Verisign, the Internet security company responsible for management of the .COM domain, told federal regulators that it was the victim of several successful attacks in 2010, but that those incidents were not reported to the company’s management until September, 2011. The news was first reported by Reuters.
The disclosure came in a 10-Q quarterly filing with the Securities and Exchange Commission (SEC) in October. Few details are known about the incident at Verisign, which manages key components of the domain name system (DNS) – including the .COM top level domain (or TLD), the ultimate source of information that maps numeric Internet Protocol (IP) addresses to the text addresses that most Internet users rely on. The extent of the breach is not known, but Verisign said it does not believe that the attackers breached servers that support DNS. The incident follows other high profile attacks on firms that help secure online identities, including certificate authorities Diginotar and Comodo.
The disclosure is in response to new SEC guidelines for companies that have experienced security breaches. In it, Verisign says that it experienced “security breaches in the corporate network in 2010 which were not sufficiently reported to Management.” The attacks gave the unknown assailants “access to information on a small portion of our computers and servers,” and that data was ferried out of the company, Verisign said. “We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network,” the 10-Q states.
According to the filing, the Company’s information security group became aware of the attacks shortly after they occurred and “implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks.”
VeriSign getting attacked isn’t surprising, said Anup Ghosh, Research Professor and Chief Scientist in the Center for Secure Information Systems (CSIS) at George Mason University. “Every Fortune 500 (company) gets targeted,’ he said. However, that will change if it turns out that either the .COM TLD or if the attack was aimed at VeriSign’s certificate authority business, akin to the attacks on other CAs.Unlike the Dutch firm Diginotar, which was forced out of business by a compromise of its root CA, VeriSign would likely be too big to fail – to borrow a term from the bailout of banks in the U.S.
Ghosh said that the incident is more evidence that legacy security tools just aren’t working.
“Verasign is buying the products available, but they are being let down by the security community,” said Ghosh, who is also the CEO of the security firm Invincea, which sells Web browser protection technology.
The reasons for the delay in disclosure of the attacks isn’t known. VeriSign sold its security business to Symantec Corp. in May, 2010. It is unclear whether the company knew of the breach prior to that sale.
