
Bit9 Hacked, Stolen Certs Used To Sign Malware

Posted by Soulskill
from the that-seems-like-a-bad-plan dept.
tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."
  • LOL (Score:5, Funny)

    by MrLeap (1014911) on Friday February 08, 2013 @06:49PM (#42838363)
    "Our software is good, so good -- in fact, that if we had used it ourselves our software wouldn't have been hacked." That's one way to preserve confidence I suppose, use recursion.
    • by Anonymous Coward

      Yeah, and they monitor their networks 24x7 but missed someone hacking in through the very few computers that didn't have the software, not touching any others that did have the software, rooting around to figure out things, issued certificates and then sent malware to their customers. Right.

    • It's ironic that many security companies probably have some of the worse security practices and policies in place.
      • by symbolset (646467) *

        Ironic but not new. Also applies to the "most critical" systems: military systems, banking systems, power infrastructure including nuclear power plants, Los Alamos National Laboratory where nuclear weapons are simulated on supercomputers and so on. The US Army uses Vista. The Fed was recently hacked. We all know about the malware and exploits circulating for SCADA that does power plant control, and the published hard wired root passwords for the systems including routers and firewalls. Los Alamos has a

  • by TheRealMindChild (743925) on Friday February 08, 2013 @06:49PM (#42838365) Homepage Journal
    Revoke the keys, issue new ones, and contact all of your clients on how to update. Check and mate.
    • by mlts (1038732) on Friday February 08, 2013 @06:52PM (#42838397)

      Even better:

      Buy HSMs. Issue new keys with the private keys stored in the security modules, and the access to who gets access to sign data tightly restricted and audited.

      Any production security outfit storing private key material on something that is not a hardened appliance is just asking for it.

      • Meh, there hasn't been an OS level remote root exploit in *nix's in eons ...

        Just having a service on a commodity *nix PC which only has a single open port to take data, signs it and spits it out would be secure against network attacks.

        • by Anonymous Coward

          No it wouldn't, you idiot.

          If it were like you say, then anyone who hacks the network it is connected to can then send requests to it to be signed, and you're just as insecure as if you had the private keys stolen.

    • by gmuslera (3436)
      The steps should be: revoke keys, make sure you closed all the holes used to break in (and anything potentially similar), and then start issuing new ones and give a migration plan for them. Extra points if you give your clients the name of whoever is in the same business; you are there to give solutions, and if yours is not safe, giving alternatives is better than just declaring that there is none.
    • Revoke the keys and issue new ones. Contact all your former clients and try to convince them that you aren't total morons, and that they should continue to be your customers. Give the new keys to the handful that are stupid enough to stay.
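The subthread above makes three points: the signing key should live in a hardened module so it cannot be copied out, access to the signing service itself must be restricted and audited (otherwise, as the Anonymous Coward notes, anyone on the network owns the signing capability), and once a key has leaked the only remedy is to revoke it and re-key. The following Go program is an added example, not Bit9's software or anything quoted in the thread, and everything in it (the `SigningService`, `Verifier`, requester names and sample artifacts) is constructed for illustration. It models an HSM-like signing service with an allow list of requesters and an audit log, an endpoint verifier that honours only trusted, non-revoked keys, and walks through the stolen-key scenario: malware signed with the exfiltrated key passes the allow-list check until the key is revoked, after which only artifacts signed by the re-issued key are allowed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint identifies a public key by the hex SHA-256 of its bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SigningService stands in for an HSM-backed signer (hypothetical): the private key
// stays inside the struct, callers receive signatures, never the key. Every request,
// granted or denied, is appended to AuditLog.
type SigningService struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	allowed  map[string]bool // requester identities permitted to obtain signatures
	AuditLog []string
}

func NewSigningService(allowedRequesters ...string) (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &SigningService{priv: priv, Pub: pub, allowed: map[string]bool{}}
	for _, r := range allowedRequesters {
		s.allowed[r] = true
	}
	return s, nil
}

// Sign returns a signature over artifact only for an authorised requester; a caller
// who merely reaches the service over the network is refused, and the refusal is logged.
func (s *SigningService) Sign(requester string, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	if !s.allowed[requester] {
		s.AuditLog = append(s.AuditLog, fmt.Sprintf("DENY requester=%s sha256=%x", requester, digest))
		return nil, errors.New("requester not authorised to sign")
	}
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("SIGN requester=%s sha256=%x", requester, digest))
	return ed25519.Sign(s.priv, artifact), nil
}

// Verifier is the endpoint-side allow-list check: an artifact may run only if its
// signature verifies under a trusted signing key that has not been revoked.
type Verifier struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{trusted: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (v *Verifier) Trust(pub ed25519.PublicKey)  { v.trusted[Fingerprint(pub)] = pub }
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.revoked[Fingerprint(pub)] = true }

func (v *Verifier) Allowed(artifact, sig []byte) bool {
	for fp, pub := range v.trusted {
		if !v.revoked[fp] && ed25519.Verify(pub, artifact, sig) {
			return true
		}
	}
	return false
}

// Scenario replays the incident: a key is stolen and used outside the service (so no
// audit entry exists), then the defender revokes it and re-keys.
func Scenario() (malwareBeforeRevoke, malwareAfterRevoke, goodAfterRekey bool, err error) {
	oldSvc, err := NewSigningService("release-eng")
	if err != nil {
		return
	}
	v := NewVerifier()
	v.Trust(oldSvc.Pub)
	malware := []byte("constructed sample: unwanted payload")       // constructed input
	good := []byte("constructed sample: legitimate release build") // constructed input

	stolenSig := ed25519.Sign(oldSvc.priv, malware) // attacker holds a copy of the key
	malwareBeforeRevoke = v.Allowed(malware, stolenSig)

	v.Revoke(oldSvc.Pub) // response: revoke, re-key, trust only the new key
	newSvc, err := NewSigningService("release-eng")
	if err != nil {
		return
	}
	v.Trust(newSvc.Pub)
	malwareAfterRevoke = v.Allowed(malware, stolenSig)

	goodSig, err := newSvc.Sign("release-eng", good)
	if err != nil {
		return
	}
	goodAfterRekey = v.Allowed(good, goodSig)
	return
}

func main() {
	before, after, good, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("stolen-key malware allowed before revocation: %v\n", before)
	fmt.Printf("stolen-key malware allowed after revocation:  %v\n", after)
	fmt.Printf("re-keyed legitimate build allowed:            %v\n", good)
}
```

The point the verifier side makes is that the endpoint cannot distinguish a signature produced by the stolen key from a legitimate one; nothing short of revocation fixes that. On the service side, the audit log is what lets an operator notice that signatures were issued for an unknown requester, or that artifacts are circulating with signatures the service never logged at all.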

  • Let me guess: these Bit9 geniuses are all ex-RSA employees?

  • by Anonymous Coward

    Because 11 is better than 10 or even 9!

  • Because everyone knows there's no hacking threat. Right?
  • Just stupid (Score:3, Informative)

    by Anonymous Coward on Friday February 08, 2013 @07:13PM (#42838677)

    Why was this system connected to the internet either directly through the main lan or an unsecured vlan?

    We have basic white papers and common sense security plans to stop this kind of thing.

    • Because admins want to ssh into it with their home laptops they browse for porn with?

    • by cellocgw (617879)

      Why was this system connected to the internet either directly through the main lan or an unsecured vlan?

      Well, having just finished Ghost in the Machine, my bet is some genius in Bit9's IT dep't got a phone call that went "Hi, this is Bob from AccountTemps and I need you to change your password on the repository server so we can verify our updated security patch is working..."

  • Dog Food (Score:4, Funny)

    by Anonymous Coward on Friday February 08, 2013 @07:13PM (#42838685)

    Not Eaten Here

  • New and improved with 5% more bits!
  • by Jorgensen (313325) on Friday February 08, 2013 @07:35PM (#42838931) Homepage

    Impressive:

    There is no indication that this was the result of an issue with our product.

    Well... technically right, but the "product" people buy is not just the software: It is the whole package, which includes the on-going maintenance of whitelists, signing binaries and whatnot. And that appears to have been badly compromised.

    We are continuing to monitor the situation.

    Surely, if the product is that great, then you can relax, right? Isn't that what you're selling to your customers? "Security in a box?" (I know. Security is an on-going process, but not if you ask sales)

    While our investigation shows our product was not compromised, we are finalizing a product patch that will automatically detect and stop the execution of any malware that illegitimately uses the certificate

    Repetition Repetition... "product not compromised" ... except that it no longer provided any protection against those evil hackers?

    I think I'm getting my head around doublespeak - will be useful when I respond to bugs...

    • by alcourt (198386) on Friday February 08, 2013 @08:49PM (#42839547)

      I had a long chat with one of their sales types a couple weeks ago. The sales person had to talk to backline engineering, but confirmed the next day that yes, the bypass I outlined in under two minutes to evade the tool completely would in fact work and their software was designed in precisely the way as to make support from OS and hardware vendors very difficult on Linux.

      I tried to push them into the more useful area of logging what is done rather than trying to declare a known whitelist. Under their current scheme, a sysadmin couldn't write a custom shell script to their home dir and run it without going through twenty blessings first. Tweak that shell script? Won't run, even without privilege. I was not impressed.

  • by Midnight_Falcon (2432802) on Friday February 08, 2013 @07:54PM (#42839083)
    Just like the RSA hack... the infiltrators here appear to be just after signing certificates. They must have an objective to hack a client that uses Bit9 systems and thus required whitelisting. That means that some client of Bit9 is about to get seriously compromised.
    • by Anonymous Coward

      I think that's how they discovered the issue...

      FTFS:
      " The attackers then sent signed malware to at least three of Bit9's customers"

  • by Anonymous Coward

    What a shame. The truly bullshit "security" companies (as opposed to the moderately bullshit ones like Bit9) will go on making money with AV software, while someone who sort of tried to do things right (whitelists) is utterly clobbered. But they did fuck up.

    Ok, so you didn't run your own wares, kind of like back when (and maybe this is still the case) OpenBSD was hosted on Solaris systems. ;-)

    Beyond that, though, we see another failure here, and it's one that it also shared by most of today's HTTPS proble

  • CAs keep getting hacked recently. How can I place my trust on CAs these days? Perhaps the browser should inform the users about certificate change for individual websites, similar to SSH?

    • by manu0601 (2221348)
      There are Firefox extensions for that. But unless you are the operator of the service, what do you do if the certificate changes? How do you know if the change is legit or not?
  • They say they got hacked because they did not run their own software. I see another reason: either one of the accredited operators of the signing infrastructure launched malware on their signing machine (scary), or the signing machine offered hackable services on the company network (scary again).
    • When folks don't use their own products it's because the product is shit. Do you think Microsoft compiles Windows with Visual Studio?
      • by ecotax (303198)

        When folks don't use their own products it's because the product is shit. Do you think Microsoft compiles Windows with Visual Studio?

        Firstly, regardless of what I think of Windows, I actually believe they do use Visual Studio, see the discussion here:
        http://stackoverflow.com/questions/7381392/compiler-used-to-build-windows-7 [stackoverflow.com]

        Secondly, Visual Studio is a quite acceptable IDE, and could very well be the best software product they ever made.

      • by manu0601 (2221348)
        Well, they at least need a machine without their software to examine new software they are going to sign, don't they?
