Comments on: Security Firm Bit9 Hacked, Used to Spread Malware

By: Christian Cooper

Christian Cooper — Thu, 07 Mar 2013 04:02:09 +0000

…..no matter how great your agent based security endpoint solutions are, they only protect what they can managed. If they had used an agent-less visibility and control solution like ForeScout’s CounterACT, they would have real-time detection of any non-compliant endpoints connecting to the network. They would have known that their whitelisting solution wasn’t deployed on the systems in question. Furthermore, they could then have auto-remediated the non-compliant endpoint at machine-speed….ohh well

By: Jason

Jason — Thu, 14 Feb 2013 20:06:07 +0000

I once heard this translated as “The cobbler’s children have no shoes.”

I now write software development tools, so as you might imagine I say this phrase quite often.

By: Christian

Christian — Thu, 14 Feb 2013 10:24:03 +0000

if this attack was targeted, how should their software help in any way?
i guess the hackers dont email their malware signatures to bit9 before they try to attack them
That their software wasnt installed everywhere is just a very lame excuse. It would show how limited such software products are.
You cant tell your customers, that your snakeoil isnt working

By: Karen

Karen — Thu, 14 Feb 2013 00:43:31 +0000

This story is so ridiculous, I can’t stop laughing. Really?? Bit9 didn’t follow its own protocols that it tells its customers to do? They deserved to get hacked! This should be a lesson for every company, federal agency, and business out there — make sure you use as many techniques as possible to keep your data as safe as possible. This snafu makes Bit9 look like a bunch of morons.

By: YummyBacon

YummyBacon — Tue, 12 Feb 2013 21:44:52 +0000

Forgive me for not being super-technical, but Bit9′s explanation does not jibe with my understanding for how infections occur. Perhaps Mr. Krebs or someone here can help.

Most malware infections occur on the desktop which the attacker then uses as a launch point for reconnaissance and to move laterally (e.g., RSA breach, Google Breach, etc) so White-listing software on the server in question should not really be relevant to the discussion. Its very unlikely that the hacker group would know exactly which server to go after and then try to install an executable directly on it.

To me, this looks more like a longer-term resident infection (like RSA) where the attackers were able to identify the exact machine over time with the “crown jewels” and then exfiltrate/modify the data there.

If this is the case, then which desktop at Bit9 got popped and how did that happen if their software was installed on all their machines?

OR maybe I am missing something. Thoughts?

By: mysteriousgeek

mysteriousgeek — Tue, 12 Feb 2013 06:03:59 +0000

yes indeed, you are right Cody. i think it is itself a big security flaw.

By: SeymourB

SeymourB — Tue, 12 Feb 2013 02:44:50 +0000

I’ll never forget the time McAfee blacklisted Windows XP’s svchost.exe (April 2010). I know entire companies that went offline as a result of that debacle. A local hospital actually shut their systems down and left them down after it had already knocked out a sizable portion of their systems. Not only didn’t McAfee go out of business, Intel announced their acquisition intent in August 2010.

While I know many AV programs have had similar woes, I’ve kept an ear out for McAfee’s woes ever since the days when I did phone tech support; they flagged one of our hundred-ish MB video files as containing an executable virus (that was contained inside its own dedicated executable – a couple KB in size. ah, those were the days). The phone just wouldn’t stop ringing…

By: Richard Steven Hack

Richard Steven Hack — Mon, 11 Feb 2013 23:16:33 +0000

I explicitly disagree with that post. The argument is overstated in order to tout their product over Bit9.

White-listing is a feasible approach if it’s done right. Many products don’t do it right. That doesn’t make it “impossible”.

White-listing is also not a panacea, merely one approach that can help.

By: rb

rb — Mon, 11 Feb 2013 17:50:55 +0000

Having source code (and time to review it) is only one piece of the pie. Can you trust your tool chain? How about your kernel? And don’t forget the hardware itself. Read Ken Thompson’s “Refections on Trusting Trust” if any of these ideas are new to you.

Finally, binaries from repositories can be (and have been) compromised.

By: Christoph

Christoph — Mon, 11 Feb 2013 10:33:34 +0000

Concerned IT professionals [and maybe even Bit9 customers] might be interested to read about the “The Absolute Impossibility of White-listing”
http://blogs.bromium.com/2013/02/08/the-absolute-impossibility-of-white-listing/