Williams, who now runs his own outfit, Rendition Infosec, said to start with SolarWinds had claimed that the breach timeline was limited to the March-June period.
I am really unhappy with SolarWinds’ SEC filing about their breach. Let me explain why.— Jake Williams (@MalwareJake) December 15, 2020
First, they claim (without any details released to their customers either) that the breach timeline was limited to Mar-Jun 2020. 1/https://t.co/c2ihZnO7iA pic.twitter.com/NzdmDcHxpA
As iTWire reported, this morning other researchers have pointed out that SolarWinds' FTP credentials were being leaked on GitHub in November 2019 and the company was yet to remove the compromised binary from its own website.
Said Williams: "I’m not saying they’re wrong. I understand the document is geared to regulators and investors. I’m just saying they’re making a statement on which security folks are basing decisions.
"They need to explain how they are limiting to this timeframe. Show your work. Anything less is valuing share price over customer safety."
Williams, once part of the now disbanded Tailored Access Operations unit at the NSA, America's premier spook agency, said he had spoken to a few organisations who were thinking of staying put because of this specific timeframe declaration.
"Clarity is needed," he insisted. "This smells to me like 'no specific evidence of any other dates where compromise is known'.
Williams said he was also concerned that SolarWinds was calling the incident a vulnerability, rather than a breach as it was.
"This isn’t 'Jake just being pedantic'. Software supply chain attacks are complex and customers are confused. This off-label use of 'vulnerability' isn’t helping," he pointed out.
He also took issue with the fact that SolarWinds had claimed that it was the Orion build process had been compromised, rather than the source code.
"But they don’t really explain how/why they believe this," said Williams. "I’m left with more questions than answers after reading due to apparent inconsistencies in knowledge required for claims.
"I strongly suspect that down the road we’ll be using this as a case study in breach PR failures. I also suspect we’ll see the SEC revise disclosure requirements in situations like this. Telling investors incredible tales and ignoring customers should be a losing move."
However he said there should be some latitude shown as the area was something of an uncharted one. "But to give SolarWinds their due, this is a fairly uncharted territory with a publicly traded company being implicated in a supply chain attack, potentially leading to the breach of customers. They’re writing the playbook as they execute it, with no template to draw from," he added.