
VeriSign, maintainer of internet's DNS, warns it was repeatedly hacked


nsane.forums


VeriSign, the company that manages a key internet database for routing traffic to websites and email addresses, exposed private information after being hacked on multiple occasions in 2010, the company quietly disclosed late last year.

While executives with the Reston, Virginia company said they don't believe servers that maintain the DNS (domain name system) were breached, they couldn't rule out the possibility. They also warned that they couldn't guarantee steps taken to remediate the breach would succeed. What's more, the attacks, which came to light in an article published by Reuters on Tuesday, didn't come to the attention of managers in a timely manner.

“The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purposes of assessing any disclosure requirements,” VeriSign said in a Securities and Exchange filing in October. The tersely worded disclosure didn't say how many incidents occurred, when they happened or what information was obtained by the attackers.

Ken Silva, VeriSign's chief technology officer until November 2010, told reporter Joseph Menn he didn't learn of the breaches until contacted by the Reuters journalist. Based on the vague language in the filing, Silva speculated that VeriSign executives “probably can't draw an accurate assessment” of the damage.

Over the past few years, hackers have increased attacks on companies that help secure networks used by government agencies and corporations. Last March, RSA, whose two-factor SecurID tokens are used by 40 million employees to access sensitive networks, said a highly sophisticated hack exposed sensitive information that could compromise their effectiveness. A later attack on defense contractor Lockheed Martin was aided by the theft of the confidential data.

A raft of companies that issue SSL (secure sockets layer) certificates used to verify the authenticity of millions of websites have also been successfully targeted. Among them is DigiNotar, a Netherlands-based certificate authority whose digital imprimatur was used to mint counterfeit credentials used to spy on some 300,000 Google Mail users, most of whom were located in Iran.

Until September 2010, VeriSign ran its own certificate issuing business. A spokeswoman for Symantec, which purchased the operation from VeriSign, told Reuters “there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”


VeriSign Hacked: What We Don't Know Might Hurt Us

VeriSign didn't exactly 'disclose' the breach, and the few details buried in the SEC filing create more questions than they answer. Without more to go on, it is hard to know what the risk is.

VeriSign – the company behind the root DNS servers that provide the foundation for the Web, and formerly the largest encryption certificate authority – has revealed that it was repeatedly hacked in 2010. Details are sparse thus far, but the revelation calls into question the security of the Internet itself.

Let’s start with what (little) we know. The disclosure did not happen as a result of VeriSign discovering the breach and taking responsible, proactive action to alert customers and address the situation. No, VeriSign buried the information in a quarterly Securities and Exchange Commission (SEC) filing as if it was just another mundane tidbit.

Depending on what was hacked or compromised, much of the Internet could be at risk.

IT staff at VeriSign allegedly discovered the compromise in 2010, but hid the incident from upper management until sometime in 2011. VeriSign itself may not be at fault for the initial delay in disclosure, but it appears that a significant amount of time has passed since VeriSign executives learned of the breach, and yet the company still tried to sneak the information covertly in an SEC filing.

Melih Abdulhayoglu, CEO of Comodo – a competitor in the certificate authority arena – said, “Only VeriSign knows the answer to why they waited so long to disclose the hack, but I assume that revealing this information would be damaging and they thought they could keep it quiet, thus ignoring the disclosure guidelines the SEC has put in place.”

John Gossels, President of SystemExperts, had some stronger words. “It is unfathomable that, given Verisign’s position in this industry, someone in the company did not report damaging attacks to senior management for more than a year. The delay in reporting the attacks put its customers at risk.”

The million dollar question right now is “at risk of what?,” or perhaps “how much risk?” So far, there aren’t really enough details being shared publicly to determine how concerned we should really be. The risks involved are a function of exactly what was hacked, or what information was compromised, and we don’t have those details.

Oliver Lavery, Director of Security Research and Development for nCircle, is frustrated at the lack of more specific information. “The appalling thing at this point is there is still no clarity about potential compromise of the x.509 certificate hierarchy. That would be potentially much more catastrophic than DNS, because DNS tampering is comparatively easy to detect.”

The certificate authority business of VeriSign was acquired by Symantec in 2010, so depending on the timing of the attacks it seems feasible that the certificate encryption keys could have been exposed. Lavery asks, “Can we trust any site using Verisign SSL certificates? Without more clarity, the logical answer is no.”

Symantec declined to comment directly on news of the VeriSign breach, but a spokesperson did assert, “The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.”

nCircle CTO Tim ‘TK’ Keanini points out that the hack itself isn’t the crux of the problem. No network is impervious, and a company as high-profile as VeriSign is a prime target. The key is that organizations need to do more to foster an environment where honesty and disclosure are valued. If the fear of negative consequences is greater than the incentive for quick disclosure and response, you end up with a situation where IT staff would rather hide evidence of a breach.
