Comments on: Bit9 Breach Began in July 2012

By: Anthony Maw

Anthony Maw — Wed, 27 Feb 2013 06:34:51 +0000

I don’t believe anything I read or hear anymore. For all we know, Mandiant, et al, could be a US Government (read NSA, CIA) front company fingering those “Chinese” as a cover story and distraction for their own intense domestic surveillance programs against US and other “western” citizens.

By: JimV

JimV — Mon, 25 Feb 2013 21:54:41 +0000

The Chinese government (at all levels) adheres to basic principles in the delivery of propaganda and countering any truthful revelations which expose the inner workings of their security organizations, and among the most basic of principles is the one below:

“…the rank and file are usually much more primitive than we imagine. Propaganda must therefore always be essentially simple and repetitious. The most brilliant propagandist technique will yield no success unless one fundamental principle is borne in mind constantly…it must confine itself to a few points and repeat them over and over.”
– Joseph Goebbels, Nazi Propaganda Minister.

In the West, they’re usually referred to as “talking points”.

By: Derek

Derek — Mon, 25 Feb 2013 21:25:28 +0000

And here I thought that the Mandiant report was as close to “conclusive evidence” as one could get. The Chinese denials are quite laughable. Do they expect us to think they are completely innocent?

By: Derek

Derek — Mon, 25 Feb 2013 21:23:04 +0000

Thanks Terry, I was going to say the exact same thing. The distinctions between keys and certificates still seems to be lost on some folks…

By: AlphaCentauri

AlphaCentauri — Mon, 25 Feb 2013 05:12:16 +0000

“The Chinese government has vehemently and consistently denied any sponsorship or encouragement of such attacks. Responding to a story about Chinese hackers suspected of breaking into networks of The Washington Post (another story first featured on KrebsOnSecurity), the Chinese Defense Ministry was quoted as saying, ‘It is unprofessional and groundless to accuse the Chinese military of launching cyber attacks without any conclusive evidence.’”

That’s not t vehement denial. That’s a “non-denial denial.

By: Terry

Terry — Fri, 22 Feb 2013 19:51:18 +0000

I get accused of being anal-retentive, but I would really like to see a stop to the phrase “theft of private digital certificates” for 2 reasons: 1) digital certificates are public, not private, and they are meant to be public 2) the thing that was stolen that was of use in this case was the “private signing key”. It is important (well, at least to anal-retentive me) to be clear on this point as there is an extremely cheap security mechanism to protect against private key theft – it’s called a Hardware Security Module (HSM). Had Bit9′s staff had the presence of mind to put the private key on an HSM it would have been impossible for it to be stolen (short of walking into the server room and physically taking the HSM and doing a Vulcan mind-meld on the Bit9 sysadmin to get the activation PIN). HSMs were once considered rocket surgery, but no longer. They are cheap enough they can be bought on a credit card, come in USB-attached models, and easy to install. So wake up security geeks – stop trusting the OS to protect the real keys to the kingdom.

By: Nick P

Nick P — Fri, 22 Feb 2013 01:04:16 +0000

It was probably a bogus number. Indicates nothing. The Stuxnet job was joint US and Israeli work. Different sources say different things about who did the main job. The network might be ours, might be theirs. We know they do espionage against their allies. Why not an APT infrastructure that *might* be them and *might* be a third party “acting on their own’?

By: Nick P

Nick P — Fri, 22 Feb 2013 00:56:50 +0000

RSH is right about him overstating the importance of Bit9′s software. They *might* have compromised it for this reason. They might have not. That they got in via one of the most common and easily beaten vulnerabilities isn’t saying much. Plus, I’ve said before that the critical signing system should have been guarded from untrustworthy parts of their network.

@ RSH

RSH, did you read that report by Mandiant that Krebs reference? I really liked it. They did a good job on attribution, mapping out capabilities, identifying some specific people, etc. Doesn’t nullify the threat, but it’s bounds above the normal approach: “A chinese IP! Omg, state hackers, cyber war, blah!”

By: Jay K.

Jay K. — Thu, 21 Feb 2013 23:46:06 +0000

According to the article, the offending software was “compiled then signed”, meaning it’s not the original software that was used. Is the article claiming that this is what happened or are they claiming Microsoft’s signed driver was compromised and redistributed?

I don’t know about “media.exe”, but the PHP driver used is open source and can be downloaded and compiled by anyone. However, Microsoft provides a version for download that is signed by their own certificate.

By: JimV

JimV — Thu, 21 Feb 2013 21:24:06 +0000

That certainly looks like the building shown in the BBC video.