VeriSign admits multiple hacks in 2010, keeps details under wraps
Claims its DNS network wasn't breached, but mum on whether SSL certificates were compromised
Computerworld - VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010.
The admission was disclosed last fall in a VeriSign filing with the U.S. Securities and Exchange Commission (SEC), but did not come to light until today when Reuters reported on its investigation of new SEC guidelines on such disclosures.
"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," said VeriSign in the quarterly report it filed with the SEC in October 2011.
VeriSign confirmed that the attacker made off with data and claimed that it had put new defensive measures into place.
"This could be very, very significant," said Rob Rachwald, director of security strategy at Imperva, depending on exactly what hackers stole from VeriSign.
Prior to August 2010, VeriSign was the world's largest SSL (secure socket layer) certificate issuing authority. In May of that year, Symantec announced it would acquire VeriSign's authentication business, including SSL certificate generation, for $1.2 billion. The acquisition was finalized Aug. 9, 2010.
"If a root [SSL] certificate was compromised, or the attackers acquired information about SSL certificates, users are completely open to attack," said Subhash Tantry, the CEO of FoxT, which provides access management software to enterprises.
Unfortunately, said Rachwald and Noa Bar Yosef, a senior security strategist with Imperva, there is not enough information available to know just how bad the situation might be.
"Details are really lacking," said Bar Yosef, "And this is a problem I see time and again, where a company suffers from a breach but they keep quiet about what actually happened."
Other than to say that it does not believe the attacks hacked the servers which support its Domain Name System (DNS) network, VeriSign was vague about almost every aspect of the breaches -- even whether the additional defenses it erected had been adequate.
"Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign admitted in the 10-K filing. "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."
The lack of information about SSL prompted some experts to worry that hackers had acquired legitimate-looking certificates, or stolen information critical to the certificate issuing process.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!