Home / Blogs

World Notices That Verisign Said Three Months Ago That They Had a Security Breach Two Years Ago

John Levine

The trade press is abuzz today with reports about a security breach at Verisign. While a security breach at the company that runs .COM, .NET, and does the mechanical parts of managing the DNS root is interesting, this shouldn't be news, at least, not now.

Since Verisign is a public company, they file a financial report called a 10-Q with the SEC every quarter. According to the SEC's web site, Verisign filed their 10-Q for June through September 2011 on October 28th. where it's been available to the public ever since.
Like every other 10-Q, it has a Risk Factors section which lists all the reasons that the company might fail, so don't sue us. Normally those sections are pretty routine, key employees might quit, customers might desert us, key contracts might not be renewed, that sort of stuff. But this 10-Q contained this bit:

We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network. Information stored on the compromised corporate systems was exfiltrated. The Company's information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future. The occurrences of the attacks were not sufficiently reported to the Company's management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company's disclosure controls and procedures in this area.

Apparently nobody got around to reading it until today, at least nobody who understands the business well enough to know what it means.

All the press reports I've seen just regurgitate that paragraph, adding a few quotes from people close to Verisign who all said they didn't know about it either, and security types who told us that it's an enormous big deal. (Now that you've read the paragraph, you're as qualified to pontificate as anyone.)

Personally, I don't know if it's an enormous big deal or not. Risk factor sections tend to be written as pessimistically as possible, so you can skip over the parts about they cannot assure you and so forth. One thing I do know is that it happened over a year ago, so if anything significant happened as a result, and Verisign knew about it, they'd have told us about that, too, on the principle that you release all your bad news at once. So this means that either it really was just a minor network breach, or the evil consequences are so deep and subtle that we may not know about them for years and years, if ever. I'd tend toward the former, but then, I'm not a Verisign stockholder.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cyberattack, DNS, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

If I understand correctly... Kevin Murphy  –  Feb 03, 2012 12:35 AM PDT

So, in summary, you're questioning the value of articles that merely block-quote the SEC filing and pad it out with useless commentary?

you forgot "the three month old SEC John Levine  –  Feb 03, 2012 7:58 AM PDT

you forgot "the three month old SEC filing"

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Dyn Acquires Managed DNS Provider Nettica

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

SPECIAL: Video Interviews from NamesCon 2014 in Las Vegas

Sponsored Topics