BelchSpeak

Bit9 Compromised Because They Weren’t Watching the Network

Bit9 is a very reliable security system in which only authorized software, validated by digital signatures, can run within an environment. It works by whitelisting billions of known-good files and blocking anything not on the list from running. It's a good control system, but it should never be considered a bullet-proof solution: there are thousands of supposedly “good” pieces of software that can be abused to subvert security controls.

From the Reg here:

IT security biz Bit9’s private digital certificates were copied by hackers and used to cryptographically sign malware to infect the company’s customers.

The software-whitelisting firm’s certificates were swiped when its core systems were hacked last week. The intruders then signed malicious code and distributed it to the company’s corporate clients.

A number of Bit9’s customers were subsequently infected by the malware because the software was – thanks to the purloined certificates – regarded as safe by networks guarded by Bit9’s technology.

Bit9 confessed to the breach in a blog post on Friday, blaming the incident on an “operational oversight” and human error that exposed its core systems to attack, rather than any shortcomings with the security services it sells.

Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.

Bit9 said that its subsequent investigation discovered that three of its customers were affected by the illegitimately signed malware. It’s continuing to monitor the situation. In the meantime it has revoked the compromised certificate and patched up its previously insecure systems.

Bit9 has already revoked the old certificate and can now detect the known malware signed with it. Their ability to respond to this issue is probably the fastest I’ve ever seen from a major vendor. And they didn’t try to spin their way out of it: they stated that they failed to install their own Bit9 software on a few key internal systems, which is how the hackers were able to take advantage of vulnerabilities.

The bigger problem, however, was not the lack of control systems but the lack of eyes on glass watching their network behavior. Suspicious outbound FTP, SSH or SSL connections could have been identified as untrusted easily and quickly, and those digital certs had to leave the network somehow. When solid control systems are in place, you need only monitor that they are operational, then watch the network for any traffic that occurs despite those control systems.
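One way to put that last point into practice, as an added example that is not the post's or Bit9's code: keep an inventory of which hosts report the whitelisting agent as operational, then correlate it with outbound flow records and flag FTP, SSH or SSL connections from any host the control does not cover. The host names, ports, flow format and records below are constructed assumptions.

```python
"""Added example (not from the post or from Bit9): correlate agent coverage
with outbound flows. Host names, ports, log format and records are constructed."""
from collections import namedtuple

# Constructed inventory: host -> True when the whitelisting agent is installed
# and reporting. Two hosts lack it, mirroring the "handful of computers".
AGENT_STATUS = {
    "build01": True,
    "signer02": False,
    "dev-ws7": True,
    "legacy-ftp": False,
}

# Outbound services the post names as worth watching (port -> label).
WATCHED_PORTS = {21: "FTP", 22: "SSH", 443: "SSL"}

# Constructed flow records: "timestamp src_host dst_ip dst_port bytes_out".
SAMPLE_FLOWS = """\
2013-02-08T03:12:01 signer02 203.0.113.9 22 184320
2013-02-08T03:12:05 build01 198.51.100.4 443 2048
2013-02-08T03:13:40 legacy-ftp 203.0.113.9 21 93000
2013-02-08T03:14:02 dev-ws7 192.0.2.77 8080 512
"""

Flow = namedtuple("Flow", "ts src dst port bytes_out")

def parse_flows(text):
    """Parse whitespace-separated flow records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            flows.append(Flow(ts, src, dst, int(port), int(nbytes)))
    return flows

def uncovered_hosts(status):
    """Hosts where the control is absent or not reporting: the first thing to monitor."""
    return {host for host, ok in status.items() if not ok}

def flag_flows(flows, status, min_bytes=0):
    """Outbound flows on a watched port from an uncovered host, sending at least min_bytes."""
    missing = uncovered_hosts(status)
    return [(f.ts, f.src, WATCHED_PORTS[f.port], f.dst, f.bytes_out)
            for f in flows
            if f.src in missing and f.port in WATCHED_PORTS and f.bytes_out >= min_bytes]

if __name__ == "__main__":
    for ts, src, svc, dst, nbytes in flag_flows(parse_flows(SAMPLE_FLOWS), AGENT_STATUS):
        print("ALERT %s: outbound %s from uncovered host %s to %s (%d bytes)" % (ts, svc, src, dst, nbytes))
```

Raising min_bytes turns the same check into a crude exfiltration filter, since a copied certificate and key still have to leave as bytes on the wire.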

Dr. Jones

Do not talk about fight club. Oops.