VeriSign admits 2010 hack

The security company was hacked in 2010, but the details are only just emerging, calling the CA system into question again.


VeriSign's network was hacked repeatedly in 2010, but the company does not believe its DNS servers were hit.

The company, which is the registry officer for websites ending in .com, .net and .gov, admitted to the breaches in a quarterly US Securities and Exchange Commission filing in October, Reuters found.

If the VeriSign DNS network or Secure Sockets Layer (SSL) certificate data was compromised, it could have allowed hackers to pose as official websites and dupe users out of valuable data. They could theoretically pose as a bank and gain truly important information.


Symantec, which bought VeriSign's SSL certificates business in 2010, claimed data relating to acquired products was not stolen in the breach.

"Symantec takes the security and proper functionality of its solutions very seriously," a spokesperson told IT Pro.

"The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."

Ken Silva, who was VeriSign's chief technology officer until November 2010, said he did not know about the breach until contacted by Reuters. Furthermore, senior executives were not informed until September 2011.

"All in all, we need more details to see what exactly happened during those consecutive breaches and what data was actually stolen," said head of the Bitdefender Online Threats Lab, Catalin Cosoi, in a blog post.

"The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit. This would potentially yield a huge level of data that could be exploited for financial gain. However, it's important to remember that a strong anti-phishing solution will keep you protected."

Hackers have been going after security firms in earnest in recent times. Certificate authorities (CAs) in particular have been targeted, as a compromised CA allows hackers to pose as official web services.

When CA DigiNotar was hit last year, it ended up going out of business because of the repercussions.

"These targets are all trusted third-party providers of certificates, services, or secure tokens - technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide," said Jeff Hudson, CEO of certificate management company Venafi.

"The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped."

There are alternatives to the CA system, however. Noted researcher and now Twitter employee Moxie Marlinspike has offered something known as the 'Convergence' model.

With this model, users are handed a site's SSL certificate directly, then ask a number of "trust notaries" to download it too. The model then relies on consensus from these notaries to authenticate the web transaction.

To add an additional layer of security, the user goes through a proxy notary so they will remain anonymous to the trust notaries.
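
A simplified model of the notary consensus check described above, as an added example that is not Convergence's own code or wire protocol. The function names, verdict strings, thresholds and sample certificates are assumptions made for illustration, and the proxy-notary hop is not modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class NotaryReply:
    notary: str                  # hypothetical notary name
    fingerprint: Optional[str]   # None: the notary did not answer

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def notary_consensus(client_cert: bytes, replies: List[NotaryReply],
                     min_answers: int = 2, threshold: float = 1.0) -> str:
    """Compare the certificate the client was handed with what notaries saw.

    Returns 'trusted', 'mismatch' or 'insufficient'.
    """
    seen = fingerprint(client_cert)
    answers = [r for r in replies if r.fingerprint is not None]
    if len(answers) < min_answers:
        return "insufficient"    # too few notaries answered: fail closed
    agree = sum(1 for r in answers if r.fingerprint == seen)
    return "trusted" if agree / len(answers) >= threshold else "mismatch"

# Constructed stand-ins for DER certificates (not real certificates).
GENUINE = b"constructed-cert: CN=bank.example, key=A"
FORGED = b"constructed-cert: CN=bank.example, key=B"

def demo():
    # Three notaries on other network paths all see the genuine certificate.
    notaries = [NotaryReply(f"notary-{i}", fingerprint(GENUINE)) for i in range(3)]
    partial = [notaries[0], NotaryReply("notary-x", None)]
    return (
        notary_consensus(GENUINE, notaries),  # client sees the same certificate
        notary_consensus(FORGED, notaries),   # client was handed a different one
        notary_consensus(GENUINE, partial),   # only one notary answered
    )

if __name__ == "__main__":
    print(demo())
```

The second case is the one the article is concerned with: a certificate that differs from what the notaries observe is rejected regardless of which CA signed it.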

Read on for our look at whether the CA system can survive.
