Crooks steal security firm’s crypto key, use it to sign malware

Hackers broke into the network of security firm Bit9 and used one of its cryptographic certificates to infect at least three of its customers with digitally signed malware, the company said on Friday afternoon.

The compromise is striking because Bit9's "application whitelisting" approach allows virtually all digitally signed software to run on customers' networks and PCs. Stealing one of its credentials and using it to sign malware all but guarantees it will get a free pass on the systems of customers who use the service. Bit9 is contracted to help secure the networks of the US government and a variety of Fortune 500 companies. The breach was first reported by KrebsonSecurity reporter Brian Krebs.

"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," CEO Patrick Morley wrote in a blog post. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."

Read 8 remaining paragraphs | Comments