Slashdot Mirror


Bit9 Hacked, Stolen Certs Used To Sign Malware

tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."

15 of 65 comments

  1. LOL by MrLeap · · Score: 5, Funny

    "Our software is good, so good -- in fact, that if we had used it ourselves our software wouldn't have been hacked." That's one way to preserve confidence I suppose, use recursion.

    1. Re:LOL by symbolset · · Score: 2

      Ironic but not new. Also applies to the "most critical" systems: military systems, banking systems, power infrastructure including nuclear power plants, Los Alamos National Laboratory where nuclear weapons are simulated on supercomputers and so on. The US Army uses Vista. The Fed was recently hacked. We all know about the malware and exploits circulating for SCADA that does power plant control, and the published hard wired root passwords for the systems including routers and firewalls. Los Alamos has a long history of losing the most secret data - as well as failing their background check systems. The more important it is it seems, the less secure it is.

      The NSA, CIA and NRO apparently have got their act together. That's nice. The FBI, middling to fair. In general though if we really tick somebody off with nation-state level budgets and serious nerd skills, we're hosed. Unfortunately that "ticking off" is almost certain to occur if it hasn't happened already.

      --
      Help stamp out iliturcy.
  2. Revoke the keys, issue new ones by TheRealMindChild · · Score: 3, Informative

    Revoke the keys, issue new ones, and contact all of your clients on how to update. Check and mate.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Revoke the keys, issue new ones by mlts · · Score: 4, Insightful

      Even better:

      Buy HSMs. Issue new keys with the private keys stored in the security modules, and the access to who gets access to sign data tightly restricted and audited.

      Any production security outfit storing private key material on something that is not a hardened appliance is just asking for it.

    2. Re:Revoke the keys, issue new ones by gmuslera · · Score: 2

      The steps should be: revoke keys, make sure you closed all the holes used to break in (and anything potentially similar), and then start issuing new ones and give a migration plan for them. Extra points if you give your clients the name of whatever is in the same business; you are there to give solutions, and if yours is not safe, giving alternatives is better than just declaring that there is none.

    3. Re:Revoke the keys, issue new ones by sunderland56 · · Score: 2

      Revoke the keys and issue new ones. Contact all your former clients and try to convince them that you aren't total morons, and that they should continue to be your customers. Give the new keys to the handful that are stupid enough to stay.

    4. Re:Revoke the keys, issue new ones by swillden · · Score: 2

      Slightly off-topic, but is there something such as a "Software-HSM" that can be loaded into, i.e., an ESX server host, that's presented as an HSM to the VM?

      Probably, but if so it would be vulnerable to hypervisor exploits, which do exist.

      If you have important keys put them in a hardware security module. Ideally, a FIPS 140-2 Level 4 certified device (level 3 is good enough, but level 4 devices don't cost any more), in a physically-secured location, with tightly-configured logical access control. If you must use VMs, get network-enabled HSMs and have your VMs talk to them.

      Had Bit9 done something like that, a network intrusion could still potentially have enabled the attackers to sign some things, but they couldn't have gotten hold of the actual key material. Plus, with appropriate auditing on the HSMs, Bit9 would have known exactly how their keys were used which may have enabled damage control less extreme than generating new keys and distributing them to every client.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
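
      The auditing swillden describes is only useful if someone actually reviews the signing records. The following is an added example (not Bit9's or any HSM vendor's code) that checks constructed HSM signing-audit records against a release manifest, an authorised-operator list and a signing window; the log format, operator names, key label and hashes are all assumptions.

```python
"""Review constructed HSM signing-audit records for misuse of a release key.

Added example; the log format, operators, key label and hashes are constructed.
"""
from collections import namedtuple
from datetime import datetime, time

Finding = namedtuple("Finding", "line reason")

# Constructed policy: who may request signatures, and when.
AUTHORIZED_OPERATORS = {"release-bot", "alice"}
SIGNING_WINDOW = (time(9, 0), time(18, 0))  # local business hours

# Constructed: hashes the release process approved (truncated for readability).
RELEASE_MANIFEST = {"a1b2c3d4": "agent-7.0.1.exe", "09876543": "agent-7.0.2.exe"}

# Constructed audit log, one signing request per line.
SAMPLE_AUDIT_LOG = """\
2013-02-01T10:12:03 op=release-bot key=codesign-2013 sha256=a1b2c3d4 result=OK
2013-02-03T02:41:55 op=svc-backup key=codesign-2013 sha256=deadbeef01 result=OK
2013-02-04T11:00:00 op=alice key=codesign-2013 sha256=f00dfeed22 result=OK
2013-02-04T11:05:00 op=mallory key=codesign-2013 sha256=a1b2c3d4 result=DENIED
"""


def parse_record(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp becomes rec['ts']."""
    parts = line.split()
    rec = dict(field.split("=", 1) for field in parts[1:])
    rec["ts"] = datetime.fromisoformat(parts[0])
    return rec


def review(log_text, manifest=RELEASE_MANIFEST):
    """Return a Finding for every record that deviates from the signing policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        if rec["result"] != "OK":
            findings.append(Finding(n, f"denied signing request by {rec['op']}"))
            continue  # nothing was signed, but someone tried
        if rec["op"] not in AUTHORIZED_OPERATORS:
            findings.append(Finding(n, f"signature by unauthorised operator {rec['op']}"))
        if rec["sha256"] not in manifest:
            findings.append(Finding(n, "signed object is not in the release manifest"))
        if not SIGNING_WINDOW[0] <= rec["ts"].time() <= SIGNING_WINDOW[1]:
            findings.append(Finding(n, "signature outside the signing window"))
    return findings
```

      Run against the constructed log, line 2 (an off-hours signature of an unknown object by a service account) is exactly the kind of event that would have shown Bit9 its key was being misused.
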
  3. Just stupid by Anonymous Coward · · Score: 3, Informative

    Why was this system connected to the internet, either directly through the main LAN or an unsecured VLAN?

    We have basic white papers and common sense security plans to stop this kind of thing.

  4. Dog Food by Anonymous Coward · · Score: 4, Funny

    Not Eaten Here

  5. Re:Serves them right by vux984 · · Score: 4, Insightful

    I hate fuckers who make software designed to prevent computer users from using their computer.

    What they are developing is really not fundamentally different from something like SELinux.

    DRM is only evil because someone who is not the computer owner is unilaterally dictating what you can do with it.

    Secureboot, SE Linux, and this stuff from bit9 are all tools that enable the owner of the computer to dictate what software is allowed to run on it.

    Why shouldn't the owner decide that flash shall not have access to the internet? Or that flash shall not run, period.

    The only time any of this is evil is when the owner isn't in control.

  6. "Product was not compromised"? by Jorgensen · · Score: 4, Insightful

    Impressive:

    There is no indication that this was the result of an issue with our product.

    Well... technically right, but the "product" people buy is not just the software: It is the whole package, which includes the on-going maintenance of whitelists, signing binaries and whatnot. And that appears to have been badly compromised.

    We are continuing to monitor the situation.

    Surely, if the product is that great, then you can relax, right? Isn't that what you're selling to your customers? "Security in a box?" (I know. Security is an on-going process, but not if you ask sales)

    While our investigation shows our product was not compromised, we are finalizing a product patch that will automatically detect and stop the execution of any malware that illegitimately uses the certificate

    Repetition Repetition... "product not compromised" ... except that it no longer provided any protection against those evil hackers?

    I think I'm getting my head around doublespeak - will be useful when I respond to bugs...
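
    The quoted statement promises a patch that blocks "any malware that illegitimately uses the certificate" while still allowing the vendor's own builds. Here is an added example (not Bit9's product code) of the decision a whitelisting agent has to make once a signing certificate is known to be compromised: the certificate serials, compromise date and hashes are constructed.

```python
"""Whitelist decision for binaries once a code-signing certificate is compromised.

Added example, not Bit9's code. Serials, dates and hashes are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass
class SignedFile:
    sha256: str
    signer_serial: Optional[str]   # None for an unsigned binary
    signed_at: Optional[datetime]  # signing time from the signature, if any


# Constructed trust data for the agent.
TRUSTED_SERIALS = {"0A11", "0B22"}
# Serial -> earliest moment the private key is assumed to be in attacker hands.
COMPROMISED = {"0A11": datetime(2013, 1, 1)}
# Builds the vendor explicitly vouches for although they carry the compromised cert.
VOUCHED_HASHES = {"a1b2c3d4": "agent-7.0.1.exe"}


def decide(f: SignedFile) -> Tuple[str, str]:
    """Return ("ALLOW"|"BLOCK", reason) for a file under default-deny whitelisting."""
    if f.signer_serial is None:
        return "BLOCK", "unsigned binary; whitelist is default-deny"
    if f.signer_serial not in TRUSTED_SERIALS:
        return "BLOCK", "signer is not in the trust store"
    since = COMPROMISED.get(f.signer_serial)
    if since is None:
        return "ALLOW", "signed by a trusted, uncompromised certificate"
    # A signature from a compromised key proves nothing on its own, so fall
    # back to the vendor's vouched hashes. The signing time inside a signature
    # can be set by whoever holds the key, so it is only a secondary check:
    # a vouched hash with a post-compromise time is still refused.
    if f.sha256 in VOUCHED_HASHES and f.signed_at is not None and f.signed_at < since:
        return "ALLOW", f"vouched build {VOUCHED_HASHES[f.sha256]} signed before compromise"
    return "BLOCK", "signed with a compromised certificate and not vouched for"
```

    The point of the vouched-hash list is that, after the compromise, the certificate no longer tells good from bad; only an explicit per-file allow decision from the vendor does.
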

    1. Re:"Product was not compromised"? by alcourt · · Score: 3, Insightful

      I had a long chat with one of their sales types a couple weeks ago. The sales person had to talk to backline engineering, but confirmed the next day that yes, the bypass I outlined in under two minutes to evade the tool completely would in fact work, and their software was designed in precisely such a way as to make support from OS and hardware vendors very difficult on Linux.

      I tried to push them into the more useful area of logging what is done rather than trying to declare a known whitelist. Under their current scheme, a sysadmin couldn't write a custom shell script to their home dir and run it without going through twenty blessings first. Tweak that shell script? Won't run, even without privilege. I was not impressed.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
  7. Re:Serves them right by Anonymous Coward · · Score: 5, Informative

    I hate fuckers who make software designed to prevent computer users from using their computer. This applies whether the software claims to be white-hat anti-malware stuff or outright admits it's a tool-of-the-devil locked bootloader or DRM tool.

    A company has every right to lock down their own computers. Dumbass employees with Admin rights = disaster!! This software is similar to SUA + AppLocker (deny all) + whitelisted certs and it's a solid approach.

  8. Who was the real target? by Midnight_Falcon · · Score: 3, Insightful

    Just like the RSA hack, the infiltrators here appear to be just after signing certificates. They must have an objective to hack a client that uses Bit9 systems and thus required whitelisting. That means that some client of Bit9 is about to get seriously compromised.

  9. Re:Serves them right by Anonymous Coward · · Score: 2, Informative

    A company has every right to lock down their own computers.

    The right, certainly. But turning a computer into a glorified cash register running only "approved" apps is a terrible move, even when you own it. Sure, you prevent malware. You also prevent everything else.

    From the summary:
    Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms

    This has nothing to do with consumer toys or personal computers. It's to do with gov't/corp workstations. It prevents employees from accidentally installing unsigned updates and plugins. It prevents spies, defectors or hackers from stealing the "secret sauce". The integrity of the certs is crucial to its effectiveness.

    Removing rights from your own Windows acct. is not a bad idea and can be made comfortable with tools like SuRun.

    (I'm the same AC that you replied to)