There is nothing so ironic as a security firm being hacked, and the latest victim of that ignominy, it was reported on Friday, is Bit9. This is no consumer-level company that saw its security fail: Bit9 provides software and network security services to the U.S. government and at least 30 Fortune 100 firms.
Bit9 is a leading provider of "application whitelisting," which inverts the typical approach to fighting malware. Rather than attempting to detect and quarantine malicious programs and files, Bit9's service helps companies develop custom lists of approved software, digitally signed so that only approved programs are allowed to run on employees' machines.
However, on Friday, Bit9 revealed to its customers that its own -- that's right, Bit9's -- network had been breached by a cyberattack. The attack was detected after Bit9 received reports from some customers that malware had been found inside their own Bit9-protected networks, malware that carried a valid digital signature made with Bit9's own code-signing key.
How could this happen? Only by attackers gaining control of a Bit9 system that held the company's code-signing certificate and using it to sign their malware. And that happened because Bit9 made a huge mistake: it failed to install its own security software on several of its own systems.
After informing its customers, Bit9 went public with a blog post. It wrote:
Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised.
It seems obvious that the attack on Bit9 was a means to an end. By compromising Bit9's systems so that they could sign their own malware with Bit9's certificate, the attackers were able to subvert the whitelisting process and bend it to their will.
After all, whitelisting doesn't really say that an app is safe. All it says is that an app is approved, or seemingly approved. A valid signature proves only that whoever held the signing key signed the file; a whitelist rule that trusts everything signed by that key extends the same trust to anything a thief signs with it, until the certificate is revoked and the approved files are re-established some other way.
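To make the point concrete, here is an added example (not Bit9's code or rule format, and not from the original article) that models a publisher-trust rule next to a per-file hash rule. An Ed25519 key stands in for the X.509 code-signing certificate, the file contents and names are constructed, and the policy structure is an assumption of this example. It shows that malware signed with the stolen key sails through a publisher rule exactly as the legitimate tool does, and that revoking the key plus re-approving known-good files by hash is what separates the two again.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is an executable as the endpoint agent sees it: the file bytes,
// the publisher signature, and the public key the signature claims.
type Artifact struct {
	Name   string
	Bytes  []byte
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Policy holds two kinds of allowlist rule. Publisher rules trust every file
// validly signed by a key; hash rules approve one exact file. This is an
// assumed, simplified model, not Bit9's real rule engine.
type Policy struct {
	TrustedPublishers map[string]bool // hex public key -> trusted
	RevokedPublishers map[string]bool // hex public key -> revoked
	ApprovedHashes    map[string]bool // hex SHA-256 of file -> approved
}

func keyID(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

func fileHash(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Decide returns whether a may run and which rule produced the verdict.
// Revocation is checked before publisher trust so that a revoked key
// can never approve anything, even with a valid signature.
func (p Policy) Decide(a Artifact) (bool, string) {
	if p.ApprovedHashes[fileHash(a.Bytes)] {
		return true, "hash"
	}
	id := keyID(a.PubKey)
	if p.RevokedPublishers[id] {
		return false, "publisher-revoked"
	}
	if p.TrustedPublishers[id] && ed25519.Verify(a.PubKey, a.Bytes, a.Sig) {
		return true, "publisher"
	}
	return false, "no-matching-rule"
}

func verdict(ok bool, rule string) string {
	if ok {
		return "allow/" + rule
	}
	return "deny/" + rule
}

// Scenario replays the trust failure with constructed data: a vendor key
// stands in for the stolen code-signing certificate, and the attacker signs
// malware with it. It returns the verdict for each step.
func Scenario() map[string]string {
	// Fixed seed so the example is reproducible; a real signing key would
	// never be derived from a public constant.
	seed := []byte("example-vendor-signing-key-seed!") // exactly 32 bytes
	vendorPriv := ed25519.NewKeyFromSeed(seed)
	vendorPub := vendorPriv.Public().(ed25519.PublicKey)

	legit := []byte("constructed bytes of a legitimate admin tool")
	malware := []byte("constructed bytes of a dropper the attacker built")

	// Publisher rule: anything validly signed by the vendor key is approved.
	policy := Policy{
		TrustedPublishers: map[string]bool{keyID(vendorPub): true},
		RevokedPublishers: map[string]bool{},
		ApprovedHashes:    map[string]bool{},
	}

	legitArt := Artifact{"admintool.exe", legit, vendorPub, ed25519.Sign(vendorPriv, legit)}
	// The attacker holds the same private key, so this signature verifies too.
	malArt := Artifact{"dropper.exe", malware, vendorPub, ed25519.Sign(vendorPriv, malware)}

	out := map[string]string{}
	out["legit-before"] = verdict(policy.Decide(legitArt))
	out["malware-before"] = verdict(policy.Decide(malArt))

	// Response: revoke the compromised key and re-approve known-good files by hash.
	policy.RevokedPublishers[keyID(vendorPub)] = true
	policy.ApprovedHashes[fileHash(legit)] = true

	out["legit-after"] = verdict(policy.Decide(legitArt))
	out["malware-after"] = verdict(policy.Decide(malArt))
	return out
}

func main() {
	for step, v := range Scenario() {
		fmt.Println(step, v)
	}
}
```

Before revocation both files are "allow/publisher": the rule cannot tell a thief from the vendor, because the signature is equally valid in both cases. After revocation the legitimate tool survives only because it was re-approved by hash, while the dropper is denied on the revoked key. The order of checks in Decide matters; if publisher trust were consulted before the revocation list, the stolen key would keep working.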