Calum M. MacLeod, EMEA Director, Venafi: Has The VeriSign Certificate Authority Been Hacked?

February 2012 by Calum M. MacLeod, EMEA Director, Venafi

Yesterday evening, the news that VeriSign had been hacked in 2010 hit the newswires, and it seems that today in many organizations, CSOs and other senior security staff are being asked to explain to their executives the implications of this.

As reported in Reuters, “VeriSign Inc, the company in charge of delivering people safely to more than half the world’s websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company. The previously unreported breaches occurred in 2010 at the Reston, Virginia-based company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov.”

As you know, the VeriSign CA business was acquired by Symantec in August 2010. According to Reuters, “Ken Silva, who was VeriSign’s chief technology officer for three years until November 2010, said he had not learned of the intrusion until contacted by Reuters. Given the time elapsed since the attack and the vague language in the SEC filing, he said VeriSign ‘probably can’t draw an accurate assessment’ of the damage.”

In the same Reuters report, “Symantec spokeswoman Nicole Kenyon said ‘there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.’” This of course comes quickly on the heels of Symantec’s admission on January 17th that it had been the victim of a hack.

However, the statements from the then CTO of VeriSign and from the Symantec spokeswoman seem to me contradictory. I think the answer might be that no one knows for certain.

The U.S. Director of National Intelligence James Clapper has called the known certificate breaches of 2011 “a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking.” Additionally, VeriSign said it was a frequent subject of “the most sophisticated form of attacks,” including some that are “virtually impossible to anticipate and defend against.”

Already the question being asked by experts such as Mikko Hypponen is “whether the Verisign hackers created rogue code signing certificates for, you know, JMicron and Realtek?” In other words, the certificates used in attacks such as Stuxnet weren’t stolen from these companies but were instead generated by hackers, through a breach, using these companies’ details as a cover. I guess we’re unlikely to find out.

What this, if anything, should drive home to any organization is that everyone is a potential victim, and that Certificate Authorities are the focus of attacks. Ultimately it is not SSL that’s broken, but the management of SSL in large enterprises.

The compromise of a certificate authority (CA) can enable an attacker to generate fraudulent digital certificates, which the attacker can use in a variety of attacks against high-value business assets. Ultimately, enterprises might need to replace some or all certificates issued by the CA and even explicitly stop trusting the CA in order to protect themselves. To avoid significant security and operational risks, enterprises must have a plan in place for responding to a CA compromise, whether of an internal CA or of a Trusted Third Party. One “DigiNotar” is enough!
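As an added example (not part of the original article, and not Venafi's tooling), the two response steps named above in Go using only the standard library: identify which certificates in an inventory were signed by a given CA's key, and check whether a certificate still verifies once that CA is removed from the trust store. The CAs, certificates and host names are constructed test data, and the function names are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo-only: all inputs are constructed
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a constructed test cert: a self-signed root CA if parent == nil, else a leaf signed by parent.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // a failure here surfaces in CreateCertificate
	if parent == nil { // self-signed root: CA constraints, signs itself
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)))), key
}

// IssuedBy returns the inventory certificates whose signature verifies under ca's key,
// i.e. the set to reissue when ca is compromised (issuer-name matching alone cannot prove this).
func IssuedBy(ca *x509.Certificate, inventory ...*x509.Certificate) (out []*x509.Certificate) {
	for _, c := range inventory {
		if c.CheckSignatureFrom(ca) == nil {
			out = append(out, c)
		}
	}
	return out
}

// TrustedWith reports whether leaf chains to one of roots: what clients see after a CA is distrusted.
func TrustedWith(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```

Running IssuedBy against the compromised CA yields the replacement list; calling TrustedWith without that CA among the roots shows which of those certificates clients will reject once the CA is removed from their trust store.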
