Verisign Admits Company Was Hacked In 2010, Not Sure What Was Stolen 85
mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."
"Not sure what was stolen" (Score:3, Insightful)
"It's too soon to say."
Re: (Score:2)
Re: (Score:2)
That looks exactly like a link I should click on.
Re: (Score:1)
Re: (Score:1)
Like the subject says: Who is "Versign"? /first post please?!?!?!
It's a company started by John Galt.
Re:Who is "Versign"? (Score:4, Informative)
Re: (Score:3)
Conspiracy! By misspelling their name in the title it won't be searchable later. And if it can't be googled it didn't happen...
Prevents you from contacting them and interrupting their meetings, the ones where they all give each other big raises for "actualizing" and stuff, also allows them to keep their scheduled tee times.
"Grandfather, you are old and senile, we can no longer take care of you. So we are sending you to an executive position at Verisign.
Re:Who is "Versign"? (Score:5, Funny)
Like the subject says: Who is "Versign"? /first post please?!?!?!
It's the company formerly known as Verisign that has been hacked and had some characters stolen by hackers, including an 'i' in its name.
They're focused on the team (Score:2)
There is no "i" in VerSign.
Well, I mean sure, there's the other one, but there's no first "I".
I mean, yes, technically that second one becomes the first one, but.. Look, there just isn't.
Re:Who is "Versign"? (Score:5, Informative)
Until late 2010, Verisign also ran the dominant SSL business. That red circle with the black digitized check at the bottom of your bank's web page? Yeah, that. The SSL business was sold to Symantec, are are trying to slowly rebrand. For the security of the internet, SSL is also kinda important.
Re: (Score:2)
Re: (Score:2)
(Yes, I know that my reply is missing the joke. I thought it was important to post anyway)
Nice recovery!
Re: (Score:1)
Why the hell would anyone buy anything security related from Symantec?
Re: (Score:3)
...'cause they currently use McAfee?
Am I Supposed to Care? (Score:2, Insightful)
Re: (Score:1)
So, I guess you don't visit any .com or .net websites, ever? Since, you now, Verisign runs both of those TLDs.
Re:Am I Supposed to Care? (Score:4, Interesting)
Re: (Score:2)
Verisign is still the most important internet authority, they sell most of those SSL certificates that enable internet business.
[citation needed]
Re: (Score:3)
[citation needed]
This is like requesting citation for the assertion that most traffic tickets are written by police.
If you don't know how to check the certificate chains that authenticate Regions, US Bank, Discover, TurboTax, E-Trade, etc, then Slashdot really isn't for you.
Re: (Score:1)
I have never heard about any of the above organizations you mention above, so they're probably *not* "most of the internet".
The EFF Observatory proyect has some interesting research on this sort of information. You should check it.
Re: (Score:3)
Verisign alone might not, but Symantec (which now owns the "trust" business of Verisign), has 41.72% of the market, according to Netcraft: http://www.symantec.com/about/news/release/article.jsp?prid=20110526_01 [symantec.com]
Re: (Score:1)
weird (Score:5, Insightful)
Leaving aside probable bad judgment on the security team's part in not informing management, doesn't a company like Verisign have standardized/mandatory issue tracking policies in place so it wouldn't even be a question of judgment on a team's part to inform management? Management should have a system in place to make sure they know what's going on security-wise in a business whose entire selling point is security.
Re:weird (Score:5, Funny)
"Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"
Oh... (Score:2)
Forgot the FTFY, or whatever the hell the acronym is.
Re: (Score:2)
"Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"
Followed by the Penn State University Board of Trustees attempting to sack them all, just in case that covered things and made everything alright.
Re: (Score:1)
Re: (Score:3)
The security team had a huge failure. Management had an outright catastrophe. Management needs to be replaced entirely, which m
Re: (Score:2)
Security is not their core business. Security Theater is their core business.
What was stolen? (Score:5, Funny)
The letter "i", apparently.
Re:What was stolen? (Score:5, Funny)
And twelve months, if we're to believe it was 2010 last year.
Who's next? (Score:1)
Re: (Score:3)
The self-appointed gate keeper, and purveyors of security are always the first to get hacked.
Re: (Score:2)
Oh stop being melodramatic. How are they even close to the first to get hacked? Nearly every other industry has already been hacked.
2010 or last year? (Score:3)
If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?
Re:2010 or last year? (Score:5, Informative)
If it takes this long to get the article on slashdot, can't you at least edit it so it's correct?
It was last year, last year, but this year it's last year's last year.
Hope that's clear enough now.
Re: (Score:2)
"cannot pin down what data was stolen" (Score:2)
Re: (Score:2)
And here I thought slashdot was anti DRM.
Re: (Score:2)
Clearly, it's high time to finally develop a method that would allow us to detect that we're not the only ones who have some piece of information.
If such a technology ever arrives, you can bet that either the RIAA/MPAA invented it or they'll be on it like flies on sewage.
Uncertainty is refreshing (Score:3)
Re: (Score:3)
I'm actually impressed that they're admitting that they don't know.
I'm impressed they're admitting they've never heard of logservers. You know, those servers that're damned near inaccessible and do nothing but accept log event reports from all the other servers on their network?
Either that, or their backup regime sucks.
Re: (Score:2)
Finding ways around syslogs are all the rage these days. It requires stealth. Oh, wait....
My take is that this is a genuine catastrophe. If they can't figure out what happened, there is a systematic failure that's a near death-blow. Security is what Verisign and Symantec sell. Both have been compromised, and neither of them knew what or the extent of it, and didn't in at least one case, inform management. If I were their board(s), I'd be lawyering up about now.
Re:Uncertainty is refreshing (Score:4, Informative)
And causing millions of IE6 users to no longer be able to access their online banking. For a service of this size, the revocation costs are huge.
Besides, if they designed their systems in even a halfway competent manner, stealing the private key through a hack should be essentially impossible. A properly designed key signing service involves a standalone signing server that runs no services other than the signing service. The signing service accepts incoming connections, reads data in a byte at a time until either an EOF marker is reached or a certain number of bytes have been read, then sends back a signed copy of that data, then closes the connection. There is basically no way that such a service can be hacked (barring incredibly stupid programming) because it has essentially zero attack surface. Therefore, there should be essentially zero possibility of the private key being compromised (theoretical timing attacks on the key notwithstanding).
The worst case scenario is that they signed some things that they shouldn't have. However, even if they did, the CA should have an offline log that cannot feasibly be compromised (on the signing server itself), which means that the bogus keys can be revoked individually instead of revoking the master key that signed them.
Stealing customer data is somewhat more plausible—email addresses, mailing addresses, phone numbers, billing data, etc. Stealing the private key is pretty unlikely unless the CA is incompetent.
Should change their name (Score:2)
From Verisign to Yieldsign
Wah? (Score:1)
"Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011"
Bullllllshit
Dangling participle? (Score:1)
Re: (Score:1)
The proper technical term for it is "pronoun hell".
Used to work there when it happened (Score:3, Interesting)
Yes they run a very important part of the internet.
Yes are they filled to the brim with IT knowledge.
However, when this event occurred it was I that rebuilt their constellation of DNS and TLD servers. Bull$hit they didn't know it happened. I used to work for Ken Silva.
Bunch of liars.
Re: (Score:1)
Then I probably know you.
Isn't this the continuation of the time VeriSign was breached in 2008 because of an unpatched FTP server facing the Internet? The hack was traced all the way to a certain jump host that used to live in LS3 on an IBM x336. You know, the jump host with complete access to every server around the world. The one that started with an R and ended with a P? Yeah, that jump host.
Oh, and lots of other places throughout the network also. They got everywhere.
I was working for Brad Verd at that
Re: (Score:2)
Good thing Ken Silva left VeriSign in Nov 2010, and notice it was after he left that the incident was finally reported.
If they can't say (Score:3)
I pretty much have to assume the worst: All their certificates were compromised and all their data was acquired. If they can't demonstrate these things didn't happen, they need to revoke and re-issue all their certificates, and re-sign those of their customers.
Re: (Score:1)
Re: (Score:2)
If someone had a copy of the Verisign root public keys, it doesn't matter if the providers get new keys, your browser would trust any certificate created by these keys. So if you connect to a website encrypted by certificates from a different CA, a man in the middle attack presenting a newly minted certificate using the stolen keys would not raise any alarm in any SSL browser that trusts that verisign root certificate. Which essentially means every browser in the world.
Not only would every provider need to
Re: (Score:2)
AFAIK IE uses the Windows SChannel built into to the OS. Thus the trusted CA lists etc are part of Windows.
Re: (Score:2)
Verisign supports terrorism (Score:3)
Verisign got hacked and didn't disclose it, so since they are hiding it, according to the new FBI flyer, then obviously, they are supporting terrorism.
I demand this company gets sent to Gitmo.
if you don't, then you are a terrorist also.
What really scares me... (Score:2)
...is that the writer of the article doesn't have the slightest goddamned clue what he's talking about.
No, boy wonder. The DNS servers are not really the issue here. The issue is the PKI infrastructure which Verisign issues, and in particular the fact that Verisign is one of the few CAs that can issue Extended Verification (EV) certs.
If they got the keys to the Verisign PKI root cert (Score:1)
If the root PKI private keys were lifted from the site then whoever had them could create valid ssl certificates for any DNS hostname that every browser and ssl stack in the world would view as real. If the same users were able to put themselves in the correct place in the network or be able to do a successful DNS poisoning attack, they would then be able to undetectably capture all data protected by the SSL public key infrastructure. So pretty much all internet data would be suspect.
I assume that this did
Money Socks (Score:2)
I would suggest you take a pair of socks and divide your money evenly between them so that you don't lose more than half your net worth.
I know I got about 50 socks in my sock drawer right now, but very very few matching pairs for some reason!
I'm so glad (Score:2)
Not stolen, shared (Score:2)
I thought we learnt this from the *AA against the world debate. Stealing is taking something away from the owner denying him the use of it. Nothing was taken away from Verisign. Somethings may have been shared, which may or may not take some future business away from Verisign, since people can now get their own trusted SSL certs. Copyright wasn't meant to be eternal, they have had their time limited monopoly on those keys. Society will profit as prices for EV certs will now go through the floor. Verisign ca
Verisign, Inc.statemet (Score:1)
VRSN is not SYMC. (Score:1)