Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen
mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked, but it cannot rule it out. Symantec, which bought its certificate business in 2010, also says that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."
"It's too soon to say."
Leaving aside probable bad judgment on the security team's part in not informing management, doesn't a company like Verisign have standardized/mandatory issue tracking policies in place so it wouldn't even be a question of judgment on a team's part to inform management? Management should have a system in place to make sure they know what's going on security-wise in a business whose entire selling point is security.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The letter "i", apparently.
Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...
Like the subject says: Who is "Versign"? /first post please?!?!?!
It's the company formerly known as Verisign that has been hacked and had some characters stolen by hackers, including an 'i' in its name.
Ezekiel 23:20
If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?
It was last year, last year, but this year it's last year's last year.
Hope that's clear enough now.
A feeling of having made the same mistake before: Deja Foobar
Until late 2010, Verisign also ran the dominant SSL business. That red circle with the black digitized check at the bottom of your bank's web page? Yeah, that. The SSL business was sold to Symantec, who are trying to slowly rebrand. For the security of the internet, SSL is also kinda important.
Verisign is still the most important internet authority; they sell most of those SSL certificates that enable internet business. Also, they manage the .COM and .NET domain system. It has always been feared that if they get hacked the internet economy might collapse. Even now it is perhaps better just to play it down and figure out how to lower their influence.
Yes, they run a very important part of the internet.
Yes, they are filled to the brim with IT knowledge.
However, when this event occurred it was I that rebuilt their constellation of DNS and TLD servers. Bull$hit they didn't know it happened. I used to work for Ken Silva.
Bunch of liars.
And causing millions of IE6 users to no longer be able to access their online banking. For a service of this size, the revocation costs are huge.
Besides, if they designed their systems in even a halfway competent manner, stealing the private key through a hack should be essentially impossible. A properly designed key signing service involves a standalone signing server that runs no services other than the signing service. The signing service accepts incoming connections, reads data in a byte at a time until either an EOF marker is reached or a certain number of bytes have been read, then sends back a signed copy of that data, then closes the connection. There is basically no way that such a service can be hacked (barring incredibly stupid programming) because it has essentially zero attack surface. Therefore, there should be essentially zero possibility of the private key being compromised (theoretical timing attacks on the key notwithstanding).
The worst case scenario is that they signed some things that they shouldn't have. However, even if they did, the CA should have an offline log that cannot feasibly be compromised (on the signing server itself), which means that the bogus keys can be revoked individually instead of revoking the master key that signed them.
Stealing customer data is somewhat more plausible—email addresses, mailing addresses, phone numbers, billing data, etc. Stealing the private key is pretty unlikely unless the CA is incompetent.
Check out my sci-fi/humor trilogy at PatriotsBooks.
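The signing-service design in the comment above, worked through as an added example. This is not code from the original post, nor from Verisign or Symantec; Ed25519 from Go's standard library stands in for whatever key type a real CA would use, the names (maxRequest, Signer, LogEntry, Handle, ServeConn) are chosen here, and the payload is a constructed sample. It keeps to the design as described: the service reads bytes until EOF or a size cap, signs them, writes an append-only record on the signing host, and returns the signature. Oversized input is refused before signing, so it never reaches the log; everything else that arrives on the socket is signed, which is why the log is what makes individual revocation possible later.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net"
	"sync"
	"time"
)

// The entire request protocol: bytes until EOF, capped at maxRequest (chosen here).
const maxRequest = 4096

var errTooLarge = errors.New("request exceeds maxRequest bytes")

// LogEntry is one record of the append-only log kept on the signing host itself,
// so an auditor can list exactly what was signed and revoke items one at a time.
type LogEntry struct {
	When   time.Time
	Digest string // hex SHA-256 of the signed payload
	Sig    string // hex Ed25519 signature over the payload
}

// Signer holds the one private key and the one log; nothing else is exposed.
type Signer struct {
	priv ed25519.PrivateKey
	mu   sync.Mutex
	log  []LogEntry
}

func NewSigner() (*Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

func (s *Signer) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Handle serves one request: read until EOF or the cap, refuse oversized input
// before signing (so it never reaches the log), then sign, log and return.
func (s *Signer) Handle(r io.Reader) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxRequest+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxRequest {
		return nil, errTooLarge
	}
	sig := ed25519.Sign(s.priv, data)
	sum := sha256.Sum256(data)
	s.mu.Lock()
	s.log = append(s.log, LogEntry{time.Now().UTC(), hex.EncodeToString(sum[:]), hex.EncodeToString(sig)})
	s.mu.Unlock()
	return sig, nil
}

// Log returns a copy of the signing log for offline audit.
func (s *Signer) Log() []LogEntry {
	s.mu.Lock()
	defer s.mu.Unlock()
	return append([]LogEntry(nil), s.log...)
}

// ServeConn is the only network behaviour: one request, one reply, close.
// The client writes its bytes and half-closes (TCP CloseWrite) to signal EOF.
// A refused request gets no reply, just a closed connection.
func (s *Signer) ServeConn(c net.Conn) {
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	if sig, err := s.Handle(c); err == nil {
		c.Write(sig)
	}
}

func main() {
	s, err := NewSigner()
	if err != nil {
		panic(err)
	}
	payload := []byte("CN=example.test (constructed sample to-be-signed blob)")
	sig, err := s.Handle(bytes.NewReader(payload))
	fmt.Println("signed:", err == nil, "verifies:", ed25519.Verify(s.PublicKey(), payload, sig))
	_, err = s.Handle(bytes.NewReader(make([]byte, maxRequest+1)))
	fmt.Println("oversized request refused:", err)
	fmt.Println("log entries:", len(s.Log()))
}
```

To run it as the standalone service the comment describes, pair ServeConn with a net.Listener accept loop on a host that runs nothing else; the client sends the to-be-signed bytes, calls CloseWrite on its TCP connection, and reads the signature back. Note that the size cap and the log are the only controls in this design: whoever can reach the socket gets a signature, so the log (kept on the signer, not on the connected host) is what lets the operator find and revoke individual bogus signatures rather than the key.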