Verisign Fesses Up About 2010 Hack Attacks
Verisign has alarmed the online security industry with its reluctant disclosure of repeated hack attacks on its network in 2010.
The infrastructure company supports key servers of the Internet's backbone, serving as Top Level Domain host for .com, .org and .gov.
That it was repeatedly penetrated in 2010 was first quietly disclosed in a Securities and Exchange Commission filing in October 2011. This week, as furor over the revelation hit critical mass, the company issued a statement acknowledging the attacks.
Verisign said that its nonproduction corporate network was penetrated, but that it has thoroughly analyzed the attacks and does not believe the operational integrity of the Domain Name System was compromised.
Verisign also pointed to a number of security mechanisms deployed in its network, claiming they ensure the integrity of the zone files it publishes.
"In 2005, Verisign engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS," it said in its statement.
The DNS zone files are protected by a series of integrity checks including real-time monitoring and validation, it also said.
Verisign did not respond to our request to comment for this story.
Not Enough Information
Despite Verisign's reassurances, there is not enough information available to decide whether the breaches caused real damage or not, according to Graham Cluley, senior technology consultant with Sophos.
"We simply don't know what data might have been taken from Verisign," he told the E-Commerce Times.
What is most disturbing is the revelation that even though the hacks were discovered in 2010, senior management didn't learn of them until September 2011, he said.
"Clearly, proper processes need to be put in place to inform bosses about hacks rather than sweep them under the carpet," Cluley said. "Other firms might be wise to put in place systems to ensure that any security breach is properly documented and brought to senior managers' attention."
Indeed, while details about what data was compromised are desperately needed, how Verisign conducted itself should also be a focus, said Robert Siciliano, a consultant and identity theft expert.
Of greatest concern is "the lack of transparency and delayed notification," he told the E-Commerce Times.
Based on the information available, Siciliano is not willing to conclude that the attacks did not compromise security.
"From the little details we have, the nature of these attacks could affect the entire Domain Name System, which messes with the integrity of the whole Internet," he said, "but based on new reports, it seems even Verisign doesn't seem to equivocally know. That's concerning."
Don't Worry, It Happens Often
On the other hand, attacks on Verisign's network are expected and probably happen often -- and there's no reason to think that puts every Internet user at risk, said John Viega, executive vice president of product and engineering at Perimeter E-Security.
"First, Verisign follows WebTrust operating guidelines, which means that the proverbial keys to the kingdom are not generally available over the Internet, or over local networks. It's all kept in a 'clean room,'" he told the E-Commerce Times.
"Second, those keys are stored in hardware modules that cannot be retrieved, even if the computer with the hardware installed is compromised," Viega noted.
The bottom line is that there just isn't sufficient information about the breach to form any judgment about what may have been exposed or how, said Neil Roiter, research director at Corero Network Security.
It's natural to raise concerns because of Verisign's critical responsibility, he told the E-Commerce Times, but the company's statement that it does not believe the root servers supporting DNS were impacted is somewhat reassuring.
Verisign is well aware that "a successful attack against the DNS infrastructure could have very serious global consequence, enabling attackers to bring down websites or redirect Web users to sites of their choosing," he said.
"In order to reassure users of the existence of a true authentication process," he said, "an organization such as the National Strategies for Trusted Identities in Cyber Space must be brought in to confirm entities are who and what they claim to be."