Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen

mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."

"Not sure what was stolen"

"It's too soon to say."

Re:"Not sure what was stolen"

[Reasonable+Facsimile]

http://qkme.me/35vpka

Re:"Not sure what was stolen"

[Zamphatta]

If it's just "too soon to say" and nothing more, then every one of their security people should be fired & replaced with competent people. Why? Because 2012 should not be "too soon" after hacks in 2010, to know what was stolen. If they don't know, it's probably because the hackers were excellent at hiding their tracks on the system. Actually, it better be the reason, 'cause any other reason would mean incompetence at Verisign.

Re:"Not sure what was stolen"

[neonKow]

That looks exactly like a link I should click on.

Re:"Not sure what was stolen"

Here you go, buddy: the actual image in question. The original source site is run by a buddy of mine, fancy finding it linked in a /. post.

Who is "Versign"?

[jduhls]

Like the subject says: Who is "Versign"? /first post please?!?!?!

Re:Who is "Versign"?

Like the subject says: Who is "Versign"? /first post please?!?!?!

It's a company started by John Galt.

Re:Who is "Versign"?

[AnInkle]

Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...

Re:Who is "Versign"?

[K.+S.+Kyosuke]

Like the subject says: Who is "Versign"? /first post please?!?!?!

It's the company formerly known as Verisign that has been hacked and had some characters stolen by hackers, including an 'i' in its name.

Re:Who is "Versign"?

Verisign, dumbfuck.

Re:Who is "Versign"?

[Hawke]

Verisign runs the top-level domain DNS servers for com, net, edu, cc, name, and a few other smaller ones. If you lookup gmail (ignoring caching), you have to ask Verisign-owned servers where the google DNS servers are, so you can ask those servers what the gmail IP address is. For the security of the internet: it's pretty important.

Until late 2010, Verisign also ran the dominant SSL business. That red circle with the black digitized check at the bottom of your bank's web page? Yeah, that. The SSL business was sold to Symantec, are are trying to slowly rebrand. For the security of the internet, SSL is also kinda important.

Re:Who is "Versign"?

[Hawke]

(Yes, I know that my reply is missing the joke. I thought it was important to post anyway)

Re:Who is "Versign"?

[ackthpt]

Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...

Prevents you from contacting them and interrupting their meetings, the ones where they all give each other big raises for "actualizing" and stuff, also allows them to keep their scheduled tee times.

"Grandfather, you are old and senile, we can no longer take care of you. So we are sending you to an executive position at Verisign.

Re:Who is "Versign"?

[tgd]

(Yes, I know that my reply is missing the joke. I thought it was important to post anyway)

Nice recovery!

Re:Who is "Versign"?

No worries "there was no evidence that system was affected".

It seems everything is fine.

Re:Who is "Versign"?

Why the hell would anyone buy anything security related from Symantec?

Re:Who is "Versign"?

[SmurfButcher+Bob]

...'cause they currently use McAfee?

Am I Supposed to Care?

[kyrio]

Am I supposed to care about their hack? I don't trust Symantec or Verisign.

Re:Am I Supposed to Care?

So, I guess you don't visit any .com or .net websites, ever? Since, you now, Verisign runs both of those TLDs.

Re:Am I Supposed to Care?

They admit to having such crappy security, it makes you wonder, what the hackers are stealing right now. Guess we'll find out in another two years.

Maybe there should be some kind of credibility rating for companies like these, just like their credit rating. Because honestly, their vict ... erm customers will keep on paying them without even knowing what happened.

Re:Am I Supposed to Care?

[muon-catalyzed]

Verisign is still the most important internet authority, they sell most of those SSL certificates that enable internet business. Also they manage .COM and .NET domain system. It has always been feared that if they get hacked the internet economy might collapse. Even now it is perhaps better just to play it down and figure out how to lower their influence..

Re:Am I Supposed to Care?

[Jawnn]

Verisign is still the most important internet authority, they sell most of those SSL certificates that enable internet business.

[citation needed]

Re:Am I Supposed to Care?

[janeuner]

[citation needed]

This is like requesting citation for the assertion that most traffic tickets are written by police.

If you don't know how to check the certificate chains that authenticate Regions, US Bank, Discover, TurboTax, E-Trade, etc, then Slashdot really isn't for you.

Re:Am I Supposed to Care?

[icebraining]

Verisign alone might not, but Symantec (which now owns the "trust" business of Verisign), has 41.72% of the market, according to Netcraft: http://www.symantec.com/about/news/release/article.jsp?prid=20110526_01

Re:Am I Supposed to Care?

[hobarrera]

I have never heard about any of the above organizations you mention above, so they're probably *not* "most of the internet".
The EFF Observatory proyect has some interesting research on this sort of information. You should check it.

Re:Am I Supposed to Care?

41.72% ?

So, in fact, "most of those SSL certificates" are NOT sold by Verisign.

Re:Am I Supposed to Care?

[basecastula+]

Really?

weird

[Trepidity]

Leaving aside probable bad judgment on the security team's part in not informing management, doesn't a company like Verisign have standardized/mandatory issue tracking policies in place so it wouldn't even be a question of judgment on a team's part to inform management? Management should have a system in place to make sure they know what's going on security-wise in a business whose entire selling point is security.

Re:weird

[sycodon]

"Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

Re:weird

[ackthpt]

"Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

Followed by the Penn State University Board of Trustees attempting to sack them all, just in case that covered things and made everything alright.

Re:weird

[xeno314]

Yeah, management doesn't want to have to look at anything like that except for maybe a demo of how cool it is. As long as they aren't being bombarded by board members or customers, they probably don't really care what's going on.

Re:weird

American Business 101.

Those managers did their homework.

Re:weird

[PraiseBob]

I think the result is that the people in charge of the security team, and the top management need to be fired. Security is their core business, and lack of communication about something so integral to their business indicates that the top management are such monstrous assholes that they've created a seriously dysfunctional corporate culture where communication doesn't happen.

The security team had a huge failure. Management had an outright catastrophe. Management needs to be replaced entirely, which may well have happened already with Symantec buying them.

Re:weird

[SmurfButcher+Bob]

Security is not their core business. Security Theater is their core business.

Re:weird

HAHA. Management knew. I've heard that an engineers phone recorded three separate conversations at the time.

Live the dream S.

What was stolen?

[Kickasso]

The letter "i", apparently.

Re:What was stolen?

[Sockatume]

And twelve months, if we're to believe it was 2010 last year.

Re:What was stolen?

The letter "i", apparently.

It wasn't stolen, it's just that they were violating Apple's patent & trademark on the letter "i".

Who's next?

[FrankPoole]

So RSA, Symantec and Verisign have all been hacked. Who's next? Kaspersky? Fortinet? Check Point?

Re:Who's next?

[sakdoctor]

The self-appointed gate keeper, and purveyors of security are always the first to get hacked.

Re:Who's next?

[neonKow]

Oh stop being melodramatic. How are they even close to the first to get hacked? Nearly every other industry has already been hacked.

2010 or last year?

[Racemaniac]

If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?

Re:2010 or last year?

[ackthpt]

If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?

It was last year, last year, but this year it's last year's last year.

Hope that's clear enough now.

Re:2010 or last year?

[eternaldoctorwho]

Doctor, is that you?

"cannot pin down what data was stolen"

[K.+S.+Kyosuke]

No way! This is so 20th century! In Star Trek: Enterprise, the Suliban were able to detect that the stolen data disks hadn't been duplicated. Clearly, it's high time to finally develop a method that would allow us to detect that we're not the only ones who have some piece of information.

Re:"cannot pin down what data was stolen"

[LordLimecat]

And here I thought slashdot was anti DRM.

Re:"cannot pin down what data was stolen"

[Thuktun]

Clearly, it's high time to finally develop a method that would allow us to detect that we're not the only ones who have some piece of information.

If such a technology ever arrives, you can bet that either the RIAA/MPAA invented it or they'll be on it like flies on sewage.

Uncertainty is refreshing

[s.o.terica]

I'm actually impressed that they're admitting that they don't know. It seems wildly implausible that most statements about what was stolen during any given network hack are actually definitive.

Re:Uncertainty is refreshing

[tqk]

I'm actually impressed that they're admitting that they don't know.

I'm impressed they're admitting they've never heard of logservers. You know, those servers that're damned near inaccessible and do nothing but accept log event reports from all the other servers on their network?

Either that, or their backup regime sucks.

Re:Uncertainty is refreshing

[postbigbang]

Finding ways around syslogs are all the rage these days. It requires stealth. Oh, wait....

My take is that this is a genuine catastrophe. If they can't figure out what happened, there is a systematic failure that's a near death-blow. Security is what Verisign and Symantec sell. Both have been compromised, and neither of them knew what or the extent of it, and didn't in at least one case, inform management. If I were their board(s), I'd be lawyering up about now.

Re:Uncertainty is refreshing

What boggles me is the fact that they didn't change out their keys immediately.

If I had an unknown intrusion at a CA, first thing I'd be doing is generating a new root key, getting that into all the Web browsers, then revoking and generating new keys in the hierarchy.

Even keys in a HSM are not hack-proof. One major Linux distro maker has someone compromise an ID on a HSM and generate a valid signature for a ssh package. At least that distro maker had a prompt response and put out a revocation mechanism so that ssh package wouldn't be accepted it it ever got slipped into a repository.

Re:Uncertainty is refreshing

[dgatwood]

If I had an unknown intrusion at a CA, first thing I'd be doing is generating a new root key, getting that into all the Web browsers, then revoking and generating new keys in the hierarchy.

And causing millions of IE6 users to no longer be able to access their online banking. For a service of this size, the revocation costs are huge.

Besides, if they designed their systems in even a halfway competent manner, stealing the private key through a hack should be essentially impossible. A properly designed key signing service involves a standalone signing server that runs no services other than the signing service. The signing service accepts incoming connections, reads data in a byte at a time until either an EOF marker is reached or a certain number of bytes have been read, then sends back a signed copy of that data, then closes the connection. There is basically no way that such a service can be hacked (barring incredibly stupid programming) because it has essentially zero attack surface. Therefore, there should be essentially zero possibility of the private key being compromised (theoretical timing attacks on the key notwithstanding).

The worst case scenario is that they signed some things that they shouldn't have. However, even if they did, the CA should have an offline log that cannot feasibly be compromised (on the signing server itself), which means that the bogus keys can be revoked individually instead of revoking the master key that signed them.

Stealing customer data is somewhat more plausible—email addresses, mailing addresses, phone numbers, billing data, etc. Stealing the private key is pretty unlikely unless the CA is incompetent.

Re:Uncertainty is refreshing

re: "unless the CA is incompetent."

And your point is?????

Oh...

[sycodon]

Forgot the FTFY, or whatever the hell the acronym is.

from the losing-the-moral-high-ground dept.

No, that happened when Symantec bought their certificate business.

Should change their name

[ackthpt]

From Verisign to Yieldsign

Reminds me of Uplink's subtitle

Trust is a weakness.

Wah?

"Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011"
Bullllllshit

Dangling participle?

[THE_WELL_HUNG_OYSTER]

Symantec, which bought its certificate business in 2010, "its" refers to Verisign, not Symantec. Is there a more proper term for this (I know it's not a dangling participle)?

Re:Dangling participle?

Possessive pronoun.

Re:Dangling participle?

Deliberately misinterpreting an unexceptional structural ambiguity that impairs no one's understanding at all?

Re:Dangling participle?

[SockPuppetOfTheWeek]

The proper technical term for it is "pronoun hell".

So how come......

Where is the bands of online zealots complaining that it took them so long to announce it like they did with sony when they waited A WEEK. Where is the governments saying they should have reported it sooner? Where are the thousands who blamed sony personally for getting?

Why is it no one lays siege to a company getting hacked except sony?

Used to work there when it happened

Yes they run a very important part of the internet.

Yes are they filled to the brim with IT knowledge.

However, when this event occurred it was I that rebuilt their constellation of DNS and TLD servers. Bull$hit they didn't know it happened. I used to work for Ken Silva.

Bunch of liars.

Re:Used to work there when it happened

Then I probably know you.

Isn't this the continuation of the time VeriSign was breached in 2008 because of an unpatched FTP server facing the Internet? The hack was traced all the way to a certain jump host that used to live in LS3 on an IBM x336. You know, the jump host with complete access to every server around the world. The one that started with an R and ended with a P? Yeah, that jump host.

Oh, and lots of other places throughout the network also. They got everywhere.

I was working for Brad Verd at that time. His ingenious solution was to run chkrootkit and rkhunter on every server around the world. I was one of the people that had to do this. We even had That French Woman(TM) running it on every server in BR, and totally f'ing it up. Yeah, that fixed the problem! Go Brad!

I'm pretty sure that this incident was never reported, which was probably illegal. I was told not to say anything for fear of my job. However, since I no longer work there...I don't need to keep silent.

Re:Used to work there when it happened

Hey John. How's it going? When did they let you go?

Re:Used to work there when it happened

[yuhong]

Good thing Ken Silva left VeriSign in Nov 2010, and notice it was after he left that the incident was finally reported.

Re:Used to work there when it happened

No, pushed out for incompetence. That's what happens after an internal investigation.

They're focused on the team

[Jay+L]

There is no "i" in VerSign.

Well, I mean sure, there's the other one, but there's no first "I".

I mean, yes, technically that second one becomes the first one, but.. Look, there just isn't.

If they can't say

[russotto]

I pretty much have to assume the worst: All their certificates were compromised and all their data was acquired. If they can't demonstrate these things didn't happen, they need to revoke and re-issue all their certificates, and re-sign those of their customers.

Re:If they can't say

Certs are only part of the issue... Verisign owns the DNS servers that control .com .net and .gov TLDs. If they were compromised the attackers could essentially own the Internet. Traffic to any domain could be re-routed, and if done right, with little notice by anyone. This is potentially a MAJOR breach.

Re:If they can't say

[basecastula+]

Just in time for tax season here in the US. Imagine getting 250 million credentials

Re:If they can't say

[Lanboy]

If someone had a copy of the Verisign root public keys, it doesn't matter if the providers get new keys, your browser would trust any certificate created by these keys. So if you connect to a website encrypted by certificates from a different CA, a man in the middle attack presenting a newly minted certificate using the stolen keys would not raise any alarm in any SSL browser that trusts that verisign root certificate. Which essentially means every browser in the world.

Not only would every provider need to get new certificates and intermediates, every end user browser would need to be patched to no longer trust the compromised x509 root keys.

People are still using internet explorer 6.0 . Good luck on that one.

I wonder if this has anything to do with why Verisign was so hot to change their root keys (10/10/2010) , though they stated that this was for the 2048bit keylength that will be manditory 1/1/2014 .

Re:If they can't say

[yuhong]

AFAIK IE uses the Windows SChannel built into to the OS. Thus the trusted CA lists etc are part of Windows.

Just one more nail...

[Cornwallis]

In 2009 Heartland Payment systems admitted to being hacked (150m+ credit card numbers swiped) and told the world at the exact moment the world was watching Oblama get inaugurated so nobody would notice...

TJX allows itself to be compromised for years...

Verisign - the keeper of the keys gets hacked and finally admits it...

Gee Uncle Roy! My moral compass is starting to swivel away from any notion to ever do the right thing again.

Verisign supports terrorism

[Nyder]

Verisign got hacked and didn't disclose it, so since they are hiding it, according to the new FBI flyer, then obviously, they are supporting terrorism.

I demand this company gets sent to Gitmo.

if you don't, then you are a terrorist also.

What really scares me...

[Shoten]

...is that the writer of the article doesn't have the slightest goddamned clue what he's talking about.

The attacks were serious because data stolen from Verisign's DNS could allow attackers to intercept unencrypted communications and redirect traffic to malicious web sites.

No, boy wonder. The DNS servers are not really the issue here. The issue is the PKI infrastructure which Verisign issues, and in particular the fact that Verisign is one of the few CAs that can issue Extended Verification (EV) certs. That a writer from a security-centric publication would not realize that Verisign is a major CA...or, in light of the events of the past 6 months what can happen when a CA gets hacked...is really fucking scary to me. He's supposed to be informing other people.

Re:What really scares me...

easy, spaghetti dick. the guy who wrote the article isnt surfing slashdot comments hoping for some more open-zipper wit from an unemployed guy that still lives in his parents basement.

if you see EV certs as being more important than owning DNS, you're just as retarded as your comment makes you out to be.

Re:What really scares me...

Apparently controlling 2 of the 13 root DNS servers is no big deal to you?

If they got the keys to the Verisign PKI root cert

[Lanboy]

If the root PKI private keys were lifted from the site then whoever had them could create valid ssl certificates for any DNS hostname that every browser and ssl stack in the world would view as real. If the same users were able to put themselves in the correct place in the network or be able to do a successful DNS poisoning attack, they would then be able to undetectably capture all data protected by the SSL public key infrastructure. So pretty much all internet data would be suspect.

I assume that this did not happen, as these super hackers would have access to huge swaths of the accounts and sensitive user information for for every e-commerce site in the world. You know your bank accounts and paypal and apple ids and credit card info. Those tax returns you do online, ssl vpns, ipsec vpns secured with x509 certificates, corporate mail, stock brokerage accounts. They would be able to relay mail undetectably thru every mail server that permits relay with authentication. Nothing major. I personally would put my money in a sock in my bedroom, but nothing major.

Money Socks

[Dareth]

I would suggest you take a pair of socks and divide your money evenly between them so that you don't lose more than half your net worth.

I know I got about 50 socks in my sock drawer right now, but very very few matching pairs for some reason!

I'm so glad

[smash]

... that our entire security infrastructure for the internet is in the hands of such honest, open and competent individuals.

Not stolen, shared

[sita]

I thought we learnt this from the *AA against the world debate. Stealing is taking something away from the owner denying him the use of it. Nothing was taken away from Verisign. Somethings may have been shared, which may or may not take some future business away from Verisign, since people can now get their own trusted SSL certs. Copyright wasn't meant to be eternal, they have had their time limited monopoly on those keys. Society will profit as prices for EV certs will now go through the floor. Verisign can always do live performances or merchandize or something.

Verisign, Inc.statemet

[AllenKelly]

I work for Symantec and wanted to clarify that Verisign, Inc. was compromised, not the Trust Services (SSL, User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec. Symantec was NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing. Here is the Verisign, Inc. statement on the 2010 security breach - vrsn.cc/AwJBFb

VRSN is not SYMC.

[AllenKelly]

I work for Symantec and just wanted to clarify that the Trust Services (SSL, User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.