Internet infrastructure services firm VeriSign has admitted that it was the victim of numerous data breaches in 2010, but top-level managers were not notified immediately.
The firm confirmed the breaches after US reports highlighted the fact that the attacks had been mentioned in a report filed with the Securities and Exchange Commission (SEC) in October 2011.
In the filing, VeriSign said that in 2010, it "faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers."
The company, which is the main operator for web addresses ending in .com and .net, did not reveal exactly when the 2010 attacks took place or what type of data may have been lost or compromised, but said management had been informed of the breaches months later in September 2011.
“Clearly something went very wrong inside VeriSign if the-powers-that-be were not informed of the breaches,” said Graham Cluley, senior consultant at security firm Sophos.
The fact that administrators responded to the attacks but did not inform their management until 2011 shows just how important comprehensive disclosure legislation is, said Paul Vlissidis, technical director at NGS Secure, an NCC Group company.
Clearly something went very wrong inside VeriSign if the-powers-that-be were not informed of the breaches
Graham Cluley, Sophos
“As it becomes more normal for organisations to be transparent and honest about data breaches, stigma will be lessened and, crucially, those organisations will be able to take swift, responsive action,” he said.
VeriSign said in the filing it was unaware of any incidents in which information extracted in the hacks was used, but admitted that "given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information".
Domain name system attacked
A successful attack on the company's domain name system (DNS), which converts web addresses into IP addresses, could have allowed cyber criminals to redirect users attempting to visit popular sites, and potentially infect surfers with malware and intercept communications, Cluley wrote in a blog post.
But a statement issued by the firm this week said: “After a thorough analysis of the attacks, VeriSign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the domain name system was compromised.”
In 2005, VeriSign claimed to have implemented real-time validation systems to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS.
“All DNS zone files were and are protected by a series of integrity checks, including real-time monitoring and validation. VeriSign places the highest priority on security and the reliable operation of the DNS,” the company said.
“The news revealing that VeriSign was compromised should not be a surprise to anyone,” said Jeff Hudson, chief executive of enterprise key and certificate management firm, Venafi.
Internet authentication flawed
“There’s a yawning gap in the internet authentication industry, because there are no security or quality standards sitting over the 1,500 plus certificate authorities, and this needs to change,” said Vlissidis.
The fact that these organisations are breached despite taking extraordinary measures to protect themselves, said Hudson, means that businesses should recognise that these kinds of breaches will continue.
“These targets are all trusted third-party providers of certificates, services, or secure tokens; technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide,” said Hudson.
There’s a yawning gap in the internet authentication industry, because there are no security or quality standards sitting over the 1,500 plus certificate authorities, and this needs to change
Paul Vlissidis, NGS Secure
When certificate authorities are compromised, hackers could create and issue phoney certificates that would allow them to intercept all the traffic coming to a website.
In such cases, said Hudson, certificates previously issued by compromised certificate authorities need by be revoked, and knowing the specific provenance of every certificate in use within an organisation is critical in ensuring the timely re-issue of certificates to minimise downtime.
Organisations should have recovery plans in place to replace any certificate or service that has been compromised and get it done within hours, not days or weeks, he said. This can be achieved by having multiple third-party providers so that if one is compromised, organisations can switch quickly to another.
Certificate management is also important to prevent unexpected server shut downs when certificates issued by authorities such as VeriSign to enable secure data transfer expire.
To maintain security and trust, the certificates have a limited lifespan. Computer systems will shut down if certificates expire and are not renewed automatically, as happened in 2008 at Nippon Airways when the cryptographic certificate issued for authentication of check-in terminals had expired. Computer terminals were prevented from communicating with key systems at the airline.