> > Maybe he is right, maybe not.
> > ...
> > It is on the EvLog home page with an IMPORTANT label next to it.

I almost expected him to finish up with, "bfytw".

--
Espi

On Wed, Feb 22, 2017 at 10:56 AM, Sean Martin <[email protected]> wrote:
> The response from the company spokesperson doesn't reflect well on the
> organization.
>
> The comments are often more enlightening than the article itself:
>
> ================================================
> Yeah, like I just said.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.eventid.net
>
> HTTP server signature Microsoft-IIS/6.0
>
> Windows Server 2003 on the Internet almost two years after it became
> unpatchable because it went EOL.
>
> But it’s got a SHA256 cert on it so we’re good, right?
>
> ================================================
>
> After further reading, the man himself commented on the article:
>
> I am the owner of the site that Brian is highlighting in his blog entry. He sent me an email on Feb 9 asking for details about our security notice. I was preparing an answer, though RSA had not yet released their article and I was under NDA with them and I had to think about what can be disclosed. This morning I received another email from Brian: “contact me today or else” – I was adding more info to my response for his Feb 9 email and I did a quick check to see if RSA made their whitepaper public (it wasn’t a few days ago) when I found that Brian went ahead and published this, though I think it is still “today”. I doubt that any answer would’ve made any difference.
>
> We worked with RSA and provided a relevant part of the information in their Kingslayer whitepaper. I’ve been in contact with the author and discussed many aspects of the attack and its aftermath. We didn’t make any “deal” with RSA, they asked us to sign an NDA about their research and volunteered not to mention the company name though anyone can easily find it by searching some of the details in their document (and this blog post is living proof). I was asked to review the whitepaper before being published and I had no problem with it – what happened, happened. If Brian did talk to the authors, he didn’t mention that we fully cooperated with RSA and did all that’s been asked from us (but that would’ve been against the spirit of this blog post). The notification on the site is what RSA recommended. We don’t keep a list of EvLog users, anyone can download it. It is easy for a bank, for a social site, etc. to identify their users. Not so easy when your software is free to download. How many of us are using Linux and when is the last direct email that we received about a security problem with it?
>
> Other software is mentioned in the blog as “potentially” compromised. It was not compromised – is there a notification? No. This was an attack strictly directed at EvLog from what RSA estimated to be a state-sponsored threat actor.
>
> Of course we were not perfect in handling this. In hindsight it is much easier to criticize. Should we now start plastering our sites with pop-ups about EvLog being the victim of an attack in 2015? Brian thinks that unless you do this, you are trying to “bury” an attack. Maybe he is right, maybe not. I don’t see any notices on Yahoo’s main page, on Target, on government sites, etc. RSA itself was breached – can anyone navigate to a security notice from their main page? Unless you heard about it and Google it you cannot find any notification. Is there a complaint about this? On our site, the security notice is surely not buried. It is on the EvLog home page with an IMPORTANT label next to it. We didn’t have to do this.
>
> Whoever feels like throwing the first stone, good for you, you are a better company. We are still learning from our mistakes.
>
> On Wed, Feb 22, 2017 at 9:24 AM, Micheal Espinola Jr <[email protected]> wrote:
>
>> Eye-openingly scary.
>>
>> --
>> Espi
>>
>> On Tue, Feb 21, 2017 at 10:37 PM, Kurt Buff <[email protected]> wrote:
>>
>>> https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/

