Report Reveals VeriSign Was Repeatedly Hacked In 2010

VeriSign was targeted multiple times by hackers in 2010, according to a report filed by the company last October with the US Securities and Exchange Commission.

The company, which manages network infrastructure for more than half the world’s websites, did not reveal any details of what information was taken or potential culprits.

Executive denial

Executives at VeriSign told Reuters that they did “not believe these attacks breached servers that support out Domain Name System network”. Had hackers breached into the DNS network, which directs internet browsers to the correct site, they would have been able to instead direct people to spoofed sites and from there obtained more sensitive data.

Ken Silva, VeriSign’s chief technology officer until November 2010, claimed he was unaware of the breach until Reuters approached him for comment and suggested that the company would not be able to draw “an accurate assessment” of the extent of the breach. The filing also claims that no members of senior management were aware of the attacks until September 2011.

“The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks,” said the SEC report from November 2011.

“However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

In 2010, VeriSign sold its authentication business to Symantec, including Secure Sockets Layer certificates (SSL) which are identified by browsers to confirm the authenticity of a website. Fears about whether the hacks on VeriSign also targeted SSL certificates were quashed by Symantec, who said: “The Trust Services (SSL), User Authentication (VIP) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign quarterly filing”.