The security firm Bit9 defended its response to a hack of its own network last week and promised to release more information to the public about what happened – just not quite yet.
In a blog post dated Saturday, February 9, the company’s CTO, Harry Sverdlove, said that the company responded promptly to the attack and contacted customers as soon as it completed its own investigation of the hack, which allowed unknown assailants to sign malicious programs using a Bit9 code signing server. That malware was subsequently released on networks of Bit9 customers.
Sverdlove said the company’s “first and foremost priority was to inform our customers quickly and directly,” and that the company did so “as soon as we understood and had mitigated the attack, and we were able to provide actionable advice.”
The blog post by Sverdlove, just a day after a post by Bit9 CEO Patrick Morley that disclosed the breach, seems intended to head off controversy about the timing of the company’s disclosure. A blog post by the security reporter Brian Krebs of Krebsonsecurity.com on Friday created the impression that Bit9 came forward only after being contacted by Mr. Krebs.
Sverdlove said the company was preparing a public statement at the time Krebs first contacted it regarding the breach. The company delayed its announcement to give it time to work with customers, he said.
“Our first and foremost priority was to inform our customers quickly and directly. As soon as we understood and had mitigated the attack, and we were able to provide actionable advice, we reached out to our customers…Discussing the details of the incident without first providing our customers with the necessary information would be irresponsible.”
The company, he said, would be providing more information about the hack in the future. As it stands, few facts are known about how Bit9 was compromised, how long the compromise lasted or who the targets of the attack were.
In a blog post, Bit9’s CEO, Patrick Morley, said that only three of the company’s customers were affected. Those customers identified malware on their networks that had been signed by one of Bit9’s code signing servers. The lapse was the result of a breach on Bit9’s own network. The machines that were compromised were not running Bit9’s software, Morley said.
Bit9 and Morley put the blame on the firm’s own lax security. “We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9,” he wrote.
The breach is especially significant because Bit9’s customer base is made up of high-profile and security-conscious organizations. They include government agencies, leading defense contractors and leading firms in the energy, retail and financial services sectors.