Network security provider Bit9 today disclosed a critical data breach that resulted in its own software being used to attack three of Bit9's clients.
Security blogger Brian Krebs was tipped off by a source earlier today (Feb. 8), prompting Waltham, Mass.-based Bit9 to post a statement of its own.
"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," read the statement, signed by company president and chief executive officer Patrick Morley.
"As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."
Most security companies defend computer systems by creating blacklists of known malicious software.
Bit9 takes the opposite approach — its clients' IT teams create "whitelists" of known good software, and then Bit9's products block everything else.
That's a powerful way to prevent "zero-day" attacks by unknown malware, and Bit9 is proud of being the only company to have blocked the super-sophisticated Flame spyware before its discovery last May.
But there's an inherent flaw in the whitelisting concept. Any piece of malware that managed to get itself on a whitelist would automatically be let into the affected system, no questions asked.
That's exactly what seems to have happened in this case. Even worse, because the attackers had stolen one of Bit9's own code-signing certificates, the malware was able to penetrate the systems of more than one of Bit9's clients.
"Our investigation indicates that only three customers were affected by the illegitimately signed malware. We are continuing to monitor the situation," Morley wrote.
He added that the stolen certificate had been revoked and the holes in Bit9's systems patched.
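To make the flaw concrete, here is an added illustration (not Bit9's code, and not a description of how its product is implemented): a toy whitelist engine with two rule types, trust-by-publisher and trust-by-hash, plus a certificate revocation list. It shows that a publisher rule admits anything signed with that publisher's certificate, stolen or not, until the certificate is revoked, while a hash rule keeps admitting only the exact known-good binary. The publisher name, certificate serial and binary contents are constructed.

```python
# Added example: toy application-whitelist engine (constructed, not Bit9's code).
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes
    signer: Optional[str]       # publisher name on the code-signing certificate
    cert_serial: Optional[str]  # serial of the certificate that signed it


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    def __init__(self) -> None:
        self.approved_hashes: set = set()
        self.trusted_publishers: set = set()
        self.revoked_serials: set = set()

    def approve_hash(self, content: bytes) -> None:
        self.approved_hashes.add(sha256(content))

    def trust_publisher(self, name: str) -> None:
        self.trusted_publishers.add(name)

    def revoke_cert(self, serial: str) -> None:
        self.revoked_serials.add(serial)

    def decision(self, b: Binary) -> str:
        # Hash rules are exact: only this precise file is admitted.
        if sha256(b.content) in self.approved_hashes:
            return "allow:hash"
        # Publisher rules admit every file bearing a trusted signature,
        # so a stolen certificate turns the rule into an open door.
        if b.signer in self.trusted_publishers:
            if b.cert_serial in self.revoked_serials:
                return "block:revoked-cert"
            return "allow:publisher"
        return "block:not-whitelisted"


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    wl = Whitelist()
    wl.trust_publisher("Vendor Inc")  # constructed publisher
    good = Binary("agent.exe", b"constructed good agent", "Vendor Inc", "SERIAL-1")
    # Constructed malware signed with the same (stolen) certificate.
    bad = Binary("dropper.exe", b"constructed malware", "Vendor Inc", "SERIAL-1")
    unsigned = Binary("tool.exe", b"constructed unsigned tool", None, None)
    before = {b.name: wl.decision(b) for b in (good, bad, unsigned)}
    wl.revoke_cert("SERIAL-1")          # the response described in the article
    wl.approve_hash(good.content)       # re-admit the known-good file by hash
    after = {b.name: wl.decision(b) for b in (good, bad, unsigned)}
    return before, after
```

Before revocation both the legitimate agent and the signed malware are allowed by the publisher rule; afterwards only the hash-approved agent passes.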
Krebs, noting that Bit9's clients include many Fortune 500 companies, half the top 10 aerospace and defense companies and more than 20 government agencies, thinks Bit9 was not the ultimate target of this attack.
Rather, Krebs and two experts he spoke to said it was a means to an end, much as the March 2011 breach at RSA Security resulted in the compromise of RSA's authentication tokens and further breaches at RSA clients Lockheed Martin and other defense contractors.