[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
- To: Kyle Creyts <kyle.creyts@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Key Internet operator VeriSign hit by hackers [DNS]
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Thu, 2 Feb 2012 23:15:58 -0500
On Thu, Feb 2, 2012 at 11:10 PM, Kyle Creyts <kyle.creyts@xxxxxxxxx> wrote:
> "Management was informed of the incident in September 2011" pg 33, sect 2
As I said: Alarming.
> Further, there is no mention of risk potential for the SSL business
> whatsoever, despite numerous mentions of risk factors for the Registry
> Services business, not related to this attack.
I was born at night, but not last night.
> While nothing is "safe" to assume, I would say that suggesting that
> this description of the incident describes an attack on tangential,
> unmentioned businesses operated by the same organization may be a bit
> of a reach.
Pure science fiction, I'm sure.
Jeff
> On Thu, Feb 2, 2012 at 10:42 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>> On Thu, Feb 2, 2012 at 10:37 PM, Kyle Creyts <kyle.creyts@xxxxxxxxx> wrote:
>>> This is at least a year and a half old. Please, don't republish "news"
>>> that should have never been reprinted. I'm not sure who would have
>>> allowed this tripe to be syndicated...
>> Actually, it was just released in Verisign's 10-Q
>> (https://investor.verisign.com/secfiling.cfm?filingID=1193125-11-285850&CIK=1014473).
>> Otherwise, without the SEC changes, it probably never would have seen
>> the light of day.
>>
>> And this is alarming: "Ken Silva, who was VeriSign's chief technology
>> officer for three years until November 2010, said he had not learned
>> of the intrusion until contacted by Reuters. Given the time elapsed
>> since the attack and the vague language in the SEC filing, he said
>> VeriSign "probably can't draw an accurate assessment" of the damage."
>>
>> Remember, this company runs a CA. I can't wait to see aggregate data
>> on CA breaches next year (its being collected now by EFF, et al).
>>
>> Jeff
>>
>>> On Thu, Feb 2, 2012 at 2:49 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>>>> http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202
>>>> http://www.msnbc.msn.com/id/46238729/ns/technology_and_science-security/
>>>>
>>>> (Reuters) - VeriSign Inc, the company in charge of delivering people
>>>> safely to more than half the world's websites, has been hacked
>>>> repeatedly by outsiders who stole undisclosed information from the
>>>> leading Internet infrastructure company.
>>>>
>>>> The previously unreported breaches occurred in 2010 at the Reston,
>>>> Virginia-based company, which is ultimately responsible for the
>>>> integrity of Web addresses ending in .com, .net and .gov.
>>>> ...
>>>>
>>>> The VeriSign attacks were revealed in a quarterly U.S. Securities and
>>>> Exchange Commission filing in October that followed new guidelines on
>>>> reporting security breaches to investors. It was the most striking
>>>> disclosure to emerge in a review by Reuters of more than 2,000
>>>> documents mentioning breach risks since the SEC guidance was
>>>> published.
>>>> ...
>
>
>
> --
> Kyle Creyts
>
> Information Assurance Professional
> BSidesDetroit Organizer
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/