Ethical hacking kits, which provide a variety of tools for penetration testing, password theft and guides to virus development, are being sold on eBay. Three hacking courses were being auctioned on Thursday, according to Tier-3, a UK-based behavioral analysis vendor.
Calling this "a serious development," Geoff Sweeney, Tier-3's CTO, noted, "It basically puts high-level hacking tools, including surreptitious trojan loaders and website-hacking utilities, into the hands of almost any internet user providing they have an eBay and PayPal account."
At least one of the courses, “Certified Ethical Hacker CEH+ v5 Training,” may be a pirated version of courseware developed and sold by the International Council of Electronic Commerce Consultants (EC-Council), a member-supported professional association headquartered in Albuquerque, N.M.
That course, which the EC-Council sells for £197, was available on eBay for £20.
"I would suspect it's piracy," Jesus Carrasco, director of business development for EC-Council, said. "I can't imagine buying courseware for £197 and starting bidding at £20."
Carrasco said that the EC-Council sells the course, which trains students in website-penetration testing and other ethical hacking skills, as a self-study option. The group also stages a five-day boot camp-style class. He said the organisation carefully forwards to the FBI the personal information of students who take its courses and pass its certification processes.
"We're strictly compliant with that," Carrasco said.
In addition to the EC-Council course, Tier-3 reported that other ethical hacking tools were available on the web auction giant.
These products, which provide a wealth of hacking utilities for "educational purposes," are bad news for organisations trying to protect their systems, said Tier-3's Sweeney.
A spokeswoman for eBay said that its policy is to not remove an item for sale if it is not illegal, and the company did not believe that selling the hacking kits was breaking any laws. The company would, however, remove copyrighted material not being sold by the copyright holder, she said.
This isn't the first time hacking aids have found their way out of underground sites and onto the mainstream internet. In April 2006 Websense warned that Russian hackers were selling do-it-yourself hacking kits for £10.