I usually don't cross-post from my Ashimmy.com blog to my Network World blog. But after what happened to security firm Bit9 today, I thought it was important enough to post this in both places. We should never forget that what happened here could happen to any of us.
“Two thousand years ago the proudest boast was civis Romanus sum ["I am a Roman citizen"]. Today, in the world of freedom, the proudest boast is "Ich bin ein Berliner!"... All free men, wherever they may live, are citizens of Berlin, and, therefore, as a free man, I take pride in the words "Ich bin ein Berliner!" ~ President John F. Kennedy, Berlin, June 1963
I, along with many of you, was horrified when I read Brian Krebs' post today about security firm Bit9 being the victim of a hacking attack that distributed malware, digitally signed by Bit9 itself, into their customers' networks. Bit9 has confirmed this with a blog post of their own detailing what happened.
As you have probably read, it seems some of Bit9's own assets were not protected with Bit9's software. Those assets were compromised and allowed the perps to do their evil deed. As Jeremiah Grossman says in Brian's article, Bit9 was obviously only a means to an end in this attack. By using Bit9 as a conduit into its customers, including some sensitive government networks and Fortune 100 companies, the attackers were able to infiltrate those networks, and we don't yet know what the full results of that are. Nevertheless, this is probably every security company's worst nightmare. When the security company becomes the risk, it is not a good thing.
Shortly thereafter, I started seeing posts on my Facebook timeline from friends in the security business putting up memes with things like “Why the F*^k is my security vendor sending me digitally signed malware?” But I am sure the Bit9 folks are asking themselves the same question. In fact, as my friend Don Macvittie said in a comment on one of those memes, it is a bad day to be over there.
How right Don is. It is a bad day to be at Bit9. I have friends who work there. My heart goes out to them. This is not the first time a security company has been hacked. It happened to RSA not too long ago and it has happened before that. Here is a news flash: it will happen again too.
In fact, it can and does happen to any one of us. We are all one step away. Part of being in the security profession is that we are high-profile targets for hackers who want to make a statement. I know this firsthand from when I was hacked years ago. It really can be any one of us. There is no joy in security-ville about one of our own being subjected to this.
I am sure there will be salespeople at competitors of Bit9 who will try to move in on Bit9's customers by leading with this story. I say a pox upon them. Anyone who stoops to such tactics to make a sale is beneath the standards that should be acceptable in our industry.
The security industry has matured over the years. At least I hope so. At times like this we should close ranks as an industry. We should say what John F. Kennedy said back in 1963. On days like today we are all Bit9ers. That is the message that we should send, as an industry, to the type of people who do this. We stand together and are more committed than ever to stopping these criminals from committing this kind of cybercrime. On this day, the security industry should stand and say “Ich bin ein Bit9er.”