Security Firm Bit9 Hacked, Forgot to Use Own Security Software

In the immortal words of Radiohead: “You do it to yourself...and that’s why it really hurts.” Security company Bit9 is surely feeling those words after being hacked late last week: the attackers targeted computers inside Bit9’s own network that were not protected by Bit9’s own software.

In the aftermath, Bit9 CEO Patrick Morley wrote in a blog post:

Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.

Ouch, indeed. Certainly, someone is getting fired over this. Not only is that oversight terribly embarrassing on its own, it compromises Bit9’s brand and reputation to the point that it may affect the company’s bottom line.

For what it’s worth, the issue does not appear to be with Bit9’s product itself, according to Morley. Bit9’s product protects endpoints by application whitelisting: a customer approves the software it trusts, typically by trusting the publisher’s digital code-signing certificate, and anything not on that list is denied by default. That is the reverse of the traditional anti-malware approach, which tries to identify and block known threats as they appear.

The problem with the direct hack of Bit9 is that the attackers obtained Bit9’s own code-signing certificate and used it to sign malware. A whitelist that trusts Bit9 as a publisher accepts anything validly signed with that certificate, so the signed malware would be allowed to run on any network that relied on that trust, with no way for the signature check alone to tell it apart from Bit9’s legitimate software.

Morley stated that only three of its customers were affected, and that the company has taken steps to rectify the situation: revoking the compromised certificate and acquiring a new one, installing its own product on all of its internal machines, issuing a patch that blocks malware signed with the stolen certificate, and monitoring for the hashes of any illegitimately signed malware.
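To make the mechanism and the remediation concrete, here is an added Go model of publisher-based whitelisting. It is not Bit9’s code and does not claim to show how the Bit9 product is implemented: Ed25519 keys stand in for code-signing certificates, the policy trusts a publisher key, the “stolen key” run shows malware passing the signature check exactly as a legitimate binary does, and the remediation steps named above (revoke the certificate, block the known sample by hash, re-sign with a new key) are then applied. All binaries and labels are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedBinary is a constructed stand-in for a signed executable: file bytes, the
// signer's public key (standing in for the signing certificate) and a signature.
type SignedBinary struct {
	Content   []byte
	Publisher ed25519.PublicKey
	Signature []byte
}

// Policy models publisher-based application whitelisting: anything validly signed
// by a trusted, unrevoked publisher may run; everything else is denied by default.
type Policy struct {
	trusted map[string]bool // hex(public key) -> trusted publisher
	revoked map[string]bool // hex(public key) -> certificate revoked
	banned  map[string]bool // hex(sha256 of file) -> known-bad hash
}

func NewPolicy() *Policy { return &Policy{map[string]bool{}, map[string]bool{}, map[string]bool{}} }

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
func fileHash(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

func (p *Policy) TrustPublisher(pub ed25519.PublicKey) { p.trusted[keyID(pub)] = true }

// RevokePublisher models certificate revocation: signatures by this key stop counting.
func (p *Policy) RevokePublisher(pub ed25519.PublicKey) { p.revoked[keyID(pub)] = true }

// BanHash models the "monitor for hashes" step: block a known sample whatever its signature.
func (p *Policy) BanHash(content []byte) { p.banned[fileHash(content)] = true }

// Allow decides whether the binary may execute, most specific check first.
func (p *Policy) Allow(b SignedBinary) (bool, string) {
	if p.banned[fileHash(b.Content)] {
		return false, "hash is on the block list"
	}
	id := keyID(b.Publisher)
	if p.revoked[id] {
		return false, "signing certificate revoked"
	}
	if !p.trusted[id] {
		return false, "publisher not trusted (default deny)"
	}
	digest := sha256.Sum256(b.Content)
	if !ed25519.Verify(b.Publisher, digest[:], b.Signature) {
		return false, "signature does not match content"
	}
	return true, "validly signed by trusted publisher"
}

// Sign is the same routine for everyone: whoever holds the private key, including
// an attacker who stole it, produces signatures the policy cannot tell apart.
func Sign(content []byte, priv ed25519.PrivateKey) SignedBinary {
	digest := sha256.Sum256(content)
	return SignedBinary{
		Content:   content,
		Publisher: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Scenario replays the incident and the remediation, returning each verdict by label.
func Scenario() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	policy := NewPolicy()
	policy.TrustPublisher(vendorPub)

	agent := Sign([]byte("constructed: legitimate vendor agent"), vendorPriv)
	malware := Sign([]byte("constructed: malware signed with the stolen key"), vendorPriv)
	unsigned := SignedBinary{Content: []byte("constructed: unsigned dropper")}

	r := map[string]bool{}
	r["agent before"], _ = policy.Allow(agent)
	r["malware before"], _ = policy.Allow(malware) // allowed: the signature is genuine
	r["unsigned before"], _ = policy.Allow(unsigned)

	// Remediation: revoke the compromised certificate, block the known sample by
	// hash, and re-sign legitimate binaries with a freshly issued key.
	policy.RevokePublisher(vendorPub)
	policy.BanHash(malware.Content)
	newPub, newPriv, _ := ed25519.GenerateKey(nil)
	policy.TrustPublisher(newPub)
	resigned := Sign(agent.Content, newPriv)

	r["agent after (old cert)"], _ = policy.Allow(agent)
	r["agent after (re-signed)"], _ = policy.Allow(resigned)
	r["malware after"], _ = policy.Allow(malware)
	return r
}

func main() {
	for label, allowed := range Scenario() {
		fmt.Printf("%-26s allowed=%v\n", label, allowed)
	}
}
```

The point the model makes is that the signature check is doing its job in every case: the malware is admitted before remediation because its signature really was made with the trusted key, and once the key is revoked the vendor’s own agent fails the same check until it is re-signed. Hash banning covers the samples already seen; revocation is what closes the door on samples not yet seen.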

I am not too sure what's embarrassing about it, aside from the fact some goober forgot to install it on some machines. It's not like the software installs itself, and all this does is prove that it works.


Rob, to illustrate why that's embarrassing: When I was a child, I toured a firehouse with my class. During the little Q&A session, I asked what they would do if the firehouse were to catch fire. They all laughed at me. But this is a case of the firehouse catching fire. Yes, they reacted quickly to put out the fire, but they're also the ones who left the stove on with a roll of paper towels sitting on the burner.


One word best describes this amazing feat of stupid... DOH!


It may take a while for them to clean the egg off of their faces.
