VeriSign did not disclose that it had been successfully attacked several times in 2010 because, according to its own SEC filing, the security team did not report the incidents to management until September 2011.
VeriSign, the company responsible for the .com, .net and .gov domain spaces, acknowledged in a recent filing with the Securities and Exchange Commission that it was hacked several times in 2010. The company had not disclosed the incidents at the time they occurred.
While VeriSign admitted to the breaches in its quarterly filing with the SEC back in October, the incidents were not widely publicized until a Reuters report on Feb. 2. Reuters came across the information while researching how companies were responding to the SEC's new guidance on disclosing cyber-incidents, which was published in October.
The SEC guidance recommends that companies disclose security risks that could affect their operations, as well as incidents that could have a material impact on the business.
"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," VeriSign reported in the quarterly filing.
The attackers stole data during the breaches, and the company said it was "unable to assure" that the information was not, or could not be, used by the attackers. VeriSign said it has since implemented new defensive measures to prevent similar incidents.
While VeriSign said it did not believe the attacks affected the servers that make up its Domain Name System (DNS) infrastructure, the filing was vague about what had happened and what was stolen. It is also unclear what defenses have been implemented and whether they are effective. "We cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign wrote in the quarterly filing.
It also appears that the security team did not escalate the breaches to VeriSign senior management when they occurred in 2010; according to the SEC filing, the incidents were not reported up the chain of command until September 2011.
"The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements," VeriSign wrote.
VeriSign did not respond to eWEEK's requests for comment.
"VeriSign has been the gold standard for authentication, how users know that they can trust another party or system, but far from the gold standard on disclosure and response," said Jonathan Gossels, president of SystemExperts. It is "unfathomable" that the incidents were suppressed for more than a year, he said.
The process broke down when the security team did not keep senior managers in the loop, said Mandeep Khera, CMO of LogLogic. Because senior management was never notified, breach notification regulations were bypassed as well, Khera said.
The attacks against VeriSign "shouldn't surprise anyone," as attackers are increasingly focusing their energies against the Secure Sockets Layer (SSL), said Rob Rachwald, director of security strategy at Imperva. The attacks will reach a "tipping point," at which point there will be a serious discussion about real alternatives for securing Web communications, he said.
VeriSign's authentication business, which includes issuing SSL certificates, was sold to Symantec in a $1.28 billion deal announced in May 2010 and finalized Aug. 9, 2010. VeriSign's DNS servers process billions of Web queries and direct Internet users to the correct Website, ensuring the integrity of the .com, .net and .gov domains.
Symantec insists that the SSL business is secure. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing," Symantec said in an emailed statement.
"If the DNS network were breached it would potentially be bad news for many of the world's websites, allowing cyber-criminals to redirect users attempting to visit popular sites and potentially infect surfers with malware and intercept communications," Graham Cluley, a senior technology consultant with Sophos, wrote on the Naked Security blog.
Shortly after the DigiNotar breach in July, which was disclosed in September, Mozilla sent letters to major certificate authorities (CAs) demanding that they audit their networks and confirm that their systems remained secure from attackers. Mozilla implied that failure to comply with the request would result in the CA being removed as a trusted authority from Firefox.
Symantec had told Mozilla at the time that it was confident its systems had not been affected by the recent breaches, Fran Rosch, vice president of Trust Services at Symantec, told eWEEK on Sept. 9. The company has invested in "the most robust and scalable" certificate authentication, issuance, management and hierarchy infrastructure in the industry, according to Rosch. "Our VeriSign, Thawte, GeoTrust and RapidSSL roots remain secure," Rosch said.
Since there appears to be no immediate threat to Firefox users as a result of this disclosure, Mozilla does not plan to take any action at this time, the organization said via email.