
VeriSign hit by hackers

115 points by megamark16, over 13 years ago

7 comments

andrewheins, over 13 years ago
<i>"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."</i><p>Does anyone else feel this line is more suited to a Hollywood movie than a Reuters release?
fragsworth, over 13 years ago
I don't understand why we trust lone authentication services. They are single points of failure. SSL Certificates should be validated by a <i>collection</i> of independent certificate authorities. If not all of the authorities agree on the certificate, that's a sign there is hacking going on - or a sign that not all of the services have synchronized the certificate.<p>If we do it this way, a hacker who wants to try to imitate a site can't get away with compromising just one certificate authority. They'd have to compromise <i>all</i> of them, which (if there are enough) would be nearly impossible.
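The all-authorities-must-agree rule proposed in the comment above, sketched as an added example that is not part of the thread and not any CA's or browser's actual protocol. The function name, verdict strings, authority names and certificate bytes are all hypothetical and constructed for illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE = b"constructed-der:example.test:key-A"
ROGUE = b"constructed-der:example.test:key-B"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes."""
    return hashlib.sha256(der).hexdigest()


def check_agreement(presented: bytes, views: dict):
    """Compare the certificate a client was presented with against what
    each independent authority has on record for the same site.

    views maps authority name -> certificate bytes, or None when that
    authority has no record yet (the "not synchronized" case).
    Returns (verdict, disagreeing_authorities, missing_authorities).
    """
    if not views:
        raise ValueError("no authorities consulted; nothing to agree on")
    seen = fingerprint(presented)
    missing = sorted(n for n, v in views.items() if v is None)
    disagreeing = sorted(
        n for n, v in views.items()
        if v is not None and fingerprint(v) != seen
    )
    if disagreeing:
        # Any authority vouching for a different certificate blocks trust,
        # so a single compromised authority cannot win on its own.
        verdict = "reject"
    elif missing:
        # Nobody contradicts the certificate, but agreement is incomplete.
        verdict = "unsynchronized"
    else:
        verdict = "accept"
    return verdict, disagreeing, missing


if __name__ == "__main__":
    # One authority ("ca-a") has been compromised and vouches for ROGUE.
    print(check_agreement(ROGUE, {"ca-a": ROGUE, "ca-b": GENUINE, "ca-c": GENUINE}))
```
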
hendzen, over 13 years ago
Another day, another APT reported by some company integral to the technological infrastructure of the US (and the world in this case). When will we take real, substantive action on this issue?
larrys, over 13 years ago
As an aside, registrar interactions with Verisign have several security layers involved to prevent someone from accessing and changing domain DNS (we deal with this as a registrar). Of course those methods are only as secure as the particular registrar's defenses are. As are the nameservers used in any particular domain.
pittsburgh, over 13 years ago
The Reuters article provides no details about the security breach, so I did some digging. The most I could find was VeriSign's original SEC filing at <a href="http://www.sec.gov/Archives/edgar/data/1014473/000119312511285850/d219781d10q.htm" rel="nofollow">http://www.sec.gov/Archives/edgar/data/1014473/0001193125112...</a><p>From the filing: <i>We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.</i><p><i>In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.</i><p><i>The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.</i><p>It's interesting to note that the SEC issued guidelines on the reporting of security breaches on October 13th, 2011 ( <a href="http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm" rel="nofollow">http://www.sec.gov/divisions/corpfin/guidance/cfguidance-top...</a> ) and VeriSign's SEC filing was released about two weeks later on October 28th, 2011. It could be the case that the security breach wasn't actually a major one, but because the SEC guidelines were so new they thought it prudent to mention even a minor security breach.<p>From this filing, there's no way to know the severity of the breach, which is why I think it's unfair for Reuters to make this seem like a bigger deal than it might actually be. (They mention the RSA security breach which <i>was</i> a huge deal, and they suggest the attack was done by a "nation-state".) It reads like an article written by Nancy Grace.<p>Of course it <i>could</i> be the case that this was a major attack carried out by China, but it could also be a mundane attack on a public web server that wouldn't have made the news if not for the timing of the recent SEC guidelines. There's just no way to know from the information available.
Cyndre, over 13 years ago
Am I the only one that wonders if Symantec is the right company to be in control of VeriSign???<p>To me it seems that there would be a little bit of a conflict of interest around owning an antivirus company and the tool that tells you a site is who they say they are.<p>I know this sounds a little crazy, but think about it before you downvote me.
nkassis, over 13 years ago
This article doesn't have many details on what the actual attack involved. Anyone have actual details? I would assume that VeriSign has a very segregated network and a breach somewhere would have a hard time propagating to their more important things like their CA signing server and .com stuff.