VeriSign Hit by Hackers in 2010


Internet giant VeriSign was hacked repeatedly in 2010, resulting in the theft of undisclosed information and raising questions about the integrity of security certificates issued by the company as well as its domain name service.

The breaches were disclosed in vague language in a Securities and Exchange Commission filing last October in accordance with new SEC guidelines requiring companies to report intrusions to investors, according to Reuters.

The filing doesn’t say when in 2010 the breaches occurred. The document indicates administrators were aware of, and responded to, the breaches shortly after they occurred in 2010, but they didn’t alert top management until September 2011. The company’s former chief technology officer, Ken Silva, who was with VeriSign until November 2010, was unaware of the breaches until Reuters contacted him for its story.

VeriSign told Reuters the company did “not believe these attacks breached servers that support our Domain Name System Network.” DNS is responsible for delivering web surfers to the sites they’re seeking. It converts the domain names in requested URLs, such as www.amazon.com, into the correct IP address so that users trying to reach the retailer will have their browsers directed to that company’s website.

A breach of the DNS network could allow attackers to redirect users to malicious web pages or redirect and intercept e-mail communications.

Just as important are the security certificates that VeriSign issued at the time. Such certificates verify the legitimacy of secure web pages such as https://google.com, so that browsers know they’ve reached a legitimate site. An attacker who manages to subvert a certificate-issuing authority can issue a bogus certificate that would allow him to pose as a legitimate site and trick people into entering usernames and passwords into an impostor site.

VeriSign sold its certificate-issuing business to Symantec in August 2010. A Symantec spokeswoman told Reuters that “there is no indication” that the breach “was related to the acquired SSL product production systems.” The spokeswoman did not indicate how the company could be sure this part of the business was not affected, however.

VeriSign would not be the first certificate authority hacked. Dutch certificate authority DigiNotar was hacked in July 2011. The attackers were able to obtain several hundred fraudulent certificates for top internet entities such as Google, Mozilla, Yahoo and even the privacy and anonymizing service Tor.

Fraudulent certificates also played an important role in the super worm Stuxnet, which used certificates stolen from two companies in Taiwan. The authors of the worm, which was designed to attack centrifuges in Iran’s uranium enrichment program, used the certificates to sign a driver in their malware so that systems the worm was trying to infect would believe that the malicious file was a legitimate one from these two companies.