In October 2011, Internet infrastructure firm VeriSign released its usual quarterly report. Buried in the 50-page filing to the SEC was the revelation that the company had been breached multiple times the previous year.
The incidents came to light only today, when news service Reuters found the information during an investigation of whether public companies were disclosing breach incidents in their financial statements. VeriSign’s account of the incidents carried few details, and the company refused additional comment.
In the filing, VeriSign stated, “In 2010, the company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our DNS (Domain Name System) network.”
VeriSign manages the Domain Name System for the .com and .net top-level domains, as well as the .name, .cc, and .tv domains. In addition, at the time of the attacks, the company sold and managed a large digital signature service, selling SSL and EV (extended validation) signatures that are used to secure websites and email and to sign code. The Internet security business unit was sold to Symantec in 2010.
Although the announcement comes after the revelation of breaches in 2011 of other Internet infrastructure firms — such as the now-defunct DigiNotar, rival Comodo, and security giant RSA — the VeriSign hacks occurred months before those breaches. If VeriSign had disclosed the attacks in 2010, Comodo and other hacked firms might have been able to improve their own security in time to detect the attacks they experienced in 2011, said Melih Abdulhayoglu, Comodo’s CEO.
“We would have been on a higher alert, it would have changed a lot of things,” Abdulhayoglu noted. “I’m sure that other CAs [certificate authorities] would have taken the hint and done something about it.”
With the breach of DigiNotar and Comodo, attackers gained the ability to issue valid digital signatures, undermining the security used to authenticate code, websites, and email. In the Comodo breach, the attackers issued fewer than a dozen signatures for major domains and were caught quickly. In the DigiNotar incident, attackers issued many more signatures and were not immediately caught.
Symantec, which bought VeriSign’s certificate authority division in 2010, stated that the attacks did not impact those services: “The trust services, user authentication, and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in theVeriSign quarterly filing.”