VeriSign, the company behind the root DNS servers that provide the foundation for the Web and formerly the largest encryption certificate authority, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov, has revealed that it was repeatedly hacked in 2010. Details are sparse thus far, but the revelation calls into question the security of the internet itself.
The company’s domain-name system processes as many as 50 billion queries daily. Stealing information from it could let hackers direct people to fake sites and intercept emails from federal employees or corporate executives, though classified government data moves through more secure channels.
Stewart Baker, former assistant secretary of the Department of Homeland Security, said: "Oh my god, that could allow people to imitate almost any company on the Net."
The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The breach occurred sometime last year but has only now been made public.
IT staff at VeriSign allegedly discovered the compromise in 2010 but hid the incident from upper management until sometime in 2011. VeriSign itself may not be at fault for the initial delay in disclosure, but a significant amount of time appears to have passed since VeriSign executives learned of the breach, and the company still tried to slip the information quietly into an SEC filing.
Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer (SSL) certificates, which are used to encrypt data travelling between a browser and a website over connections whose addresses begin with "https", and which were in use at many internet properties, including most financial sites and some email and other communications portals. The certificate authority business of VeriSign was acquired by Symantec in 2010, so depending on the timing of the attacks it seems feasible that the certificate encryption keys could have been exposed.
Symantec declined to comment directly on news of the VeriSign breach, but a spokesperson did assert, “The Trust Services (SSL), User Authentication and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.”
VeriSign, which is now owned by Symantec Inc., posted a message on its site stating that the company is changing its name again in April 2012.
"In April 2012, all VeriSign seals will automatically update to the Norton Secured Seal, combining the power of the VeriSign checkmark with the value of the Norton name. The combination of these leading companies will help assure your customers that your website is safe from search to browse to buy and sign-in."
VeriSign declined multiple interview requests, and senior employees said privately that they had not been given any more details than were in the filing. One said it was impossible to tell if the breach was the result of a concerted effort by a national power, though that was a possibility.
No network is impervious, and a company as high-profile as VeriSign is a prime target. The key is that organizations need to do more to foster an environment where honesty and disclosure are valued. If the fear of negative consequences is greater than the incentive for quick disclosure and response, you end up with a situation where IT staff would rather hide evidence of a breach.