VeriSign Breached – Who Can You Trust Redux
February 2, 2012
It was reported by Reuters today (“Key Internet operator VeriSign hit by hackers“) that VeriSign has disclosed that the company was hacked in 2010. This is significant at many levels.
First, VeriSign essentially handles the credentials for over half of all Web sites, specifically sites ending in .com, .net and .gov. VeriSign executives could only say that they “do not believe” that the critical domain name services were compromised, leading many to speculate that VeriSign does not yet know the extent of the breach. And even if the domain name services were not compromised, compromise of any of VeriSign’s other services could still represent significant risk to a very large number of companies and government agencies.
Given that VeriSign has not been forthcoming with details and frankly does not seem to know yet the full extent of the breach, the security of an enormous number of Web sites is in question this morning. I am not sure that this can be overstated. Depending on what we learn about this breach, the tectonic plates of online security may have just shifted significantly.
Second, the VeriSign breach is a huge blow to the topic of trust on the Internet (see the blog post “Certificate Authorities Hacked – So Who Can You Trust?“). This trust was already significantly impacted by the RSA breach last year and the compromise of several certificate authorities (CAs) such as DigiNotar. But the aggregate effect of these breaches, in my opinion, is dwarfed by a compromise of VeriSign. Consider that the “s” in “https” is based on Secure Sockets Layer (SSL) certificates, the majority of which are issued by VeriSign. Suddenly the ubiquitous lock icon and green indicator of web site trust do not feel so secure and trustworthy. The past months have been filled with questions about the trustworthiness of SSL, and this breach will pour gasoline on that fire. In a broader sense, the article points out that the RSA and VeriSign attacks are designed to undermine the fundamental underpinnings of authentication. This puts all transactions – business, government, personal – at risk.
Third, the VeriSign breach came to light in a 10-Q filing with the SEC that listed the breach in accordance with the new SEC guidance on breach disclosure. Reuters did a search of such disclosures and found the VeriSign admission. Without the SEC guidance, this breach may never have come to light, and the companies that trust the integrity of VeriSign’s services would never have known. I draw the conclusion that there was no communication from VeriSign to its customers, given that the CTO of VeriSign at the time of the breach learned about the problem from Reuters.
The potential impact of this breach could make this event the tipping point in the call for stricter guidance and perhaps even legislative action in regard to breach disclosure (see “Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement“). Proponents will have a field day with the idea that VeriSign may never have disclosed the breach without the SEC guidance. But opponents of such action will also use the event as an argument against it. The article intimates that the breach is a persistent attack done by a nation-state, or an Advanced Persistent Threat attack. Such an attack at a company such as VeriSign has far-reaching impact on national security, so there are those who would not want the attack disclosed before there was reasonable time to perform analysis, attribution, and potentially launch a counter attack. Mix this attack in with a presidential election year and I predict the skies will darken with calls and counter arguments for legislation.
Fourth, this event may finally take many over the emotional hump of clinging to the hope that 100% prevention is still possible (see “The Emotional Barriers to Embracing the Presumption of Breach Doctrine“). The article quotes security consultant Dmitri Alperovitch as saying “prevention is futile”. Those who have clung doggedly to prevention in the face of mounting evidence will find it hard to continue to do so. It is okay. Those of us who have already accepted the inevitable are here, waiting for you without judgement. Just let go.
Fifth, I will have much more to say about this subject, but notice that although the breach happened in 2010, VeriSign still does not know the extent of the damage. There were even intimations that they may not have completely eradicated the adversary from their systems. This is proof of my ongoing statement that organizations are not equipped to detect, analyze, and respond to breaches. Trust me when I say I have much more to say on this topic in the very near term.
Watching this story unfold should prove to be quite interesting. Quite interesting.