Bit9 hacked, used to inject malware into customers’ networks

Security vendor Bit9 has been hit by a serious security breach of its own network.

Intruders broke into a core part of the company’s service and used its own trusted digital certificates to create pre-authorised malware.

The result, apparently, was that a small number of customers got infected with malware that wasn’t merely missed by Bit9’s detection algorithms, but was actively endorsed by its protection system.

It’s always tricky to write about compromises and problems with competitors’ products, but please bear with me here. I’ll try to be as balanced as I can.

As a colleague wryly and compactly pointed out the other day when Kaspersky hit the news by cutting customers off from the internet with a dodgy update, “John 8:7.”

Bit9’s case is a bit different because the company eschews traditional security and anti-malware techniques and instead favours whitelisting.

→ I’m not a fan of that name because at least some people find it offensive, and because there is a much clearer, self-descriptive alternative: allowlisting. Likewise, blacklisting is much more directly rendered as blocklisting. Simply put, blocklisting aims to recognise known bad stuff and to stop it. Allowlisting aims to recognise known good stuff and to stop everything else.

For what it’s worth, Bit9 has done the right and honourable thing, and ‘fessed up on its website.

The company is still keeping the precise details close to its chest, as it’s entitled to, but has offered a general overview that’s pretty clear. Call me old-fashioned, but that counts for a lot.

I’m not entirely convinced by the entire explanation, however.

Bit9’s observation that “this incident was not the result of an issue with our product,” for instance, is a trifle misleading.

I think I know what they mean, and why they said it, but the truth is simple: Bit9’s service made the wrong call.

It misrecognised malware as good software (a false negative, in industry jargon) and let an infection through.

Conceptually, this is no different (in industry jargon, it had a similar failure mode) to what happens when a traditional anti-virus fails to spot malware as malware.

The truth is that any programmatic means of analysing another program and predicting its behaviour must be imperfect.

Regular readers of Naked Security will have heard me pronouncing on this matter before. That’s because I’m a big fan of Alan Turing, who studied this very issue back in the 1930s, before digital computers even existed.

It’s known as the Entscheidungsproblem (usually rendered into English as the Halting Problem), and it pretty much says that any security software must, at least occasionally, make mistakes.

It’s become fashionable recently to bash anti-virus software harder than ever, decrying it as reactive, behind-the-times and even as “digital homeopathy.” (Even I had to smile at that tweet.)

Allowlisting is often trumpeted as the preferred, scientific, simpler, cleaner, greener approach.

There’s a lot to be said for that, if you can reliably predict in advance the complete list of software files you will need on your computers, and if you don’t make any mistakes in ensuring that everything on the list really is good.

Of course, the pace of change is swift enough these days that you need to keep updating the list of known good stuff, and that’s where errors can creep in.

In practice, modern anti-virus software doesn’t rely on (indeed, hasn’t relied on for about two decades already) a purely reactive, list-of-known-badness approach.

Today’s anti-malware solutions aren’t merely blocklists, and if you buy one and engage only its pure-play blocklisting parts, you’re missing a trick.

Several tricks, in fact.

Similarly, any decent product that claims to work by permitting only known-good stuff doesn’t rely entirely on allowlisting.

If a file is already known to be bad, you’d be silly not to use that information to ban the file so it never gets onto your allowlist by mistake!

No security solution can be perfect, because no solution can decide all the answers.

That’s why defence in depth is really important, and why you should run a mile from any security vendor who still makes claims like “never needs updating” or “all others are imposters.”

To the Bit9 crew: when I read the part where you wrote that “the threat from malicious actors is very real, extremely sophisticated, and that all of us must be vigilant,” I felt your pain, brothers and sisters.

We may have varying approaches and differing opinions, but we’re on the same side here.

I hope you catch the villains behind this, or at least find out more about the who, what and why…