Skip the navigation

VeriSign admits multiple hacks in 2010, keeps details under wraps

Claims its DNS network wasn't breached, but mum on whether SSL certificates were compromised

February 2, 2012 03:33 PM ET

Computerworld - VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010.

The admission was disclosed last fall in a VeriSign filing with the U.S. Securities and Exchange Commission (SEC), but did not come to light until today when Reuters reported on its investigation of new SEC guidelines on such disclosures.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," said VeriSign in the quarterly report it filed with the SEC in October 2011.

VeriSign confirmed that the attacker made off with data and claimed that it had put new defensive measures into place.

"This could be very, very significant," said Rob Rachwald, director of security strategy at Imperva, depending on exactly what hackers stole from VeriSign.

Prior to August 2010, VeriSign was the world's largest SSL (secure socket layer) certificate issuing authority. In May of that year, Symantec announced it would acquire VeriSign's authentication business, including SSL certificate generation, for $1.2 billion. The acquisition was finalized Aug. 9, 2010.

"If a root [SSL] certificate was compromised, or the attackers acquired information about SSL certificates, users are completely open to attack," said Subhash Tantry, the CEO of FoxT, which provides access management software to enterprises.

Unfortunately, said Rachwald and Noa Bar Yosef, a senior security strategist with Imperva, there is not enough information available to know just how bad the situation might be.

"Details are really lacking," said Bar Yosef, "And this is a problem I see time and again, where a company suffers from a breach but they keep quiet about what actually happened."

Other than to say that it does not believe the attacks hacked the servers which support its Domain Name System (DNS) network, VeriSign was vague about almost every aspect of the breaches -- even whether the additional defenses it erected had been adequate.

"Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign admitted in the 10-K filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

The lack of information about SSL prompted some experts to worry that hackers had acquired legitimate-looking certificates, or stolen information critical to the certificate issuing process.



Our Commenting Policies