Company buried fact of 2010 incidents involving its Internet domain service in a fall 2011 financial filing, which came to light only this week
In October 2011, Internet infrastructure firm VeriSign released its usual quarterly report. Buried in the 50-page filing to the SEC was the revelation that the company had been breached multiple times the previous year.
The incidents came to light only today, when news service Reuters found the information during an investigation of whether public companies were disclosing breach incidents in their financial statements. VeriSign's account of the incidents carried few details, and the company refused additional comment.
In the filing, VeriSign stated, "In 2010, the company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our DNS (Domain Name System) network."
VeriSign manages the Domain Name System for the .com and .net top-level domains, as well as the .name, .cc, and .tv domains. In addition, at the time of the attacks, the company sold and managed a large digital signature service, selling SSL and EV (extended validation) signatures that are used to secure websites and email and to sign code. The Internet security business unit was sold to Symantec in 2010.
Although the announcement comes after the revelation of breaches in 2011 of other Internet infrastructure firms -- such as the now-defunct DigiNotar, rival Comodo, and security giant RSA -- the VeriSign hacks occurred months before those breaches. If VeriSign had disclosed the attacks in 2010, Comodo and other hacked firms might have been able to improve their own security in time to detect the attacks they experienced in 2011, said Melih Abdulhayoglu, Comodo's CEO.
"We would have been on a higher alert, it would have changed a lot of things," Abdulhayoglu noted. "I'm sure that other CAs [certificate authorities] would have taken the hint and done something about it."
http://www.infoworld.com/t/cyber-crime/ ... ils-185617
CISSP, MCSE, CSTA, Security+ SME