Editor's note: at the request of Symantec, some minor adjustments were made by the author to the following text.
(Translated from the original Italian)
There is no peace in cyberspace: day after day we read that the computer systems of major corporations and governments have been compromised by repeated cyber attacks.
This time it was the prestigious VeriSign, a name that in our minds we link to the concept of “strong security”, but we are learning that the idea of total security is just a utopia.
The company's products are designed to defend users' websites from attacks and from the interception and hijacking of their traffic.
Once more the situation is really serious: a company that offers security services for authentication has been breached repeatedly by hackers, who stole undisclosed information from its internal infrastructure.
After the Symantec case, another company whose primary business is security now demonstrates how dangerous the new cyber threats are, and how burdensome their impact is under the current economic picture.
The news of the VeriSign attacks was revealed in a quarterly U.S. Securities and Exchange Commission (SEC) filing in October. But what is puzzling, in my opinion, is that the ex-CIO Ken Silva, in charge for three years until November 2010, said he had not learned of the intrusion until contacted by Reuters.
The SEC Form 10-Q made clear that security staff at VeriSign had immediately responded to the attacks, but had failed to alert top management until September 2011.
"In written Senate testimony on Tuesday, U.S. Director of National Intelligence James Clapper called the known certificate breaches of 2011 'a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking.' Others have said SSL as a whole is no longer trustworthy and effective."
Since Q2 2010, Verisign Inc., the company that issued the SEC filing, has no longer been associated with authentication or SSL certificates; in fact, following the product rebranding, Symantec actually owns and runs the authentication business.
It is curious that in Q2 2010 VeriSign sold the business unit that manages the authentication services to Symantec Corp, which has kept the VeriSign brand name on those products, and which immediately sought to distance itself through a statement by spokesperson Nicole Kenyon:
"There is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems. Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing. Also, Verisign Inc., the company who issued the SEC filing, is no longer associated with authentication or SSL certificates."
In this specific case, several attacks were successfully conducted against VeriSign, with the first one occurring in 2010 at the Reston, Virginia-based firm, according to a report by Reuters.
The unit is responsible for verifying the integrity of top-level domains including all .gov, .com and .net addresses, and is also one of the main providers of the Secure Sockets Layer (SSL) authentication certificates used by most financial sites to ensure their legitimacy.
VeriSign holds sensitive information on a large number of customers, and its registry services, which dispense website addresses, would be a desirable target.
By now we have a clear idea of how important certificates are within a PKI and why Certificate Authorities have been subject to constant attacks: at stake is more than the survival of a protocol or a technology company; most of the communications infrastructure of governments and of the world's leading institutions is based on these services.
VeriSign's officials have declared that they "do not believe these attacks breached the servers that support our Domain Name System network", but in light of what happened recently it is natural to have many doubts about the statements provided.
The situation is embarrassing and dangerous, as VeriSign's systems receive more than 50 billion queries daily.
Impairment of these mechanisms could lead to requests being redirected to bogus sites, with serious consequences, and not just that: compromise of the trust model itself raises the risk that emails and confidential documents passing through communication channels are intercepted.
Eloquent commentary was offered by Stewart Baker, former assistant secretary of the Department of Homeland Security and previously the top lawyer at the National Security Agency:
"Oh my God... That could allow people to imitate almost any company on the Net... Assume that it was a nation-state attack that is persistent, very difficult to eradicate and very difficult to put your hands around, so you can't tell where they went undetected."
Why steal a certificate or attack a Certification Authority? Let's try to answer:
Malware production - Installing certain types of software can require that the code be digitally signed with a trusted certificate. Stealing a trusted vendor's certificate reduces the chance that malicious software is detected quickly. That is exactly what happened with the Stuxnet virus.
Economic fraud - A digital signature gives a warranty on who signed a document: you can decide whether you trust the person or company that signed the file, and whether you trust the organization that issued the certificate. If a digital certificate is stolen, we suffer a kind of identity theft; just imagine what the implications could be.
Some bots, like the Zeus banking malware, could be deployed to steal site certificates so that they can fool web browsers into thinking that a phishing site is a legitimate bank website.
Cyber warfare - Criminals or governments could use stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being secretly tampered with and intercepted. That is, for example, what occurred in the DigiNotar case, in which companies like Facebook and Google, and agencies like the CIA and MI6, were targeted in the certificate hack.
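The man-in-the-middle scenario in the last point rests on one property of the PKI trust model: a browser accepts a certificate for a hostname as long as it chains to any root in its trust store, so a certificate issued by a compromised or rogue CA is indistinguishable, to chain validation, from the legitimate one. The Go program below, added here as an example and not taken from Security Affairs, VeriSign or Symantec, builds two self-signed root CAs, has each issue a certificate for the same hostname, and shows that standard chain validation accepts both while a public-key (SPKI) pin recorded for the legitimate server rejects the rogue certificate. The CA names, the hostname bank.example, all keys and every type and function name are the example's own constructions; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate together with the private key that controls it.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// check aborts on a setup failure (key generation, signing); acceptable for a demo.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, parent *Entity, isCA bool) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else { // a TLS server certificate for the hostname cn
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := &Entity{Cert: tmpl, Key: key} // self-signed unless a parent is given
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Entity{Cert: cert, Key: key}
}

// ChainValid is what a browser does: accept the leaf if it chains to ANY root in the
// trust store and names dnsName. It cannot tell a legitimate issuer from a compromised one.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the value public-key pinning
// compares. It depends on the server's own key, not on who issued the certificate.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Outcome records what chain validation and pinning decide for each certificate.
type Outcome struct {
	LegitChainOK, RogueChainOK bool
	LegitPinOK, RoguePinOK     bool
}

// RunScenario builds two trusted roots, one "compromised", and compares the two checks.
func RunScenario() Outcome {
	legitCA := issue("Legitimate Root CA (constructed)", nil, true)
	rogueCA := issue("Compromised Root CA (constructed)", nil, true)
	const host = "bank.example" // constructed hostname
	legit := issue(host, legitCA, false)
	rogue := issue(host, rogueCA, false) // what the holder of the compromised CA can mint
	roots := x509.NewCertPool()
	roots.AddCert(legitCA.Cert)
	roots.AddCert(rogueCA.Cert) // a trust store holds many roots; all rank equal
	pin := SPKIPin(legit.Cert)  // recorded out of band, e.g. on first contact
	return Outcome{
		LegitChainOK: ChainValid(legit.Cert, roots, host),
		RogueChainOK: ChainValid(rogue.Cert, roots, host),
		LegitPinOK:   SPKIPin(legit.Cert) == pin,
		RoguePinOK:   SPKIPin(rogue.Cert) == pin,
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("chain validation: legitimate=%v rogue=%v\n", o.LegitChainOK, o.RogueChainOK)
	fmt.Printf("SPKI pin check:   legitimate=%v rogue=%v\n", o.LegitPinOK, o.RoguePinOK)
}
```

Run it with `go run`: the first line shows both certificates passing chain validation, the second shows the pin accepting only the legitimate one. Pinning is a mitigation for exactly this failure mode (a pinned Google domain in a user's browser is how the fraudulent DigiNotar certificate was first noticed); its cost is that a legitimate key rotation also breaks the pin unless a backup pin is published alongside it.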
We expect hard times...
Cross-posted from Security Affairs