlike CISSP, Security+, any other certification that doesn’t require a practical, or most college degrees for that matter are all mostly to get past the HR hurdle. It’d be great if there were more certs out there both affordable, containing a practical, and attainable without even someone’s who’s done offsec for a living having to carve out a month of their life to pass it. If EC Council is spamming blogs, yeah, that does deserve a callout. Like any cert, especially one delivered by contractors, whether the cert for an individual means anything has more to do with who was doing the instructing, and whether the person actually has the background to absorb it all. I don’t think even EC Council would dispute CEH being an entry level certification. I know there are some good training providers that are partnered with them, but I’m also sure there are a lot of bootcamp pass the test mills as described above.
I have one of those CEH certs. I knew it was a joke (especially when you hold it next to a cert like a CISSP) when I took the test. I only did it because it was cheap. I always have to laugh at guys that pull out this cert as if they somehow know something. It is because these guys are just about getting your money and not much else that I decided to forego making the CEH part of my upcoming ethical hacking class. I’m going spend my class time teaching real world stuff like metasploit and wifi hacking and not waste time with CEH nonsense.
best laugh of this thread so far: “I have one of those CEH certs. I knew it was a joke (especially when you hold it next to a cert like a CISSP) when I took the test”
bu wha hahah. CISSP is only good to impress employers that don’t know dick about security and then get you more cash.
No wonder you fuckers can’t keep your networks secure. keep up the good work!
It’s not the fault of hackers, but of businesses not wanting to spend money or time on threats, instead looking for the cheapest, most minimally experienced hire.
In my opinion..they are just another example of a big company picking the pockets of people who lack the base knowledge to find this out all on their own. All wrapped in a dream of a great job ‘hacking’….if you cant figure out nmap on u own, you might as well not even get into the field…
Hello to all experts,
If CEH is not worth and if people really are interested in this field then can any of you
suggest any other institute/CERT, which is according to all of you is real/worth?
Even i am interested in this field and want to learn.yes google is there but for me institute works better.
[...] هائلة إذا ما قورنت بالإصدارات السابقة. هناك الكثير من الانتقادات لهذه الشهادة واتهامات باحتوائها على مواد [...]
Information about security tools and hacking tools http://www.securitytube-tools.net :D
[...] VCP4, MCSA, CCNA:Sec, ITIL v3 Today 05:22 AM #26 I just came across this: EC-Council – CEH – Unethical Behavior | ethicalhack3r (make sure to check out official response from Jay Bavisi in the comments) It was a last straw for [...]
Here is a thread I started on TechExams about how EC|Council stores the passwords for their forum in clear text. This is what put me over the edge…
http://www.techexams.net/forums/ec-council-ceh-chfi/74780-ec-council-portal-security-issues.html