February 11, 2013, 3:20 PM —
Image credit: iStockphoto
When an APT calls
You know that classic 1970's horror film, "When A Stranger Calls?" That's the one where the babysitter, having put her three charges to bed, begins receiving harassing phone calls, asking (in the creepiest voice possible) "Have you checked on the children?" Increasingly alarmed, she calls the local police department, who are eventually able to trace the phone call. Only then does the babysitter learn that the calls are coming ... FROM INSIDE THE HOUSE!!
Well, some very security conscious firms lived through a real-life horror story like that last week, after the application whitelisting firm Bit9 called to inform them that a small number of their customers had discovered malware on their networks - malware that had been digitally signed by Bit9's encryption keys, following a hack of that company's network. (Cue the Psycho "slasher" music here.)
Of course, network hacks and malware infections happen all the time and aren't big news. Still, the implications of the Bit9 hack are huge. For one thing: the company sells software specifically designed to block malware infections. Bit9's "secret sauce" is a software reputation service that defines "good" applications and lets customers block everything and anything that isn't on the list - an approach known as "whitelisting." According to a blog post by Bit9's CEO on Friday, unknown assailants were able to gain control over systems within Bit9's network. The company it seemed, hadn't installed its own software on a "handful of computers within our network." The attackers used their foothold to gain access to one of Bit9's digital code-signing certificates, and use that to sign malicious software, which was then released on the networks of three Bit9 customers. Because the malware was digitally signed by Bit9, it was treated like a malicious program on those networks.
The full fallout from this incident hasn't been measured. As is so often the case, Bit9 dropped their bad news on a Friday afternoon. (Twitter did the same a week earlier with news of a hack that spilled access to 250,000 accounts).
The weekend gave the company some cover and a couple days respite, as the headlines were dominated by "Nemo," the "Blizzard of 2013" which buried much of New England this weekend.
But, with Monday, expect the questions to come fast and furious. Among the questions that are still unanswered: how long did attackers have access to Bit9's network and which customers were targeted? Bit9 counts leading financial services, energy and technology firms as customers, not to mention a number of government agencies. The nature of the malware still hasn't been discussed, nor the circumstances by which the attackers gained access to Bit9's network and the breadth of their access to the company's application signing infrastructure. In a blog post on Saturday, the company promised answers and more information - but only after it has completed its investigation of the incident.
Microsoft's blue moon megapatch
It's not clear why Microsoft's monthly Patch Tuesday is news anymore. It's kind of like reporting on the arrival of a full moon. But every so often the moon does warrant some coverage - say: it's really close, or there's a "blue moon" (two full moons in a single month). Something like that is happening this month with Microsoft, which is releasing a whopping 12 security patches covering 57 separate vulnerabilities in its software - five of them critical. As ITworld reported, that's just shy of the biggest patch ever - a 64 flaw whopper back in April, 2011. But what has everyone's attention is that Microsoft is pushing two, separate updates for its Internet Explorer web browser in the same patch cycle - a highly unusual occurrence. The fixes, covering IT versions 6 through 10, have security experts mystified and suggest that the software giant is wrapping an emergency "out of cycle" patch into its monthly update. "This is the first time I've seen them do this," Andrew Storms, director of security operations at nCircle told ITworld. "They've never released more than one update [for the browser] in a month."
For now, there are few details about the double patch, but we'll know more on Tuesday, when Microsoft publishes its monthly updates. Stay tuned.