Application “whitelisting” offers an alternative to signature based malware protection. Rather than trying to spot the bad guys, the thinking goes, just identify a list of approved (whitelisted) applications, then block everything else.
But what happens when the whitelist, itself, becomes compromised? That’s the scenario that’s playing out with customers of whitelisting firm Bit9, which acknowledged a breach of its corporate network that allowed unknown assailants to gain control of an application code signing server. The acknowledgement came after Bit9 was contacted regarding the breach by Brian Krebs of Krebsonsecurity.com, which broke the news Friday.
Little is known about the incident. In a blog post, Bit9’s CEO, Patrick Morley, said that only three of the company’ s customers were affected. Those customers identified malware on their networks that had been signed by one of Bit9’s code signing servers. The lapse was the result of a breach on Bit9’s own network. The machines that were compromised were not running Bit9’s software, Morley said.
Bit9 and Morley put the blame on lax security by the firm, itself. “We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9,” he wrote.
The breach is bound to have ripple effects throughout Bit9’s customer base, which counts government agencies, leading defense contractors and high profile organizations in the energy, retail and financial services sectors as customers.
More details on this as they become available.