It’s never good to make a mistake. An ironic mistake, however, can be all the more painful. Today, Bit9, an endpoint security firm whose product works by whitelisting the software its customers are allowed to run, reported a breach of its own network. The issue was first reported by Krebs on Security, citing a source that had been informed by the firm.
Bit9 noted in a public blog post that it had alerted its customers ahead of the general public, making Krebs’ source likely a customer of Bit9. What Krebs was informed of was quite unsettling: “malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9′s own encryption keys [emphasis in original].” The keys in question are code-signing keys rather than encryption keys: they are used to sign binaries so that Bit9’s product will recognise them as trusted, which is precisely what made the stolen signature useful to the attackers.
What went wrong? According to Bit9 itself, it made the most classic of all flubs: it failed to install security software – its own – on several machines on its own network. Those unprotected machines gave the intruders a foothold, and from there they turned Bit9’s trust model against it: “[the] malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware.”
That squares with what Krebs was told. Bit9 reported that only three of its customers were affected, but that it is still investigating, as in its view even a single affected customer is “clearly too many.”
This incident is notable in part for the apparent sophistication of the attack, which used Bit9’s own signing certificate against it: a whitelisting product that trusts code signed by its vendor will run anything carrying that signature, so a stolen signing certificate turns the control itself into a delivery channel for malware. It is also notable because, for a security firm, such an error is inexcusable.
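The check a practitioner would want after reading this, given here as an added example rather than anything from Bit9, Krebs or the article: a PowerShell hunt that lists every executable on a host whose Authenticode signer names the publisher, with its hash, so the results can be compared against the vendor’s own list of legitimately signed files. The publisher pattern 'Bit9', the scan roots and the report path are assumptions; the page gives no certificate thumbprint, so the match is on the signer certificate’s Subject.

```powershell
# Added example, not code from Bit9, Krebs or the article above.
# Hunts for PE files whose Authenticode signer certificate names a given publisher,
# so that every binary carrying that publisher's signature can be triaged by hand.
# Assumptions: the publisher is matched on the signer Subject with the pattern 'Bit9'
# (the page gives no certificate thumbprint, so none is hard-coded); the scan roots
# and the report path are illustrative and should be adjusted per host.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\Temp", "$env:TEMP"),
    [string]$PublisherPattern = 'Bit9',
    [string]$Report = (Join-Path $env:TEMP 'signed-by-publisher.csv')
)

$findings = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            if ($cert -and $cert.Subject -match $PublisherPattern) {
                # Countersignature (timestamp) certificate, if the file has one.
                $timeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Path        = $_.FullName
                    # Status is Valid / NotSigned / HashMismatch / NotTrusted / UnknownError.
                    # Valid only means the chain checked out on this host at this moment:
                    # a stolen certificate keeps verifying until it is revoked and the host
                    # has fetched the CRL, and a signature timestamped before the revocation
                    # date keeps verifying afterwards. Triage every hit, not only non-Valid ones.
                    Status      = $sig.Status
                    Subject     = $cert.Subject
                    Thumbprint  = $cert.Thumbprint
                    NotBefore   = $cert.NotBefore
                    NotAfter    = $cert.NotAfter
                    TimeStamper = $timeStamper
                    # The hash is what gets compared against the vendor's list of legitimately signed files.
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    ModifiedUtc = $_.LastWriteTimeUtc
                }
            }
        }
}

$findings | Sort-Object ModifiedUtc -Descending | Export-Csv -NoTypeInformation -Path $Report
$findings | Format-Table Path, Status, Thumbprint, ModifiedUtc -AutoSize
Write-Host ("{0} file(s) signed by a certificate matching '{1}'; report written to {2}" -f @($findings).Count, $PublisherPattern, $Report)
```

Run it from an elevated PowerShell on each endpoint, or push it through whatever remote-execution tooling is already in place, and diff the SHA256 column against the vendor’s list of hashes it legitimately signed. Rely on the file list and the hashes, not on the Status column: until the stolen certificate is revoked and the host has picked up the CRL, malware signed with it verifies as Valid, and a signature whose timestamp predates the revocation date stays valid even afterwards, so revocation on its own removes nothing from the affected machines.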
However, let this be a lesson in damage control: if you make a mistake, tell everyone who needs to know first, set it straight, and then quickly inform the public. In doing that you can stay ahead of the news cycle. Not the best day for Bit9, but given its swift handling of the problem, and provided it has contained the breach as it believes, the company should escape from this all but unscathed.
Top Image Credit: Mike Shelby