VeriSign Discloses Successful Attack

February 3, 2012

Back in October of last year, I wrote here about the publication of new guidance, from the US Securities and Exchange Commission [SEC], that suggests circumstances under which public corporations may need to disclose cyber attacks, or potential attacks.  Reuters has examined a group of corporate filings since the guidance was issued, and has found that VeriSign, the Internet registrar, was the target of successful attacks back in 2010.  This disclosure is significant, because VeriSign operates the DNS root name servers for the top-level .com, .net, and .gov domains.

The disclosure was made in VeriSign’s quarterly 10-Q filing with the SEC on 28 October 2011, for the quarter ended 30 September 2011.  (The disclosure itself is on page 33 of the filing.  The Central Index Key for VeriSign in the SEC’s EDGAR database is 0001014473.)

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated.

As the statement says, the company does not believe that its DNS servers were affected, but some (unspecified) information was stolen.  As Reuters points out, this is not as reassuring as one might wish, given the importance of the DNS services VeriSign provides.

VeriSign’s domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept email from federal employees or corporate executives, though classified government data moves through more secure channels.

In addition to its DNS services, VeriSign was a major Certificate Authority, providing digital certificates to a large number of institutions.  (It sold that business to Symantec Corp. in 2010, although Symantec has kept the VeriSign brand name for its certificate business.)  As we saw with the attack against the Dutch Certificate Authority DigiNotar, this raises the possibility that the attackers gathered enough information to enable them to issue bogus certificates, create fraudulent Web sites, and digitally sign malicious software.

Given the lack of specific information in VeriSign’s disclosure, it is impossible to know what was compromised, or what kinds of mischief have happened, or might happen in the future.  But there has been a feeling for some time among security professionals that the whole Certificate Authority system has some fundamental flaws, and this news is very far from reassuring.