My Bitdefender
  • 0 Shopping Cart

Bitdefender Blog

VeriSign Breach May Shatter Enterprise Trust

by Catalin Cosoi, on 02 February 2012

“The Company as an operator of critical infrastructure is frequently targeted and experiences a high rate of attacks. These include the most sophisticated form of attacks, such as APT (advanced persistent threats) attacks and zero-hour threats, which means that the threat is not compiled until the moment it is launched, making these attacks virtually impossible to anticipate and defend against.”

According to an article by Joseph Menn on Reuters, VeriSign Inc was repeatedly hacked back in 2010.

The details can be found in the U.S. Securities and Exchange Commission filing in October 2011, when Verisign said that in 2010, “the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network.”

It is reassuring that there was not a breach of the servers that support their DNS (which ensures people land at the right numeric Internet Protocol address when they type in a specific URL and which processes as many as 50 billion queries per day), but not ruling it out completely and leaving enough place for doubt means that we still need to wait for a complete assessment of the incidents.

In written Senate testimony on Tuesday, U.S. Director of National Intelligence James Clapper called the known certificate breaches of 2011 "a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking." Why? Because if the SSL process were corrupted, you could easily create a Bank of America certificate that will be trusted by every browser in the world, raising phishing attacks to whole new level.

Taking the example of Stuxnet (discovered in June 2010), we know stolen certificates have been used in time to spread sophisticated malicious software. A valid digital signature is a crucial requirement of 64-bit operating systems whenever a critical piece of software (such as a kernel-mode driver - or rootkit, to be more specific) tries to install itself. It is estimated that the antivirus industry discovered it more than one year after it started infecting PCs just because the rootkit had been vouched for as legit by a valid digital certificate.

The same report also states that: “The Company as an operator of critical infrastructure is frequently targeted and experiences a high rate of attacks. These include the most sophisticated form of attacks, such as APT (advanced persistent threats) attacks and zero-hour threats, which means that the threat is not compiled until the moment it is launched, making these attacks virtually impossible to anticipate and defend against.

The last sentence is probably the most scary. VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites. A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems.

It’s also worth remembering that this already happened to DigiNotar last year. Fake certificates were issued and used by cybercrooks to impersonate Gmail and other critical services. What's worrying is that the attackers could have generated valid software signing certificates for smaller, less-known companies and use them to sign malware. By the time VeriSign realizes that the respective company did not request the certificate, some nasty rootkits could be long since in the wild.

DigiNotar went bankrupt in less than one month after grasping the extent of the breach. The implications of a hack against the world’s most important enterprise trust seller are yet to be determined.

All in all, we need more details to see what exactly happened during those consecutive breaches and what data was actually stolen. While we were considering that hacking large corporations initially started in Jan 2011, with the HBGary breach, its now apparent the trend goes back further. Even though the VeriSign incidents happened back in 2010, they were not reported to management in 2011.

To conclude, the worst case scenario would be several phishing attacks with valid certificates that browsers will render as legit. This would potentially yield a huge level of data that could be exploited for financial gain. However, its important to remember that a strong antiphishing solution will keep you protected.

Catalin Cosoi

Chief Security Researcher

Daily "Did you know?"

On July 31, 2008, the Koobface computer worm started to target users of Facebook and MySpace; and new variants still constantly appear.

Authors

  • Bitdefender Security Specialists
    Bitdefender Labs
  • Catalin Cosoi
    Chief Security Researcher
  • Dan Lowe
    Dan Lowe, an OEM Senior Marketing Manager, has been working with Bitdefender for the last 3 ½ years. His familiarity with multiple security products from Firewalls to Antivirus has provided him a unique perspective on the security industry.
  • Ligia Adam
    Security Evangelist and Social Media Professional
  • Loredana Botezatu
    Loredana Botezatu – E-threat Analyst – Loredana has been writing about the IT world and e-security for well over five years. She has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

Categories

HOTforSecurity