 ZupePremium,MVM join:2001-11-29 New York, NY | "Key Internet operator VeriSign hit by hackers" said by »www.reuters.com/article/2012/02/···20120202 : (Reuters) - VeriSign Inc, the company in charge of delivering people safely to more than half the world's websites, has been hacked repeatedly by outsiders who stole undisclosed information from the leading Internet infrastructure company.
The previously unreported breaches occurred in 2010 at the Reston, Virginia-based company, which is ultimately responsible for the integrity of Web addresses ending in .com, .net and .gov.
VeriSign said its executives "do not believe these attacks breached the servers that support our Domain Name System network," which ensures people land at the right numeric Internet Protocol address when they type in a name such as Google.com, but it did not rule anything out.
VeriSign's domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept email from federal employees or corporate executives, though classified government data moves through more secure channels.
"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
[...]
-- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"? |
|
 lawrence171Evilly Yours - Evilness join:2001-12-24 Canada | I have no faith in VeriSign, and as their whole business is about trust, I don't see them lasting. -- What I used to be I no longer am... God, why can't you freeze time for my sake? |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | Like Comodo hasn't lasted? Nah...it is all about power, baby. And Comodo and Verisign have that in spades. |
|
 AVDRespice, Adspice, ProspicePremium join:2003-02-06 Onion, NJ | Comodo? |
|
 wapuBroadband RangerPremium join:2001-09-05 Boca Raton, FL
| reply to Zupe "Oh My God," I bet he loves that quote. Glad to see the DHS is putting 13 year old girls in charge. I bet they edited the "Like" and "Totally" out of the 2nd part of his quote.
"Oh my God, Like, that totally could allow people to imitate ..." |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | reply to AVD The largest cert provider in the world now. And the most corrupt. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
 lawrence171Evilly Yours - Evilness join:2001-12-24 Canada | reply to Mele20
said by Mele20: Like Comodo hasn't lasted? Nah...it is all about power, baby. And Comodo and Verisign have that in spades.
More and more large organizations are starting to issue self-signed certificates. With all these certificates going wrong nowadays, the trust just isn't there anymore. Besides, most people will click accept anyways, for those certificate errors.
Comodo, if they do not change, will not last as well. If they charge that much for a certificate, and cannot even be bothered to verify the identity of the client in a meaningful way, I don't see them lasting. -- What I used to be I no longer am... God, why can't you freeze time for my sake? |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | You are very naive. I suggest you read "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates" which was published recently by the cabforum.
»www.cabforum.org/
Then I suggest you go to mozilla.dev.security.policy News Group and begin with the thread "Updating Mozilla's CA Certificate Policy in Regards to CAB Forum BRS". That's just the beginning but it should educate you a little.  -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
 lawrence171Evilly Yours - Evilness join:2001-12-24 Canada | You're going to have to elaborate. Naive? Educate me a little? |
|
 Mele20Premium join:2001-06-05 Hilo, HI kudos:4 | I disagree with this sentence of yours:
"Comodo, if they do not change, will not last as well. If they charge that much for a certificate, and cannot even be bothered to verify the identity of the client in a meaningful way, I don't see them lasting."
Even Mozilla decided they could not buck them. Mozilla said that Comodo is too big to fail as that would cause disaster for the Internet. This was back in Dec-2008-Jan-2009 when Eddy Nigg (CEO of StartCom Cert provider) was able to buy a cert from a Comodo reseller for Mozilla.com. He had nothing whatsoever to do with Mozilla. He posted this on the mozilla.dev.tech.crypto News Group on Christmas Eve 2008. The ensuing uproar had Mozilla developers telling users to UNtrust all Comodo and Comodo related certs (about 8 root ones) in Fx and SM and had them discussing on the Newsgroup and in their blogs about what to do. They came very close to pulling all Comodo/Comodo related certs from Mozilla browsers forever. The discussion was very heated. I was glued to the News Group all through the holidays. Many of us here did what the developers recommended and Untrusted all Comodo related certs.
Mozilla finally (after several weeks of discussion) decided to not pull Comodo certs from their browsers because they felt it would cause a lot of pain and confusion for users most of whom don't even know what a cert is. They also stated that Comodo was too big a cert provider (now the world's largest) to fail as it would cause general chaos. After this happened Comodo went on its merry way, non-repentant with Melih (the flamboyant CEO) yelling about unfairness and he did NOTHING to fix the problems with his resellers. In fact, he flaunted his power and knowingly and willingly sold certs to KNOWN MALWARE SITES that his "free" software detected as malicious. This caused another uproar in the consumer Security area. When one well-known computer security antimalware researcher criticized Comodo for putting users at such risk, Melih started a smear campaign and well you can read all this...just search here for all threads over the past 5 years on Comodo certs, malware sites, etc. Also search at Wilders Security forum for the same. (Melih got himself banned for life there for several things he did and I was there in the thread when he got banned. He threw a temper tantrum, hid his IP and tried to get back in the site. Wilders banned him for life).
After about a year, Melih was in the news again because he was caught AGAIN selling certs to KNOWN malware sites. But Comodo still stands as the largest cert provider in the world. Some members here actually still use Comodo's free products even though to me that makes zero sense. But most of us would never touch his products (what he did to Kevin and Nancy and BoClean was despicable) and we tell our browsers to not trust Comodo and Comodo related (like AddTrust, UserTrust, etc) certs.
The reason I gave you that link is because that NewsGroup for Mozilla developers sheds light on what is happening in regards to the Cert providers forum finally issuing a set of basic standards that all cert providers will have to agree to. There has been NONE until now (Wild West out there). Mozilla is not too happy with the set of standards because the browser companies had NO say in compiling the standards...just the self serving Cert providers. Mozilla devs complain that the browser users are being totally overlooked and are still the whipping child for these Cert providers. Mozilla has debated whether or not to vote yes or no on the new standards as voting yes means that Mozilla's standards (which they think are really good) will have to be changed somewhat and they say the users are being ignored.
This is getting way too long. My main point here is that Comodo not only is still standing, still in Mozilla browsers root certs, now the largest cert provider in the world and still stinks, doesn't give a shit about users, Mozilla knows this but is afraid to pull the certs. I think they should pull them even this late in the game and let the shit fall wherever it may. At least the havoc wrought by Mozilla acquiring some balls would serve to rock the foundation of this inadequate, arrogant group of cert providers and would force radical change which is desperately needed in the area of SSL. -- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
 evoxllx join:2007-06-07 Winter Park, FL | reply to Zupe Hopefully all of these rogue CAs will one day get removed or better yet become unnecessary.
It seems like the list of untrustworthy CAs is growing even bigger although to be honest I've never believed in the idea of buying trust.
Trust should be earned not bought.
You can also add trustwave to the growing list along with the rest.
»bugzilla.mozilla.org/show_bug.cgi?id=724929 |
|
 ashrc4Premium join:2009-02-06 australia | reply to Zupe Refuse to hit the net without being sandboxed or live cd these days. Nothing short of safehex for programs/exe's to be run from reputable sources either. To hell with those cert providers.
Still infection free with win7 64 and various linux cd's -- Paradigm Shift beta test pilot. "Now is the not right time to stop folding." |
|
 AVDRespice, Adspice, ProspicePremium join:2003-02-06 Onion, NJ | sandboxes and live cd's are not immune from MitM attacks using forged certificates and DNS entries. |
|
 ashrc4Premium join:2009-02-06 australia | said by AVD: sandboxes and live cd's are not immune from MitM attacks using forged certificates and DNS entries.
I don't use internet banking and limit my online persona to hotmail, here and non contributed facebook a/c. No banking and false data for the rest. I don't rely on certs as a means of trust bar the three exceptions. -- Paradigm Shift beta test pilot. "Now is the not right time to stop folding." |
|
 AVDRespice, Adspice, ProspicePremium join:2003-02-06 Onion, NJ | that's different.... |
|
 lawrence171Evilly Yours - Evilness join:2001-12-24 Canada | reply to Mele20 OK, now I see what you're saying. I agree with your points, but I am looking at this from a consumer standpoint.
I am honestly shocked to hear this, and I'm surprised that this doesn't hit the media more often. I wonder what Google thinks of Comodo. I wonder if the US government will crack down on Comodo for national security, after their "partners" issued those certificates for Iran. -- What I used to be I no longer am... God, why can't you freeze time for my sake? |
|