February 3, 2012
VeriSign Confirms Multiple Security Breaches In 2010
VeriSign Inc. has confirmed that its computers and servers were repeatedly hacked in 2010, and that those responsible for the breach might have compromised critical information relating to the Internet's domain name system (DNS), Reuters reported on Thursday.
“We have investigated and do not believe these attacks breached the servers that support our domain name system network,” VeriSign said in a quarterly October 2011 filing with the Securities and Exchange Commission (SEC).The disclosure, which was a result of new SEC guidelines on reporting security breaches to investors, contradicts previous statements the Reston, Virginia-based company made last year denying such a breach had occurred.
VeriSign is responsible for ensuring the integrity of Internet addresses ending in .com, .net and .gov, which include more than half the world's websites. The company´s DNS network provides the foundation for the Web by ensuring people arrive at the correct numeric Internet Protocol address when they type in a web address.
VeriSign´s DNS processes as many as 50 billion queries each day, and any breach of the system could have serious consequences. For instance, stolen information about the DNS network could give hackers the ability to direct people to fake or fraudulent websites, or to intercept email from government employees or corporate executives.
"That could allow people to imitate almost any company on the Net,” said Stewart Baker, former assistant secretary of the Department of Homeland Security, during an interview with Reuters.
In addition to its DNS services, VeriSign offers a variety of other services where security is vital, such as protecting customers' websites from cyberattacks, managing web traffic and researching international cybercriminals.
Because of this important role, VeriSign would naturally possess sensitive data on customers, and its registry services that dispense website addresses is an attractive target for hackers.
Ken Silva, VeriSign's former chief technology officer from 2007-2010, told Reuters that VeriSign could probably not draw an accurate assessment of the damages from the breaches given the time elapsed since the attack.
Baker told Reuters VeriSign's description of the incident would likely lead people to assume that a nation-state was behind the attack, and that the breach is “persistent, very difficult to eradicate and very difficult to put your hands around, so you can't tell where they went undetected."
VeriSign´s SEC filing said its security staff responded to the attack soon after it had occurred, but failed to alert company executives until September 2011.
The documents contain no disclosures about a continuing investigation.
Prior to August 2010, VeriSign was one of the largest providers of Secure Sockets Layer (SSL) certificates, which Web browsers look for when connecting people to sites with addresses beginning in "https.” This includes the websites of most financial firms as well as some email and other communications portals.
If the SSL processes were corrupted, "you could create a Bank of America certificate or Google certificate that is trusted by every browser in the world," said security consultant Dmitri Alperovich, president of Asymmetric Cyber Operations, in an interview with Reuters.
VeriSign sold its certificate business in the summer of 2010 to Symantec Corp., which has maintained the VeriSign name on those products.
U.S. Director of National Intelligence James Clapper told the U.S. Senate on Tuesday that the known certificate breaches of 2011 were "a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking."
In part of its SEC filing describing risk factors, VeriSign said it was a frequent target of "the most sophisticated form of attacks," and that some were "virtually impossible to anticipate and defend against."
Some experts say SSL may no longer reliable and effective.
Even if VeriSign's certificates were not compromised, a significant breach "means that prevention is futile," said Alperovich, adding that he hoped new cybersecurity laws would ensure further disclosures, and bring assistance to companies who fell victim to these types of attacks.
New legislation related to cybersecurity is expected to reach the Senate floor later this month.
On the Net: