VeriSign admits multiple hacks in 2010, keeps details under wraps
Claims its DNS network wasn't breached, but mum on whether SSL certificates were compromised
Computerworld - VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010.
The admission was disclosed last fall in a VeriSign filing with the U.S. Securities and Exchange Commission (SEC), but did not come to light until today when Reuters reported on its investigation of new SEC guidelines on such disclosures.
"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," said VeriSign in the quarterly report it filed with the SEC in October 2011.
VeriSign confirmed that the attacker made off with data and claimed that it had put new defensive measures into place.
"This could be very, very significant," said Rob Rachwald, director of security strategy at Imperva, depending on exactly what hackers stole from VeriSign.
Prior to August 2010, VeriSign was the world's largest SSL (secure socket layer) certificate issuing authority. In May of that year, Symantec announced it would acquire VeriSign's authentication business, including SSL certificate generation, for $1.2 billion. The acquisition was finalized Aug. 9, 2010.
"If a root [SSL] certificate was compromised, or the attackers acquired information about SSL certificates, users are completely open to attack," said Subhash Tantry, the CEO of FoxT, which provides access management software to enterprises.
Unfortunately, said Rachwald and Noa Bar Yosef, a senior security strategist with Imperva, there is not enough information available to know just how bad the situation might be.
"Details are really lacking," said Bar Yosef, "And this is a problem I see time and again, where a company suffers from a breach but they keep quiet about what actually happened."
Other than to say that it does not believe the attacks hacked the servers which support its Domain Name System (DNS) network, VeriSign was vague about almost every aspect of the breaches -- even whether the additional defenses it erected had been adequate.
"Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign admitted in the 10-K filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."
The lack of information about SSL prompted some experts to worry that hackers had acquired legitimate-looking certificates, or stolen information critical to the certificate issuing process.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts