VeriSign breach revelation raises questions of SSL cert, DNS compromise

By | February 03, 2012

Posted in: Network Security Trends


Joseph Menn of Reuters reported on Thursday on a series of attacks on VeriSign in 2010. He had picked up on a brief notice buried in VeriSign’s quarterly 10-Q filing with the SEC. On page 33 of that 43-page document we find:

“In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers.... Information stored on the compromised corporate systems was exfiltrated.... In addition, although the company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

At the time of these penetrations, VeriSign carried two critical infrastructure responsibilities: operating the authoritative name servers for the .com, .net and .gov top-level domains, and issuing digital certificates for SSL. VeriSign sold the certificate business to Symantec later in 2010, but that is no assurance that information gleaned in the attacks is not still useful to the attackers. Symantec, of course, has had its own recent embarrassment, having admitted that it only just discovered that some of its source code was stolen in 2006.

I wrote about the seriousness of attacks on certificate authorities previously on Security Bistro; I called it the most important breach of 2011 because it has disrupted the inherent trust in site certificates that is built into every browser. A browser accepts any certificate that chains to one of its trusted roots, so a certificate minted by a compromised CA is indistinguishable from a legitimate one. The Comodohacker, who claims credit for the attack, aligns himself with the Iranian regime, which did indeed use newly minted SSL certificates to execute man-in-the-middle attacks against its own citizens. The threat is real, and these successful attacks against VeriSign are worrisome in the same way.

VeriSign’s DNS infrastructure is truly the primary plumbing of the Web. As such, it is almost continuously under attack. Distributed denial-of-service attacks against its root servers are frequent. VeriSign has had to build out redundant data centers across the globe, with multiple redundant servers in each, sized to absorb peak loads of ten times the expected average.

But an attacker who gained access to VeriSign’s back-end systems could wreak havoc: the delegation records published in the .com zone decide which name servers the rest of the Internet asks about a domain, so anyone who can alter them can take websites down or redirect them to fake sites at will. DNSSEC does not close that hole, since a registry that signs its own zone would sign the altered records too. The implications, as Joseph Menn points out, are chilling. VeriSign’s security team took corrective measures and, one hopes, is now taking extraordinary precautions to prevent further incursions.
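The practical lesson for a domain owner is that the delegation the registry publishes for your domain is something you should watch yourself rather than trust blindly. The script below is an added example written for this article, not VeriSign’s tooling or anything from the Reuters report: it parses a trusted baseline of a domain’s NS and glue records and a fresh observation of the same records, then reports every difference. The zone lines, the domain example.com, and the attacker name server ns.attacker.example are all constructed for the demonstration; a real deployment would fetch the observed set from the TLD’s authoritative servers on a schedule.

```python
"""Delegation-change monitor.

Added example for this article (constructed data, not VeriSign's code).
An attacker with write access to a registry's back end can redirect a
domain in two ways: swap the NS names in the delegation, or leave the
names alone and change only the glue A/AAAA address they resolve to.
This monitor catches both by diffing against a baseline you control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified and lower-cased
    rtype: str  # NS, A, AAAA, ...
    rdata: str  # name server hostname or address


def parse_zone_lines(text):
    """Parse zone-file style lines 'owner TTL IN TYPE rdata' into a set of Records.

    ';' comments and blank lines are skipped.  Owner names and NS targets are
    lower-cased and given a trailing dot so cosmetic differences between two
    snapshots do not produce false alerts.
    """
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        name, rtype, rdata = parts[0], parts[3].upper(), " ".join(parts[4:])
        if rtype in ("NS", "CNAME"):
            rdata = rdata.lower().rstrip(".") + "."
        records.add(Record(name.lower().rstrip(".") + ".", rtype, rdata))
    return records


def delegation_alerts(baseline, observed):
    """Return sorted (severity, message) tuples for every NS or glue difference.

    Only NS and glue A/AAAA records are compared; those are what a
    registry-level attacker would change to redirect traffic.  Records are
    grouped by (owner, type), so each removed and added value is reported
    separately.  An NS change is CRITICAL (the delegation itself moved);
    a glue change is HIGH (same name server name, different address).
    """
    def index(records):
        idx = {}
        for r in records:
            if r.rtype in ("NS", "A", "AAAA"):
                idx.setdefault((r.name, r.rtype), set()).add(r.rdata)
        return idx

    before, after = index(baseline), index(observed)
    alerts = []
    for name, rtype in sorted(set(before) | set(after)):
        old = before.get((name, rtype), set())
        new = after.get((name, rtype), set())
        if old == new:
            continue
        severity = "CRITICAL" if rtype == "NS" else "HIGH"
        for gone in sorted(old - new):
            alerts.append((severity, f"{rtype} {name} removed {gone}"))
        for added in sorted(new - old):
            alerts.append((severity, f"{rtype} {name} added {added}"))
    return alerts


# Constructed baseline: the delegation for example.com as you recorded it
# from the .com zone when it was known to be correct.
BASELINE = """
example.com.      172800 IN NS  ns1.example.com.
example.com.      172800 IN NS  ns2.example.com.
ns1.example.com.  172800 IN A   192.0.2.10
ns2.example.com.  172800 IN A   192.0.2.11
"""

# Constructed observation after a hypothetical registry-level tampering:
# ns2 replaced by an attacker-controlled host, ns1's glue pointed elsewhere.
OBSERVED = """
example.com.      172800 IN NS  ns1.example.com.
example.com.      172800 IN NS  ns.attacker.example.   ; attacker host (constructed)
ns1.example.com.  172800 IN A   198.51.100.7            ; glue now points elsewhere
"""

if __name__ == "__main__":
    for severity, message in delegation_alerts(parse_zone_lines(BASELINE),
                                               parse_zone_lines(OBSERVED)):
        print(severity, message)
```

Run on the constructed snapshots it reports the swapped name server as CRITICAL and the two glue changes as HIGH; an unchanged delegation produces no alerts. The point of keeping the baseline in your own hands is that it is the one record of the delegation an attacker inside the registry cannot rewrite.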

