The EC-Council or ‘The International Council of E-Commerce Consultants’ as they like to call themselves offer a range of different services, mostly in the field of Information Security training and certifications. One of their certifications, the Certified Ethical Hacker (CEH) claims to aspire to training ‘ethical’ hackers.

"CEHv7 provides a comprehensive ethical hacking and network security-training program to meet the standards of highly skilled security professionals.”

What I have found is the way the EC-Council promote their CEH is less than ethical and damn right unethical.

A comment left on my blog quite a while ago (2010/04/20 at 6:18 am), looked fairly authentic, however, when investigating a little further it was clear to me that the comment was in fact SPAM.

"smith said…
Hey folks, Thanks for sharing your views,article includes a very good information about the ethical hacking, the most interesting job in the field of computer security is being an ethical hacker,so i striven into the field of CEH, for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”

The above comment was made from the following IP address which originates in Hyderabad, India, 202.53.11.130. The EC-Council’s India office is in the same city, http://www.eccouncil.org/contact_us.aspx. The email address left was smith.dyer@gmail.com.

After a few google searches its easy to spot the widespread use of spamming by the EC-Council to promote their Certified Ethical Hacker (CEH) certification.

"Hi , i would say you to prefer the field of CEH, i would definitely say that the most interesting job in the field of security is being an Ethical Hacker,so you are already in the networking field of Networking field from the past 14 months so prefer CEH, for more information on professional training and Certification for CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”

http://itknowledgeexchange.techtarget.com/itanswers/future-prospects-of-networking-and-security-courses/

"Thanks for an insightful post. These tips are really helpful.
Having SSID in the Google is malicious Check out this for more
http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”

http://jack-mannino.blogspot.com/2010/02/issa-dc.html

"Gunter,
Thanks for sharing such a nice information, yes even i too agree that NASA needs to get these sites secure as soon as possible.insecurity is growing briskly whilst advanced technology and networks. Hackers are more comprehensive, so there is a need of CEH(Certified Ethical Hacker) for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”

http://technicalinfodotnet.blogspot.com/2009/12/couple-of-nasagov-sites-hacked.html

"Great Post!
Thanks for sharing such a nice article,it highlights a lot of the issues extant today.
Obviously,insecurity is growing briskly whilst advanced technology and networks. Hackers are more comprehensive,crumble the risk as a penetration tester and even get more.
For more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”

http://www.marikenya.com/2009/07/increased-hacking-incidents-poses-need-for-information-security-courses/

"Gunter,
Thanks for sharing such a nice information, yes even i too agree that NASA needs to get these sites secure as soon as possible.insecurity is growing briskly whilst advanced technology and networks. Hackers are more comprehensive, so there is a need of CEH(Certified Ethical Hacker) for more information on CEH check this link http://www.eccouncil.org/certification/certified_ethical_hacker.aspx”

http://www.feedage.com/feeds/15076503/technicalinfonet-blog

The list goes on and on, try your own Google searches, I’m certain you will find more, if you do, post them in the comments!

To me it seems more likely to be a person than a bot spamming the internet for the EC-Council as the comments are fairly unique however all have the same motive. The comments are usually left under the ‘smith’ username or a variant there of.

smith_dyer’s CNET profile is another example to the extent of the spamming, http://www.cnet.com/8705-4_1-0-2.html?username=smith_dyer

All the comments I have seen seem to be from February to May of 2010. A quote from the EC-Council’s own ‘Code of Ethics’, "Ensure ethical conduct and professional care at all times on all professional assignments without prejudice.”.

I had heard that the CEH certification has a bad reputation within the industry, I have never seen any of their material so I haven’t judged them personally before. What seems to me as blatant spamming by them puts into question their own ethics and integrity. How can a company offering such a certification be engaged in that kind of behavior, even if that behavior was only over a few months (I have no evidence to suggest it was any longer), their behavior is inexcusable.

I have emailed the EC-Council to see if they would like to pass comment, I will post their response, If I get one, in an update on this post. I’m not sure if I will get a response as they state on their website that they only reply to ‘company email addresses’ and not GMail, Yahoo, Hotmail,etc.

UPDATE 28.11.11 19:09 —

(Please note that the EC-Council blog post was changed by them however their original response can still be found in the comments section and via Google Cache.)

Jay Bavisi replied to this blog post in the comments section and on the EC-Council blog found here: http://www.eccouncil.org/blog/?p=86

UPDATE 29.11.11 02:11 —

I have spoken to Jay Bavisi on Skype about some further evidence that was given to me. He told me that he takes these matters extremely seriously and will launch an investigation as soon as possible. After speaking to Jay, it would seem to me that it was not behavior that is used by EC-Council and instead could possibly be down to some rouge individuals. Jay said he would pass further public comment once he has further evidence from his investigation, as the incidents seem to be two years old, evidence may be on the light side. I can honestly say that I found Jay to be a nice guy and believe him and his intentions.

UPDATE 29.11.11 20:00 —

Hopefully this will be my last update in this issue.

Early this morning a friend came across some evidence which directly linked the EC-Council to the SPAM left on my blog and across the Internet. With this concrete evidence, I contacted Jay Bavisi on the email address he left when he posted his comment on my blog. I told him that I had the evidence and asked if he would publicly apologize for his reply to my post. He replied within 20 minutes saying that he took this kind of behavior seriously within his organization however he saw no reason to apologize to me. I sent him the evidence.

He replied,

"Thank you for this information.
I have no reason to doubt your integrity but I would like to chat with you to explain something that I rather not write about.
If you could give me a number to call you, lets chat for 5 minutes to clear this up.”

We exchanged Skype accounts and I rang him. He explained to me that he had been made aware of the SPAM by a competitor of the EC-Council at around the same time it was being circulated (around 2 years ago). EC-Council SPAM had been left on the competitors web site and it looks as things got ugly. He told me that he thought my blog post may have been somehow related to that incident with his competitor which he named (I will not name them).

The above explains some of the oddness of his reply to my blog post.

He said that he believed it could have been a rouge employee of EC-Council from his India office. He promised me he would investigate and make a public statement within 24 hours. I gave him the benefit of the doubt and agreed. The conversation ended with me thinking he was a nice guy and a man of his word.

Around 16 hours later, I emailed Jay again, asking if he knew what time he would be posting his public statement. He replied, saying that they had been investigating all day and not come up with much evidence linking the SPAM to a specific employee (he believed one employee may have been impersonating another). He said that he may get back to me within 48 hours.

I told him that this was unacceptable, he gave me his word. A large corporation had publicly questioned my ethics after pointing out their own wrong doing. I told him that I would post the evidence I had within a few hours of his email. Up until posting this post I haven’t had a response.

A hacker group called TeaMp0isoN had leaked the r00tsecurity.org forum database last year which happened to contain the IP addresses of the users when they registered. One of those IP addresses was the same one that left the SPAM on my blog. The IP address belonged to the ‘rkvishwakarma’ username, who had registered with the ‘rajkumar@eccouncil.org’ email address, a long time employee of EC-Council.

http://www.gonullyourself.org/ezines/TeaMp0isoN/TeaMp0isoN%201.txt

Jay had told me that he thought it would unlikely that this particular employee was the culprit and he thought that it could possibly be another employee impersonating him.

I am very disappointed in the way the EC-Council have conducted themselves in this matter. I understand that there are investigations going on by others about other serious claims made about EC-Council. After this experience I have lost all faith in them. I hope Jay does make a public comment on this, I hope that it is better than how they have conducted themselves up until now, but somehow I doubt it.

I’d like to thank everyone for their support.

Source of The Article :- Click Here