Bit9 Hacked, Stolen Certs Used To Sign Malware
tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."
LOL (Score:5, Funny)
Re: (Score:1)
Yeah, and they monitor their networks 24x7 but missed someone hacking in through the very few computers that didn't have the software, not touching any others that did have the software, rooting around to figure things out, issuing certificates and then sending malware to their customers. Right.
Re: (Score:1)
Re: (Score:3)
Ironic but not new. Also applies to the "most critical" systems: military systems, banking systems, power infrastructure including nuclear power plants, Los Alamos National Laboratory where nuclear weapons are simulated on supercomputers and so on. The US Army uses Vista. The Fed was recently hacked. We all know about the malware and exploits circulating for SCADA that does power plant control, and the published hard wired root passwords for the systems including routers and firewalls. Los Alamos has a
Revoke the keys, issue new ones (Score:4, Informative)
Re:Revoke the keys, issue new ones (Score:5, Insightful)
Even better:
Buy HSMs. Issue new keys with the private keys stored in the security modules, and the access to who gets access to sign data tightly restricted and audited.
Any production security outfit storing private key material on something that is not a hardened appliance is just asking for it.
Re: (Score:3)
Slightly off-topic, but is there such a thing as a "Software-HSM" that can be loaded into, i.e., an ESX server host, and that is presented as an HSM to the VM?
Probably, but if so it would be vulnerable to hypervisor exploits, which do exist.
If you have important keys put them in a hardware security module. Ideally, a FIPS 140-2 Level 4 certified device (level 3 is good enough, but level 4 devices don't cost any more), in a physically-secured location, with tightly-configured logical access control. If you must use VMs, get network-enabled HSMs and have your VMs talk to them.
Had Bit9 done something like that, a network intrusion could still potentially have en
Re: (Score:1)
Meh, there hasn't been an OS level remote root exploit in *nix's in eons ...
Just having a service on a commodity *nix PC which only has a single open port to take data, signs it and spits it out would be secure against network attacks.
Re: (Score:1)
No it wouldn't, you idiot.
If it were like you say, then anyone who hacks the network it is connected to can then send requests to it to be signed, and you're just as insecure as if you had the private keys stolen.
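The objection above, that a signing box reachable over the network is only as safe as the control over who may ask it to sign, is what a gateway in front of the key has to address. The following is an added example, not code from this thread or from Bit9: a minimal Python signing gateway that authenticates each requester with a per-requester secret, rejects stale and replayed requests, and writes every request to an audit log whether it was granted or not. The requester secrets and signing key are constructed values, and the HMAC stands in for an HSM-resident private key.

```python
import hashlib
import hmac
import time

# Constructed credentials for this example only. A real gateway would keep the signing
# key inside an HSM (the HMAC below is a stand-in) and requester secrets out of source.
REQUESTER_SECRETS = {"build-pipeline": b"constructed-requester-secret"}
SIGNING_KEY = b"constructed-hsm-resident-signing-key"
MAX_SKEW_SECONDS = 300

def _auth_message(requester, digest, timestamp, nonce):
    # Canonical string the requester authenticates: binds who, what and when.
    return f"{requester}|{digest}|{timestamp}|{nonce}".encode()

def make_request(requester, artifact, timestamp, nonce):
    # Client side. Without the real secret (e.g. an intruder on the LAN) the MAC is a guess.
    digest = hashlib.sha256(artifact).hexdigest()
    secret = REQUESTER_SECRETS.get(requester, b"guess")
    mac = hmac.new(secret, _auth_message(requester, digest, timestamp, nonce), hashlib.sha256).digest()
    return {"requester": requester, "artifact": artifact, "timestamp": timestamp, "nonce": nonce, "mac": mac}

class SigningGateway:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.audit_log = []       # every request, granted or denied
        self.seen_nonces = set()  # replay protection

    def _check(self, req, digest):
        secret = REQUESTER_SECRETS.get(req["requester"])
        if secret is None:
            return "denied: unknown requester"
        msg = _auth_message(req["requester"], digest, req["timestamp"], req["nonce"])
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "denied: bad credential"
        if abs(self.clock() - req["timestamp"]) > MAX_SKEW_SECONDS:
            return "denied: stale request"
        if req["nonce"] in self.seen_nonces:
            return "denied: replayed request"
        return "signed"

    def sign(self, req):
        digest = hashlib.sha256(req["artifact"]).hexdigest()
        outcome, signature = self._check(req, digest), None
        if outcome == "signed":
            self.seen_nonces.add(req["nonce"])
            signature = hmac.new(SIGNING_KEY, req["artifact"], hashlib.sha256).hexdigest()
        self.audit_log.append({"time": int(self.clock()), "requester": req["requester"], "sha256": digest, "outcome": outcome})
        return signature
```

The audit log is what lets a monitoring team notice a signing request that no build ever produced, which is exactly the signal that goes missing when the key itself is copied off a file server.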
Re: (Score:3)
Re: (Score:3)
Revoke the keys and issue new ones. Contact all your former clients and try to convince them that you aren't total morons, and that they should continue to be your customers. Give the new keys to the handful that are stupid enough to stay.
Smooth Move (Score:1)
Let me guess: these Bit9 geniuses are all ex-RSA employees?
Better Yet Buy Bit11 (Score:1)
Because 11 is better than 10 or even 9!
Re: (Score:1)
Well, you'll have to compete with my company, Bitn+1.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I thought 'bit11' is the same as '11b', or 3.
Re:Serves them right (Score:5, Insightful)
I hate fuckers who make software designed to prevent computer users from using their computer.
What they are developing is really not fundamentally different from something like SELinux.
DRM is only evil because someone who is not the computer owner is unilaterally dictating what you can do with it.
Secureboot, SE Linux, and this stuff from bit9 are all tools that enable the owner of the computer to dictate what software is allowed to run on it.
Why shouldn't the owner decide that flash shall not have access to the internet? Or that flash shall not run. period.
The only time any of this is evil is when the owner isn't in control.
Some owners allegedly can't be trusted (Score:2)
The only time any of this is evil is when the owner isn't in control.
Several fans of game consoles and Apple consumer electronics would claim that some individual hardware owners can't be trusted not to disable security to see dancing animals [wikipedia.org], and taking control away from them is in their own good. They tend to pop up every time the Android trojan story of the week breaks or the Ouya project reaches another milestone.
Re: (Score:2)
Several fans of game consoles and Apple consumer electronics would claim that some individual hardware owners can't be trusted not to disable security to see dancing animals, and taking control away from them is in their own good.
I'm sure you would even agree that this is true for some individual hardware owners, perhaps even most of them.
But the solution is not to take it away from them per se, but rather to easily enable them to delegate it to a 3rd party they trust.
The problem with, say, Apple, is that i
Capabilities (Score:2)
The reason viruses are such a problem is that blacklisting simply can't work, and "detecting malicious activity" is HARD.
Ultimately, capabilities [wikipedia.org] are the real answer to "detecting malicious activity". OLPC Bitfrost protections, Android permissions, Ubuntu AppArmor, and Mac App Store entitlements work by characterizing the threat model, finding which actions are sensitive, and giving applications just enough privileges to do their work. AppArmor whitelists the parts of the file system that an application can see. Android permissions have been criticized as being yet another extra screen that the user just taps through to see t
Re: (Score:2)
if the only way for a process to acquire a file handle is to ask a designated file chooser service for one, then all your arbitrary access problems go away
I mentioned OLPC Bitfrost and Mac App Store sandbox, which do in fact make this the only way to acquire a file handle outside the application's own jail.
Re: (Score:2)
my impression of these 'capabilities' protections is that they are not nearly specific enough to be of much use in practice.
I download a cloud contact sync program and it asks for permission to connect to the internet, and permission to scan my contacts.
So then it sends my contacts to a 3rd party spam outfit.
It asks for the ability to send/read sms because it has a feature to send contacts to other app users via sms. Cool.
So it sends copies of all my sms messages to a 3rd party. And sends sms advertising sp
Re: (Score:2)
a cloud contact sync program [...] sends my contacts to a 3rd party spam outfit
If your sync provider is sharing user information with a spam outfit, then it's violating a reasonable privacy policy. One solution is to use applications that aren't limited to one sync provider but instead let the user specify the sync provider's API URL. This way, you could choose which sync provider to use or even run your own on a home server. But I'd agree with you that alongside the Internet privilege, which means "This application can connect to all hosts", systems should offer finer-grained control
Re: (Score:2)
So what's the correct solution, other than solutions that pose a substantial entry barrier to non-malicious students and hobbyists?
Ok.
An operating system control system that allows the user to define app profiles that dictate what hosts it can connect to, what parts of the filesystem can be read / written, etc, etc. is the first part.
The 2nd part is letting e.g. antivirus / antimalware / new-category-of-security-solution providers hook into that system, so that end users can simply subscribe to app profiles
Re: (Score:2)
Re: (Score:2)
The problem is that Microsoft had the manufacturers use an implementation that's hard to use for non-Microsoft OS's.
How so? Any hardware vendor that wishes to release linux preinstalled hardware will have no difficulty whatsoever.
The only part that is 'harder' is taking windows pre-installed hardware and converting it to another operating system. And that is ENTIRELY THE POINT OF SECURE BOOT -- that there is something preventing arbitrary unknown software booting up with the PC... whether a rootkit, or the ne
Re:Serves them right (Score:5, Informative)
I hate fuckers who make software designed to prevent computer users from using their computer. This applies whether the software claims to be white-hat anti-malware stuff or outright admits it's a tool-of-the-devil locked bootloader or DRM tool.
A company has every right to lock down their own computers. Dumbass employees with Admin rights = disaster!! This software is similar to SUA + AppLocker (deny all) + whitelisted certs and it's a solid approach.
Re: (Score:1)
The right, certainly. But turning a computer into a glorified cash register running only "approved" apps is a terrible move, even when you own it. Sure, you prevent malware. You also prevent everything else.
Re: (Score:2, Informative)
The right, certainly. But turning a computer into a glorified cash register running only "approved" apps is a terrible move, even when you own it. Sure, you prevent malware. You also prevent everything else.
From the summary:
Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms
This has nothing to do with consumer toys or personal computers. It's to do with gov't/corp workstations. It prevents employees from accidentally installing unsigned updates and plugins. It prevents spies, defectors or hackers from stealing the "secret sauce". The integrity of the certs is crucial to its effectiveness.
Removing rights from your own Windows acct. is
Re: (Score:2)
It also prevents employees from deliberately installing useful items. It means they have to do their work on the computer in exactly the way that work has always been done; if they think some tool will make things easier or more efficient, that's just tough because they can't install it.
Imagine if you had to do everything i
Must have been the US govt (Score:2)
Just stupid (Score:3, Informative)
Why was this system connected to the internet either directly through the main lan or an unsecured vlan?
We have basic white papers and common sense security plans to stop this kind of thing.
Re: (Score:2)
Because admins want to ssh into it with their home laptops they browse for porn with?
Re: (Score:2)
Why was this system connected to the internet either directly through the main lan or an unsecured vlan?
Well, having just finished Ghost in the Machine, my bet is some genius in Bit9's IT dep't got a phone call that went "Hi, this is Bob from AccountTemps and I need you to change your password on the repository server so we can verify our updated security patch is working..."
Dog Food (Score:4, Funny)
Not Eaten Here
Sounds like Bit 9.5 is in order (Score:1)
Re: (Score:2)
"Product was not compromised"? (Score:5, Insightful)
Impressive:
Well... technically right, but the "product" people buy is not just the software: It is the whole package, which includes the on-going maintenance of whitelists, signing binaries and whatnot. And that appears to have been badly compromised.
Surely, if the product is that great, then you can relax, right? Isn't that what you're selling to your customers? "Security in a box?" (I know. Security is an on-going process, but not if you ask sales)
Repetition Repetition... "product not compromised" ... except that it no longer provided any protection against those evil hackers?
I think I'm getting my head around doublespeak - will be useful when I respond to bugs...
Re:"Product was not compromised"? (Score:4, Insightful)
I had a long chat with one of their sales types a couple weeks ago. The sales person had to talk to backline engineering, but confirmed the next day that yes, the bypass I outlined in under two minutes to evade the tool completely would in fact work, and their software was designed in precisely such a way as to make support from OS and hardware vendors very difficult on Linux.
I tried to push them into the more useful area of logging what is done rather than trying to declare a known whitelist. Under their current scheme, a sysadmin couldn't write a custom shell script to their home dir and run it without going through twenty blessings first. Tweak that shell script? Won't run, even without privilege. I was not impressed.
Who was the real target? (Score:4, Insightful)
Re: (Score:1)
I think that's how they discovered the issue...
FTFS:
" The attackers then sent signed malware to at least three of Bit9's customers"
One basket for the eggs (Score:1)
What a shame. The truly bullshit "security" companies (as opposed to the moderately bullshit ones like bit9) will go on making money with AV software, while someone who sort of tried to do things right (whitelists) is utterly clobbered. But they did fuck up.
Ok, so you didn't run your own wares, kind of like back when (and maybe this is still the case) OpenBSD was hosted on Solaris systems. ;-)
Beyond that, though, we see another failure here, and it's one that it also shared by most of today's HTTPS proble
I think we need a better security model. (Score:2)
CAs keep getting hacked recently. How can I place my trust on CAs these days? Perhaps the browser should inform the users about certificate change for individual websites, similar to SSH?
Re: (Score:2)
Did not run their own software. (Score:2)
Re: (Score:2)
Re: (Score:2)
When folks don't use their own products it's because the product is shit. Do you think Microsoft compiles Windows with Visual Studio?
Firstly, regardless of what I think of Windows, I actually believe they do use Visual Studio, see the discussion here:
http://stackoverflow.com/questions/7381392/compiler-used-to-build-windows-7 [stackoverflow.com]
Secondly, Visual Studio is a quite acceptable IDE, and could very well be the best software product they ever made.
Re: (Score:2)