Whitelists & Blackhats

The news yesterday and Monday was all about Telecom's Xtra email service (hosted by Yahoo) and the accounts hijacked to send spam. The media were outraged on everyone's behalf, and a number of commentators took to the airwaves to tell us just how bad this was.

Honestly, when I read the updated story in the Dom yesterday morning it all seemed just a little over the top: front page news for a bit of targeted spam and a drive-by. The breach of Yahoo is admittedly not good news, although really, if the breach were that severe and not just a contacts database, would the worst we have seen of it be spam?

Anyway, what appears to have escaped NZ media coverage almost entirely at the same time is the far more serious compromise of Bit9, reported and acknowledged on Friday (8 Feb): https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/.
Bit9 are a market leader in application whitelisting, a technology that only allows execution of 'known good' applications and software. Instead of inspecting everything that runs looking for the bad apple (which is how signature-based antivirus works), Bit9 maintains a whitelist of known good software, and its agent on each endpoint checks every executable against that list as it launches. If you're not on the list, you're not coming in.

Application whitelisting is number 1 in the Top 35 Mitigation Strategies for defending against targeted cyber intrusions published by the Australian Department of Defence (Defence Signals Directorate), and it is a topic well understood by many security and IT professionals in New Zealand, especially those in Government working with the Cyber Security Plan. The theoretical security community regards it as a no-brainer, and most pragmatic professionals regard it as a great control provided you can offset the usability impact with processes that keep the whitelist current without blocking legitimate change. Used in combination with other preventive controls it can be very powerful, particularly in highly static environments (point of sale terminals, for example).

The list maintained by Bit9 contains thousands of applications, all of which have been inspected, certified as 'good versions' and then digitally signed by Bit9. When the Bit9 agent sees an application starting, if it carries a Bit9 digital signature it is automatically trusted. In other words the trust is anchored in Bit9's signing key, not only in the individual binaries that were inspected.

The breach Bit9 disclosed last Friday involved a machine used for code signing. The attackers were able to sign malicious software with Bit9's own certificate and get it onto a small number of Bit9 customers' systems, where the agent would let it run exactly as if it were vetted software.

This. Is. A. Big. Deal.

This type of intrusion into the supply chain is a real concern because of the trust and reliance we place in the integrity of our software and systems downstream when using commercial off-the-shelf tools. When the victim is a vendor of security tools and software (think RSA SecurID in 2011) it is especially worrying, and whitelisting has so far been adopted mainly by organisations with the most valuable or sensitive assets, which are therefore exactly the ones with the most to lose. Possibly the most concerning factor here is how easily the signing key was compromised. Those who work with public key infrastructure know that the concept of trust so vital to electronic transactions and non-repudiation rests on the absolute protection of the private keys: because trust flows from the key rather than from each binary, one stolen key undermines every signature it produces until the certificate is revoked and every agent learns of the revocation. Why the compromised key was not held in hardware, or at least protected by strong authentication, is troubling.
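To make the trust model concrete, here is a small added example of my own (it is not Bit9's code, and it does not describe Bit9's actual product, formats or key handling) of an allowlist policy with the two trust paths described above: an exact hash of a vetted binary, and a trusted publisher signature. The vendor key, the "vendor-key-1" identifier, the sample "binaries" and the choice of Ed25519 are all constructed for illustration. It shows that anything signed with a stolen publisher key sails through the publisher path, that a tampered binary still fails, that revoking the key closes the publisher path, and that binaries pinned by hash keep working after the revocation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Executable models what the endpoint agent sees at launch: the file bytes,
// plus (optionally) a publisher signature over the file's SHA-256 digest and
// the id of the key that produced it. (Constructed model, not a real format.)
type Executable struct {
	Name      string
	Content   []byte
	SignerID  string // empty if unsigned
	Signature []byte // ed25519 signature over the hex SHA-256 of Content
}

// Policy is the agent's allowlist. Two trust paths exist: an exact hash match
// (this very file was vetted) and a trusted-publisher signature (anything the
// publisher's key signs is accepted). RevokedKeys closes the second path once a
// key is known to be compromised.
type Policy struct {
	HashAllow   map[string]bool
	Publishers  map[string]ed25519.PublicKey
	RevokedKeys map[string]bool
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Decide returns whether the executable may run and the reason.
func (p *Policy) Decide(e Executable) (bool, string) {
	h := digest(e.Content)
	if p.HashAllow[h] {
		return true, "hash on allowlist"
	}
	if e.SignerID != "" && e.Signature != nil {
		if p.RevokedKeys[e.SignerID] {
			return false, "signer key revoked"
		}
		if pk, ok := p.Publishers[e.SignerID]; ok && ed25519.Verify(pk, []byte(h), e.Signature) {
			return true, "trusted publisher signature"
		}
	}
	return false, "not on list"
}

// Outcome records the decisions the scenario checks.
type Outcome struct {
	MalwareBeforeRevoke  bool // stolen key: expected to pass
	TamperedBeforeRevoke bool // modified bytes: signature no longer verifies
	MalwareAfterRevoke   bool // key revoked: expected to fail
	GoodAfterRevoke      bool // hash-pinned vetted binary: still passes
}

// RunScenario replays the incident in miniature with a freshly generated
// vendor key that the attacker is assumed to have stolen.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	sign := func(name string, content []byte) Executable {
		return Executable{Name: name, Content: content, SignerID: "vendor-key-1",
			Signature: ed25519.Sign(priv, []byte(digest(content)))}
	}
	// Constructed sample "binaries"; the bytes stand in for real executables.
	good := sign("agent-installer.exe", []byte("constructed: legitimate vendor tool v1.0"))
	malware := sign("backdoor.exe", []byte("constructed: malicious payload"))
	tampered := good
	tampered.Content = append([]byte{}, good.Content...)
	tampered.Content[0] ^= 0xff // flip a byte after signing; signature is kept

	policy := &Policy{
		HashAllow:   map[string]bool{digest(good.Content): true}, // vetted file pinned by hash
		Publishers:  map[string]ed25519.PublicKey{"vendor-key-1": pub},
		RevokedKeys: map[string]bool{},
	}
	var out Outcome
	out.MalwareBeforeRevoke, _ = policy.Decide(malware)
	out.TamperedBeforeRevoke, _ = policy.Decide(tampered)
	policy.RevokedKeys["vendor-key-1"] = true // the vendor's incident response
	out.MalwareAfterRevoke, _ = policy.Decide(malware)
	out.GoodAfterRevoke, _ = policy.Decide(good)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("malware signed with stolen key, before revocation: allowed=%v\n", out.MalwareBeforeRevoke)
	fmt.Printf("tampered vendor binary:                            allowed=%v\n", out.TamperedBeforeRevoke)
	fmt.Printf("malware after key revocation:                      allowed=%v\n", out.MalwareAfterRevoke)
	fmt.Printf("hash-pinned vendor binary after revocation:        allowed=%v\n", out.GoodAfterRevoke)
}
```

The point of the design is the asymmetry between the two paths: the hash path survives a key compromise because it trusts a specific file, whereas the publisher path trusts a key and therefore everything that key ever signs. A deployment that wants the convenience of publisher trust needs a revocation mechanism that actually reaches every agent, and key custody (hardware, strong authentication, a signing host that is itself locked down) that makes the revocation a rare event.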

The positive aspect of this incident, from my perspective, is the vendor's response to the problem. They admitted the issue, explained the cause (even though it made them look bad), didn't spin it, and provided a list of the actions they had taken both to recover and to prevent it happening again. This clear acceptance of responsibility and plain statement of the facts may well have contributed to this being a bit of a non-story in the mainstream press, when for the security community and the security industry it was highly significant. Something Telecom could learn from, perhaps?

Brian Krebs has a good post on the incident which describes the irony behind the root cause: https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware