VeriSign admits 2010 hack

News 3 Feb, 2012

The security company is hacked in 2010 but the details are only just emerging, calling the CA system into question again.

VeriSign’s network was hacked repeatedly in 2010, but the company does not believe its DNS servers were hit.

The company, which is the registry officer for websites ending in .com, .net and .gov, admitted to the breaches in a quarterly US Securities and Exchange Commission filing in October, Reuters found.

If the VeriSign DNS network or Secure Sockets Layer (SSL) certificate data was compromised, it could have allowed hackers to pose as official websites and dupe users out of valuable data. They could theoretically pose as a bank and gain truly important information.

The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit.

Symantec, which bought Verisign’s SSL certificates business in 2010, claimed data relating to acquired products was not stolen in the breach.

“Symantec takes the security and proper functionality of its solutions very seriously,” a spokesperson told IT Pro.

“The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.”

Ken Silva, who was VeriSign's chief technology officer until November 2010, said he did not know about the breach until contacted by Reuters. Furthermore, senior executives were not informed until September 2011.

“All in all, we need more details to see what exactly happened during those consecutive breaches and what data was actually stolen,” said head of the Bitdefender Online Threats Lab, Catalin Cosoi, in a blog post.

“The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit. This would potentially yield a huge level of data that could be exploited for financial gain. However, it's important to remember that a strong anti-phishing solution will keep you protected.”

Hackers have been going after security firms in earnest in recent times. In particular though, certificate authorities (CAs) have been targeted as they allow hackers to pose as official web services.

When CA DigiNotar was hit last year, it ended up going out of business because of the repercussions.

“These targets are all trusted third-party providers of certificates, services, or secure tokens -technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide,” said Jeff Hudson, CEO of certificate management company Venafi.

“The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped.”

There are alternatives to the CA system, however. Noted researcher and now Twitter employee Moxie Marlinspike has offered something known as the 'Convergence' model.

With the model, users are handed the SSL certificates directly, before asking a number of “trust notaries” to download it too. It then relies on consensus from these notaries to authenticate the web transaction.

To add an additional layer of security, the user goes through a proxy notary so they will remain anonymous to the trust notaries.

Read on for our look at whether the CA system can survive.