2/11/2013 04:19 PM
Bit9 Breach Boosts Calls For Attack Intel-Sharing Among Targeted Security Vendors

Whitelisting company's breach the latest warning sign that security vendors are getting hit by advanced attackers, too

Bit9 is the latest in a series of high-profile security vendors hit by targeted attacks that compromised their own security technology. The breach is prompting calls for vendors to unite and share attack information so they can better detect and protect against these attacks, which ultimately affect their customers and the overall security infrastructure as well.

The whitelisting security vendor's CEO, Patrick Morley, late Friday announced via a blog post that the company had suffered a breach that exposed one of its digital code-signing certificates (and the private key needed to sign with it) to the attackers, who then used it to sign malware, affecting three of its customers. Morley said an "operational oversight" led to the breach: a handful of computers on its network were running without the company's own product.

"We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," he said. "There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised," and the company revoked the compromised certificate and issued a new one.

Bit9 plans to issue a patch that automatically detects and stops execution of any malware signed with the stolen certificate, and is monitoring its Software Reputation Service for the hashes of that malware. The breach follows that of RSA two years ago, those of certificate authorities such as DigiNotar and Comodo, and the Flame cyberespionage malware's MD5-collision attack on certificates issued by Microsoft's Terminal Server Licensing Service, which let its authors forge a certificate that chained up to Microsoft.

Security vendors -- like defense contractors, the financial services industry, and, now, the media -- are in the bull's-eye of targeted attack campaigns as well. That should come as no surprise, since their technology, if compromised, can be used to help hack into their customers' networks. So, like other vertical industries, security vendors need to band together and fight back by sharing the attack information they gain from their own experiences, security experts say, even if doing so means giving up a little competitive edge.

"When an industry as a whole is under attack, it needs to be rethinking these priorities," says Scott Crawford, managing research director at Enterprise Management Associates. "The security industry really needs to take a page from" the financial services industry's formalized intelligence-sharing, for example, he says.

"Security and technology vendors are going to be compromised," says Crawford, who also blogged today that security vendors as a whole need to respond to this threat against them.

Some security vendors already do share information about attacks they have experienced or deflected -- but it's a mostly ad-hoc and fairly limited process. Websense, for example, is a member of several vetted lists and forums where vendors share information, says Chris Astacio, manager of security research for Websense.

"A certain amount of research and information gets shared [this way]," Astacio says. "These types of supply-chain attacks where security companies are attacked so the [attacker] can then take on a customer of theirs should garner the same amount of research and sharing of research" as malware research does.

Astacio says security vendors should band together in the face of targeted attack campaigns against their industry much like other vertical industries do. Attacks such as that of Bit9 and others demonstrate how advanced persistent threat (APT) actors are trying to get the goods from their ultimate targets via their security suppliers, he says. "They are going to be more brazen and brash," Astacio says.

The time has come for the security vendor community to step up and acknowledge the problem, security experts say. "Just because you're a security company doesn't mean you're immune or have a magic force field anyone can't get through," says Brian Honan of BH Consulting and a member of the Irish CERT. "You need to make sure you can't be used as a point to attack your clients because they trust you to keep them secure ... Bit9 didn't have their own software installed on their computers: That's a glaring issue."

More than likely Bit9 is not the only security company under attack right now, experts say. "If these are motivated attackers, they are not going to stop," Honan says. "They will just move on to the next target and opportunity and see how they can leverage it."

Bit9 didn't share many details of the impact on the three customers that received the signed malware, but the Bit9 digital signature could have allowed that malware to pass as a Bit9-whitelisted application on any endpoint that trusts Bit9-signed code.

"So the malware would be recognized and accepted by the client's machine as legitimate, and it would then install malware on those machines," says Honan, who posted a blog today on lessons learned from the breach. "Then it would give the attackers remote access to those machines and some way to control those machines, and use them to maybe attack further."

[Certificate authority Turktrust details internal errors that led to phony digital certificates. See Errant Google Domain Traced To CA's Mistakes.]

Meanwhile, critics say whitelisting comes with inherent weaknesses of its own, such as the need to keep the whitelist itself "patched" alongside the applications it covers, notes John Prisco, president and CEO of Triumfant.

"You have to patch the application and therefore patch the whitelist. If you're not diligent about it, it can be exploited, as in the case of Bit9. Whitelisting is still based on prior knowledge; therefore it is susceptible. A system that is based on prior knowledge can always be exploited by a determined adversary," Prisco says. "Unless you have an anomaly-based analytics system on the endpoint that can see fundamental changes that can signal malware attacks, you will always be beaten."
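The two failure modes discussed above, a trusted publisher's signing key being turned against the customers who trust it (Honan) and a hash-based whitelist going stale after every patch (Prisco), are easiest to see side by side in a small policy engine. The following Go program is an added example written for this article; it is not Bit9's code and does not claim to reproduce how any vendor's product evaluates rules. It assumes a simplified allowlisting model with three rule types (per-file hash approvals, trusted publisher keys, revoked publisher keys), uses Ed25519 in place of an X.509 Authenticode chain, and uses constructed byte strings in place of real executables.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Binary models an executable arriving on an endpoint: its bytes plus an
// optional code signature (the signer's public key and a signature over the bytes).
type Binary struct {
	Name   string
	Data   []byte
	Signer ed25519.PublicKey // nil for unsigned files
	Sig    []byte
}

// Policy is a simplified application-allowlisting policy (an assumed model, not
// any vendor's real rule engine): per-file hash approvals, trusted publisher keys
// whose valid signatures are accepted, and publisher keys that have been revoked.
type Policy struct {
	ApprovedHashes    map[string]bool
	TrustedPublishers map[string]bool // keyed by key fingerprint
	RevokedPublishers map[string]bool
}

func fileHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign attaches a code signature to b using the publisher's private key.
func Sign(b Binary, priv ed25519.PrivateKey) Binary {
	b.Signer = priv.Public().(ed25519.PublicKey)
	b.Sig = ed25519.Sign(priv, b.Data)
	return b
}

// Decide returns whether b may execute and which rule produced the verdict.
// Hash approvals are checked first, so a revoked key does not strand files that
// were individually approved; everything else falls through to publisher trust.
func (p Policy) Decide(b Binary) (bool, string) {
	if p.ApprovedHashes[fileHash(b.Data)] {
		return true, "hash-approved"
	}
	if b.Signer == nil {
		return false, "unsigned and not hash-approved"
	}
	fp := fingerprint(b.Signer)
	if p.RevokedPublishers[fp] {
		return false, "signer revoked"
	}
	if !ed25519.Verify(b.Signer, b.Data, b.Sig) {
		return false, "signature invalid"
	}
	if p.TrustedPublishers[fp] {
		return true, "trusted publisher"
	}
	return false, "unknown signer"
}

// Approve adds the file's hash to the allowlist (what must happen after every patch).
func (p Policy) Approve(b Binary) { p.ApprovedHashes[fileHash(b.Data)] = true }

// Revoke stops trusting a publisher key, e.g. after it was used to sign malware.
func (p Policy) Revoke(pub ed25519.PublicKey) { p.RevokedPublishers[fingerprint(pub)] = true }

// RunScenario plays through the stolen-signing-key story and returns each verdict by label.
func RunScenario() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // the key that leaks
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)       // the replacement key

	// Constructed sample "binaries"; the bytes stand in for real PE files.
	agentV1 := Sign(Binary{Name: "agent-1.0.exe", Data: []byte("agent v1")}, vendorPriv)
	malware := Sign(Binary{Name: "dropper.exe", Data: []byte("malicious payload")}, vendorPriv) // signed with the stolen key
	agentV2 := Sign(Binary{Name: "agent-1.1.exe", Data: []byte("agent v1.1 patched")}, newPriv)
	tampered := malware
	tampered.Data = []byte("malicious payload v2") // bytes changed after signing

	policy := Policy{
		ApprovedHashes:    map[string]bool{fileHash(agentV1.Data): true},
		TrustedPublishers: map[string]bool{fingerprint(vendorPub): true},
		RevokedPublishers: map[string]bool{},
	}
	out := map[string]bool{}
	out["agent v1 runs"], _ = policy.Decide(agentV1)
	out["signed malware runs under publisher trust"], _ = policy.Decide(malware)
	out["tampered copy runs"], _ = policy.Decide(tampered)

	policy.Revoke(vendorPub) // the vendor's response: revoke the misused key
	out["signed malware runs after revocation"], _ = policy.Decide(malware)
	out["agent v1 still runs after revocation"], _ = policy.Decide(agentV1)

	out["patched agent runs before new key trusted"], _ = policy.Decide(agentV2)
	policy.TrustedPublishers[fingerprint(newPub)] = true
	out["patched agent runs once new key trusted"], _ = policy.Decide(agentV2)

	// Hash-only policy: no publisher trust at all, so a stolen key buys the
	// attacker nothing, but every patch must be re-approved by hash.
	hashOnly := Policy{ApprovedHashes: map[string]bool{fileHash(agentV1.Data): true},
		TrustedPublishers: map[string]bool{}, RevokedPublishers: map[string]bool{}}
	out["hash-only: signed malware runs"], _ = hashOnly.Decide(malware)
	out["hash-only: patched agent runs before approval"], _ = hashOnly.Decide(agentV2)
	hashOnly.Approve(agentV2)
	out["hash-only: patched agent runs after approval"], _ = hashOnly.Decide(agentV2)
	return out
}

func main() {
	for label, allowed := range RunScenario() {
		fmt.Printf("%-48s %v\n", label, allowed)
	}
}
```

The publisher-trust rule is what makes a stolen signing key valuable: the dropper executes on every endpoint that trusts the vendor, with no per-file approval, until the key is revoked. The hash-only policy is immune to that, but it is also the policy Prisco is describing: a patched agent is blocked until someone approves its new hash. In practice the two rule types are combined, and the revocation step is the part that has to be deployable quickly.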


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
Doug Finley, 2/22/2013 4:32:50 PM:
John Prisco doesn't know whitelisting. What Bit9 does is a corrupted form of whitelisting. The attacker was permitted to install their malware because they had a valid certificate in spite of the fact that the malware was not authorized to execute on the endpoint it infected. Whitelists don't need certificates.

Deploying a patch means that the whitelist must be updated. There are automated methods for that, including integrated patch management/whitelisting. And no, whitelisting doesn't require prior knowledge, if by that term he means knowledge of the attacking software. Whitelisting's only prior knowledge requirement is to be able to uniquely identify all software authorized and intended to execute on that specific endpoint.

Did Bit9 really fail to even attempt to protect the machine hosting their certificates? Really?
Drew Conry-Murray, 2/13/2013 12:45:58 AM:
I think intelligence-sharing among information security companies is a good idea, and should move beyond ad-hoc relationships to something more formal, like in the financial sector. I know it's embarrassing for security companies to admit they've been breached, but the fact is, no one is invulnerable, and simply pretending you are for marketing or image purposes is a mistake.

Drew Conry-Murray
Editor, Network Computing