Troubleshooting Information for Windows Logs Event IDs

This page contained some of the companies that had subscribers to www.eventid.net between 2001-2009. Due to abuse, the page content has been removed on Feb 23, 2017. If you wish to receive the content of the page prior to Feb 23, 2017, please email us at support@altairtech.ca along with a reason for this request.

The information in the page was used by Brian Krebs in one of his blog posts to imply that a vast majority of the organizations from which our subscribers come have been affected by the attack against our EvLog software between Apr 9-26 2015 and that we somehow managed to hide this "major breach" by "burying" the breach notice in our website. The security notice was posted on the EvLog homepage and kept there until March 2018. Mr. Krebs was not happy that we only had a notice; he expected a big press announcement, with the news that the vast majority of banks, universities, financial institutions, military organizations and government institutions were fully compromised by our little log analysis utility between Apr 9-15, 2015. Reading the post and its sensational claims, one may think that this could be the largest breach in history. As ridiculous as it may sound, many took his words for granted, not bothering to think about it.

As far as we know, none of the companies that were listed with subscribers has been affected. None of them reported any breach or contacted us or RSA. Most would be bound by their security policies to make a breach public. EvLog was compromised for 2 weeks in April 2015. This list was of subscribers (not EvLog users) between 2001-2009; EvLog 3 was released in 2015. The typical subscription to www.eventid.net lasts between 1 and 3 years. We built EvLog hoping that it would bring an increase in subscriptions, but that has not been the case, as most of the users of our site are only interested in the Windows event logs troubleshooting information and nothing else.

RSA sinkholed the domains used by the compromised EvLog in 2016 and had full knowledge of the owners of the IP subnets making DNS requests for these domains. In fact, the domains were used by other malware monitored by RSA before EvLog, and this is how they identified the case that they presented in their whitepaper. RSA has not shared with us any details regarding the owners of the IP subnets making calls to those domains.

RSA did not consider these attacks a major breach, and they did not release any official information to the public until the end of February 2017. In fact, it was only our website that had a notification (worded by RSA) on the product webpage. RSA asked us to sign an NDA regarding their research. They have only used the details in a whitepaper (which we were asked to review several times) at their conference in February 2017. RSA did not disclose in their whitepaper that many of the details described there were provided by us. RSA used the information related to IP addresses making requests towards the sinkholed domains to offer digital forensics professional services. Their whitepaper also ends with an RSA product that is supposed to protect users from such attacks. As far as we can tell, this attack was just an advertising opportunity for RSA, and they did not consider it a significant event worth making public at the time of the discovery.

A breach did occur, at least one organization has been compromised, and we made some mistakes, but this was not a "major breach" with the disclosure "buried" in our site, as Brian Krebs implies in his blog. He sent us a stern email (not even a "Hello") in mid February asking why the "breach" was not in the news and demanding full details (though he already had the RSA whitepaper and was given tips by the RSA researchers in order to identify our company; so much for signing NDAs with RSA, shameful, really, so there is no need to congratulate Mr. Krebs on his detective skills, RSA gave him all the information). Even so, we did intend to answer him but wanted to wait for RSA to make their whitepaper public (not willing to ruin their presentation by having a site like Krebs's posting details before the presentation). Mr. Krebs sent us an ultimatum one morning, "answer me today or else", and went on to publish his post within minutes.

By any comparison criteria, this was a very limited, narrow attack, targeting smaller companies (that would use a little monitoring freebie utility like EvLog). The proof is that there is nothing in the news except Mr. Krebs' post and the sites that copy his posts as "news".

As of April 2018, there are still no reports of any related security incident affecting the companies mentioned by Mr. Krebs as victims of our "major breach". This is proof again that in their hunt for clicks and likes, journalists like Krebs engage in sensationalized reporting without any regard for facts.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.


Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.
