Bit9 operates the whitelist theory of security defense – allow only known good and block everything else. It is, in theory, an excellent security mechanism ranked at number 2 in the SANS list of Critical Security Controls; and Bit9 itself claims, with some credibility, to have been the only defense to have stopped Flame while it was still unknown. But the danger with whitelisting is that a false positive is effectively stamped as ‘good’ and given the keys to the system.
Since you cannot easily defeat a whitelist defense with traditional malware, attackers chose to use, rather than attack, that defense. On Friday, CEO Patrick Morley announced on the company blog, “a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.” Top of the list of a whitelist’s known good software, metaphorically at least, must be its own updates. Malware signed with Bit9’s code-signing certificates would automatically be allowed to run.
Ironically, Morley wrote that the attackers broke into Bit9 because it wasn’t heeding its own advice. “We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9,” wrote Morley.
Since discovering the breach Bit9 has revoked the compromised certificate and acquired a new one – and installed its own software on all of its physical and virtual servers to ensure it doesn’t happen again.
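The mechanism described above, as an added illustration that is not Bit9’s code or policy format: a default-deny allow list that can trust an executable either by its exact hash or by the publisher certificate that signed it. A publisher rule lets anything signed with a stolen certificate run, which is exactly the gap the attackers used; revoking the certificate, pinning the known-good update by hash and trusting a replacement certificate closes it, and a valid signature from a revoked certificate is treated as something to investigate rather than silently dropped. Signatures are simulated with HMAC over the file hash so the script runs offline (real code signing uses asymmetric keys and X.509 chains); the certificate names, keys and file contents are constructed.

```python
"""Constructed model of an allow-list (whitelisting) decision engine.

Not a product's real policy format. Signing is simulated with HMAC over the
file hash purely so the example runs offline; real code signing uses
asymmetric keys and certificate chains.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SigningCert:
    fingerprint: str        # identifier an allow-list rule refers to
    key: bytes              # stands in for the private key material
    revoked: bool = False


@dataclass
class Executable:
    name: str
    content: bytes
    signer_fp: Optional[str] = None
    signature: Optional[bytes] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def sign(exe: Executable, cert: SigningCert) -> None:
    """Attach a (simulated) publisher signature to an executable."""
    exe.signer_fp = cert.fingerprint
    exe.signature = hmac.new(cert.key, exe.sha256.encode(), "sha256").digest()


def signature_valid(exe: Executable, cert: SigningCert) -> bool:
    """Check that the signature was produced with this certificate's key."""
    if exe.signature is None or exe.signer_fp != cert.fingerprint:
        return False
    expected = hmac.new(cert.key, exe.sha256.encode(), "sha256").digest()
    return hmac.compare_digest(expected, exe.signature)


@dataclass
class AllowList:
    certs: Dict[str, SigningCert]
    trusted_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)

    def decide(self, exe: Executable) -> Tuple[str, str]:
        """Return (verdict, reason). Default deny: anything unmatched is blocked."""
        if exe.sha256 in self.trusted_hashes:
            return "allow", "hash rule"
        cert = self.certs.get(exe.signer_fp) if exe.signer_fp else None
        if cert and signature_valid(exe, cert):
            if cert.revoked:
                # A valid signature from a revoked cert may be malware signed
                # during the compromise window: block and flag for review.
                return "block", f"publisher {cert.fingerprint} revoked; investigate"
            if cert.fingerprint in self.trusted_publishers:
                return "allow", "publisher rule"
        return "block", "no matching rule"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Walk through compromise, then mitigation; returns (name, verdict, reason)."""
    vendor = SigningCert("VENDOR-CERT-OLD", b"vendor-private-key")  # constructed
    allow = AllowList(certs={vendor.fingerprint: vendor},
                      trusted_publishers={vendor.fingerprint})

    update = Executable("agent-update.exe", b"legitimate agent update")
    sign(update, vendor)
    malware = Executable("dropper.exe", b"malicious payload")
    sign(malware, vendor)                 # attacker abused the stolen certificate
    unsigned = Executable("tool.exe", b"random unsigned tool")

    results = []
    for exe in (update, malware, unsigned):
        verdict, reason = allow.decide(exe)
        results.append((exe.name, verdict, reason))

    # Mitigation: revoke the compromised cert, pin the known-good update by
    # hash, and trust only the replacement certificate from now on.
    vendor.revoked = True
    new_cert = SigningCert("VENDOR-CERT-NEW", b"new-private-key")  # constructed
    allow.certs[new_cert.fingerprint] = new_cert
    allow.trusted_publishers = {new_cert.fingerprint}
    allow.trusted_hashes.add(update.sha256)
    for exe in (update, malware):
        verdict, reason = allow.decide(exe)
        results.append((exe.name + " (after revocation)", verdict, reason))
    return results


if __name__ == "__main__":
    for name, verdict, reason in run_scenario():
        print(f"{name:40} {verdict:6} {reason}")
```

Before revocation the dropper is allowed by the same publisher rule as the genuine update; afterwards the update still runs because it is pinned by hash, while the dropper is blocked with a reason that points an analyst at the compromise window.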
Morley believes that only 3 of the company’s 1000+ customers may have been affected. This implies that it was a targeted attack against specific customers, similar to the attack against RSA – an assumption made all the more likely given that Bit9’s customers include US military and intelligence agencies, and leading defense, oil and financial companies.
The company has received praise for owning up to its own failings in allowing the breach to happen. What it doesn’t do is name the three known affected customers, nor give any indication of the timings involved. Right now it is simply unknown which three customers were affected by malware given a free pass by the illegitimately signed certificates, or for how long they were affected.