VeriSign repeatedly hacked in 2010

“Oh my God,” said Stewart Baker, former assistant secretary of the Department of Homeland Security, according to Reuters. “That could allow people to imitate almost any company on the Net.”

One of the most disturbing elements to emerge is that not only did VeriSign fail to disclose these attacks to the public, it didn’t even tell its own senior managers. Ken Silva, who was VeriSign's chief technology officer for most of 2010, said that “he had not learned of the intrusion until contacted by Reuters.” 

VeriSign finally spoke publicly yesterday in declaring that “we do not believe that the operational integrity of the Domain Name System (DNS) was compromised.” But its SEC filing states that “although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

Symantec, which acquired parts of the original VeriSign during 2010 and kept the brand name, declared that “Trust Services (SSL), User Authentication (VIP, PKI, FDS), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.” It goes on to add that the VeriSign breaches do not affect the SSL business it acquired, and that “SSL, or HTTPS encryption, remains today as the most secure method to protect online data in transit.” Symantec doesn’t indicate whether the due diligence process of the acquisition disclosed the breaches at the time.

“This breach,” reports Reuters quoting Melissa Hathaway, a former intelligence official who led U.S. President Barack Obama's cybersecurity policy review, “along with the RSA breach, puts the authentication mechanisms that are currently being used by businesses at risk. There appears to be a structured process of hunting those who provide authentication services.”

“The hack of VeriSign echoes 2011 attacks against certificate registrars Comodo and DigiNotar, both of which appeared to be executed by – or on behalf of – one or more nation states,” reports InformationWeek; but Graham Cluley of Sophos urges caution. “Inevitably,” he says, “there will be speculation that the attack could have been sponsored by a foreign state - but with the level of information shared so far it's simply impossible to say.”

“We expect these attacks,” comments Rob Rachwald of Imperva talking about Comodo, DigiNotar, RSA and VeriSign, “to reach a tipping point in 2012 which, in turn, will invoke a serious discussion about real alternatives for secure web communications. The VeriSign attack highlights that the tipping point may have actually arrived in 2011.”

The bottom line, however, is that “the worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit,” explains Catalin Cosoi, global research director at BitDefender. “This would potentially yield a huge level of data that could be exploited for financial gain. However, it’s important to remember that a strong anti-phishing solution will keep you protected.”