VeriSign has admitted that it was breached, although it did not believe the attacks breached the servers that support its Domain Name System (DNS) network.
According to Reuters, VeriSign has been hacked repeatedly by outsiders who stole undisclosed information from the internet infrastructure company.
In a quarterly report to the US Securities and Exchange Commission, the company admitted that it “faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers” in 2010.
It said: “The company's information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks.
“However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the company is unaware of any situation in which possibly [extracted] information has been used, we are unable to assure that such information was not or could not be used in the future.”
It admitted that the attacks were not sufficiently reported to the company's management at the time that they occurred, for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011.
VeriSign's DNS processes as many as 50 billion queries daily, and any information stolen from it could let hackers direct people to faked sites and intercept email from US federal employees or corporate executives, although classified government data moves through more secure channels.
The certification division was acquired by Symantec in May 2010. Nicole Kenyon, a spokesperson for Symantec, said: “There is no indication that the 2010 corporate network security breach mentioned by VeriSign was related to the acquired SSL systems.”
Cyber security expert Melissa Hathaway, who has worked with presidents George W Bush and Barack Obama, said: “This breach, along with the RSA breach, puts the authentication mechanisms that are currently being used by businesses at risk. There appears to be a structured process of hunting those who provide authentication services.”
A spokesperson for VeriSign said it would make no further comment.
Rob Rachwald, director of security strategy at Imperva, said: “This shouldn't surprise anyone. While a growing number of web applications are delivered over the HTTPS protocol (HTTP over SSL), attackers are increasingly focusing their attacks against the various components of SSL.
“We are seeing a rise in attacks which target the worldwide infrastructure that supports SSL. We expect these attacks to reach a tipping point in 2012 which, in turn, will invoke a serious discussion about real alternatives for secure web communications. The VeriSign attack highlights that the tipping point may have actually arrived in 2011.”