
Bit9 Says 32 Malicious Programs Whitelisted In Recent Hack

timothy posted about a year ago | from the nice-binary-number dept.

China 18

chicksdaddy writes "The security firm Bit9 released a more detailed analysis of the hack of its corporate network, which was part of a larger operation that was aimed at firms in a 'very narrow market space' and intended to gather information from the firms. The analysis, posted on Monday on Bit9's blog, is the most detailed to date of a hack that was first reported on February 8 by the blog Krebsonsecurity.com, but that began in July 2012. In the analysis, Bit9 Chief Technology Officer Harry Sverdlove said 32 separate malware files and malicious scripts were whitelisted in the hack. Bit9 declined to name the three customers affected by the breach, or the industry segment that was targeted, but denied that it was a government agency or a provider of critical infrastructure such as energy, utilities or banking. The small list of targets — just three — and the fact that one malware program was communicating with a system involved in a recent 'sinkholing operation' raises the specter that the hack of Bit9 may have played a part in the recent attacks on Facebook, Twitter and Apple, though Bit9 declined to name the firms or the market they serve."


18 comments

"Whitelisted" (1)

coldmist (154493) | about a year ago | (#43013633)

They were whitelisted? Meaning they are 'ok' and aren't infected? Or do you mean 'specifically named'?

The use of a 'whitelist' is usually a list of 'ok' or unaffected things, not just a specific list.

Incorrect use of the term here.

Re:"Whitelisted" (1)

quannah (2785809) | about a year ago | (#43013739)

Yes, they were incorrectly whitelisted:

the hack of Bit9, which sells application “whitelisting” technology

Re:"Whitelisted" (3, Informative)

hAckz0r (989977) | about a year ago | (#43014987)

Yes, Bit9 software is a default-deny paradigm, and so anything that is allowed to run on your system needs to be explicitly allowed, so malware can't get onto your system so easily (buffer overflows are still possible). That being said, Bit9 did not protect one of their all-important signing keys, so the hacker used it and signed a whole lot of bad stuff they had in their tool bag. The hacker thereby added all his malware to the permitted white-list because they were signed by an authority that is trusted by the software protecting the systems. Who could be more trusted than the software company who protects your computer?

hollywood bite me (0)

Anonymous Coward | about a year ago | (#43013641)

That's who the BS is aimed at, LOL. Only them idiots use that stuff, oh, and their bribed, pandering politician buddies.

Whitelist/blacklist (1)

concealment (2447304) | about a year ago | (#43013939)

I don't see these methods as being as effective as profiling programs based on their behavior and then negating them by dangerous behaviors, not by prior encounter.

Lists are too easily subverted, not only by hacks like this, but by misidentification and other errors. As someone who recently had to re-send a large number of emails because an "anti-spam" agency mistakenly categorized my mailhost as a spam attacker, I find the many false categorizations to be as damaging as the original fear.

Re:Whitelist/blacklist (1)

tlhIngan (30335) | about a year ago | (#43015031)

I don't see these methods as being as effective as profiling programs based on their behavior and then negating them by dangerous behaviors, not by prior encounter.

Lists are too easily subverted, not only by hacks like this, but by misidentification and other errors. As someone who recently had to re-send a large number of emails because an "anti-spam" agency mistakenly categorized my mailhost as a spam attacker, I find the many false categorizations to be as damaging as the original fear.

Well, this company sells whitelisting app services, in that customers pay them to subscribe to a whitelist of applications that can run on their PC. I'm fairly certain there are ways to install some app for LOB use as necessary.

It's not a generic solution for everyone, just for a few companies paranoid about security and only wanting "their programs" running. Basically the list is small to begin with and most likely customized to the client.

Using heuristics for behavior tracking doesn't work - malware can act "pretty normal" and applications "pretty abnormal", which triggers them. For common examples - see all the times virus scanners delete some critical Windows files.

Effectively, the whitelist is a default deny for those who want it - malware can't run because it's blocked, but the same goes for a user bringing in portable Firefox (even if Firefox is already on their PC - the PC one being signed, the portable one not signed by the proper key).

Re:Whitelist/blacklist (1)

hAckz0r (989977) | about a year ago | (#43015215)

Normally it is just the signed binaries that are permitted to run on the system, but an organization can add rules that permit unsigned code to run in certain circumstances. In that sense there is no published white-list, only cryptographic data that is being validated. To fix the problem Bit9 merely had to revoke a single signing key, but then all kinds of programs would stop running all at once. I have not heard yet what else exactly had been signed by that same key.

The trusted keys are distributed by the software, so this is very different than the SPAM blacklists that you are referring to.

System memory checksumming has been done, but behaviour analysis is VERY CPU intensive, and as such nobody has come up with a commercial solution (to my knowledge) that can efficiently secure a system at runtime based on true system behaviour heuristics. This is a personal area of interest in my own research.
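The default-deny model hAckz0r lays out in this comment and the earlier one (only binaries signed by a trusted publisher run, an organisation can add its own explicit rules, and revoking a compromised key blocks everything that key ever signed), worked through as an added Python example. This is not Bit9's code and not from anyone in the thread; it uses an HMAC over the file digest under a per-publisher key as a stand-in for real asymmetric code signing, and all file contents, key material and the publisher name "vendor" are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Toy model of a default-deny execution policy (added example, not Bit9's code).
# A "signature" is an HMAC over the file's SHA-256 digest under a per-publisher
# key, a constructed stand-in for asymmetric code signing. The trust logic is
# the point: nothing runs unless an explicit rule or a trusted publisher's
# signature vouches for it, and revoking a publisher key denies everything
# that key ever signed.


@dataclass
class Policy:
    trusted_keys: dict                                  # publisher id -> signing key
    revoked: set = field(default_factory=set)           # publishers whose key is revoked
    explicit_hashes: set = field(default_factory=set)   # organisation's own allow rules


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> str:
    # Publisher side: bind the key to the exact file contents.
    return hmac.new(key, file_digest(data).encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def decide(policy: Policy, data: bytes, publisher: Optional[str] = None,
           sig: Optional[str] = None) -> tuple:
    """Agent-side check. Returns ("ALLOW" | "DENY", reason); the default is DENY."""
    if file_digest(data) in policy.explicit_hashes:
        return "ALLOW", "explicit hash rule added by the organisation"
    if publisher is None or sig is None:
        return "DENY", "unsigned and no explicit rule"
    if publisher in policy.revoked:
        return "DENY", f"signing key of {publisher} is revoked"
    key = policy.trusted_keys.get(publisher)
    if key is None:
        return "DENY", f"publisher {publisher} is not a trust anchor"
    if not verify(key, data, sig):
        return "DENY", "signature does not match file contents"
    return "ALLOW", f"signed by trusted publisher {publisher}"


def demo() -> dict:
    """Walk through the scenarios the thread discusses; every value is constructed."""
    vendor_key = b"constructed-vendor-signing-key"
    policy = Policy(trusted_keys={"vendor": vendor_key})

    app = b"legitimate application bytes"
    portable = b"portable build of the same application"
    payload = b"file that should never have been trusted"
    results = {}

    # Normal operation: the vendor-signed program runs, an unsigned portable copy does not.
    results["signed_app"] = decide(policy, app, "vendor", sign(vendor_key, app))[0]
    results["portable_unsigned"] = decide(policy, portable)[0]

    # Tampered binary: the signature was made over different bytes.
    results["tampered_app"] = decide(policy, app + b"x", "vendor", sign(vendor_key, app))[0]

    # Compromised key: any signature made with the vendor key is valid by construction,
    # so the agent cannot tell it apart from a genuine release.
    bad_sig = sign(vendor_key, payload)
    results["payload_compromised_key"] = decide(policy, payload, "vendor", bad_sig)[0]

    # Response: revoke the key. This blocks the payload, but also every legitimate
    # program that key signed, the blast radius the comment describes.
    policy.revoked.add("vendor")
    results["payload_after_revoke"] = decide(policy, payload, "vendor", bad_sig)[0]
    results["app_after_revoke"] = decide(policy, app, "vendor", sign(vendor_key, app))[0]

    # Recovery: the organisation re-allows known-good builds by explicit hash
    # until the vendor re-signs them with a fresh key.
    policy.explicit_hashes.add(file_digest(app))
    results["app_after_hash_rule"] = decide(policy, app, "vendor", sign(vendor_key, app))[0]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:26s} {verdict}")
```

The interesting cases are the last four: once the key is compromised the agent's verdict on the payload is ALLOW with a perfectly valid reason, and the only policy-level response, revocation, turns every legitimate vendor-signed program into a DENY at the same time. Explicit hash rules are the escape hatch an organisation has while the vendor re-signs, which is why a real deployment keeps both mechanisms.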

Re:Whitelist/blacklist (1)

dkf (304284) | about a year ago | (#43015217)

I don't see these methods as being as effective as profiling programs based on their behavior and then negating them by dangerous behaviors, not by prior encounter.

On systems where it is known what they should be doing, a lot of corporate desktops for example, whitelisting just those things required is far more effective: there's no need to try to figure out what is actually dangerous. It's following the principle that it is far easier to enumerate good behaviors than bad ones. Yes, that doesn't cover everything for all users but then it isn't a tool for everyone. On systems where it is applicable, it's a very good security measure.

Or would be if it wasn't for the publisher fouling up and letting the signing key out. Oops! (A system is only ever as secure as its weakest link. Always was. Always will be.)

THIS JUST IN: (0)

Anonymous Coward | about a year ago | (#43014711)

The companies affected were (in no particular order):

McDonalds, Burger King, and Taco Bell.

Re:THIS JUST IN: (0)

Anonymous Coward | about a year ago | (#43015251)

The Chinese are trying to copy our junk food technology!
Before we know it, they'll be fat and diabetic just like us!

Clearly, this is an affront to our national security.

Really? (1)

Subgenius (95662) | about a year ago | (#43015423)

Wait a second. You mean that despite this company's security and operational protocols and supposed firewalls, they found that they had a server compromised by a SQL injection in 2012, took it offline, and then BROUGHT IT BACK ONLINE in 2013 w/o wiping it???

OR

They had a SQL injection on a server in 2012, never saw it but turned off the system anyway, and then brought the SAME system back up in 2013?

wow.

So very secret (0)

Anonymous Coward | about a year ago | (#43015479)

This is a story that is so secret we can't tell you exactly what happened or who it happened to. We can't tell you the exploit, the victim, or the perp. You should head over to our website and we will not tell you anything more about the incident. WTF?!

Side Effect (2)

ThatsNotPudding (1045640) | about a year ago | (#43016749)

The sad side effect of endless war, warrantless wiretapping, blatant disregard of the Rule of Law, is that I'm left to wonder if any of this is true, instead of just a False Flag operation to justify the final destruction of privacy and the true Internet.

Re:Side Effect (1)

Fnord666 (889225) | about a year ago | (#43017885)

The sad side effect of endless war, warrantless wiretapping, blatant disregard of the Rule of Law, is that I'm left to wonder if any of this is true, instead of just a False Flag operation to justify the final destruction of privacy and the true Internet.

You have officially earned your tinfoil hat. Welcome to the club.
