Yep. As much as I have used eventid.net for a lot of my troubleshooting, this episode has soured me on the idea that I could use his software...

Kurt

On Wed, Feb 22, 2017 at 11:19 AM, Micheal Espinola Jr <[email protected]> wrote:

> Maybe he is right, maybe not.
>
> ...
>
> It is on the EvLog home page with an IMPORTANT label next to it.
>
> I almost expected him to finish up with, "bfytw".
>
> --
> Espi
>
> On Wed, Feb 22, 2017 at 10:56 AM, Sean Martin <[email protected]> wrote:
>
>> The response from the company spokesperson doesn't reflect well on the organization.
>>
>> The comments are often more enlightening than the article itself:
>>
>> ================================================
>> Yeah, like I just said.
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.eventid.net
>>
>> HTTP server signature Microsoft-IIS/6.0
>>
>> Windows Server 2003 on the Internet almost two years after it became unpatchable because it went EOL.
>>
>> But it’s got a SHA256 cert on it so we’re good, right?
>>
>> ================================================
>>
>> After further reading, the man himself commented on the article:
>>
>> I am the owner of the site that Brian is highlighting in his blog entry. He sent me an email on Feb 9 asking for details about our security notice. I was preparing an answer, though RSA had not yet released their article and I was under NDA with them and I had to think about what can be disclosed. This morning I received another email from Brian: “contact me today or else” – I was adding more info to my response for his Feb 9 email and I did a quick check to see if RSA made their whitepaper public (it wasn’t a few days ago) when I found that Brian went ahead and published this, though I think it is still “today”. I doubt that any answer would’ve made any difference.
>>
>> We worked with RSA and provided a relevant part of the information in their Kingslayer whitepaper. I’ve been in contact with the author and discussed many aspects of the attack and its aftermath. We didn’t make any “deal” with RSA, they asked us to sign an NDA about their research and volunteered not to mention the company name though anyone can easily find it by searching some of the details in their document (and this blog post is living proof). I was asked to review the whitepaper before being published and I had no problem with it – what happened, happened. If Brian did talk to the authors, he didn’t mention that we fully cooperated with RSA and did all that’s been asked from us (but that would’ve been against the spirit of this blog post). The notification on the site is what RSA recommended. We don’t keep a list of EvLog users, anyone can download it. It is easy for a bank, for a social site, etc. to identify their users. Not so easy when your software is free to download. How many of us are using Linux and when is the last direct email that we received about a security problem with it?
>>
>> Other software is mentioned in the blog as “potentially” compromised. It was not compromised – is there a notification? No. This was an attack strictly directed at EvLog from what RSA estimated to be a state-sponsored threat actor.
>>
>> Of course we were not perfect in handling this. In hindsight it is much easier to criticize. Should we now start plastering our sites with pop-ups about EvLog being the victim of an attack in 2015? Brian thinks that unless you do this, you are trying to “bury” an attack. Maybe he is right, maybe not. I don’t see any notices on Yahoo’s main page, on Target, on government sites, etc. RSA itself was breached – can anyone navigate to a security notice from their main page? Unless you heard about it and Google it you cannot find any notification. Is there a complaint about this? On our site, the security notice is surely not buried. It is on the EvLog home page with an IMPORTANT label next to it. We didn’t have to do this.
>>
>> Whoever feels like throwing the first stone, good for you, you are a better company. We are still learning from our mistakes.
>>
>> On Wed, Feb 22, 2017 at 9:24 AM, Micheal Espinola Jr <[email protected]> wrote:
>>
>>> Eye-openingly scary.
>>>
>>> --
>>> Espi
>>>
>>> On Tue, Feb 21, 2017 at 10:37 PM, Kurt Buff <[email protected]> wrote:
>>>
>>>> https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/

