
VeriSign Hacked. Why?

There is no peace in cyberspace: day after day we read that the computer systems of major corporations and governments have been compromised by repeated cyber attacks. This time it was the prestigious VeriSign, a name that in our minds we link to the concept of “strong security”, but we are learning that total security is just a utopia.

The company should defend users’ websites from attacks and from the interception and hijacking of their traffic.

Once more the situation is really serious: a company that offers security services for authentication has been hacked repeatedly by attackers who stole undisclosed information from its internal infrastructure. After the Symantec case, another company that makes its living from security has fallen victim to its own business, which demonstrates how dangerous the new cyber threats are and how burdensome their economic impact is. The news of the VeriSign attacks was revealed in a quarterly U.S. Securities and Exchange Commission filing in October, but what is puzzling, in my opinion, is that the ex-CIO Ken Silva, who held the post for three years until November 2010, said he had not learned of the intrusion until he was contacted by Reuters. The Securities and Exchange Commission Form 10-Q clarified that the security staff responded immediately to the attacks but failed to alert top management until September 2011.

In written Senate testimony on Tuesday, U.S. Director of National Intelligence James Clapper called the known certificate breaches of 2011 “a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking.” Others have said SSL as a whole is no longer trustworthy and effective.

Since Q2 2010, Verisign Inc., the company that issued the SEC filing, has no longer been associated with authentication or SSL certificates; in fact, following the product rebranding, Symantec actually owns and runs the authentication business.

Symantec Corp, which has kept the brand name on VeriSign products, immediately distanced itself through a statement by spokesman Nicole Kenyon:

“there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”

“Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing. Also, Verisign Inc., the company who issued the SEC filing, is no longer associated with authentication or SSL certificates.”

In this specific case, several attacks were successfully conducted against VeriSign; the first one occurred in 2010, according to a report by Reuters, at the Reston, Virginia-based firm. The company is responsible for verifying the integrity of top-level domains, including all .gov, .com and .net addresses, and it is also one of the main providers of Secure Sockets Layer (SSL) authentication certificates, used by most financial sites to ensure their legitimacy. VeriSign holds sensitive information on a huge number of customers, and its registry services, which dispense website addresses, would also be a desirable target.

By now we have a clear idea of how important certificates are within a PKI infrastructure and why Certification Authorities have been subject to constant attacks. At stake is more than the survival of a protocol or a technology company; in fact, most of the infrastructure of governments and leading institutions worldwide is based on these services.

VeriSign’s officials have declared that they “do not believe these attacks breached the servers that support our Domain Name System network”, but in light of what has happened recently it is normal to harbor many doubts about the statements provided.

The situation is embarrassing and dangerous: VeriSign’s systems receive more than 50 billion queries daily, and their responses are used to direct users to the sites they are interested in, including government websites. The impairment of these mechanisms could lead to the redirection of requests to bogus sites, with serious consequences. And not just this: the compromise of the model itself raises the risk of interception of emails and confidential documents that pass through communication channels that are, in theory, secure.

Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency, offered an eloquent comment:

“Oh my God” “That could allow people to imitate almost any company on the Net”

“assume that it was a nation-state attack that is persistent, very difficult to eradicate and very difficult to put your hands around, so you can’t tell where they went undetected.”

Why steal a certificate or attack a Certification Authority?
Let’s try to answer:

Malware production – Installing certain types of software may require that the code be digitally signed with a trusted certificate. Stealing the certificate of a trusted vendor reduces the chance that the malicious software is detected quickly. That is exactly what happened with the Stuxnet virus.

Economic frauds – A digital signature gives a warranty on who signed a document: you can decide whether you trust the person or company that signed the file and whether you trust the organization that issued the certificate. If a digital certificate is stolen, we suffer an identity theft; let’s imagine what the implications could be.

Some bots, as happened in banking with the Zeus malware, could be deployed to steal site certificates so that they can fool web browsers into thinking that a phishing site is a legitimate bank website.

Cyber warfare – Criminals or governments could use stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly tampered with and intercepted. That is, for example, what occurred in the DigiNotar case: companies like Facebook and Google, and also agencies like the CIA and MI6, were targeted in the Dutch government certificate hack.

We expect hard times …

Pierluigi Paganini


 
