VeriSign left executives and the public in the dark about breaches

VeriSign left executives and the public in the dark about breaches. (IMG: S.Ragan)

The company that still maintains a large footprint in the Internet’s SSL market, and controls the root DNS for the .com, .net, and .gov domain space, was repeatedly attacked in 2010, resulting in at least one successful breach. Only, according to their statements to the SEC, those investigating the breach told no one, including the public and top company executives.

VeriSign’s security woes came to light after Reuters discovered them in a quarterly 10-Q filing with the U.S. Securities and Exchange Commission (SEC). Last October, the SEC released guidance to public corporations urging better disclosure when it comes to security incidents and investment risks.

While there are no disclosure requirements on the books that mention cybersecurity, registered companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” the SEC said.

According to the 10-Q filing, there were several attacks to VeriSign’s network in 2010, none of which were disclosed to the public. While the company does not believe that the root DNS servers were breached, they did confirm that information stored on the compromised corporate systems was exfiltrated. They did not disclose what the compromised data consisted of.

To make matters worse, the internal investigators applied “remedial measures” to address the problem, and withheld information about the incident from top executives. On top of that, the measures that were put in to place might not be enough to prevent similar attacks, the filing stated.

“The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area,” the 10-Q outlines.

Commenting on the incident and subsequent disclosure, the CMO of LogLogic, Mandeep Khera, told The Tech Herald that the revelation was scary, because not only was VeriSign breached repeatedly, but their entire process broke down.

“Senior management wasn’t notified for a long time and the breach wasn’t disclosed publicly. This reinforces the point that most companies still have a very weak security infrastructure,” Khera said.

“If security companies like VeriSign can be breached repeatedly, you have to wonder what’s going on with all the other companies in the world. What’s also interesting is that breach notification regulations are bypassed in these cases, because senior management weren’t in the loop.”

For their part, VeriSign followed the SEC’s disclosure recommendations and acknowledged that the breach poses a risk to the company and investors.

“We retain certain customer information in our secure data centers and various registration systems. It is critical to our business strategy that our facilities and infrastructure remain secure and are perceived by the marketplace to be secure,” the 10-Q said.

“Despite our security measures, our infrastructure may be vulnerable to physical break-ins, computer viruses, attacks by hackers or nefarious actors or similar disruptive problems,” the company added.

If that were to happen, investors are warned, VeriSign could face “significant liability” and “customers could be reluctant to use our services.” Moreover, this type of situation “could adversely affect our reputation and harm our business.”

Perhaps they remained silent for that very reason, but in truth, no one will ever know why the internal IT staff dealing with the incident remained silent and didn’t bother to inform people internally, let alone the public.

Last year, after the attacks on Comodo and DigiNotar, it was assumed VeriSign walked away unharmed, and their SSL divisions wasted no time publicizing this and using it for sales pitches and marketing.

As it turns out, the only reason the public thought they were unharmed by the rash of large-scale attacks against major companies was that they withheld the information. In reality, VeriSign was the first, followed by DigiNotar, and then Comodo.

“This shouldn't surprise anyone,” said Rob Rachwald, director of security strategy at Imperva.

“We are seeing a rise in attacks which target the worldwide infrastructure that supports SSL. We expect these attacks to reach a tipping point in 2012, which, in turn, will invoke a serious discussion about real alternatives for secure web communications. The VeriSign attack highlights that the tipping point may have actually arrived in 2011.”

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.