By Joseph Menn
SAN FRANCISCO (Reuters) - VeriSign Inc, the company in charge of delivering people safely to more than half the world's websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company.
The previously unreported breaches occurred in 2010 at the Reston, Virginia-based company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov.
VeriSign said its executives "do not believe these attacks breached the servers that support our Domain Name System network," which ensures people land at the right numeric Internet Protocol address when they type in a name such as Google.com, but it did not rule anything out.
VeriSign's domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept email from federal employees or corporate executives, though classified government data moves through more secure channels.
"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.
Even if the name system is safe, VeriSign offers a number of other services where security is paramount. The company defends customers' websites from attacks and manages their traffic, and it researches international cybercrime groups.
VeriSign would possess sensitive information on customers, and its registry services that dispense website addresses would also be a natural target.
Ken Silva, who was VeriSign's chief technology officer for three years until November 2010, said he had not learned of the intrusion until contacted by Reuters. Given the time elapsed since the attack and the vague language in the SEC filing, he said VeriSign "probably can't draw an accurate assessment" of the damage.
Baker said VeriSign's description will lead people to "assume that it was a nation-state attack that is persistent, very difficult to eradicate and very difficult to put your hands around, so you can't tell where they went undetected."
VeriSign declined multiple interview requests, and senior employees said privately that they had not been given any more details than were in the filing. One said it was impossible to tell if the breach was the result of a concerted effort by a national power, though that was a possibility. "It's an ugly, slim sliver of facts. It's not enough," he said.
The 10-Q said that security staff responded to the attack soon afterward but failed to alert top management until September 2011. It says nothing about a continuing investigation, and the Department of Homeland Security did not respond to questions about an inquiry or recommendations for VeriSign customers.
Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer certificates, which Web browsers look for when connecting users to sites that begin "https," including most financial sites and some email and other communications portals.
If the SSL process were corrupted, "you could create a Bank of America certificate or Google certificate that is trusted by every browser in the world," said prominent security consultant Dmitri Alperovich, president of Asymmetric Cyber Operations.
VeriSign sold its certificate business in the summer of 2010 to Symantec Corp, which has kept the VeriSign brand name on those products.
Symantec spokeswoman Nicole Kenyon said "there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems."
Some smaller issuers of such validation certificates have been compromised in the past, and false certificates have been used to spread the most sophisticated malicious software yet detected, including Stuxnet, which attacked the Iranian nuclear program.
In written Senate testimony on Tuesday, U.S. Director of National Intelligence James Clapper called the known certificate breaches of 2011 "a threat to one of the most fundamental technologies used to secure online communications and sensitive transactions, such as online banking." Others have said SSL as a whole is no longer trustworthy and effective.
In a section of its filing devoted to risk factors, VeriSign said it was a frequent subject of "the most sophisticated form of attacks," including some that are "virtually impossible to anticipate and defend against."
Security experts said the breach reminded them of last year's attack on RSA, an authentication company owned by storage maker EMC Corp. RSA's SecurID tokens authorize remote access and have been in wide use by government agencies and military contractors including Lockheed Martin Corp, which said it was probed on the heels of the RSA breach.
"This breach, along with the RSA breach, puts the authentication mechanisms that are currently being used by businesses at risk," said Melissa Hathaway, a former intelligence official who led U.S. President Barack Obama's cybersecurity policy review and later pushed for the SEC guidance. "There appears to be a structured process of hunting those who provide authentication services."
Even if VeriSign's certificates were not compromised, a significant breach "means that prevention is futile," Alperovich said. He said he hoped new legislation on cybersecurity, expected to reach the Senate floor this month, would call for more disclosures and bring more aid to companies under attack.
(Reporting by Joseph Menn; Editing by Gary Hill)