In the immortal words of radiohead: “You do it to yourself...and that’s why it really hurts.” Security
is surely feeling those words after being hacked late last week when attackers targeted computers within Bit9’s own network that weren’t protected by Bit9’s own software.
In the aftermath, Bit9 CEO Patrick Morley wrote in a blog post:
Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.
Ouch, indeed. Certainly, someone is getting fired over this. Not only is that oversight terribly embarrassing on its own, it compromises Bit9’s brand and reputation to the point that it may affect the company’s bottom line.
For what it’s worth, the issue does not appear to be with Bit9’s product, according to Morley. Bit9’s protection combats malware
by helping companies whitelist
applications that are deemed safe (and thus assume that all others are threats) with digitally signed certificates, as opposed to the traditional anti-malware approach of trying to identify and eliminate threats as they come.
The problem with the direct hack of Bit9 is that the cybercriminals obtained the ability to sign certificates and simply signed malware. Once signed, the malware could freely run amok in and around any network protected by Bit9 software.
Morley stated that only three of its customers were affected, but that the company has taken steps to rectify the situation including revoking the affected certificate and acquiring a new one, protecting all of its machines internally, adding a malware patch, and monitoring for harshes from any illegally signed malware.