Stealing The Keys: Bit9 Breach Means It’s Time To Throw Out Old Thinking About Security Products

Written by Frank Hayes
February 13th, 2013

In another sign that investing in security isn’t enough, three customers of security vendor Bit9 ended up with malware in their systems. This happened after a digital code-signing certificate was stolen from the vendor—and that, in turn, happened because Bit9 failed to use its own product on some of its systems.

Never mind the physician-heal-thyself aspect of this incident (which is a little tough for us because, well, Bit9 did do exactly what it tells its customers not to). More to the point, it’s another sign that retailers need to stop trusting security and start thinking securely.

On February 8, Bit9 notified its customers that it had neglected to install its own product on some computers in its internal network. The result: cyberthieves broke in and got access to a code-signing certificate, which they then used to sign malware. Because that malware carried Bit9's signature, it could be injected into the systems of the three publicly unidentified Bit9 customers. Bit9 revoked the certificate and has since sent customers a patch to block any software signed with it.
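As an added illustration (not Bit9's code, and a deliberate simplification of real certificate-based code signing), the Go program below models what the thieves did and what the vendor's patch does. A verifier that trusts anything carrying a valid signature from the vendor's key accepts malware signed with the stolen key exactly as readily as the real build; revoking the certificate fingerprint blocks both; a per-file hash allowlist, which trusts specific builds rather than the signer, is the kind of second layer the rest of the piece argues for. Ed25519 key pairs stand in for X.509 certificates, SHA-256 of the public key stands in for a certificate thumbprint, and the sample file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Publisher stands in for a code-signing certificate: a public key plus the
// fingerprint the verifier revokes by (constructed stand-in, not Bit9's format).
type Publisher struct {
	Fingerprint string // hex SHA-256 of the public key
	Key         ed25519.PublicKey
}

// SignedBinary is file contents plus the signature and signer fingerprint it carries.
type SignedBinary struct {
	Contents, Signature []byte
	Fingerprint         string
}

type Decision string // the verifier's verdict on one binary

const (
	Allow         Decision = "allow"
	DenyRevoked   Decision = "deny: signing certificate revoked"
	DenyUntrusted Decision = "deny: no valid signature from a trusted publisher"
	DenyHash      Decision = "deny: valid signature, but file hash not on the allowlist"
)

// Verifier is a simplified whitelisting agent: trust a binary whose signature verifies
// under a non-revoked trusted publisher, optionally also requiring an allowlisted file hash.
type Verifier struct {
	trusted   map[string]Publisher
	revoked   map[string]bool
	allowHash map[string]bool
}

func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// NewPublisher generates a fresh signing key pair.
func NewPublisher() (Publisher, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publisher{Fingerprint: hexSHA256(pub), Key: pub}, priv
}

// Sign produces a signed binary; whoever holds priv can call it, owner or thief.
func Sign(p Publisher, priv ed25519.PrivateKey, contents []byte) SignedBinary {
	return SignedBinary{Contents: contents, Signature: ed25519.Sign(priv, contents), Fingerprint: p.Fingerprint}
}

func NewVerifier(trusted ...Publisher) *Verifier {
	v := &Verifier{trusted: map[string]Publisher{}, revoked: map[string]bool{}, allowHash: map[string]bool{}}
	for _, p := range trusted {
		v.trusted[p.Fingerprint] = p
	}
	return v
}

// Revoke models the vendor's "block anything signed with this certificate" patch;
// AllowHash records one specific build as known-good, regardless of who signed it.
func (v *Verifier) Revoke(fp string)           { v.revoked[fp] = true }
func (v *Verifier) AllowHash(contents []byte) { v.allowHash[hexSHA256(contents)] = true }

// Check applies revocation, then signature validity, then the optional hash layer.
func (v *Verifier) Check(b SignedBinary, requireKnownHash bool) Decision {
	if v.revoked[b.Fingerprint] {
		return DenyRevoked
	}
	p, ok := v.trusted[b.Fingerprint]
	if !ok || !ed25519.Verify(p.Key, b.Contents, b.Signature) {
		return DenyUntrusted
	}
	if requireKnownHash && !v.allowHash[hexSHA256(b.Contents)] {
		return DenyHash
	}
	return Allow
}

// Scenario replays the breach with constructed sample files: the vendor key signs a real
// build, a thief signs malware with the same key, the certificate is revoked, then a hash
// allowlist is added. It returns the six verdicts in order.
func Scenario() []Decision {
	vendor, vendorPriv := NewPublisher()
	good := Sign(vendor, vendorPriv, []byte("constructed sample: legitimate agent build"))
	malware := Sign(vendor, vendorPriv, []byte("constructed sample: malicious payload"))
	v := NewVerifier(vendor)
	out := []Decision{v.Check(good, false), v.Check(malware, false)} // both allowed: the signature cannot tell them apart
	v.Revoke(vendor.Fingerprint)
	out = append(out, v.Check(malware, false), v.Check(good, false)) // both denied: revocation also blocks the real build
	v2 := NewVerifier(vendor)
	v2.AllowHash(good.Contents)
	return append(out, v2.Check(good, true), v2.Check(malware, true)) // allow, deny: the hash layer catches the signed malware
}

func main() { fmt.Println(Scenario()) }
```

The order of checks in Check matters: revocation is consulted before the signature is verified, so a revoked certificate is rejected even though the cryptography is flawless. That is the whole point of the locksmith analogy: a valid signature proves only that someone held the key, not that it was the vendor.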

It’s not clear whether Bit9 or the infected customers discovered the problem first, and Bit9 didn’t respond when we asked. What is clear is that Bit9 was targeted to get access to that certificate. The vendor says its investigation shows nothing else in its systems was touched. The Bit9 breach was only a means to an end: getting into the systems of those customers. In effect, the thieves got around Bit9’s very sturdy locks by breaking into the locksmith’s shop and stealing the keys.

It’s a problem unnervingly reminiscent of the 2011 breach at EMC’s (NYSE:EMC) RSA subsidiary that raised questions about how secure RSA customers would be. Once again, the basic security technology was solid. And yet thieves broke into the vendor to get what they needed to attack customers.

That signals the need for a different way of thinking about security products. You can do all the product vetting you want and still be at risk, not because the security product fails but because the vendor’s own security does. And that, in turn, is out of your hands.

Add to that new reality the fact that your systems are constantly being automatically probed by the bad guys—and so are the systems of your vendors—and a new flow chart for attacks becomes pretty clear. Is there a vulnerability? If so, use it. If not, what security products are being used? Is there a vulnerability at any of those vendors? If so, use it to steal something to use in attacking the original target. If not, you’re safe—this week.

All of which means you still need those security products. You just can’t trust them, at least not by themselves and without supervision. Layering multiple security products generally makes attacks harder, but even defense-in-depth isn’t enough under that constant probing. You need to have security admins reviewing logs more frequently, looking for patterns that automated filters won’t catch.

You also need to assume that there will be failures, and to have plans in place for dealing with them, even when an attack appears to have been unsuccessful. Attackers are so far ahead of where the security game stood even a decade ago that you must expect your security products to fail. You can’t count on them anymore, a shift in thinking that, going forward, will make security a lot more challenging.

By which we mean “miserable and expensive,” but you already knew that.

Published by StorefrontBacktalk.