
Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen

Posted by timothy
from the losing-the-moral-high-ground dept.
mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."
  • by Anonymous Coward on Thursday February 02, 2012 @12:41PM (#38903559)

    "It's too soon to say."

    • If it's just "too soon to say" and nothing more, then every one of their security people should be fired & replaced with competent people. Why? Because 2012 should not be "too soon" after hacks in 2010, to know what was stolen. If they don't know, it's probably because the hackers were excellent at hiding their tracks on the system. Actually, it better be the reason, 'cause any other reason would mean incompetence at Verisign.
  • by kyrio (1091003)
    Am I supposed to care about their hack? I don't trust Symantec or Verisign.
    • by Anonymous Coward

      So, I guess you don't visit any .com or .net websites, ever? Since, you know, Verisign runs both of those TLDs.

    • by muon-catalyzed (2483394) on Thursday February 02, 2012 @01:13PM (#38903989)
      Verisign is still the most important internet authority; they sell most of those SSL certificates that enable internet business. Also they manage the .COM and .NET domain system. It has always been feared that if they get hacked the internet economy might collapse. Even now it is perhaps better just to play it down and figure out how to lower their influence.
      • by Jawnn (445279)

        Verisign is still the most important internet authority, they sell most of those SSL certificates that enable internet business.

        [citation needed]

  • weird (Score:5, Insightful)

    by Trepidity (597) on Thursday February 02, 2012 @12:43PM (#38903593)

    Leaving aside probable bad judgment on the security team's part in not informing management, doesn't a company like Verisign have standardized/mandatory issue tracking policies in place so it wouldn't even be a question of judgment on a team's part to inform management? Management should have a system in place to make sure they know what's going on security-wise in a business whose entire selling point is security.

    • Re:weird (Score:5, Funny)

      by sycodon (149926) on Thursday February 02, 2012 @12:49PM (#38903687)

      "Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

      • by sycodon (149926)

        Forgot the FTFY, or whatever the hell the acronym is.

      • by ackthpt (218170)

        "Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

        Followed by the Penn State University Board of Trustees attempting to sack them all, just in case that covered things and made everything alright.

    • by xeno314 (661565)
      Yeah, management doesn't want to have to look at anything like that except for maybe a demo of how cool it is. As long as they aren't being bombarded by board members or customers, they probably don't really care what's going on.
    • I think the result is that the people in charge of the security team, and the top management need to be fired. Security is their core business, and lack of communication about something so integral to their business indicates that the top management are such monstrous assholes that they've created a seriously dysfunctional corporate culture where communication doesn't happen.

      The security team had a huge failure. Management had an outright catastrophe. Management needs to be replaced entirely, which m
  • by Kickasso (210195) on Thursday February 02, 2012 @12:44PM (#38903607)

    The letter "i", apparently.

  • So RSA, Symantec and Verisign have all been hacked. Who's next? Kaspersky? Fortinet? Check Point?
    • The self-appointed gate keeper, and purveyors of security are always the first to get hacked.

      • by neonKow (1239288)

        Oh stop being melodramatic. How are they even close to the first to get hacked? Nearly every other industry has already been hacked.

  • by Racemaniac (1099281) on Thursday February 02, 2012 @12:47PM (#38903647)

    If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?

  • No way! This is so 20th century! In Star Trek: Enterprise, the Suliban were able to detect that the stolen data disks hadn't been duplicated. Clearly, it's high time to finally develop a method that would allow us to detect that we're not the only ones who have some piece of information.
    • And here I thought slashdot was anti DRM.

    • by Thuktun (221615)

      Clearly, it's high time to finally develop a method that would allow us to detect that we're not the only ones who have some piece of information.

      If such a technology ever arrives, you can bet that either the RIAA/MPAA invented it or they'll be on it like flies on sewage.

  • by s.o.terica (155591) on Thursday February 02, 2012 @12:49PM (#38903683)
    I'm actually impressed that they're admitting that they don't know. It seems wildly implausible that most statements about what was stolen during any given network hack are actually definitive.
    • by tqk (413719)

      I'm actually impressed that they're admitting that they don't know.

      I'm impressed they're admitting they've never heard of logservers. You know, those servers that're damned near inaccessible and do nothing but accept log event reports from all the other servers on their network?

      Either that, or their backup regime sucks.

      • Finding ways around syslogs is all the rage these days. It requires stealth. Oh, wait....

        My take is that this is a genuine catastrophe. If they can't figure out what happened, there is a systematic failure that's a near death-blow. Security is what Verisign and Symantec sell. Both have been compromised, and neither of them knew what or the extent of it, and, in at least one case, didn't inform management. If I were their board(s), I'd be lawyering up about now.

  • From Verisign to Yieldsign

  • by Anonymous Coward

    "Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011"
    Bullllllshit

  • "Symantec, which bought its certificate business in 2010": "its" refers to Verisign, not Symantec. Is there a more proper term for this (I know it's not a dangling participle)?
  • by Anonymous Coward on Thursday February 02, 2012 @01:27PM (#38904163)

    Yes they run a very important part of the internet.

    Yes, they are filled to the brim with IT knowledge.

    However, when this event occurred it was I that rebuilt their constellation of DNS and TLD servers. Bull$hit they didn't know it happened. I used to work for Ken Silva.

    Bunch of liars.

    • by Anonymous Coward

      Then I probably know you.

      Isn't this the continuation of the time VeriSign was breached in 2008 because of an unpatched FTP server facing the Internet? The hack was traced all the way to a certain jump host that used to live in LS3 on an IBM x336. You know, the jump host with complete access to every server around the world. The one that started with an R and ended with a P? Yeah, that jump host.

      Oh, and lots of other places throughout the network also. They got everywhere.

      I was working for Brad Verd at that

    • by yuhong (1378501)

      Good thing Ken Silva left VeriSign in Nov 2010, and notice it was after he left that the incident was finally reported.

  • by russotto (537200) on Thursday February 02, 2012 @01:57PM (#38904549) Journal

    I pretty much have to assume the worst: All their certificates were compromised and all their data was acquired. If they can't demonstrate these things didn't happen, they need to revoke and re-issue all their certificates, and re-sign those of their customers.

    • by Lanboy (261506)

      If someone had a copy of the Verisign root public keys, it doesn't matter if the providers get new keys, your browser would trust any certificate created by these keys. So if you connect to a website encrypted by certificates from a different CA, a man in the middle attack presenting a newly minted certificate using the stolen keys would not raise any alarm in any SSL browser that trusts that verisign root certificate. Which essentially means every browser in the world.

      Not only would every provider need to

      • by yuhong (1378501)

        AFAIK IE uses the Windows SChannel built into the OS. Thus the trusted CA lists etc. are part of Windows.

  • In 2009 Heartland Payment systems admitted to being hacked (150m+ credit card numbers swiped) and told the world at the exact moment the world was watching Oblama get inaugurated so nobody would notice...

    TJX allows itself to be compromised for years...

    Verisign - the keeper of the keys gets hacked and finally admits it...

    Gee Uncle Roy! My moral compass is starting to swivel away from any notion to ever do the right thing again.

  • by Nyder (754090) on Thursday February 02, 2012 @03:39PM (#38906337) Journal

    Verisign got hacked and didn't disclose it, so since they are hiding it, according to the new FBI flyer, then obviously, they are supporting terrorism.

    I demand this company gets sent to Gitmo.

    if you don't, then you are a terrorist also.

  • ...is that the writer of the article doesn't have the slightest goddamned clue what he's talking about.

    The attacks were serious because data stolen from Verisign's DNS could allow attackers to intercept unencrypted communications and redirect traffic to malicious web sites.

    No, boy wonder. The DNS servers are not really the issue here. The issue is the PKI infrastructure which Verisign issues, and in particular the fact that Verisign is one of the few CAs that can issue Extended Verification (EV) certs.

  • If the root PKI private keys were lifted from the site then whoever had them could create valid ssl certificates for any DNS hostname that every browser and ssl stack in the world would view as real. If the same users were able to put themselves in the correct place in the network or be able to do a successful DNS poisoning attack, they would then be able to undetectably capture all data protected by the SSL public key infrastructure. So pretty much all internet data would be suspect.

    I assume that this did

    • I would suggest you take a pair of socks and divide your money evenly between them so that you don't lose more than half your net worth.

      I know I got about 50 socks in my sock drawer right now, but very very few matching pairs for some reason!
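The root-key scenario that Lanboy and the "If the root PKI private keys were lifted" post describe, set against russotto's "revoke and re-issue" response, as an added Go example that is not part of this thread and is not Verisign's, Symantec's or any browser's code. It builds a constructed root ("Example Root CA") and site name ("bank.example"), models a copied root key signing a certificate the site never requested, and shows that re-issuing the site's own certificate changes nothing for a client, while removing the old root from the trust store and cutting over to a new root does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// "Example Root CA" and "bank.example" are constructed for this demo.

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template returns a certificate skeleton valid for the next 24 hours.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newRoot creates a self-signed CA certificate together with its private key.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := template(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueLeaf signs a server certificate for host with caKey. The output looks
// the same whether the legitimate CA or someone holding a copy of caKey ran it.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := template(serial, host)
	tmpl.DNSNames = []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// trusted does what a TLS client does: chain leaf to a root in the store and
// check the host name. Nothing here can distinguish a forged leaf from a real one.
func trusted(store *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// Outcome records what each step of the scenario shows.
type Outcome struct {
	ForgedTrusted, ForgedTrustedAfterReissue, ForgedBlockedByNewRoot, FreshTrusted bool
}

// Scenario walks through a root-key compromise and two candidate responses.
func Scenario() Outcome {
	var o Outcome
	root, rootKey := newRoot("Example Root CA")
	store := x509.NewCertPool() // stands in for a browser or OS trust store
	store.AddCert(root)
	// Compromise modelled: the root key signs a cert for a name the site never requested.
	forged := issueLeaf(root, rootKey, "bank.example", 99)
	o.ForgedTrusted = trusted(store, forged, "bank.example")
	// Response 1: re-issue the site's own certificate. The forged one is untouched.
	_ = issueLeaf(root, rootKey, "bank.example", 2)
	o.ForgedTrustedAfterReissue = trusted(store, forged, "bank.example")
	// Response 2: distrust the old root entirely and cut over to a new one.
	root2, rootKey2 := newRoot("Example Root CA G2")
	store2 := x509.NewCertPool()
	store2.AddCert(root2)
	o.ForgedBlockedByNewRoot = !trusted(store2, forged, "bank.example")
	fresh := issueLeaf(root2, rootKey2, "bank.example", 3)
	o.FreshTrusted = trusted(store2, fresh, "bank.example")
	return o
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Run with `go run`; all four Outcome fields come out true. The design point is the one Lanboy makes: the client's decision rests entirely on which roots sit in its store, so the only response that actually helps against a suspected root-key compromise is a trust-store change (old root removed, new root shipped), which in practice means browser and OS vendor updates rather than re-issuing end-entity certificates.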

  • ... that our entire security infrastructure for the internet is in the hands of such honest, open and competent individuals.
  • I thought we learnt this from the *AA against the world debate. Stealing is taking something away from the owner denying him the use of it. Nothing was taken away from Verisign. Somethings may have been shared, which may or may not take some future business away from Verisign, since people can now get their own trusted SSL certs. Copyright wasn't meant to be eternal, they have had their time limited monopoly on those keys. Society will profit as prices for EV certs will now go through the floor. Verisign ca

  • I work for Symantec and wanted to clarify that Verisign, Inc. was compromised, not the Trust Services (SSL, User Authentication (VIP, PKI, FDS)) and other production systems acquired by Symantec. Symantec was NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing. Here is the Verisign, Inc. statement on the 2010 security breach: vrsn.cc/AwJBFb
  • I work for Symantec and just wanted to clarify that the Trust Services (SSL, User Authentication (VIP, PKI, FDS)) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.
