VeriSign admits multiple hacks in 2010, keeps details under wraps
Claims its DNS network wasn't breached, but mum on whether SSL certificates were compromised
Computerworld - VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010.
The admission was disclosed last fall in a VeriSign filing with the U.S. Securities and Exchange Commission (SEC), but did not come to light until today when Reuters reported on its investigation of new SEC guidelines on such disclosures.
"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," said VeriSign in the quarterly report it filed with the SEC in October 2011.
VeriSign confirmed that the attacker made off with data and claimed that it had put new defensive measures into place.
"This could be very, very significant," said Rob Rachwald, director of security strategy at Imperva, depending on exactly what hackers stole from VeriSign.
Prior to August 2010, VeriSign was the world's largest SSL (secure socket layer) certificate issuing authority. In May of that year, Symantec announced it would acquire VeriSign's authentication business, including SSL certificate generation, for $1.2 billion. The acquisition was finalized Aug. 9, 2010.
"If a root [SSL] certificate was compromised, or the attackers acquired information about SSL certificates, users are completely open to attack," said Subhash Tantry, the CEO of FoxT, which provides access management software to enterprises.
Unfortunately, said Rachwald and Noa Bar Yosef, a senior security strategist with Imperva, there is not enough information available to know just how bad the situation might be.
"Details are really lacking," said Bar Yosef, "And this is a problem I see time and again, where a company suffers from a breach but they keep quiet about what actually happened."
Other than to say that it does not believe the attacks hacked the servers which support its Domain Name System (DNS) network, VeriSign was vague about almost every aspect of the breaches -- even whether the additional defenses it erected had been adequate.
"Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign admitted in the 10-K filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."
The lack of information about SSL prompted some experts to worry that hackers had acquired legitimate-looking certificates, or stolen information critical to the certificate issuing process.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- 10 Things Your Next Firewall Must do Next-Generation Firewalls Defined
- Firewall Buyers Guide Operate as the core of your network security infrastructure
- Getting Started With a Zero Trust Approach to Network Security The Traditional Approach to Network Security is Failing. View Now>>
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts