
VeriSign repeatedly hacked in 2010

Verisign was repeatedly attacked in 2010 but the extent of what was stolen is unknown, and the company didn't even own up to it until late 2011.
Internet infrastructure giant VeriSign was the victim of numerous security breaches in 2010, which Reuters uncovered in a quarterly U.S. Securities and Exchange Commission filing in October. Information was stolen, but what or how much is unknown as VeriSign remains tight-lipped, saying only:

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers ... We have investigated and do not believe these attacks breached the servers that support our Domain Name System ('DNS') network.

Even though the breaches were discovered in 2010, upper management wasn't notified until September 2011, says PCMag.com.

Security experts are having difficulty responding to the revelation as so much information is still unknown. Was the DNS network accessed? VeriSign's statement doesn't completely rule out the possibility. As TIME blogger Keith Wagstaff says: "I'd feel a lot better if they used the words 'are certain' instead of 'do not believe.'"

VeriSign used to be the world's largest SSL (Secure Sockets Layer) certificate issuing authority before selling the business to Symantec. Was a root SSL certificate compromised? Computerworld explains the risk:

If criminals did steal one or more SSL certificates, they could use them to conduct 'man-in-the-middle' attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted. Or they could use them to 'secure' fake websites that seem to be legitimate copies of popular Web services, using the bogus domains to steal information or plant malware.

Wagstaff sums it up:

The fact that a company this big and this central to the Internet would wait so long to reveal it had been attacked is unacceptable.

9 comments
OPITSTUDENT

As time goes on and attackers get better at what they do, security seems to be less secure. So the only question left to ask is, What do we do from here? P.S. I'm not a pro. I'm a novice just as JFuller05.

JCitizen

you will not be using their services if they use Verisign. That will get the ball rolling! It couldn't hurt to encourage the industry as a whole to adopt better models. Some folks I know join the IEEE or other groups to help improve the standards. I belong to a political action group called [i]Save the Internet[/i], and 'Consumer's Union' has a knack for trouble in this area too. We have made a difference in Congress more than once.

plandok (1 Like)

Firstly, I was not surprised that Symantec is part of this system. They have had too many cases where software and services they provide are faulty or untrustworthy. Having said that, my comment as a security novice, is, like various regulators, there should be a central sort of body/ies which continually certify security requirements and that companies/organizations which deal in trust be required to provide proof of trustworthiness. It is too easy in the electronic world to ignore or find out about things which really don't exist. From Nixon to Kennedy, from telephones, iPhones or Blackberrys, information can be kept secret or "lost" if the users don't want it known. The only problem with the use of the "Internet" is that it is used and touted as a secure way of dealing with finance/money. Big money can be protected at any cost. It is the little person who has to judge his/her own activity. Few actually are aware of problems, especially when financial institutions make statements implying they will protect their individual clients from loss and then hide under small print or unintelligible legalese or onerous procedures. It has been ever thus except now personalities have been compromised which can ruin lives and reputations instead of just loss of a few dollars. And citizens are now almost required to use electronic means to live - to communicate and deal with governments, municipalities and with organizations like Google or Facebook. I'm wondering who you trust. All of us can't be nerds nor afford to buy new, supposedly safer technology and software. What to do Experts? I've been into computers for decades but as a small user and information provider and I don't understand much of what you are talking about let alone do something. I'd sure like a simple, intelligible answer.

Neon Samurai (1 Like)

If VeriSign didn't legally have to report it in the 10K filing, would we ever have heard about it? Mistakes happen and the CAs who got breached and publicly disclosed the event have weathered the storm. The CAs who delayed or tried to hide the breach have generally gone out of business. VeriSign may have been the first CA on the internet but that doesn't excuse the lack of public disclosure at the time of the event. Shame they have enough of the SSL protected internet held hostage that we can't simply remove them from the web browser's trusted list.

JCitizen

If they are going to hide the facts, then I don't have to trust a Verisign site. These firms are going to have to realize that reporting breaches actually adds to the trust picture. When LastPass even [b]suspected[/b] they had been breached, they immediately informed their clients. The actual problem turned out to be less damaging than originally gauged; but nonetheless, I was impressed, and will continue to trust LastPass more than most firms in existence now. I'm not surprised that Symantec is dropping the ball. PHFFT!

jfuller05

I've only covered surface level knowledge (Net+ and A+) of IT security so bear with me. [i]If criminals did steal one or more SSL certificates, they could use them to conduct 'man-in-the-middle' attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted. Or they could use them to 'secure' fake websites that seem to be legitimate copies of popular Web services, using the bogus domains to steal information or plant malware.[/i] So does the above pertain to VeriSign protected sites only? Or all companies? Couldn't we avoid VeriSign protected sites for a while until they have all of this mess cleared up?

jfuller05

Your answers cleared up my thoughts on the issue.

Neon Samurai (3 Likes)

To add to the comment above; all SSL protected domains are vulnerable because the browser only confirms if the domain/website certificate was signed by any CA it recognizes and browsers generally recognize all CAs unless the user has gone in and removed some. By default, your browser trusts Verisign or the Chinese Post Office because both are officially recognized as certificate authorities. The trust is centralized with the CAs who repeatedly prove themselves to be untrustworthy. CAs early on also negotiated a deal that they could not be held accountable for false positives between the user and the website; "sure we'll say that certificate is valid for that website but if it's not then that's not our fault" .. yet, that is the very business they claim to be in. With the prices they charge for higher levels of "secure" signed certificates, it's a confidence scam at best. What we need is a replacement like wide adoption of Convergence.IO which places trust under the control of the user while anonymizing the user's request to the notaries. Multiple notaries must agree that a certificate is valid so one rogue notary or even nation state can't exploit the system; the user can just add more good notaries and/or remove the bad ones.

tom.marsh (2 Likes)

All CAs are vulnerable... It is the inherent flaw in the centralized-trust model that is popular in PKI right now. There are projects like Convergence.io which seek to create a "distributed web of trust" model for PKI so as to allow users to determine when they're on the receiving end of a MITM attack. http://convergence.io/
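The two comments above describe the structural problem (any CA in the trust store can vouch for any domain, so one compromised CA undermines every site) and the Convergence-style remedy (several independent notaries must agree on the certificate a site presents). The following is an added illustration of both points, written for this page; it is not code from Convergence.io, from any browser, or from VeriSign. It is a toy model, not X.509: HMAC-SHA256 with a per-CA secret stands in for a CA's signature, the CA names, keys, notary names and "example.com" are all constructed, and the notary "views" are simply what each notary has previously recorded for the domain.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    domain: str
    public_key: str  # stand-in for the site's public key
    issuer: str      # name of the CA that signed it
    signature: str


def _tbs(domain: str, public_key: str, issuer: str) -> bytes:
    """The 'to-be-signed' part of the toy certificate."""
    return f"{domain}|{public_key}|{issuer}".encode()


def issue_cert(ca_name: str, ca_secret: bytes, domain: str, public_key: str) -> Cert:
    # HMAC-SHA256 with the CA's secret stands in for a real signature (toy model).
    sig = hmac.new(ca_secret, _tbs(domain, public_key, ca_name), hashlib.sha256).hexdigest()
    return Cert(domain, public_key, ca_name, sig)


def browser_accepts(cert: Cert, trust_store: dict) -> bool:
    """Centralized model: a cert is accepted if ANY CA in the trust store
    verifies its signature. Nothing binds a domain to a particular CA."""
    ca_secret = trust_store.get(cert.issuer)
    if ca_secret is None:
        return False
    expected = hmac.new(ca_secret, _tbs(cert.domain, cert.public_key, cert.issuer),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.signature)


def fingerprint(cert: Cert) -> str:
    """What a notary (or a certificate pin) records: a hash of the presented cert."""
    return hashlib.sha256(_tbs(cert.domain, cert.public_key, cert.issuer)).hexdigest()[:16]


def notary_quorum_accepts(cert: Cert, notary_views: dict, quorum: int) -> bool:
    """Convergence-style check: each notary reports the fingerprint it observed
    for the domain from its own network vantage point. The client accepts only
    if at least `quorum` notaries saw the same cert the client is seeing."""
    seen = fingerprint(cert)
    agreeing = sum(1 for view in notary_views.values() if view.get(cert.domain) == seen)
    return agreeing >= quorum


def demo() -> dict:
    # Constructed sample data: two CAs the browser trusts, one of them compromised.
    trust_store = {"GoodCA": b"good-ca-secret", "CompromisedCA": b"leaked-ca-secret"}
    legit = issue_cert("GoodCA", trust_store["GoodCA"], "example.com", "site-key-1")
    # A cert for the same domain with a different key, signed by the compromised CA.
    rogue = issue_cert("CompromisedCA", trust_store["CompromisedCA"], "example.com", "other-key")

    # Notaries that each independently fetched example.com's cert earlier.
    # notary3 is misbehaving (or sits behind the interception) and vouches for the rogue cert.
    notary_views = {
        "notary1": {"example.com": fingerprint(legit)},
        "notary2": {"example.com": fingerprint(legit)},
        "notary3": {"example.com": fingerprint(rogue)},
    }
    quorum = 2  # user-chosen policy: 2 of 3 notaries must agree
    without_notary3 = {k: v for k, v in notary_views.items() if k != "notary3"}
    return {
        "legit_browser": browser_accepts(legit, trust_store),
        "rogue_browser": browser_accepts(rogue, trust_store),   # True: the flaw
        "legit_quorum": notary_quorum_accepts(legit, notary_views, quorum),
        "rogue_quorum": notary_quorum_accepts(rogue, notary_views, quorum),  # False: caught
        "rogue_quorum_after_removing_notary3": notary_quorum_accepts(rogue, without_notary3, quorum),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

`browser_accepts` returns True for both certificates because the trust store is a flat list: the compromised CA's signature is as good as any other. The quorum check rejects the rogue certificate even though one of three notaries vouches for it, and the user can drop that notary from the set without touching the CA list at all, which is the "add more good notaries and/or remove the bad ones" property described above. In real deployments the same mismatch detection is what certificate pinning and Certificate Transparency monitoring provide; this model only shows the shape of the check, not their wire formats.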