VeriSign admits 2010 hack
The security company was hacked repeatedly in 2010, but the details are only now emerging, calling the CA system into question once again.


VeriSign's network was hacked repeatedly in 2010, but the company does not believe its DNS servers were hit.
The company, which is the registry operator for websites ending in .com, .net and .gov, admitted to the breaches in a quarterly US Securities and Exchange Commission filing in October, Reuters found.
If the VeriSign DNS network or Secure Sockets Layer (SSL) certificate data was compromised, it could have allowed hackers to pose as official websites and dupe users out of valuable data. They could, in theory, pose as a bank and harvest genuinely sensitive information.
Symantec, which bought VeriSign's SSL certificate business in 2010, said data relating to the acquired products was not stolen in the breach.
"Symantec takes the security and proper functionality of its solutions very seriously," a spokesperson told IT Pro.
"The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."
Ken Silva, who was VeriSign's chief technology officer until November 2010, said he did not know about the breach until contacted by Reuters. Furthermore, senior executives were not informed until September 2011.
"All in all, we need more details to see what exactly happened during those consecutive breaches and what data was actually stolen," said head of the Bitdefender Online Threats Lab, Catalin Cosoi, in a blog post.
"The worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit. This would potentially yield a huge level of data that could be exploited for financial gain. However, it's important to remember that a strong anti-phishing solution will keep you protected."
Hackers have been going after security firms in earnest in recent times. Certificate authorities (CAs) in particular have been targeted, because a compromised CA lets attackers pose as official web services.
When the CA DigiNotar was hit last year, the repercussions put it out of business.
"These targets are all trusted third-party providers of certificates, services, or secure tokens - technologies that are extensively used to authenticate and create trusted relationships on the internet and within organisations worldwide," said Jeff Hudson, CEO of certificate management company Venafi.
"The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped."
There are alternatives to the CA system, however. Noted researcher and now Twitter employee Moxie Marlinspike has proposed a model known as 'Convergence'.
Under the model, the user's browser receives the site's SSL certificate directly, then asks a number of independent "trust notaries" to fetch the same certificate from their own vantage points. Consensus among those notaries, rather than a single CA signature, is what authenticates the connection.
As an additional layer, the user routes the queries through a proxy notary, so the trust notaries never learn which user is asking.
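As an added illustration of the notary consensus described above (example code written for this article, not code from Convergence or its author), the Python below simulates a client fingerprinting the certificate it received, asking several trust notaries via a proxy notary whether they observed the same fingerprint, and accepting the connection only when an agreed number of notaries concur. The notary names, certificate bytes and threshold are constructed; the real protocol also encrypts each query to its target notary so the proxy cannot read it, which this sketch does not model.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate; what notaries and client compare."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Notary:
    name: str
    # Fingerprint this notary saw when it fetched each host's certificate from
    # its own network position (constructed values in the demo below).
    observed: dict = field(default_factory=dict)

    def verify(self, host: str, fp: str) -> bool:
        return self.observed.get(host) == fp


class ProxyNotary:
    """Relays a query to a target notary; the target only ever sees the proxy."""

    def __init__(self, name: str):
        self.name = name
        self.relayed = 0  # hypothetical counter, for demonstration only

    def bounce(self, target: Notary, host: str, fp: str) -> bool:
        self.relayed += 1
        return target.verify(host, fp)


def convergence_check(host, cert_der, notaries, proxy, threshold):
    """Accept the certificate only if at least `threshold` notaries agree."""
    fp = fingerprint(cert_der)
    votes = {n.name: proxy.bounce(n, host, fp) for n in notaries}
    return sum(votes.values()) >= threshold, votes


def demo():
    host = "example.test"  # constructed host name
    cert_real = b"CONSTRUCTED DER: certificate the site actually serves"
    cert_other = b"CONSTRUCTED DER: different certificate seen on one path"
    notaries = [
        Notary("notary-a", {host: fingerprint(cert_real)}),
        Notary("notary-b", {host: fingerprint(cert_real)}),
        Notary("notary-c", {host: fingerprint(cert_other)}),  # disagrees
    ]
    proxy = ProxyNotary("proxy-notary")
    ok_real, _ = convergence_check(host, cert_real, notaries, proxy, threshold=2)
    ok_other, _ = convergence_check(host, cert_other, notaries, proxy, threshold=2)
    return ok_real, ok_other, proxy.relayed
```

Raising `threshold` to the number of notaries gives Convergence's strict "consensus" behaviour, where a single dissenting notary is enough to block the connection.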
Read on for our look at whether the CA system can survive.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.