Website Security Insurer Verisign Itself Was Hacked Multiple Times In 2010

Must Read

Aadhaar-PAN Card linking Deadline Extends!

: The deadline for linking Aadhaar with PAN has been extended by six months, from September 30, 2021 to...

Average Salary Hike In India: 8.6% In 2022, IT Sector Will Offer the Highest [REPORT]

The latest Deloitte’s Workforce and Increment Trends 2021 survey has addressed salary increment by industry, bonus or variable pay plans,...

Sony Zee Merger In India: Could Change the Dynamics of Indian Media Industry!

India's two biggest media networks Sony Pictures Networks India (SPNI) and Zee Entertainment Enterprises Ltd. (ZEEL) announced their merger,...

VeriSign- the company behind the root DNS servers that provide the foundation for the Web and formerly the largest encryption certificate authority, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov – has revealed that it was repeatedly hacked in 2010. Details are spare thus far, but the revelation calls into question the security of the internet itself.

The company’s domain-name system processes as many as 50 billion queries daily. Stealing information from it could let hackers direct people to fake sites and intercept emails from federal employees or corporate executives, though classified government data moves through more secure channels.

Stewart Baker, former assistant secretary of the Department of Homeland Security said: ”Oh my god, that could allow people to imitate almost any company on the Net.”

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filling in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The breach occurred sometime last year but has only been made publicly on reporting security breaches to investors.


IT staffs at VeriSign allegedly discovered the compromise in 2010, but hidden the incident from upper management until sometime in 2011. VeriSign itself may not be at fault for the initial delay in the disclosure, but it appears that a significant amount of time has passed since VeriSign executives learned of the breach, and yet the company still tried to sneak the information covertly in an SEC filing.

Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer (SSL) certificates – use to encrypt data to travel from website to server in secured mode, that begins with “https” – which was getting used by many internet properties including most financial sites and some email and other communications portals. The certificate authority business of VeriSign was acquired by Symantec in 2010; so depending on the timing of the attacks it seems feasible that the certificate encryption keys could have been exposed.

Symantec declined to comment directly on news of the VeriSign breach, but a spokesperson did assert, “The Trust Services (SSL), User Authentication and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.”

VeriSign which is now owned by Symantec Inc, posted a message on its site that states the company is changing its name again in April 2012.

“In April 2012, all VeriSign seals will automatically update to the Norton Secured Seal, combining the power of the VeriSign checkmate with the value of the Norton name. The combination of these leading companies will help assure your customers that your website is safe from search to browse to buy and sign-in.”

VeriSign declined multiple interview requests, and senior employees said privately that they had not been given any more details than were in the filing. One said it was impossible to tell if the breach was the result of a concerted effort by a national power, though that was a possibility.

No network is impervious, and a company as high-profile as VeriSign is a prime target. The key is that organizations need to do more to foster an environment where honesty and disclosure are valued. If the fear of negative consequences is greater than the incentive for quick disclosure and response, you end up with a situation where IT staff would rather hide evidence of a breach.



Please enter your comment!
Please enter your name here

Latest News

The YouTube Partner Program: Build An Audience of Subscribers

Since it first launched in 2005, YouTube has grown to become the king of online streaming video by democratizing...

In-Depth: Dprime

Will ‘TikTok By Microsoft’ Be A Winner?

For the last two years, TikTok has been in the public eye for all sorts of reasons. First, it was the exploded and unparalleled...

Facebook Subscription Model: Looking Beyond Ad Dollars?

Seldom do job listings create a stir this gripping. However, when the job listing in question is a stealth post from Twitter, with a...

Will The Online Food Delivery Market in India End Up Becoming A Two-Horse Race?

It's pretty much evident that the food delivery space in India is all set to get riled up soon enough as one of the...

More Articles Like This