Security firm Bit9 gets 'bit' after failing to install its own software
The anti-virus and security business is a tough one, fraught with competition and cutting-edge technology designed not only to stop current threats but to predict future ones via heuristics. It is also a place where minor errors can become high-profile issues, as happened last year when Sophos detected its own files as a virus and began systematically deleting them, rendering its software useless to customers.
The latest blow below the waist for a security firm involves Bit9. In what can only be termed "embarrassing", the company failed to install its very own security software on computers within its corporate network. Those unprotected systems were soon compromised.
The incident was explained by Bit9's Patrick Morley in a statement that read, in part, "Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware. There is no indication that this was the result of an issue with our product. Our investigation also shows that our product was not compromised".
In the company's defense, it did send out a warning to its customers before publishing this information, in case the attack had actually breached its security software. Then, after discovering the problem, it made the embarrassing details public as a warning to users -- almost like a PR stunt showing what can happen if you do not use its products, although I will give the firm the benefit of the doubt here, and this is why...
The company also had a code-signing certificate compromised, allowing attackers to digitally sign malware. That is where things get really bad, really fast: software that trusts a valid signature will trust the attacker's code. Fortunately, Bit9 says it has found only three customers who fell victim to the "verified" malware, and Morley goes on to explain that "we have been working closely with all of our customers to ensure they are no longer vulnerable to malware associated with the affected certificate".
If the company is accurate in reporting that only three customers were affected, then it is very lucky to have dodged a bullet this time around. Bit9, along with Sophos, should stand as an example to other security firms of what can easily go wrong. Perhaps, though, this field will never be exactly right -- it is an imperfect science, and human error is always in play.