Authentication Giant VeriSign Hacked Repeatedly in 2010
The VeriSign logo as of February 2012.
CREDIT: VeriSign, Inc.
Update: VeriSign has released a public statement about the data breach. See below.
VeriSign, the Internet infrastructure company at the heart of the World Wide Web, was hacked repeatedly in 2010 by attackers who stole undisclosed but potentially critical information.
According to a report by Reuters, the previously undisclosed breaches took place in 2010 at the Reston, Va.-based firm, which verifies the integrity of top-level domains including all .com and .net addresses and until recently was one of the largest providers of Secure Sockets Layer (SSL) authentication certificates, used by most financial sites to ensure the legitimacy of sites beginning with "https."
"Oh my God," said Stewart Baker, formerly of the Department of Homeland Security and the National Security Agency, when told by Reuters of the breach. "That could allow people to imitate almost any company on the Net."
VeriSign told Reuters its executives "do not believe these attacks breached the servers that support our Domain Name System network," but it did not rule out the possibility of such an attack.
Compromising a Domain Name System (DNS) server could be catastrophic, as these servers verify that a site's Internet Protocol address — for example, 22.214.171.124 — matches up with what users type in to their browsers, such as "www.securitynewsdaily.com."
If an outside party tampered with a company's DNS servers, especially those as powerful as VeriSign's, that could potentially mean millions of people navigating to sites like Google and Amazon, or to their online banking websites, would actually be landing on spoofed, malicious sites controlled by the perpetrators.
In August 2010, VeriSign sold its authentication-certificate business to security-software giant Symantec. Authentication certificates, also known as SSL certificates, are issued to online retailers and other companies that sell products and provide services online. Those companies use the certificates to verify their identities to Web browsers. For example, an authentication certificate known to belong to Amazon proves to your browser that you're logged into the Amazon website.
Were the information about both the DNS server verification and the authentication certificates to fall into the wrong hands, malicious parties could "spoof" large parts of the Internet and World Wide Web.
"You could create a Bank of America certificate or Google certificate that is trusted by every browser in the world," Dmitri Alperovitch, head of Asymmetric Cyber Operations, LLC, and until recently vice president of threat research at Symantec's main rival, McAfee, told Reuters.
The Reuters report did not say if the data breach occurred before or after VeriSign transferred its authentication-certificate business to Symantec. SecurityNewsDaily could not reach VeriSign for comment.
"There is no indication that the 2010 corporate network security breach mentioned by VeriSign, Inc. was related to the acquired SSL product production systems," a Symantec spokeswoman told Reuters.
The VeriSign attacks came to light in a U.S. Securities and Exchange Commission filing in October that followed new SEC guidelines on disclosing security breaches to investors.
The report, Reuters said, indicated that VeriSign's security personnel responded to the attack at the time, but did not tell top executives until September 2011. The man who had been VeriSign's chief technology officer until November 2010 only learned of the breach when contacted by Reuters.
Update: Later on Thursday, VeriSign released a public statement about the data breach.
"After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain Name System (DNS) was compromised," the statement reads in part.
"We have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish. In 2005, Verisign engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS," it continues. "All DNS zone files were and are protected by a series of integrity checks including real-time monitoring and validation. Verisign places the highest priority on security and the reliable operation of the DNS."