
How to Bury a Major Breach Notification


tao


Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that.

 

Please read details at:

 

Ref:  < https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/ >

 

3 hours ago, adi said:

Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest companies. Incredibly, the report did not name the affected software, and the vendor in question has apparently chosen to bury its breach disclosure. This post is an attempt to remedy that.

 

Please read details at:

 

Ref:  < https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/ >

 

 

If you read the article, and the company's response, and the comments and responses to the comments (you have to read it all to get a full understanding), then you might well believe that the article is unnecessary drama. There are some good points in the response and comments concerning other breaches, such as Yahoo, where one response notes they didn't announce any of the breaches on their site at the time and one comment stated that they put an announcement on their login page. So if you didn't have an account and login, you had no notice of the breaches. Is that burying the fact that they had the breach any more than EVlog is accused of burying theirs because they at least posted a security notification (with the word notification misspelled)? Other information that is being trounced on, such as their list of users/companies, etc., is no worse than any other site. How many sites with 'security' software or 'cleaning' software have all these logos from websites and organizations claiming to state how good their software is and in many cases even listing organizations that use it? And how accurate or up to date is that data? It isn't. There have been cases where a website, for example PCMag, tested a software package 10 years ago and gave it a good rating, maybe even Editor's Choice (EC), and has since said it was junk, but the software page still lists the PCMag EC logo. And there may be a list of companies who bought the software, but in reality none of them use it any more. You have to take all this information in perspective, and just because the information was released at RSA, doesn't mean it was any more important or accurate. Security conferences typically have a lot of information on security breaches, that is why they exist, and some of them become overly dramatic.



52 minutes ago, straycat19 said:

... You have to take all this information in perspective, and just because the information was released at RSA, doesn't mean it was any more important or accurate. Security conferences typically have a lot of information on security breaches, that is why they exist, and some of them become overly dramatic.

Yes, of course.  All information must be taken in perspective; and all information must be taken with a pinch (or a bucket) of salt.  And overly-dramatic drama is everywhere, it seems, especially on the iNet.   ^_^



Archived

This topic is now archived and is closed to further replies.
