Author Topic: Whoops: Bit9 Security Firm Hacked (used by US Government & Fortune 100 firms)

Offline menotu

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 15310
  • ┌∩┐(◕_◕)┌∩┐
Brian Krebs 8 February 2013 (krebsonsecurity)

Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head. Antivirus software, for example, seeks to identify and quarantine files that are known bad or strongly suspected of being malicious. In contrast, Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.

https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

And from Bit9

In brief, here is what happened. Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.

We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.

https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Online Nok

  • Hero Member
  • *****
  • Posts: 2264
  • A Space Odyssey
Whoops indeed. Yet another case of "do as we say, not as we do."
“Those people who think they know everything are a great annoyance to those of us who do.”
 ― Isaac Asimov

Online Just17

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 10665
  • MLUs Forever!
So, which would be worse for them  ........  to admit to a failure of their product .........  or .......... to admit to not installing their product in part of their own environment .......... ?

......  it would make me wonder .......
MLUs rule the roost!

Linux XPS 3.4.38-pclos1.bfs  64 bit
Intel Core2 Quad CPU Q9450 @ 2.66GHz
4 GB RAM
MCP51 High Def Audio
GeForce GTX 550 Ti
PHILIPS DVD+-RW DVD8701
Logitech BT Mini-Receiver
Afatech DTT

Offline Crow

  • Hero Member
  • *****
  • Posts: 8769
  • OBJECTS IN MIRROR... ARE LOSING
Probably someone that wanted to install Ares :)
I shall pass this way but once;
any good therefore that I can do,
or any kindness that I can show
let me not defer nor neglect it,
for I shall not pass this way again.

Linux User #330412

Offline menotu

  • PCLinuxOS Tester
  • Super Villain
  • *******
  • Posts: 15310
  • ┌∩┐(◕_◕)┌∩┐
A bit more info from Brian Krebs - 20 February 2013

Bit9 Breach Began in July 2012

Malware Found Matches Code Used Vs. Defense Contractors in 2012

Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. Defense contractors.

Earlier this month, KrebsOnSecurity broke the story of the breach at Waltham, Mass.-based Bit9, which involved the theft of one of the firm’s private digital certificates. That certificate was used to sign malicious software, or “malware” that was then sent to three of the company’s customers. Unlike antivirus software, which tries to identify and block known malicious files, Bit9’s approach helps organizations block files that aren’t already digitally signed by the company’s own certificates.

After publishing a couple of blog posts about the incident, Bit9 shared with several antivirus vendors the “hashes” or unique fingerprints of some 33 files that hackers had signed with the stolen certificate. KrebsOnSecurity obtained a list of these hashes, and was able to locate two malicious files that matched those hashes using Virustotal.com — a searchable service and database that lets users submit suspicious files for simultaneous scanning by dozens of antivirus tools.

The first match turned up a file called “media.exe,” which according to Virustotal was compiled and then signed using Bit9’s certificate on July 13, 2012. The other result was a Microsoft driver file for an SQL database server, which was compiled and signed by Bit9’s cert on July 25, 2012.

Asked about these findings, Bit9 confirmed that the breach appears to have started last summer with the compromise of an Internet-facing Web server, via an SQL injection attack. Such attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server.

Full blog

SQL injection
« Last Edit: February 20, 2013, 12:04:53 PM by menotu »
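As an added illustration of the trust model the article describes (not code from Bit9 or from the Krebs post; the policy structure, rule names and sample files are all constructed), a toy allowlist decision showing why a file signed with a stolen but trusted certificate passes a publisher rule, and why the hashes a vendor shares afterwards must override that trust:

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class SoftwareFile:
    """A file as the allowlist agent sees it (constructed sample data)."""
    name: str
    content: bytes
    signer: Optional[str] = None   # subject of the code-signing cert, if signed

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class AllowlistPolicy:
    trusted_signers: Set[str]                 # publisher trust: anything they sign runs
    approved_hashes: Set[str]                 # per-file approvals by hash
    banned_hashes: Set[str] = field(default_factory=set)  # hashes shared after an incident

    def decide(self, f: SoftwareFile) -> str:
        # A ban must win over publisher trust: malware signed with a stolen
        # certificate is, to the signer rule, indistinguishable from a real release.
        if f.sha256 in self.banned_hashes:
            return "block"
        if f.sha256 in self.approved_hashes or f.signer in self.trusted_signers:
            return "allow"
        return "block"   # default-deny: anything not explicitly trusted does not run


def stolen_cert_scenario() -> Tuple[str, str]:
    """Decision before and after the signed malware's hash is banned."""
    malware = SoftwareFile("media.exe", b"constructed payload", signer="Vendor Code Signing")
    policy = AllowlistPolicy(trusted_signers={"Vendor Code Signing"}, approved_hashes=set())
    before = policy.decide(malware)            # trusted signer -> "allow"
    policy.banned_hashes.add(malware.sha256)   # ingest the shared hash
    return before, policy.decide(malware)      # -> ("allow", "block")


def unsigned_scenario() -> Tuple[str, str]:
    """An unsigned in-house tool is blocked until its specific hash is approved."""
    tool = SoftwareFile("inhouse.exe", b"constructed in-house binary")
    policy = AllowlistPolicy(trusted_signers=set(), approved_hashes=set())
    before = policy.decide(tool)               # unknown -> "block"
    policy.approved_hashes.add(tool.sha256)
    return before, policy.decide(tool)         # -> ("block", "allow")
```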

Offline frazelle09

  • Hero Member
  • *****
  • Posts: 1476
  • Open my what?
    • Fundacion Anisa, A.C.
I saw this "we failed to install our own product on a handful of computers within our network." and

burst out laughing! -- too much!

Have a great evening!  :)
"The earth is one country and mankind its citizens."
Baha'u'llah
"La tierra es un solo pais y la humanidad sus ciudadanos."


Offline Tony

  • Hero Member
  • *****
  • Posts: 1744
  • Reason_able ;)
Quote
Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.

Firstly, I have a sneaking suspicion that Bit9 may have had their 'product installed' on all "computers within our network." It does seem a bit (pun intended ;D ) too much of an oversight, to be taken seriously, to not install your "Product" on your Network for testing, data gathering and development tasks.
I don't know their procedure in the workplace, but wouldn't ...
their primary objective be to run, test, and sell their product? So how could it not be installed?

There'd be people in their office sitting twiddling their thumbs, I suggest, who would instantly realise they had no work to do. What else would they be doing on their computers? Playing Solitaire? Something is amiss here.
I can't qualify my hunch, so have to take Bit9's word on this, don't we?

As Just17 wisely says:
So, which would be worse for them  ........  to admit to a failure of their product .........  or .......... to admit to not installing their product in part of their own environment .......... ?

......  it would make me wonder .......

*PCLOS 3.2.18-pclos2 - MiniMe 2013.x - KDE 4.10.1 - Intel(R) Pentium(R) 4 CPU 3.00GHz - 1GiB DIMM DDR 533 MHz RAM  = SHABANG ! ;) *Software Updates