"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
Does anyone else feel this line is more suited to a Hollywood movie than a Reuters release?
Terretta|14 years ago
I found it refreshing -- an official didn't try to downplay the issue. The reporter likely included the comment verbatim for that very reason, as in, "OMG, this is super serial."
joshuahedlund|14 years ago
No, but I re-read that sentence three times because of how poorly it was written. I don't think I've ever read a news article where a quoted person's description bridged two facts with the phrase "and before that".
bradleyjg|14 years ago
I don't understand why we trust lone authentication services. They are single points of failure. SSL Certificates should be validated by a collection of independent certificate authorities. If not all of the authorities agree on the certificate, that's a sign there is hacking going on - or a sign that not all of the services have synchronized the certificate.
fragsworth|14 years ago
If we do it this way, a hacker who wants to try to imitate a site can't get away with compromising just one certificate authority. They'd have to compromise all of them, which (if there are enough) would be nearly impossible.
EGreg|14 years ago
Well, how do you distribute trust? Do you have a quorum or something?
Consider this ... what if I wanted to introduce doubt that X is really verified, and thereby hurt their business. How can you avoid me doing stuff like that? Besides harsh laws of course.
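The exchange above (validate a certificate against a collection of independent authorities, flag disagreement, and the question of how a quorum would work) worked through as an added example. This is not code from the thread or from any certificate authority or vendor; the validator names and the fingerprints are constructed placeholders, and the quorum rule is one possible design, not a standard. The majority-quorum rule makes "accept" and "reject" mutually exclusive, so a single dissenting validator cannot veto a genuine certificate on its own (the "introduce doubt" concern), and a single compromised validator cannot vouch a forged certificate through on its own; a validator that keeps dissenting is recorded rather than silently ignored, and too few answers (outage, or validators that have not yet synchronized a rotated certificate) fail closed as "inconclusive".

```python
"""Cross-check a TLS certificate fingerprint against several independent validators.

Added example (not code from the thread or from any vendor). Validator names
and fingerprints below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Verdict:
    status: str                  # "accept", "reject" or "inconclusive"
    agreeing: int                # validators vouching for the observed fingerprint
    conflicting: int             # validators vouching for a different fingerprint
    unreachable: int             # validators that gave no answer
    dissenters: Tuple[str, ...]  # names of the conflicting validators, for follow-up


def evaluate(observed_fp: str, reports: Dict[str, Optional[str]], quorum: int) -> Verdict:
    """Apply a majority-quorum rule to per-validator reports.

    observed_fp: hex SHA-256 fingerprint of the certificate the client just received.
    reports:     validator name -> fingerprint that validator vouches for, or None
                 when the validator could not be reached.
    quorum:      agreeing validators needed; must be a strict majority of all
                 validators so that "accept" and "reject" cannot both be reached.
    """
    total = len(reports)
    if not (total // 2 < quorum <= total):
        raise ValueError("quorum must be a strict majority of the validators")

    agreeing = [v for v, fp in reports.items() if fp == observed_fp]
    conflicting = [v for v, fp in reports.items() if fp is not None and fp != observed_fp]
    unreachable = [v for v, fp in reports.items() if fp is None]

    if len(agreeing) >= quorum:
        # Enough independent validators vouch for what we saw. Dissenters are a
        # minority and cannot veto, but they are reported so that a validator
        # that keeps disagreeing (stale, compromised or malicious) gets looked at.
        status = "accept"
    elif len(conflicting) >= quorum:
        # A majority vouches for a *different* certificate: the one we received
        # is the odd one out, which is what a substituted certificate looks like.
        status = "reject"
    else:
        # Neither threshold reached (outages, or validators that have not yet
        # seen a legitimately rotated certificate). Fail closed and retry.
        status = "inconclusive"

    return Verdict(status, len(agreeing), len(conflicting), len(unreachable),
                   tuple(sorted(conflicting)))


def dissent_history(verdicts: Iterable[Verdict]) -> Counter:
    """Count how often each validator dissented across many checks."""
    history: Counter = Counter()
    for v in verdicts:
        history.update(v.dissenters)
    return history


# --- constructed sample data (placeholders, not real fingerprints) -------------
FP_GENUINE = "aa" * 32
FP_SUBSTITUTED = "bb" * 32
VALIDATORS = ("ca-alpha", "ca-beta", "ca-gamma", "notary-delta", "notary-epsilon")


def demo() -> Dict[str, Verdict]:
    """Run the four cases a practitioner cares about and return the verdicts."""
    unanimous = {v: FP_GENUINE for v in VALIDATORS}
    one_rogue = dict(unanimous, **{"ca-gamma": FP_SUBSTITUTED})   # a lone dissenter
    outage = dict(unanimous, **{"ca-alpha": None, "ca-beta": None, "ca-gamma": None})
    return {
        "unanimous": evaluate(FP_GENUINE, unanimous, quorum=3),
        "one_rogue": evaluate(FP_GENUINE, one_rogue, quorum=3),
        "substituted": evaluate(FP_SUBSTITUTED, unanimous, quorum=3),
        "outage": evaluate(FP_GENUINE, outage, quorum=3),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:12} -> {v.status:12} agree={v.agreeing} conflict={v.conflicting} "
              f"down={v.unreachable} dissenters={v.dissenters}")
```

The `substituted` case is the thread's scenario: a certificate that a client would otherwise accept is rejected because the other validators vouch for something else. The cost objection raised further down the thread still applies; this only shows the decision rule, not who operates the validators or how they are paid for.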
bradleyjg|14 years ago
Although this is perhaps an ill-timed suggestion given that it is VeriSign in the news, I have long thought that DNSSEC would serve as a good mechanism for distributing public keys.
Perhaps in conjunction rather than opposition to the current CA system.
larrys|14 years ago
"SSL Certificates should be validated by a collection of independent certificate authorities"
That would greatly raise the cost of the SSL certificates. And I don't think that would be something that you could get the various providers to even agree on.
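The DNSSEC suggestion a few comments up (distribute public keys through DNSSEC, in conjunction with rather than in place of the CA system) is what the DANE TLSA record (RFC 6698) does, so here is an added example of the client-side matching logic. It is not code from the thread or from any DNS or TLS library. The certificate bytes, the SubjectPublicKeyInfo bytes, the TLSA records and the PKIX (CA chain) result are constructed placeholders; a real client takes the DER from the TLS handshake, the TLSA RRset from a validating resolver, and must confirm the DNSSEC proof (for example the resolver's AD bit), which this example does not model. Usage 1 (PKIX-EE) is the "in conjunction" mode: the DNS-published pin and the CA chain must both check out. Usage 3 (DANE-EE) is the "instead of" mode.

```python
"""Match a server certificate against DNSSEC-published TLSA records (DANE, RFC 6698).

Added example, not from the thread or any library. All inputs are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3   # certificate usage field
FULL_CERT, SPKI = 0, 1                            # selector field
EXACT, SHA256, SHA512 = 0, 1, 2                   # matching type field


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes


@dataclass(frozen=True)
class Outcome:
    accepted: bool
    reason: str
    matched: Optional[TLSA] = None


def parse_tlsa(presentation: str) -> TLSA:
    """Parse RFC 6698 presentation format, e.g. '3 1 1 <hex>' (hex may be space-broken)."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", "")))


def association_data(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    selected = {FULL_CERT: cert_der, SPKI: spki_der}[record.selector]   # KeyError if unknown
    if record.matching == EXACT:
        return selected
    if record.matching == SHA256:
        return hashlib.sha256(selected).digest()
    if record.matching == SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.matching}")


def check(records: List[str], cert_der: bytes, spki_der: bytes, pkix_valid: bool) -> Outcome:
    """Combine DNSSEC-published TLSA data with the CA (PKIX) result.

    Any single usable record that matches is sufficient (RFC 6698 section 4.1).
    """
    if not records:
        # Nothing published under DNSSEC: the CA system alone decides.
        return Outcome(pkix_valid, "no TLSA records; PKIX result used")

    for rec in map(parse_tlsa, records):
        if rec.usage in (PKIX_TA, DANE_TA):
            continue   # trust-anchor usages constrain the chain, which this example does not model
        try:
            matches = association_data(rec, cert_der, spki_der) == rec.data
        except (KeyError, ValueError):
            continue   # unusable record (unknown selector or matching type): skip, per RFC 6698
        if not matches:
            continue
        if rec.usage == PKIX_EE and pkix_valid:
            # "In conjunction": the DNS pin matched AND the CA chain validated.
            return Outcome(True, "PKIX-EE: TLSA match and CA chain valid", rec)
        if rec.usage == DANE_EE:
            # DNSSEC stands in for the CA: the pinned end-entity cert is sufficient.
            return Outcome(True, "DANE-EE: TLSA match, CA result not required", rec)

    return Outcome(False, "TLSA records present but none accepted under its usage rules")


# --- constructed placeholders; real DER would come from the TLS handshake ------
CERT_DER = b"-- constructed placeholder for a DER-encoded certificate --"
SPKI_DER = b"-- constructed placeholder for its SubjectPublicKeyInfo --"
CERT_SHA256 = hashlib.sha256(CERT_DER).hexdigest()
SPKI_SHA256 = hashlib.sha256(SPKI_DER).hexdigest()
WRONG_SHA256 = "00" * 32


def demo() -> dict:
    """The cases that matter: conjunction, DNS-only, a substituted cert, and no DANE data."""
    return {
        "pkix_ee_ok":     check([f"1 0 1 {CERT_SHA256}"], CERT_DER, SPKI_DER, pkix_valid=True),
        "pkix_ee_bad_ca": check([f"1 0 1 {CERT_SHA256}"], CERT_DER, SPKI_DER, pkix_valid=False),
        "dane_ee_no_ca":  check([f"3 1 1 {SPKI_SHA256}"], CERT_DER, SPKI_DER, pkix_valid=False),
        "substituted":    check([f"3 1 1 {WRONG_SHA256}"], CERT_DER, SPKI_DER, pkix_valid=True),
        "no_records":     check([], CERT_DER, SPKI_DER, pkix_valid=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} accepted={outcome.accepted!s:5} {outcome.reason}")
```

The `substituted` case is the one the thread is worried about: a certificate with a perfectly valid CA chain (a compromised or misled CA would produce exactly that) is still rejected because it does not match what the domain owner published under DNSSEC. The reverse dependency is the caveat: the check is only as strong as the DNSSEC validation feeding it.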
hendzen|14 years ago
Another day, another APT reported by some company integral to the technological infrastructure of the US (and the world in this case). When will we take real, substantive action on this issue?
marshray|14 years ago
At this point, VeriSign might as well be an instrumentality of the US government. The answer to your question is "When we take substantive action on the brokenness of the US political system".
Got any new ideas? (seriously)
nknight|14 years ago
The question is why don't you ever hear about some huge Chinese or Russian website being hacked? It seems most of these types of high level intrusions can be traced back to those two countries.
kenrik|14 years ago
We can only HOPE that somewhere the US has a Top Secret Cyber Warfare group that's so good they never get caught.
larrys|14 years ago
As an aside, registrar interactions with VeriSign have several security layers involved to prevent someone from accessing and changing domain DNS (we deal with this as a registrar). Of course those methods are only as secure as the particular registrar defenses are. As are the nameservers used in any particular domain.
pittsburgh|14 years ago
From the filing: We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.
The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.
It's interesting to note that the SEC issued guidelines on the reporting of security breaches on October 13th, 2011 ( http://www.sec.gov/divisions/corpfin/guidance/cfguidance-top... ) and VeriSign's SEC filing was released about two weeks later on October 28th, 2011. It could be the case that the security breach wasn't actually a major one, but because the SEC guidelines were so new they thought it prudent to mention even a minor security breach.
From this filing, there's no way to know the severity of the breach, which is why I think it's unfair for Reuters to make this seem like a bigger deal than it might actually be. (They mention the RSA security breach which was a huge deal, and they suggest the attack was done by a "nation-state".) It reads like an article written by Nancy Grace.
Of course it could be the case that this was a major attack carried out by China, but it could also be a mundane attack on a public web server that wouldn't have made the news if not for the timing of the recent SEC guidelines. There's just no way to know from the information available.
larrys|14 years ago
"I think it's unfair for reuters to make this seem like a bigger deal than it might actually be"
The filing says:
"the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers"
The headline was:
"Key Internet operator VeriSign hit by hackers"
This wasn't the lead story on the nightly news. It was a Reuters article with a fair headline for what happened. The mere fact that they reported it in their filings but didn't disclose it to company management is a problem right there.
jamieb|14 years ago
>He said he hoped new legislation on cybersecurity, expected to reach the Senate floor this month, would call for more disclosures and bring more aid to companies under attack.
Uh huh.
Interesting that a large argument against SOPA was that it would break the security of the internet. Now we are getting stories claiming that the internet is already broken and we'll need new laws to fix it.
Expect the laws needed to fix the security of the internet to also include fixing the "evils" of copyright "theft".
Cyndre|14 years ago
Am I the only one who wonders if Symantec is the right company to be in control of VeriSign???
To me it seems that there would be a little bit of a conflict of interest around owning an antivirus company and the tool that tells you a site is who they say they are.
I know this sounds a little crazy, but think about it before you downvote me.
nkassis|14 years ago
This article doesn't have many details on what the actual attack involved. Anyone have actual details? I would assume that VeriSign has a very segregated network and a breach somewhere would have a hard time propagating to their more important things like their CA signing server and .com stuff.
The (reported) fact that they were hacked repeatedly in 2010 and the CTO at that time (claims he) didn't learn of it until Reuters called him for a comment doesn't exactly paint a reassuring picture.
marshray|14 years ago
I bet Symantec is a little irritated that they bought the VeriSign^TM CA business in 2010. Are they going to want their money back?
If they can't prove there was no compromise of the private keys, will Symantec reissue the 30 year VeriSign root certs?
EDIT: The SEC filing is here (keyword "breach") https://investor.verisign.com/secfiling.cfm?filingID=1193125...
Interesting how the filing mentions the threat to their DNS business. Perhaps the potential risk to the root CA is no longer considered relevant since they've sold it?