Report Reveals Hackers Attacked Verisign Repeatedly In 2010
Confidence in the security industry has been rocked by reports of multiple breaches in the world’s flagship infrastructure protector.
VeriSign, the company charged with safeguarding more than half the world’s web sites, has admitted it was hacked repeatedly in 2010. The infrastructure services giant attempted to bury its guilty secret in its quarterly Securities and Exchange Commission (SEC) filing in October, but the revelation has found a wider audience after a Reuters report yesterday.
The damaging news has rocked confidence across the world as the integrity of Web addresses ending in .com, .net and .gov is under question.
VeriSign Didn’t Give It to Us Straight – Gov
VeriSign executives deny the attacks breached the servers supporting its Domain Name System (DNS) network, but could rule out that breaches might affect any of the 50 billion queries it processes daily.
Now there are fears in the security channel that hackers will use stolen data to direct victims to faked sites and intercept email. “That could allow people to imitate almost any company on the Net,” said Stewart Baker, former assistant secretary of the Department of Homeland Security.
The VeriSign attacks were only recently discovered in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.
It’s Very Serious Indeed Says Ex Verisign CTO
Ken Silva, who was VeriSign’s chief technology officer for three years until November 2010, said the vague language in the SEC filing indicated that VeriSign “probably can’t draw an accurate assessment” of the damage.
If Verisign’s SSL processes were corrupted, the implications wold be very serious indeed, said security consultant Dmitri Alperovich, president of Asymmetric Cyber Operations. “You could create a Bank of America certificate or Google certificate that is trusted by every browser in the world,” he said.
Symantec, which now owns Verisign’s certification business, played down these fears. “There is no indication that the breach was related to the acquired SSL product production systems,” said spokeswoman Nicole Kenyon.