Bit9 Admits Systems Breach, Stolen Code-Signing Certificates


Whitelisting vendor Bit9 on Friday announced a security breach of its systems, warning that cybercriminals had gained access to its digital code-signing certificates in an incident that affected three Bit9 customers.

Waltham, Mass.-based Bit9 said the intellectual property at the core of its application whitelisting software was not exposed in the breach. An attacker holding a stolen code-signing certificate can sign malware with it, so that the malware masquerades as Bit9's own product.

"We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9," wrote Bit9 CEO Patrick Morley in a company blog post announcing the infiltration.

[Related: Data Breach Security From A To Z]

Morley said the incident stemmed from an "operational oversight," and information about the breach was first shared with customers before going public with the announcement. "We failed to install our own product on a handful of computers within our network," he said.

Any Bit9 customer affected should, at the very least, assume they now have malware on their systems, said Andrew Storms, director of security operations at San Francisco-based vulnerability and risk management vendor nCircle.

"Revoking certificates isn't a panacea because it takes time for systems to recognize the revocation," Storms said. "Naturally, attackers are trying to maximize this window by using the certificate to deliver whatever they want."

Morley did not disclose how the three customers were affected or whether they suffered a serious data breach as a result of the Bit9 intrusion. The company has revoked the compromised certificate and obtained a new one, Morley said. Engineers are also preparing an update that will block the execution of any malware signed with the stolen certificate.
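To make the two points above concrete, the revocation window Storms describes and the vendor-pushed block Morley describes, here is an added toy model of a whitelisting agent's trust decision. It is illustrative code written for this article, not Bit9's or nCircle's code: an HMAC stands in for a real code signature, and every certificate id, key, payload and timestamp is constructed for the demo. The endpoint refreshes its revocation-list copy only every `crl_ttl` seconds, so malware signed with the stolen certificate keeps running after revocation until the next refresh, while an explicit block of the certificate takes effect immediately.

```python
"""Toy model of a whitelisting agent's trust decision across a code-signing
certificate revocation. Added example, not Bit9's code: the "signature" is an
HMAC stand-in for a real signature, and every certificate id, key, payload and
timestamp below is constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed signer "certificates": cert id -> signing secret. A real PKI
# verifier would hold only the public key; the stolen-key case plays out the same.
SIGNER_KEYS = {
    "vendor-cert-2012": b"constructed-old-vendor-key",
    "vendor-cert-2013": b"constructed-replacement-key",
}


@dataclass
class SignedBinary:
    name: str
    payload: bytes
    cert_id: str
    signature: bytes


def sign(name: str, payload: bytes, cert_id: str) -> SignedBinary:
    """Whoever holds the key for cert_id (owner or thief) can produce this."""
    sig = hmac.new(SIGNER_KEYS[cert_id], payload, hashlib.sha256).digest()
    return SignedBinary(name, payload, cert_id, sig)


def signature_valid(binary: SignedBinary) -> bool:
    key = SIGNER_KEYS.get(binary.cert_id)
    if key is None:
        return False
    expected = hmac.new(key, binary.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, binary.signature)


@dataclass
class RevocationAuthority:
    """The issuer's current revocation list: what the world *should* know."""
    revoked: dict = field(default_factory=dict)  # cert_id -> revocation time

    def revoke(self, cert_id: str, at: int) -> None:
        self.revoked[cert_id] = at

    def crl(self) -> dict:
        return dict(self.revoked)


@dataclass
class Endpoint:
    """Agent that trusts listed signers and refreshes its CRL copy every crl_ttl seconds."""
    trusted_signers: set
    crl_ttl: int
    next_refresh: int = 0
    crl_cache: dict = field(default_factory=dict)
    explicit_block: set = field(default_factory=set)  # vendor-pushed deny list

    def maybe_refresh_crl(self, authority: RevocationAuthority, now: int) -> None:
        if now >= self.next_refresh:
            self.crl_cache = authority.crl()
            self.next_refresh = now + self.crl_ttl

    def allow(self, binary: SignedBinary, authority: RevocationAuthority, now: int):
        """Returns (allowed, reason). An explicit block wins over everything else."""
        self.maybe_refresh_crl(authority, now)
        if binary.cert_id in self.explicit_block:
            return False, "cert explicitly blocked"
        if binary.cert_id not in self.trusted_signers:
            return False, "untrusted signer"
        if not signature_valid(binary):
            return False, "bad signature"
        if binary.cert_id in self.crl_cache:
            return False, "cert revoked (CRL)"
        return True, "trusted signature"


def run_scenario(push_block: bool, crl_ttl: int = 3600):
    """Decisions for malware signed with the stolen cert at t=0, t=900 and t=crl_ttl.
    The issuer revokes the cert at t=600; if push_block, the vendor also pushes an
    explicit block of the old cert at t=700, ahead of the endpoint's next CRL refresh."""
    authority = RevocationAuthority()
    ep = Endpoint(trusted_signers={"vendor-cert-2012"}, crl_ttl=crl_ttl)
    malware = sign("dropper.exe", b"constructed malicious payload", "vendor-cert-2012")
    decisions = []
    decisions.append((0,) + ep.allow(malware, authority, 0))      # CRL fetched, still empty
    authority.revoke("vendor-cert-2012", at=600)                  # theft discovered
    if push_block:
        ep.explicit_block.add("vendor-cert-2012")                 # vendor update, t=700
    decisions.append((900,) + ep.allow(malware, authority, 900))  # cached CRL is stale
    decisions.append((crl_ttl,) + ep.allow(malware, authority, crl_ttl))  # refreshed
    return decisions


def reissued_product_allowed() -> bool:
    """The vendor's own binary re-signed with the replacement cert is trusted once
    the endpoint's signer list is updated; the copy under the old cert is not."""
    authority = RevocationAuthority()
    authority.revoke("vendor-cert-2012", at=600)
    ep = Endpoint(trusted_signers={"vendor-cert-2012", "vendor-cert-2013"}, crl_ttl=3600)
    ep.explicit_block.add("vendor-cert-2012")
    old = sign("agent.exe", b"constructed product build", "vendor-cert-2012")
    new = sign("agent.exe", b"constructed product build", "vendor-cert-2013")
    return ep.allow(old, authority, 1000)[0] is False and ep.allow(new, authority, 1000)[0] is True


if __name__ == "__main__":
    for label, push in (("CRL only", False), ("CRL + explicit block", True)):
        print(label, run_scenario(push))
```

Run without the explicit block, the malware is allowed at t=0 and still at t=900, three hundred seconds after revocation, and is only refused at t=3600 when the endpoint refreshes its CRL copy; that gap is the window Storms says attackers try to maximize. With the explicit block pushed, the same sample is refused at t=900. The reissue check shows the cost of the fix: anything still signed under the old certificate, including the vendor's own legitimate builds, must be re-signed under the replacement.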

Morley also summarized the company's security processes, saying that a security operations center with full-time staff monitors all system activity and that regular third-party audits are conducted.

"We share a common goal with our customers: defending against the malicious type of activity that caused this incident," Morley wrote. "We are committed to doing right by our customers and maintaining their full trust and confidence."

PUBLISHED FEB. 8, 2013

This story was updated on Feb. 8, 2013, at 3:30 p.m. PST, to include comments from nCircle's Andrew Storms made after press time.