VeriSign – the company behind the root DNS servers that provide the foundation for the Web, and formerly the largest encryption certificate authority – has revealed that it was repeatedly hacked in 2010. Details are sparse thus far, but the revelation calls into question the security of the Internet itself.
Let’s start with what (little) we know. The disclosure did not happen as a result of VeriSign discovering the breach and taking responsible, proactive action to alert customers and address the situation. No, VeriSign buried the information in a quarterly Securities and Exchange Commission (SEC) filing as if it was just another mundane tidbit.
IT staff at VeriSign allegedly discovered the compromise in 2010, but hid the incident from upper management until sometime in 2011. VeriSign itself may not be at fault for the initial delay in disclosure, but a significant amount of time appears to have passed since VeriSign executives learned of the breach, and yet the company still tried to slip the information quietly into an SEC filing.
Melih Abdulhayoglu, CEO of Comodo – a competitor in the certificate authority arena – said, “Only VeriSign knows the answer to why they waited so long to disclose the hack, but I assume that revealing this information would be damaging and they thought they could keep it quiet, thus ignoring the disclosure guidelines the SEC has put in place.”
John Gossels, President of SystemExperts, had some stronger words. “It is unfathomable that, given Verisign’s position in this industry, someone in the company did not report damaging attacks to senior management for more than a year. The delay in reporting the attacks put its customers at risk.”
The million-dollar question right now is “at risk of what?” or perhaps “how much risk?” So far, not enough detail has been shared publicly to determine how concerned we should really be. The risk depends on exactly what was hacked, or what information was compromised, and we don’t have those details.
Oliver Lavery, Director of Security Research and Development for nCircle, is frustrated at the lack of more specific information. “The appalling thing at this point is there is still no clarity about potential compromise of the x.509 certificate hierarchy. That would be potentially much more catastrophic than DNS, because DNS tampering is comparatively easy to detect.”
The certificate authority business of VeriSign was acquired by Symantec in 2010, so depending on the timing of the attacks it seems feasible that the private keys used to sign certificates could have been exposed. Lavery asks, “Can we trust any site using Verisign SSL certificates? Without more clarity, the logical answer is no.”
Symantec declined to comment directly on news of the VeriSign breach, but a spokesperson did assert, “The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.”
nCircle CTO Tim ‘TK’ Keanini points out that the hack itself isn’t the crux of the problem. No network is impervious, and a company as high-profile as VeriSign is a prime target. The key is that organizations need to do more to foster an environment where honesty and disclosure are valued. If the fear of negative consequences is greater than the incentive for quick disclosure and response, you end up with a situation where IT staff would rather hide evidence of a breach.