Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen

mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."

Re:Who is "Versign"?

[AnInkle]

Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...

Re:2010 or last year?

[ackthpt]

If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?

It was last year, last year, but this year it's last year's last year.

Hope that's clear enough now.

Re:Who is "Versign"?

[Hawke]

Verisign runs the top-level domain DNS servers for com, net, edu, cc, name, and a few other smaller ones. If you lookup gmail (ignoring caching), you have to ask Verisign-owned servers where the google DNS servers are, so you can ask those servers what the gmail IP address is. For the security of the internet: it's pretty important.

Until late 2010, Verisign also ran the dominant SSL business. That red circle with the black digitized check at the bottom of your bank's web page? Yeah, that. The SSL business was sold to Symantec, are are trying to slowly rebrand. For the security of the internet, SSL is also kinda important.

Re:Uncertainty is refreshing

[dgatwood]

If I had an unknown intrusion at a CA, first thing I'd be doing is generating a new root key, getting that into all the Web browsers, then revoking and generating new keys in the hierarchy.

And causing millions of IE6 users to no longer be able to access their online banking. For a service of this size, the revocation costs are huge.

Besides, if they designed their systems in even a halfway competent manner, stealing the private key through a hack should be essentially impossible. A properly designed key signing service involves a standalone signing server that runs no services other than the signing service. The signing service accepts incoming connections, reads data in a byte at a time until either an EOF marker is reached or a certain number of bytes have been read, then sends back a signed copy of that data, then closes the connection. There is basically no way that such a service can be hacked (barring incredibly stupid programming) because it has essentially zero attack surface. Therefore, there should be essentially zero possibility of the private key being compromised (theoretical timing attacks on the key notwithstanding).

The worst case scenario is that they signed some things that they shouldn't have. However, even if they did, the CA should have an offline log that cannot feasibly be compromised (on the signing server itself), which means that the bogus keys can be revoked individually instead of revoking the master key that signed them.

Stealing customer data is somewhat more plausible—email addresses, mailing addresses, phone numbers, billing data, etc. Stealing the private key is pretty unlikely unless the CA is incompetent.