VeriSign Discloses Successful Attack

Back in October of last year, I wrote here about the publication of new guidance from the US Securities and Exchange Commission (SEC) that suggests circumstances under which public corporations may need to disclose cyber attacks, or potential attacks. Reuters has examined a group of corporate filings since the guidance was issued, and has found that VeriSign, the Internet registrar, was the target of successful attacks back in 2010. This disclosure is significant, because VeriSign operates the DNS root name servers for the top-level .com, .net, and .gov domains.

The disclosure was made in VeriSign’s quarterly 10-Q filing with the SEC, on 28 October 2011, for the quarter ended 30 September 2011. (The disclosure itself is on page 33 of the filing. The Central Index Key for VeriSign in the SEC’s EDGAR database is 0001014473.)

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated.

As the statement says, the company does not believe that its DNS servers were affected, but some (unspecified) information was stolen.  As Reuters points out, this is not as reassuring as one might wish, given the importance of the DNS services VeriSign provides.

VeriSign’s domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept email from federal employees or corporate executives, though classified government data moves through more secure channels.

In addition to its DNS services, VeriSign was a major Certificate Authority, providing digital certificates to a large number of institutions.  (It sold that business to Symantec Corp. in 2010, although Symantec has kept the VeriSign brand name for its certificate business.)  As we saw with the attack against the Dutch Certificate Authority DigiNotar, this raises the possibility that the attackers gathered enough information to enable them to issue bogus certificates, create fraudulent Web sites, and digitally sign malicious software.

Given the lack of specific information in VeriSign’s disclosure, it is impossible to know what was compromised, or what kinds of mischief have happened, or might happen in the future. But there has been a feeling for some time among security professionals that the whole Certificate Authority system has some fundamental flaws, and this news is very far from reassuring.

3 Responses to VeriSign Discloses Successful Attack

  1. Allen says:

    Unfortunately, many people are associating the breach at Verisign, Inc. with the brand of SSL Certificates that Symantec acquired. SSL, or HTTPS encryption, remains today as the most secure method to protect online data in transit.

    I work at Symantec and can confirm that The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.

  2. Rich says:

    Thanks for the update, Allen. Statements in 10-Q filings tend to be rather general and non-specific, and VeriSign’s was no exception. Bogus certificates are possible following a security breach, but I know of no evidence to suggest that any have appeared in this case; I am glad to hear that Symantec’s facilities were not affected.

    The general questions about certificate use are not with the SSL/HTTPS mechanism, which is fine as far as I know, but with the process of selecting and vetting Certificate Authorities.

  3. […] Unfortunately, we have seen a number of problems with this system, ranging from the hacks of VeriSign, and of the Dutch CA DigiNotar, to the use of a certificate, stolen from the Malaysian government, […]
