VeriSign Was Repeatedly Hit by Hackers in 2010

HardOCP News

Dear [insert hacked company]:

No one believes any statement you make two years after the fact. Stating that company execs "do not believe" the attacks breached servers with critical information tells us they simply have no clue as to the extent of the damage.

Sincerely, The General Public

"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net." The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors.
 
Imagine the fun a hacker would have if he managed to both change the DNS entry for a bank and generate a fake SSL certificate.

One use would be to construct a proxy server that relays all the online banking sessions while recording usernames and passwords.

I call for ICANN to immediately suspend VeriSign's ownership of .com/net/org if they cannot be trusted to responsibly notify the public and/or governments/police about serious breaches of their security.
 
You'd really think everyone would have learned from the incident with Sony on how NOT to handle announcing security breaches.

If they want to pick a company to properly emulate, they should pick LastPass and how they reacted when they believed but weren't even 100% sure their servers were breached. They shut everything down, forced everyone into offline mode, made everyone change their passwords by default (you could opt out of it if you were particularly brave) and changed the encryption algorithms going forward.

They responded so well that I still use LastPass despite the possible breach they may have suffered. That's how you should react to it. Absolutely overboard paranoia.
 
Fuck it. If they just hit a dns server, the horror that would ensue is enough.
 
Some day someone is going to figure out how to do something like that and then it's really going to get ugly. I'm just concerned about a false flag super-hack like that happening just prior to some politician pushing a bill for massive government control on the internet "so that it never happens again". That's all it will take, and I wouldn't be surprised if some bureaucrat doesn't already have this kind of "emergency" legislation sitting in a file drawer already drafted up, waiting for such an occasion to present itself.
 
Ummm...that was figured out. In fact, this was news about 6 years ago. People have already been duped by pass through sites and fake certificates ever since the German group used a PS3 farm to hack SSL certificate security.
 
Steve Gibson recently talked about switching over from VeriSign to DigiCert.

I followed through with switching my SSL certificates throughout the entire site from VeriSign over to DigiCert. And the experience was spectacular. I am so glad to be with DigiCert now. I mean, I'm saving money. http://www.grc.com/sn/sn-332.htm

first of all, no one is more expensive than VeriSign. And only people who use VeriSign are going to be big guys. I mean, I've been there until now. I'm just not willing to pay that money for the benefit of extended validation. I want extended validation, but not at VeriSign's prices. So, but IBM and, I mean, I don't know who uses VeriSign. But someone certainly does. http://www.grc.com/sn/sn-331.htm

It is VeriSign that I have often and almost constantly talked about as having amazingly expensive certs, and that I intend to go over to DigiCert because, thanks to the Certificate Patrol add-on on Firefox, I saw that Facebook was using DigiCert, and a number of other very high-profile sites, so my feeling was, if they can, I can, too. http://www.grc.com/sn/sn-312.htm
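A Certificate Patrol-style check, added here as an example and not code from this thread or from any product mentioned in it: it compares the certificate a site presents (in the dict form Python's ssl.getpeercert() returns) against a pinned issuer and SHA-256 fingerprint, so a change of issuing CA is flagged separately from a routine renewal. The host name, the PINNED table and its values are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed pin store: issuer organization and leaf fingerprint recorded the
# last time this site's certificate was accepted. Values are placeholders.
PINNED = {
    "bank.example": {"issuer_org": "Example Old CA", "sha256": "aa" * 32},
}


def fingerprint(der_bytes):
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def issuer_org(cert):
    """organizationName from an ssl.getpeercert()-style issuer RDN tuple."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_cert(host, cert, der_bytes, pinned=PINNED):
    """Classify a presented certificate against the pin for host.

    Returns (status, detail); status is 'new' (nothing pinned yet), 'ok',
    'issuer-changed' (a different CA signed it; the stronger signal) or
    'cert-changed' (same CA, new leaf, e.g. a renewal).
    """
    fp = fingerprint(der_bytes)
    pin = pinned.get(host)
    if pin is None:
        return "new", fp
    org = issuer_org(cert)
    if org != pin["issuer_org"]:
        return "issuer-changed", f"{pin['issuer_org']} -> {org}"
    if fp != pin["sha256"]:
        return "cert-changed", fp
    return "ok", fp


def fetch_cert(host, port=443):
    """Fetch a live host's leaf certificate as (parsed dict, DER bytes)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "bank.example"
    print(host, *check_cert(host, *fetch_cert(host)))
```

Seed the pin store from a first trusted observation; the interesting alert in the context of a CA compromise is 'issuer-changed' on a domain whose CA you have no reason to expect to change.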
 