Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bit9 Hacked, Stolen Certs Used To Sign Malware

Posted by Soulskill on from the that-seems-like-a-bad-plan dept.

tsu doh nimh writes "Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered a compromise that cuts to the core of its business: helping clients distinguish known 'safe' files from computer viruses and other malicious software. A leading provider of 'application whitelisting' services, Bit9's security technology turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous. But in a blog post today, the company disclosed that attackers broke into its network and managed to steal the digital keys that Bit9 uses to distinguish good from bad applications. The attackers then sent signed malware to at least three of Bit9's customers, although Bit9 isn't saying which customers were affected or to what extent. The kicker? The firm said it failed to detect the intrusion in part because the servers used to store its keys were not running Bit9's own software."

10 of 65 comments (clear)

  1. LOL by MrLeap · · Score: 5, Funny

    "Our software is good, so good -- infact, that if we had used it ourselves our software wouldn't have been hacked.". That's one way to preserve confidence I suppose, use recursion.

  2. Revoke the keys, issue new ones by TheRealMindChild · · Score: 3, Informative

    Revoke the keys, issue new ones, and contact all of your clients on how to update. Check and mate.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Revoke the keys, issue new ones by mlts · · Score: 4, Insightful

      Even better:

      Buy HSMs. Issue new keys with the private keys stored in the security modules, and the access to who gets access to sign data tightly restricted and audited.

      Any production security outfit storing private key material on something that is not a hardened appliance is just asking for it.

  3. Just stupid by Anonymous Coward · · Score: 3, Informative

    Why was this system connected to the internet either directly through the main lan or an unsecured vlan?

    We have basic white papers and common sense security plans to stop this kind of thing.

  4. Dog Food by Anonymous Coward · · Score: 4, Funny

    Not Eaten Here

  5. Re:Serves them right by vux984 · · Score: 4, Insightful

    I hate fuckers who make software designed to prevent computer users from using their computer.

    What they are developing is really not fundamentally different from something like SELinux.

    DRM is only evil because someone who is not the computer owner is unilaterally dictating what you can do with it.

    Secureboot, SE Linux, and this stuff from bit9 are all tools that enable the owner of the computer to dictate what software is allowed to run on it.

    Why shouldn't the owner decide that flash shall not have access to the internet? Or that flash shall not run. period.

    The only time any of this is evil is when the owner isn't in control.

  6. "Product was not compromised"? by Jorgensen · · Score: 4, Insightful

    Impressive:

    There is no indication that this was the result of an issue with our product.

    Well... technically right, but the "product" people buy is not just the software: It is the whole package, which includes the on-going maintenance of whitelists, signing binaries and whatnot. And that appears to have been badly compromised.

    We are continuing to monitor the situation.

    Surely, if the product is that great, then you can relax, right? Isn't that what you're selling to your customers? "Security in a box?" (I know. Security is an on-going process, but not if you ask sales)

    While our investigation shows our product was not compromised, we are finalizing a product patch that will automatically detect and stop the execution of any malware that illegitimately uses the certificate

    Repetition Repetition... "product not compromised" ... except that it no longer provided any protection against those evil hackers?

    I think I'm getting my head around doublespeak - will be useful when I respond to bugs...

    1. Re:"Product was not compromised"? by alcourt · · Score: 3, Insightful

      I had a long chat with one of their sales types a couple weeks ago. The sales person had to talk to backline engineering, but confirmed the next day that yes, the bypass I outlined in under two minutes to evade the tool completely would in fact work and their software was designed in precisely the way as to make support from OS and hardware vendors very difficult on Linux.

      I tried to push them into the more useful area of logging what is done rather than trying to declare a known whitelist. Under their current scheme, a sysadmin couldn't write a custom shell script to their home dir and run it without going through twenty blessings first. Tweak that shell script? Won't run, even without privilege. I was not impressed.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
  7. Re:Serves them right by Anonymous Coward · · Score: 5, Informative

    I hate fuckers who make software designed to prevent computer users from using their computer. This applies whether the software claims to be white-hat anti-malware stuff or outright admits it's a tool-of-the-devil locked bootloader or DRM tool.

    A company has every right to lock down their own computers. Dumbass employees with Admin rights = disaster!! This software is similar to SUA + AppLocker (deny all) + whitelisted certs and it's a solid approach.

  8. Who was the real target? by Midnight_Falcon · · Score: 3, Insightful

    Just like the RSA hack..the infiltrators here appear to be just after signing certificates. They must have an objective to hack a client that uses Bit9 systems and thus required whitelisting. That means that some client of Bit9 is about to get seriously compromised.