2/2/2012 01:35 PM
VeriSign 2010 Hack: DNS Data Theft A Possibility

SEC data breach disclosure report triggers admission from VeriSign that attackers might have accessed sensitive domain name system data. What could they do with it?

Several successful hacks of VeriSign's network, in 2010, might have compromised critical information relating to the Internet's domain name system (DNS).

According to information released by VeriSign in October 2011, "we have investigated and do not believe these attacks breached the servers that support our domain name system network." But the company didn't rule out that information relating to the DNS network was stolen in the attacks, which occurred before some of the company's assets were acquired by Symantec in 2010.

VeriSign helps manage the DNS, which maps textual website names to IP addresses, as well as the ".com" top-level domain. But the company also provides user authentication services, offers website security services, conducts cybercrime research, and signs code to authenticate software updates from vendors such as Microsoft and Adobe, as well as for Java.


Thursday, however, Symantec said that the attackers definitely hadn't accessed certain critical systems. "The Trust Services (SSL), User Authentication (VIP), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign Inc. quarterly filing," spokeswoman Nicole Kenyon said via email. "Symantec takes the security and proper functionality of its solutions very seriously."

The VeriSign hacks were first reported Thursday by Reuters. Why the delay in the breaches coming to light? Although the attacks occurred in 2010, the company's security team apparently didn't report the incidents to the management team until September 2011. VeriSign then disclosed them to the Securities and Exchange Commission on Oct. 28, 2011, in the company's Form 10-Q Quarterly Report.

Recently released SEC guidelines now make such disclosures mandatory. Reuters said that, of the 2,000 filings mentioning breach risks that it reviewed since the rule went into effect, the VeriSign disclosure appears to be the worst.

"I think the SEC guidance is making material disclosures happen now, and will continue to happen in the future. So we'll find out about more and more of these types of incidents," said Anup Ghosh, CEO of browser security vendor Invincea, by phone.

Hack attacks are the leading cause of data breaches, and the attack against VeriSign's network likewise resulted in data being stolen. According to VeriSign's SEC filing, "information stored on the compromised corporate systems was exfiltrated." Although the company's security team noticed the intrusion shortly after it occurred and quickly "implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks," VeriSign's lack of specificity over what might have been stolen suggests that it simply doesn't know.

According to security experts, data breaches are now so widespread that being breached is a question of when, not if. "The fact that VeriSign was targeted? Not surprising at all. The fact that they were breached? Not surprising at all," said Ghosh. "I don't think VeriSign is at fault. This is the state of the security that we have at present. These guys are targets."

Some risks from a successful hack of VeriSign, however, are that attackers might be able to knock the DNS offline, thus taking down large parts of the Internet, or redirect people to fake websites to infect their PCs with malware or steal financial information. "In this case, it looks like that wasn't the objective," said Ghosh. "It wouldn't surprise me if whoever breached their network was after corporate documents, like pending deals or sales. That would be of interest to China, for example."

The hack of VeriSign echoes 2011 attacks against certificate authorities Comodo and DigiNotar, both of which appeared to be executed by, or on behalf of, one or more nation states. Those attacks exposed fundamental weaknesses in the trust model underpinning the current use of SSL digital certificates for authenticating websites. Notably, because any trusted certificate authority can issue a certificate for any domain, an attacker who compromises one can create fake digital certificates to spoof any website, as the hacker behind the Comodo attack apparently did with Google, Skype, and Mozilla websites. The result is a system based on trust, but which can't be trusted.
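The trust-model weakness described above, shown as an added example that is not from the article or from any company it names: using only Go's standard library, two constructed root CAs are both placed in the trust store, ordinary chain validation accepts a certificate for the same host from either of them, and a public-key pin recorded for the site accepts only the legitimately issued one. The CA names, the hostname and every certificate here are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds and signs a constructed test certificate; a nil parent yields a self-signed CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin hashes the SubjectPublicKeyInfo, as public-key pinning does: the pin survives renewal with the same key.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// chainTrusted is the ordinary PKI check: any CA in roots may vouch for any host.
func chainTrusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// scenario puts two roots in the trust store, the second standing in for a compromised CA that
// mis-issues a certificate for host. Returns (legit chain, rogue chain, legit pin, rogue pin).
func scenario(host string) (bool, bool, bool, bool) {
	goodCA, goodKey := mkCert("good-root-ca.test", true, nil, nil)
	rogueCA, rogueKey := mkCert("compromised-ca.test", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA) // every public CA sits in the store, so a compromised one is trusted too
	legit, _ := mkCert(host, false, goodCA, goodKey)
	rogue, _ := mkCert(host, false, rogueCA, rogueKey)
	pins := map[[32]byte]bool{spkiPin(legit): true} // pin recorded out of band for host
	return chainTrusted(legit, roots, host), chainTrusted(rogue, roots, host), pins[spkiPin(legit)], pins[spkiPin(rogue)]
}
```

Chain validation alone cannot tell the two certificates apart; only knowledge recorded outside the CA system (the pin) does, which is why a compromised authority undermines every site at once.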

Interestingly, before news of the VeriSign breach surfaced, the VeriSign brand name was already slated to be partially phased out for the assets that Symantec had acquired. Beginning in April 2012, Symantec said that all VeriSign SSL seals would be rebranded as "Norton Secured Seals." After the change, Symantec said that the seals would be used by more than 100,000 websites in 165 countries.

The VeriSign hack is the second time in a month that a security company has made news because a past breach was later found to have exposed sensitive data. The other company was Symantec, which recently rushed out a patch for pcAnywhere, its remote-access software, after hacktivist group Lords of Dharmaraja bragged about possessing the source code for some Symantec products.

Symantec initially dismissed that claim. But the company then discovered that in a 2006 security incident, attackers had apparently not just breached Symantec's servers, but stolen the source code in question, thus putting current users at risk of attack, should the attackers discover zero-day vulnerabilities in the code that they could exploit.

