VeriSign Inc., the company responsible for assuring that more than half the world’s websites are authentic, was hacked multiple times in 2010, and the thieves succeeded in stealing information.
The company is one of the major pillars of the Internet, responsible for assuring the authenticity of many major websites that end in .com, .gov and .net. VeriSign also processes up to 50 billion web queries a day, defends companies’ websites against cyber attacks, and tracks international hackers.
Some computer security experts worry that this could shake the very foundations of the Internet.
“It represents an attack on the rails of trust of the Internet,” says Brian McGinley, chief of data risk management for Identity Theft 911, Credit.com’s sister company. “This was the last bastion of what you could trust.”
The security breaches were reported in a quarterly filing in October 2011 with the Securities and Exchange Commission. The filing was first discovered by Reuters. According to VeriSign’s account, the company was the victim of “several successful attacks against its corporate network,” sometime in 2010.
VeriSign told federal regulators that its Domain Name System network—the part of the company that provides the domain services of many major websites—was probably not affected.
“We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network,” according to the company’s filing for the fourth quarter of 2011. VeriSign did not respond to calls seeking comment for this story.
But the announcement fell short of an ironclad guarantee, McGinley says. And it made clear that at least some data from its corporate computer systems was stolen, though the exact nature of that information remains unclear.
VeriSign’s prominence, and its importance to the safety of the Web, makes the breach especially troubling, according to some security experts.
“VeriSign is the major player in website authentication and registration,” says Ondrej Krehel, information security officer at Identity Theft 911. “It shows there’s a significant weakness among the companies that provide trust on the Internet. It calls into question trusted authentication and domain model on the Internet. Completely.”
Update: In 2010, Verisign, Inc. sold the portion of its business that provides secure authentication via secure certificates to Symantec. Symantec released a statement saying that the SSL certificate business it acquired from Verisign, Inc. was not impacted by the breach.
What Might this Mean?
The trouble is endemic to the fundamental architecture of the Web. When users click on a website, or on a hyperlink that would carry them to a secure website, their browser should automatically check the site’s security certificate to make sure that it’s authentic. If there’s a problem with the certificate, the browser may present a warning screen advising the user of possible security threats, or it may block access altogether.
If hackers gain access to those certificates, however, they can make their own copy that looks exactly like the real thing. That would enable them to run a virtually fool-proof phishing scheme, diverting users to a fake website in order to steal account passwords, Social Security numbers and other valuable private data.
Hackers pulled off a similar successful attack in March 2011 against Comodo, a company that, like VeriSign once did, issues security certificates for websites. The attack was discovered and thwarted within hours, enough time for the hackers to copy the certificates of seven websites, according to a blog post by the company.
“If you have these certificates, you have the ability to recreate any trusted website,” McGinley says.
The attack on VeriSign was more worrisome, McGinley says, partly because the company is much larger than Comodo, and handles significantly more websites. VeriSign claims its information security group shut the breach down, and is doing its best to prevent similar attacks in the future. But the company remains unsure whether those steps will work.
“(G)iven the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information,” according to the filing.
Also, the company’s filing suggests that its internal reporting systems may have been faulty. “(T)he attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011,” even though the breaches occurred sometime in 2010, according to the report.
Perhaps even more troubling, there is little that consumers or legitimate companies can do to protect themselves from such an attack if in fact certificates were compromised, Krehel says. Since a fake website with a real certificate looks and functions just like the real thing, there’s no way for users to tell the difference. And it would be difficult for a large website like Google or Bank of America to detect such a scam, since hackers would likely divert too few users to be detected.
“In the digital world, a copy is as good as the original,” Krehel says. “And the real companies wouldn’t find it out. The bad guys are smart. Once they got what they need, they would shut it down.”
VeriSign acknowledges that its computers, which are central to the functioning of the Internet, remain vulnerable.
“The Company as an operator of critical infrastructure is frequently targeted and experiences a high rate of attacks. These include the most sophisticated form of attacks…making these attacks virtually impossible to anticipate and defend against,” according to the company’s disclosure. “Despite our security measures, our infrastructure may be vulnerable to physical break-ins, computer viruses, attacks by hackers or nefarious actors or similar disruptive problems.”