The response from the company spokesperson doesn't reflect well on the organization.
The comments are often more enlightening than the article itself:

================================================

Yeah, like I just said.

https://www.ssllabs.com/ssltest/analyze.html?d=www.eventid.net

HTTP server signature: Microsoft-IIS/6.0

Windows Server 2003 on the Internet almost two years after it became unpatchable because it went EOL. But it’s got a SHA256 cert on it so we’re good, right?

================================================

After further reading, the man himself commented on the article:

I am the owner of the site that Brian is highlighting in his blog entry. He sent me an email on Feb 9 asking for details about our security notice. I was preparing an answer, though RSA had not yet released their article and I was under NDA with them and I had to think about what can be disclosed. This morning I received another email from Brian: “contact me today or else” – I was adding more info to my response for his Feb 9 email and I did a quick check to see if RSA made their whitepaper public (it wasn’t a few days ago) when I found that Brian went ahead and published this, though I think it is still “today”. I doubt that any answer would’ve made any difference. We worked with RSA and provided a relevant part of the information in their Kingslayer whitepaper. I’ve been in contact with the author and discussed many aspects of the attack and its aftermath. We didn’t make any “deal” with RSA, they asked us to sign an NDA about their research and volunteered not to mention the company name, though anyone can easily find it by searching some of the details in their document (and this blog post is living proof). I was asked to review the whitepaper before being published and I had no problem with it – what happened, happened. If Brian did talk to the authors, he didn’t mention that we fully cooperated with RSA and did all that’s been asked from us (but that would’ve been against the spirit of this blog post). The notification on the site is what RSA recommended.

We don’t keep a list of EvLog users, anyone can download it. It is easy for a bank, for a social site, etc. to identify their users. Not so easy when your software is free to download. How many of us are using Linux and when is the last direct email that we received about a security problem with it? Other software is mentioned in the blog as “potentially” compromised. It was not compromised – is there a notification? No. This was an attack strictly directed at EvLog from what RSA estimated to be a state-sponsored threat actor. Of course we were not perfect in handling this. In hindsight it is much easier to criticize. Should we now start plastering our sites with pop-ups about EvLog being the victim of an attack in 2015? Brian thinks that unless you do this, you are trying to “bury” an attack. Maybe he is right, maybe not. I don’t see any notices on Yahoo’s main page, on Target, on government sites, etc. RSA itself was breached – can anyone navigate to a security notice from their main page? Unless you heard about it and Google it you cannot find any notification. Is there a complaint about this? On our site, the security notice is surely not buried. It is on the EvLog home page with an IMPORTANT label next to it. We didn’t have to do this. Whoever feels like throwing the first stone, good for you, you are a better company. We are still learning from our mistakes.

On Wed, Feb 22, 2017 at 9:24 AM, Micheal Espinola Jr <[email protected]> wrote:
> Eye-openingly scary.
>
> --
> Espi
>
>
> On Tue, Feb 21, 2017 at 10:37 PM, Kurt Buff <[email protected]> wrote:
>
>> https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/
>>
>
>

