
VeriSign hit by hackers - megamark16
http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
======
andrewheins
_"Oh my God," said Stewart Baker, former assistant secretary of the Department
of Homeland Security and before that the top lawyer at the National Security
Agency. "That could allow people to imitate almost any company on the Net."_

Does anyone else feel this line is more suited to a Hollywood movie than a
Reuters release?

~~~
Terretta
I found it refreshing -- an official didn't try to downplay the issue. The
reporter likely included the comment verbatim for that very reason, as in,
"OMG, this is super serial."

------
fragsworth
I don't understand why we trust lone authentication services. They are single
points of failure. SSL Certificates should be validated by a _collection_ of
independent certificate authorities. If not all of the authorities agree on
the certificate, that's a sign there is hacking going on - or a sign that not
all of the services have synchronized the certificate.

If we do it this way, a hacker who wants to try to imitate a site can't get
away with compromising just one certificate authority. They'd have to
compromise _all_ of them, which (if there are enough) would be nearly
impossible.

~~~
EGreg
Well, how do you distribute trust? Do you have a quorum or something?

Consider this ... what if I wanted to introduce doubt that X is really
verified, and thereby hurt their business. How can you avoid me doing stuff
like that? Besides harsh laws of course.

~~~
nknight
> _Well, how do you distribute trust? Do you have a quorum or something?_

Basically, yes.

> _Consider this ... what if I wanted to introduce doubt that X is really
> verified, and thereby hurt their business. How can you avoid me doing stuff
> like that? Besides harsh laws of course._

By not trusting _you_.

Right now, what happens is the browser and/or OS vendor determines a set of
certificate authorities to declare "trusted", and all certificates they issue
are simply assumed to be valid.

Instead, we could require, say, three signatures, each from different
authorities, to invoke the normal "this is a secure connection to a properly-
identified website" behavior.

But each of those authorities was still determined by the vendor to be
trustworthy. It's still going to be the likes of e.g. VeriSign, Comodo,
StartSSL, etc.. It's not going to be _you_.
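
The quorum rule described above (three signatures, each from a different vendor-trusted authority), together with fragsworth's earlier point that disagreement among authorities is itself a warning sign, as an added example that is not part of the original thread. It is Python; HMAC over the certificate bytes stands in for each authority's real signature, and the authority names, keys and certificate string are all constructed for the demonstration.

```python
"""Quorum-of-authorities certificate validation (added example).

HMAC stands in for each CA's signature; a real deployment would verify
X.509 signatures against the roots in the vendor's trust store.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed certificate body; in practice this is the DER-encoded TBSCertificate.
CERT = b"CN=www.example.com,O=Example Corp;pubkey=<constructed>;notAfter=2013-01-01"


@dataclass
class Authority:
    name: str
    key: bytes  # constructed secret, standing in for the CA's private signing key

    def sign(self, cert: bytes) -> bytes:
        return hmac.new(self.key, cert, hashlib.sha256).digest()

    def verify(self, cert: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(cert), sig)


@dataclass
class QuorumResult:
    accepted: bool
    valid_signers: list = field(default_factory=list)        # trusted CAs whose signature checks out
    ignored_signers: list = field(default_factory=list)      # signers the vendor never trusted
    disagreeing_signers: list = field(default_factory=list)  # trusted CAs whose signature fails


def verify_quorum(cert, signatures, trust_store, threshold=3):
    """signatures: list of (authority_name, sig). trust_store: {name: Authority}, chosen by the vendor."""
    result = QuorumResult(accepted=False)
    for name, sig in signatures:
        ca = trust_store.get(name)
        if ca is None:
            # Anyone outside the trust store can neither vouch for nor cast doubt on the cert.
            result.ignored_signers.append(name)
        elif ca.verify(cert, sig):
            result.valid_signers.append(name)
        else:
            # A trusted CA that does not agree: possible compromise or an unsynchronised CA;
            # either way the connection should not get the "secure" treatment.
            result.disagreeing_signers.append(name)
    distinct_ok = len(set(result.valid_signers))  # the same CA signing twice counts once
    result.accepted = distinct_ok >= threshold and not result.disagreeing_signers
    return result


def build_trust_store():
    # Constructed keys; a browser or OS vendor ships real root certificates instead.
    return {n: Authority(n, f"secret-{n}".encode()) for n in ("CA-A", "CA-B", "CA-C", "CA-D")}


def scenario_honest_quorum():
    """Three of the four trusted CAs sign; CA-D declining does not block acceptance."""
    store = build_trust_store()
    sigs = [(n, store[n].sign(CERT)) for n in ("CA-A", "CA-B", "CA-C")]
    return verify_quorum(CERT, sigs, store)


def scenario_single_compromised_ca():
    """An attacker holding only CA-B's key cannot reach the threshold, even by signing twice."""
    store = build_trust_store()
    forged = b"CN=www.example.com;pubkey=<attacker-controlled, constructed>"
    sigs = [("CA-B", store["CA-B"].sign(forged)), ("CA-B", store["CA-B"].sign(forged))]
    return verify_quorum(forged, sigs, store)


def scenario_outsider_and_disagreement():
    """An untrusted party is ignored; a trusted CA whose signature fails blocks acceptance."""
    store = build_trust_store()
    outsider = Authority("Outsider-CA", b"not in any trust store")  # constructed
    sigs = [(n, store[n].sign(CERT)) for n in ("CA-A", "CA-B", "CA-C")]
    sigs.append(("Outsider-CA", outsider.sign(CERT)))
    sigs.append(("CA-D", b"\x00" * 32))  # trusted CA, signature does not verify
    return verify_quorum(CERT, sigs, store)


if __name__ == "__main__":
    for fn in (scenario_honest_quorum, scenario_single_compromised_ca, scenario_outsider_and_disagreement):
        print(fn.__name__, fn())
```

The trust store is still the vendor's list, so a signer outside it (the "you" in the exchange above) changes nothing either way, while one compromised trusted key only yields one of the three required signatures. A trusted authority that actively disagrees is treated as a reason to withhold the secure indicator rather than as one vote among several, which is the conservative reading of the "not all of the authorities agree" case.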

~~~
EGreg
But what if Verisign really doesn't like Bank of America, can they cast doubt
on their websites now?

~~~
nknight
No, but if they could and did, their business would come to an abrupt end when
browsers stopped trusting them anyway.

~~~
EGreg
What if everyone did it to some company?

~~~
nknight
That is in no way different than the current situation. If all of the dozens
of trusted certificate authorities the world over have decided that they
shouldn't provide certs for company X, you should probably be looking to
company X for the problem, rather than the authorities.

In any case, users have always had the option of modifying the trust
infrastructure or even ignoring it entirely.

~~~
EGreg
Let me rephrase. What if every cert authority might do it to some company
(different companies for different cert authorities)?

How would you even know if they did?

------
hendzen
Another day, another APT reported by some company integral to the
technological infrastructure of the US (and the world in this case). When will
we take real, substantive action on this issue?

~~~
marshray
_When will we take real, substantive action on this issue?_

Got any new ideas? (seriously)

~~~
hendzen
Perhaps some kind of cyber-warfare non-proliferation treaty akin to START.
Nation states agree to not launch APTs against each other, and pledge to
prosecute any of their citizens that launch such attacks independently.

~~~
marshray
What would you do when there are still targeted attacks launched via
compromised systems from random unrelated countries used as proxies?

------
larrys
As an aside, registrar interactions with Verisign have several security layers
involved to prevent someone from accessing and changing domain dns (we deal
with this as a registrar). Of course those methods are only as secure as the
particular registrar defenses are. As are the nameservers used in any
particular domain.

------
pittsburgh
The Reuters article provides no details about the security breach, so I did
some digging. The most I could find was VeriSign's original SEC filing at
[http://www.sec.gov/Archives/edgar/data/1014473/0001193125112...](http://www.sec.gov/Archives/edgar/data/1014473/000119312511285850/d219781d10q.htm)

From the filing: _We experienced security breaches in the corporate network in
2010 which were not sufficiently reported to Management._

_In 2010, the Company faced several successful attacks against its corporate
network in which access was gained to information on a small portion of our
computers and servers. We have investigated and do not believe these attacks
breached the servers that support our Domain Name System (“DNS”) network.
Information stored on the compromised corporate systems was exfiltrated. The
Company’s information security group was aware of the attacks shortly after
the time of their occurrence and the group implemented remedial measures
designed to mitigate the attacks and to detect and thwart similar additional
attacks. However, given the nature of such attacks, we cannot assure that our
remedial actions will be sufficient to thwart future attacks or prevent the
future loss of information. In addition, although the Company is unaware of
any situation in which possibly exfiltrated information has been used, we are
unable to assure that such information was not or could not be used in the
future._

_The occurrences of the attacks were not sufficiently reported to the
Company’s management at the time they occurred for the purpose of assessing
any disclosure requirements. Management was informed of the incident in
September 2011 and, following the review, the Company’s management concluded
that our disclosure controls and procedures are effective. However, the
Company has implemented reporting line and escalation organization changes,
procedures and processes to strengthen the Company’s disclosure controls and
procedures in this area. See Item 4 “Controls and Procedures” in Part I of
this report._

It's interesting to note that the SEC issued guidelines on the reporting of
security breaches on October 13th, 2011
([http://www.sec.gov/divisions/corpfin/guidance/cfguidance-top...](http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm))
and VeriSign's SEC filing was released about two weeks later on October 28th,
2011. It could be the case that the security breach wasn't actually a major
one, but because the SEC guidelines were so new they thought it prudent to
mention even a minor security breach.

From this filing, there's no way to know the severity of the breach, which is
why I think it's unfair for Reuters to make this seem like a bigger deal than
it might actually be. (They mention the RSA security breach which _was_ a huge
deal, and they suggest the attack was done by a "nation-state".) It reads like
an article written by Nancy Grace.

Of course it _could_ be the case that this was a major attack carried out by
China, but it could also be a mundane attack on a public web server that
wouldn't have made the news if not for the timing of the recent SEC
guidelines. There's just no way to know from the information available.

~~~
larrys
You said:

"I think it's unfair for Reuters to make this seem like a bigger deal than it
might actually be"

The filing says:

"the Company faced several successful attacks against its corporate network in
which access was gained to information on a small portion of our computers and
servers"

The headline was:

"Key Internet operator VeriSign hit by hackers"

This wasn't the lead story on the nightly news. It was a Reuters article with
a fair headline for what happened. The mere fact that they reported it in
their filings but didn't disclose it to company management is a problem right
there.

~~~
endersshadow
This delightful fear-mongering quote from a former DHSer is in the article:

"Oh my God," said Stewart Baker, former assistant secretary of the Department
of Homeland Security and before that the top lawyer at the National Security
Agency. "That could allow people to imitate almost any company on the Net."

The point is that this was a small attack that affected a very small part of
the company that they don't believe has any lasting implications to their
business. You get an article with quotes like that from such a small attack,
and it makes you raise an eyebrow.

~~~
count
Heh, isn't that what the RSA breach was at first, too?

------
Cyndre
Am I the only one that wonders if Symantec is the right company to be in
control of VeriSign???

To me it seems that there would be a little bit of a conflict of interest
around owning an antivirus company and the tool that tells you a site is who
they say they are.

I know this sounds a little crazy, but think about it before you downvote me.

------
nkassis
This article doesn't have much detail on what the actual attack involved.
Anyone have actual details? I would assume that VeriSign has a very segregated
network and a breach somewhere would have a hard time propagating to their
more important things like their CA signing server and .com stuff.

~~~
marshray
The (reported) fact that they were hacked repeatedly in 2010 and the CTO at
that time (claims he) didn't learn of it until Reuters called him for a
comment doesn't exactly paint a reassuring picture.

I bet Symantec is a little irritated that they bought the VeriSign^TM CA
business in 2010. Are they going to want their money back?

If they can't prove there was no compromise of the private keys, will Symantec
reissue the 30 year VeriSign root certs?

EDIT: The SEC filing is here (keyword "breach")
[https://investor.verisign.com/secfiling.cfm?filingID=1193125...](https://investor.verisign.com/secfiling.cfm?filingID=1193125-11-285850&CIK=1014473)

Interesting how the filing mentions the threat to their DNS business. Perhaps
the potential risk to the root CA is no longer considered relevant since
they've sold it?

~~~
lawnchair_larry
_I bet Symantec is a little irritated that they bought the VeriSign^TM CA
business in 2010. Are they going to want their money back?_

Whatever security problems Verisign has had, Symantec's are far worse.

