Slashdot Mirror


Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen

mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."

27 of 85 comments

  1. "Not sure what was stolen" by Anonymous Coward · · Score: 3, Insightful

    "It's too soon to say."

    1. Re:"Not sure what was stolen" by Reasonable+Facsimile · · Score: 2
  2. Am I Supposed to Care? by kyrio · · Score: 2, Insightful

    Am I supposed to care about their hack? I don't trust Symantec or Verisign.

    1. Re:Am I Supposed to Care? by muon-catalyzed · · Score: 3, Interesting

      Verisign is still the most important internet authority, they sell most of those SSL certificates that enable internet business. Also they manage .COM and .NET domain system. It has always been feared that if they get hacked the internet economy might collapse. Even now it is perhaps better just to play it down and figure out how to lower their influence.

    2. Re:Am I Supposed to Care? by janeuner · · Score: 2

      [citation needed]

      This is like requesting citation for the assertion that most traffic tickets are written by police.

      If you don't know how to check the certificate chains that authenticate Regions, US Bank, Discover, TurboTax, E-Trade, etc, then Slashdot really isn't for you.

    3. Re:Am I Supposed to Care? by icebraining · · Score: 2

      Verisign alone might not, but Symantec (which now owns the "trust" business of Verisign), has 41.72% of the market, according to Netcraft: http://www.symantec.com/about/news/release/article.jsp?prid=20110526_01

  3. weird by Trepidity · · Score: 4, Insightful

    Leaving aside probable bad judgment on the security team's part in not informing management, doesn't a company like Verisign have standardized/mandatory issue tracking policies in place so it wouldn't even be a question of judgment on a team's part to inform management? Management should have a system in place to make sure they know what's going on security-wise in a business whose entire selling point is security.

    1. Re:weird by sycodon · · Score: 4, Funny

      "Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    2. Re:weird by PraiseBob · · Score: 2

      I think the result is that the people in charge of the security team, and the top management need to be fired. Security is their core business, and lack of communication about something so integral to their business indicates that the top management are such monstrous assholes that they've created a seriously dysfunctional corporate culture where communication doesn't happen.

      The security team had a huge failure. Management had an outright catastrophe. Management needs to be replaced entirely, which may well have happened already with Symantec buying them.

  4. What was stolen? by Kickasso · · Score: 5, Funny

    The letter "i", apparently.

    1. Re:What was stolen? by Sockatume · · Score: 4, Funny

      And twelve months, if we're to believe it was 2010 last year.

      --
      No kidding!!! What do you say at this point?
  5. 2010 or last year? by Racemaniac · · Score: 2

    If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?

    1. Re:2010 or last year? by ackthpt · · Score: 4, Informative

      If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?

      It was last year, last year, but this year it's last year's last year.

      Hope that's clear enough now.

      --
      A feeling of having made the same mistake before: Deja Foobar
    2. Re:2010 or last year? by eternaldoctorwho · · Score: 2

      Doctor, is that you?

  6. Re:Who's next? by sakdoctor · · Score: 2

    The self-appointed gate keeper, and purveyors of security are always the first to get hacked.

  7. Uncertainty is refreshing by s.o.terica · · Score: 2

    I'm actually impressed that they're admitting that they don't know. It seems wildly implausible that most statements about what was stolen during any given network hack are actually definitive.

    1. Re:Uncertainty is refreshing by tqk · · Score: 2

      I'm actually impressed that they're admitting that they don't know.

      I'm impressed they're admitting they've never heard of logservers. You know, those servers that're damned near inaccessible and do nothing but accept log event reports from all the other servers on their network?

      Either that, or their backup regime sucks.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    2. Re:Uncertainty is refreshing by dgatwood · · Score: 3, Informative

      If I had an unknown intrusion at a CA, first thing I'd be doing is generating a new root key, getting that into all the Web browsers, then revoking and generating new keys in the hierarchy.

      And causing millions of IE6 users to no longer be able to access their online banking. For a service of this size, the revocation costs are huge.

      Besides, if they designed their systems in even a halfway competent manner, stealing the private key through a hack should be essentially impossible. A properly designed key signing service involves a standalone signing server that runs no services other than the signing service. The signing service accepts incoming connections, reads data in a byte at a time until either an EOF marker is reached or a certain number of bytes have been read, then sends back a signed copy of that data, then closes the connection. There is basically no way that such a service can be hacked (barring incredibly stupid programming) because it has essentially zero attack surface. Therefore, there should be essentially zero possibility of the private key being compromised (theoretical timing attacks on the key notwithstanding).

      The worst case scenario is that they signed some things that they shouldn't have. However, even if they did, the CA should have an offline log that cannot feasibly be compromised (on the signing server itself), which means that the bogus keys can be revoked individually instead of revoking the master key that signed them.

      Stealing customer data is somewhat more plausible—email addresses, mailing addresses, phone numbers, billing data, etc. Stealing the private key is pretty unlikely unless the CA is incompetent.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.
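As an added illustration of the standalone signing service dgatwood describes above (this is editor-added example code, not anything from the commenter, Verisign or Symantec), the Go program below implements the whole per-connection protocol: read input until EOF or a byte limit, refuse anything over the limit rather than sign a truncated prefix, append a digest of what was signed to a local log before the signature leaves the box, and return the signature. The key is Ed25519 generated in memory, the size limit `MaxRequestBytes` is an assumed value, and the log is an in-process slice standing in for the offline, append-only record the comment calls for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// MaxRequestBytes bounds what the signer will read from one connection (assumed value).
const MaxRequestBytes = 4096

var (
	ErrTooLarge = errors.New("request exceeds size limit")
	ErrEmpty    = errors.New("empty request")
)

// LogEntry is one line of the signer's local, append-only record.
type LogEntry struct {
	When   time.Time
	Digest string // hex SHA-256 of the exact bytes that were signed
}

// Signer holds the private key and the local log; the key never leaves this struct.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	log  []LogEntry
}

// NewSigner generates a fresh in-memory key pair (constructed for the example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material the service ever hands out.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// Handle implements the protocol for one connection: read bounded bytes until EOF,
// refuse oversize or empty input, record the digest, then return the signature.
func (s *Signer) Handle(conn io.Reader) ([]byte, error) {
	// Read one byte past the limit so "exactly at the limit" and "over it" are distinguishable.
	data, err := io.ReadAll(io.LimitReader(conn, MaxRequestBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) == 0 {
		return nil, ErrEmpty
	}
	if len(data) > MaxRequestBytes {
		return nil, ErrTooLarge
	}
	sum := sha256.Sum256(data)
	// Log before returning, so every signature ever produced has a record
	// even if the caller disappears; rejected requests are never logged as signed.
	s.log = append(s.log, LogEntry{When: time.Now().UTC(), Digest: hex.EncodeToString(sum[:])})
	return ed25519.Sign(s.priv, data), nil
}

// Log returns a copy of the record, which is what lets an auditor revoke
// exactly the things that were signed instead of the key that signed them.
func (s *Signer) Log() []LogEntry {
	out := make([]LogEntry, len(s.log))
	copy(out, s.log)
	return out
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed to-be-signed certificate bytes") // constructed sample input
	sig, err := s.Handle(strings.NewReader(string(msg)))
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature verifies: %v, log entries: %d\n", ed25519.Verify(s.PublicKey(), msg, sig), len(s.Log()))
	_, err = s.Handle(strings.NewReader(strings.Repeat("A", MaxRequestBytes+1)))
	fmt.Println("oversize request:", err)
}
```

The one deliberate departure from the comment's wording is that an over-limit request is rejected instead of having its first N bytes signed; signing a prefix the caller never asked for would itself be a way to get an unintended signature, so the limit is a hard cap, not a truncation point.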

  8. Re:Who is "Versign"? by AnInkle · · Score: 3, Informative

    Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...

  9. Re:Who is "Versign"? by K.+S.+Kyosuke · · Score: 4, Funny

    Like the subject says: Who is "Versign"? /first post please?!?!?!

    It's the company formerly known as Verisign that has been hacked and had some characters stolen by hackers, including an 'i' in its name.

    --
    Ezekiel 23:20
  10. Re:Who is "Versign"? by Hawke · · Score: 4, Informative

    Verisign runs the top-level domain DNS servers for com, net, edu, cc, name, and a few other smaller ones. If you lookup gmail (ignoring caching), you have to ask Verisign-owned servers where the google DNS servers are, so you can ask those servers what the gmail IP address is. For the security of the internet: it's pretty important.

    Until late 2010, Verisign also ran the dominant SSL business. That red circle with the black digitized check at the bottom of your bank's web page? Yeah, that. The SSL business was sold to Symantec, who are trying to slowly rebrand. For the security of the internet, SSL is also kinda important.

  11. Re:Who is "Versign"? by ackthpt · · Score: 2

    Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...

    Prevents you from contacting them and interrupting their meetings, the ones where they all give each other big raises for "actualizing" and stuff, also allows them to keep their scheduled tee times.

    "Grandfather, you are old and senile, we can no longer take care of you. So we are sending you to an executive position at Verisign."

    --
    A feeling of having made the same mistake before: Deja Foobar
  12. Used to work there when it happened by Anonymous Coward · · Score: 3, Interesting

    Yes they run a very important part of the internet.

    Yes, they are filled to the brim with IT knowledge.

    However, when this event occurred it was I that rebuilt their constellation of DNS and TLD servers. Bull$hit they didn't know it happened. I used to work for Ken Silva.

    Bunch of liars.

  13. If they can't say by russotto · · Score: 2

    I pretty much have to assume the worst: All their certificates were compromised and all their data was acquired. If they can't demonstrate these things didn't happen, they need to revoke and re-issue all their certificates, and re-sign those of their customers.

    1. Re:If they can't say by Lanboy · · Score: 2

      If someone had a copy of the Verisign root public keys, it doesn't matter if the providers get new keys, your browser would trust any certificate created by these keys. So if you connect to a website encrypted by certificates from a different CA, a man-in-the-middle attack presenting a newly minted certificate using the stolen keys would not raise any alarm in any SSL browser that trusts that Verisign root certificate. Which essentially means every browser in the world.

      Not only would every provider need to get new certificates and intermediates, every end user browser would need to be patched to no longer trust the compromised x509 root keys.

      People are still using Internet Explorer 6.0. Good luck on that one.

      I wonder if this has anything to do with why Verisign was so hot to change their root keys (10/10/2010), though they stated that this was for the 2048-bit key length that will be mandatory 1/1/2014.
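The two points made above, russotto's that the certificates would need re-issuing and Lanboy's that re-issuing does nothing while clients still trust the old root, can be checked directly with Go's standard-library X.509 verifier. The program below is editor-added example code, not from any commenter or from Verisign; it builds an in-memory root CA and leaf certificates (all keys and names such as `bank.example` are constructed for the example), then asks what a client with a given trust store would accept. It models three trust-store states: the original root still trusted, the root removed, and a replacement root trusted with the bank's certificate re-issued under it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a certificate with the private key that goes with it (constructed in memory).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewRoot creates a self-signed root CA standing in for a root shipped in browser trust stores.
func NewRoot(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueLeaf signs a server certificate for host with this CA's key.
func (ca *CA) IssueLeaf(host string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedFor reports whether a client whose trust store holds exactly `roots` accepts leaf for host.
func TrustedFor(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // empty pool, not the system store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome records what each trust-store state accepts.
type Outcome struct {
	OldRootTrusted_Legit, OldRootTrusted_OtherCert bool // old root still in the store
	RootRemoved_Legit, RootRemoved_OtherCert       bool // old root removed, nothing added
	NewRoot_Reissued, NewRoot_OtherCert            bool // old root removed, replacement root trusted
}

// Scenario runs the thread's argument: while the old root is trusted, any certificate chaining
// to its key is accepted, re-issuing the bank's own certificate changes nothing, and only
// removing the root from clients (and trusting a replacement) fixes it.
func Scenario() (Outcome, error) {
	oldRoot, err := NewRoot("Constructed Old Root")
	if err != nil {
		return Outcome{}, err
	}
	legit, err := oldRoot.IssueLeaf("bank.example", 2) // the bank's real certificate
	if err != nil {
		return Outcome{}, err
	}
	other, err := oldRoot.IssueLeaf("bank.example", 3) // any other cert signed with the same root key
	if err != nil {
		return Outcome{}, err
	}
	newRoot, err := NewRoot("Constructed Replacement Root")
	if err != nil {
		return Outcome{}, err
	}
	reissued, err := newRoot.IssueLeaf("bank.example", 4) // the bank re-keyed under the new root
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		OldRootTrusted_Legit:     TrustedFor(legit, "bank.example", oldRoot.Cert),
		OldRootTrusted_OtherCert: TrustedFor(other, "bank.example", oldRoot.Cert),
		RootRemoved_Legit:        TrustedFor(legit, "bank.example"),
		RootRemoved_OtherCert:    TrustedFor(other, "bank.example"),
		NewRoot_Reissued:         TrustedFor(reissued, "bank.example", newRoot.Cert),
		NewRoot_OtherCert:        TrustedFor(other, "bank.example", newRoot.Cert),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The result that matters is the second row of the struct: once the old root is gone from the store, the bank's perfectly good certificate stops working too, which is the IE6 problem dgatwood and Lanboy both point at. Rotation therefore has to be a two-step: ship the replacement root to clients first, re-issue under it, and only then withdraw the old one.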

  14. Verisign supports terrorism by Nyder · · Score: 2

    Verisign got hacked and didn't disclose it, so since they are hiding it, according to the new FBI flyer, then obviously, they are supporting terrorism.

    I demand this company gets sent to Gitmo.

    if you don't, then you are a terrorist also.

    --
    Be seeing you...
  15. Re:Who is "Versign"? by SmurfButcher+Bob · · Score: 2

    ...'cause they currently use McAfee?

    --
    help me i've cloned myself and can't remember which one I am