VeriSign admits multiple hacks in 2010, keeps details under wraps

VeriSign, the company responsible for guiding most of the world's Internet users to the correct websites and once the largest encryption certificate issuing authority, has acknowledged that it was successfully hacked several times in 2010.

The admission was disclosed last fall in a VeriSign filing with the U.S. Securities and Exchange Commission (SEC), but did not come to light until today when Reuters reported on its investigation of new SEC guidelines on such disclosures.

"In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers," said VeriSign in the quarterly report it filed with the SEC in October 2011.

VeriSign confirmed that the attacker made off with data and claimed that it had put new defensive measures into place.

"This could be very, very significant," said Rob Rachwald, director of security strategy at Imperva, depending on exactly what hackers stole from VeriSign.

Prior to August 2010, VeriSign was the world's largest SSL (secure socket layer) certificate issuing authority. In May of that year, Symantec announced it would acquire VeriSign's authentication business, including SSL certificate generation, for $1.2 billion. The acquisition was finalized Aug. 9, 2010.

"If a root [SSL] certificate was compromised, or the attackers acquired information about SSL certificates, users are completely open to attack," said Subhash Tantry, the CEO of FoxT, which provides access management software to enterprises.

Unfortunately, said Rachwald and Noa Bar Yosef, a senior security strategist with Imperva, there is not enough information available to know just how bad the situation might be.

"Details are really lacking," said Bar Yosef, "And this is a problem I see time and again, where a company suffers from a breach but they keep quiet about what actually happened."

Other than to say that it does not believe the attacks hacked the servers which support its Domain Name System (DNS) network, VeriSign was vague about almost every aspect of the breaches -- even whether the additional defenses it erected had been adequate.

"Given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information," VeriSign admitted in the 10-K filing . "In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

The lack of information about SSL prompted some experts to worry that hackers had acquired legitimate-looking certificates, or stolen information critical to the certificate issuing process.

Tantry said one source had told him that a root certificate had, in fact, been compromised.

If criminals did steal one or more SSL certificates, they could use them to conduct "man-in-the-middle" attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly intercepted. Or they could use them to "secure" fake websites that seem to be legitimate copies of popular Web services, using the bogus domains to steal information or plant malware.

Symantec, which began issuing SSL certificates under the VeriSign brand in the second half of 2010, denied that any hack had taken place on its watch.

"The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec [from VeriSign] were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing," a Symantec spokeswoman said today.

Symantec declined to comment further on the VeriSign hacking admission.

If SSL certificates were stolen or VeriSign's issuing process compromised, it would not be the first instance of such an attack.

"2011 was the year of SSL breaches," noted Bar Yosef, referring to the hacking of several certificate authorities, or CAs, last year, including Comodo last March and DigiNotar in July 2011 .

Steps taken during those incidents by operating system and browser vendors -- which revoked the stolen certificates -- may not be possible here, said Rachwald. "It would be like unscrambling an egg," he said, referring to the sheer quantity of certificates that VeriSign issued prior to mid-2010.

And nothing can be done without more information, added Bar Yosef.

"VeriSign had enough time to inform everyone," she said, pointing out the long gap between the 2010 hacks and VeriSign's admission of them last October. "We need that information to decide what to do."

In fact, VeriSign's security team hid the breaches from the company's senior management, the document filed with the SEC confirmed. "The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements," VeriSign claimed.

According to the SEC filing, company executives were not told of the 2010 attacks until September 2011.

The SEC issued guidelines in October 2011 that pushed companies to report hacking attacks.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about security in Computerworld's Security Topic Center.