VeriSign claims that the attack it suffered in 2010 has not compromised the integrity of the Domain Name System (DNS).
As revealed yesterday, VeriSign reported suffering a number of "successful attacks" against its corporate network in 2010. It said it was "unaware of any situation in which possibly [extracted] information had been used", but it was unable to be sure that such information was not or could not be used in the future. It also revealed that the attacks were not reported to the company's management until September 2011.
In a statement, VeriSign said it has a number of security mechanisms deployed in its network to ensure the integrity of the zone files published, and in 2005 it engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS.
“All DNS zone files were and are protected by a series of integrity checks including real-time monitoring and validation. VeriSign places the highest priority on security and the reliable operation of the DNS,” it said.
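VeriSign's statement above refers to integrity checks over the published zone files without describing them. As an added illustration, not VeriSign's code or any description of its real-time validation system, the following Python script shows the shape of such a check: a baseline of per-record digests is authenticated with an HMAC under a key assumed to live outside the publishing pipeline, and a later copy of the zone is diffed against it so that a changed or inserted record is reported rather than silently published. The zone contents, the key, and the simplified one-record-per-line layout are all constructed for the example.

```python
"""Added example: baseline-and-verify integrity check for a DNS zone file.

Illustrative code written for this article, not VeriSign's validation
system. The zone text, the key and the record layout are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample zone in a simplified "owner ttl class type rdata" layout.
BASELINE_ZONE = """\
; example.test zone (constructed)
$ORIGIN example.test.
@        3600 IN SOA  ns1.example.test. hostmaster.example.test. 2010010101 7200 3600 1209600 3600
@        3600 IN NS   ns1.example.test.
@        3600 IN NS   ns2.example.test.
ns1      3600 IN A    192.0.2.1
ns2      3600 IN A    192.0.2.2
www      300  IN A    192.0.2.10
"""

# Same zone with one record changed and one added (constructed tampering).
TAMPERED_ZONE = BASELINE_ZONE.replace(
    "www      300  IN A    192.0.2.10", "www      300  IN A    198.51.100.9"
) + "mail     300  IN A    198.51.100.25\n"

# Assumption: in a real deployment the key is held outside the publishing
# pipeline (for example in an HSM); it is a constant here so the example runs offline.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical_records(zone_text):
    """Return the zone as a sorted list of canonical 'owner ttl class type rdata' strings.

    Comments and $-directives are dropped, runs of whitespace are collapsed and
    the owner name is lower-cased, so purely cosmetic edits do not register as changes.
    """
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, ttl, rclass, rtype = fields[0].lower(), fields[1], fields[2], fields[3]
        rdata = " ".join(fields[4:])
        records.append(f"{owner} {ttl} {rclass} {rtype} {rdata}")
    return sorted(records)


def record_digest(record):
    """Per-record SHA-256 digest, used to identify exactly which entries changed."""
    return hashlib.sha256(record.encode()).hexdigest()


def build_baseline(zone_text, key):
    """Produce a signed baseline: per-record digests plus an HMAC over the digest set."""
    records = canonical_records(zone_text)
    digests = {record_digest(r): r for r in records}
    body = json.dumps(sorted(digests), separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_zone(zone_text, baseline, key):
    """Check a zone against the baseline. Returns (ok, findings).

    The baseline's own HMAC is checked first, so a tampered baseline cannot be
    used to bless a tampered zone. findings lists records missing from or added
    to the zone; a modified record shows up as one 'missing' plus one 'unexpected'.
    """
    body = json.dumps(sorted(baseline["digests"]), separators=(",", ":")).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, baseline["tag"]):
        return False, ["baseline fails authentication; its record list must not be trusted"]
    current = {record_digest(r): r for r in canonical_records(zone_text)}
    findings = []
    for d in sorted(set(baseline["digests"]) - set(current)):
        findings.append("missing: " + baseline["digests"][d])
    for d in sorted(set(current) - set(baseline["digests"])):
        findings.append("unexpected: " + current[d])
    return not findings, findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_ZONE, INTEGRITY_KEY)
    print("unchanged zone:", verify_zone(BASELINE_ZONE, baseline, INTEGRITY_KEY))
    ok, findings = verify_zone(TAMPERED_ZONE, baseline, INTEGRITY_KEY)
    print("tampered zone ok:", ok)
    for finding in findings:
        print("  ", finding)
```

Running the script reports the unchanged zone as clean and, for the tampered copy, flags the original `www` record as missing and the altered `www` record and the new `mail` record as unexpected. Checking the baseline's own HMAC before trusting its record list is the part that matters in an environment where an attacker may have reached the systems that store the baseline as well as the zone.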
Symantec, which acquired the certification division in May 2010, said there was no indication that the 2010 breach was related to the acquired SSL systems.
In a statement, Fran Rosch, vice-president of trust services and SSL at Symantec, and previously vice-president of authentication at VeriSign, said: “Just as VeriSign stated that there was no impact to their production environment, I stand behind Symantec's statement that Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the breach.
“Unfortunately, many people are associating the breach at VeriSign with the brand of SSL certificates that Symantec acquired, begging the question ‘Is SSL dead?’. SSL, or HTTPS encryption, remains today as the most secure method to protect online data in transit.
“Symantec Trust Services and Identity and Authentication solutions continue to provide unparalleled levels of security, not only in terms of our products, but in terms of how we protect the systems that protect you and your customers.”
Catalin Cosoi, chief security researcher at BitDefender, said: “It is reassuring that there was not a breach of the servers that support their DNS, but not ruling it out completely and leaving enough place for doubt means that we still need to wait for a complete assessment of the incidents.
“If the SSL process were corrupted, you could easily create a Bank of America certificate that will be trusted by every browser in the world, raising phishing attacks to whole new level.
“VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites. A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems.”
Cosoi said the story reminded him of the DigiNotar attack from last year, when fake certificates were issued and used to impersonate Gmail and other critical services.
“What's worrying is that the attackers could have generated valid software-signing certificates for smaller, less-known companies and used them to sign malware. By the time VeriSign realises that the respective company did not request the certificate, some nasty rootkits could be long since in the wild,” he said.
“DigiNotar went bankrupt in less than one month after grasping the extent of the breach. The implications of a hack against the world's most important enterprise trust seller are yet to be determined.”
Paul Vlissidis, technical director at NGS Secure, an NCC Group company, said: “There's a yawning gap in the internet authentication industry, because there are no security or quality standards sitting over the 1,500-plus certificate authorities, and this needs to change.
“The other problem is, of course, the huge time lapse between the hacks themselves and their disclosure. The fact that administrators responded to the attacks but did not inform their management until 2011 shows just how important comprehensive disclosure legislation is.
“As it becomes more normal for organisations to be transparent and honest about data breaches, stigma will be lessened and, crucially, those organisations will be able to take swift, responsive action. Effective information security depends on efficient incident response as well as protection.”