Sifting through 2,000 documents released by a U.S. Securities and Exchange Commission (SEC) filing back in October 2011, news-gathering organization Reuters has uncovered a dangerous hack of VeriSign that was kept quiet, if not secret, for more than two years.
VeriSign is responsible for authenticating all .com, .net and .gov root nameservers, among other things. The SEC filing revealing the VeriSign network breach was required under new government guidelines for reporting security breaches to investors.
According to the Reuters report, hackers were able to steal as-yet-undisclosed information from one or more of the VeriSign networks that supplies the infrastructure behind Internet security, certificate authentication and domain name authentication.
“The previously unreported breaches occurred in 2010 at the Reston, Va.-based company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov,” according to Reuters.
VeriSign executives, who would not comment publicly about the breach and how far it went, were quoted in the SEC filing as saying that “they did not believe” that servers supporting the Domain Name System network were breached, although they did not categorically say they were not breached.
If they were breached, the ramifications would be significant. For example, a user typing in Google’s or Amazon’s URL would be led to a bogus site. Once a user is led to the bogus site, the hackers could easily collect financial and personal information from the victim.
In written testimony before the Senate on Tuesday, U.S. Director of National Intelligence James Clapper made a vague reference to the VeriSign breach and named RSA in a similar breach that occurred in March 2011.
“Hackers are also circumventing network security by targeting companies that produce security technologies, highlighting the challenges to securing online data in the face of adaptable intruders,” said Clapper, adding that the March 2011 breach of security firm RSA’s corporate network “exfiltrated data on the algorithms used in its authentication system.”
In its news report, Reuters noted that VeriSign’s Domain Name System administers and routes about 50 billion queries on a daily basis. Hacks to this network would allow the perpetrators to intercept e-mail not just from ordinary users; because the network also handles .gov domain names, they could intercept data from federal employees as well.
“VeriSign would possess sensitive information on customers, and its registry services that dispense website addresses would also be a natural target,” according to Reuters.
Another open question is whether the attack was funded by a nation state or by criminals acting on their own. VeriSign executives, who declined to speak on the record, did say an attack by a national power was a possibility, adding that there just wasn’t enough data available to determine the origins of the attack.
In his testimony, Clapper cited “vulnerabilities associated with IT supply chain for U.S. networks” as one of the greatest strategic challenges regarding cyberthreats.