Verisign deep-hacked. For months.

Oh, my.

-- jra

I love this

VeriSign said its executives "do not believe these attacks breached the
servers that support our Domain Name System network,"

"Oh my God," said Stewart Baker, former assistant secretary of the
Department of Homeland Security and before that the top lawyer at the
National Security Agency. "That could allow people to imitate almost any
company on the Net."

Sounds like another opportunity for <insert congress person> to propose


So what part of VRSN got broken into? They do a lot more than just DNS.

Indeed, VeriSign owns Illuminet, who are mission-critical for POTS.
Illuminet is also in the business of recording telephone calls, SMS
messages, etc. for law enforcement.

That means that a "breach" at "VeriSign" could be nothing, or it could
give bad guys access to a lot more than any breach or leak reported to
date. Who knows?

That part is ambiguous at the moment since Verisign has not released
details. Symantec has bought the SSL part of the business and claim that
the SSL acquired network is not compromised. Sounds like lots of
assumptions being drawn.


See my new blog entry:

World notices that Verisign said three months ago that they had a
security breach two years ago


i thought news was only supposed to be at eleven


Shea and Wilson would be proud.

-- jr 'and somewhere, an evil geek is dry-washing his hands' a

Wasn't this division acquired by TNS ?


I am thinking it is related to the Chinese hacking of Gmail accounts in the
fall of 2010. Symantic acquired the SSL business in August 2010. The
hacking could have been in the spring for all we know. Google uses Thwate
as it's CA, but Thwate has "Builtin Object Token: Verisign Class 3 Public
Primary Certificate Authority" as it's root.

Seems to me part of the problem was traced back to browsers not checking
revoked certs via the browser CRLs. Didn't some in the chain have revoked
certs still installed?