Bit9 Concedes It Let Its Guard Down in Breach

3 Customers Affected by Intrusion of Security Provider's Network
Bit9 Concedes It Let Its Guard Down in Breach

Bit9 says its failure to install its own information security products to detect intrusions on its network has resulted in a breach, causing the issuance of digital certificates that were used illegitimately to sign malware affecting three customers.

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

President and Chief Executive Patrick Morley, in a Bit9 blog post, characterizes the failure as an "operational oversight," adding that its products were not compromised. "We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," he says.

Bit9 says it had notified affected customers - Morley didn't identify them - and has reached out to all of its customers to ensure them they are no longer vulnerable to malware associated with the affected certificate.

Big9 claims as its customers more than 20 U.S. federal agencies, five of the top 10 aerospace and defense companies and three of the top 10 banks. The company's core offering consists of trust policies that identify approved software to run on customers' networks and detects untrusted software to keep off of clients' systems.

Bit9's confidence in its offerings was expressed last August in a statement that contrasts to its new concession about the breach. That 2012 statement referenced Bit 9 as the only company to stop the Flame malware [see Massive, Advanced Cyberthreat Uncovered] and RSA breach attack [see RSA Breach Costs Parent EMC $66.3 Million], Marley is quoted as saying: "We're on the machine, watching everything going on, and if we do not trust the software that tries to run, we'll stop it."

Bit9 Chief Technical Officer Harry Sverdlove promises that the company will be as transparent as it can be about the breach of its network.

"We have already shared the cryptographic hashes of all the files we know were signed maliciously, both with our customers and with the security community," Sverdlove says in a blog post. "We will share more intelligence at the right time - network information, tactics, files and hopefully more."

Sverdlove says there are limits on transparency. "We're not going to share details that will compromise our customers or violate confidentiality, nor are we going to share details that will compromise our own security," he says. "For anyone who has ever been involved in an investigation of this type, you know that absolute or complete information is not always possible, so I can't promise that every puzzle piece will be revealed. That is the plain and simple truth."

Here are steps Bit9 says it has taken to prevent further misuse:

  • Revoked the affected certificate and acquired a new one;
  • Eliminated the operational issue that led to the illegal access to the certificate and ensured Bit9 is installed on all of our physical and virtual machines;
  • Finalizing a product patch that will automatically detect and stop the execution of any malware that illegitimately uses the certificate;
  • Monitoring the Bit9 Software Reputation Service for hashes from the illegitimately signed malware.

To ensure customers its networks are secure, Morley says the company operates a complete security stack and security operations center with a full-time staff monitoring all activity and has third-party auditors conduct regular audits.


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.