Reuters reported yesterday that Verisign, an Internet infrastructure company that manages the ".com," ".net" and ".gov" website addresses, was hacked in 2010. Should you be concerned?
According to the report, the 2010 security breach was hidden from Verisign executives until last September. But the data break-in was reported in the company's quarterly earnings report to investors, as required by changes in U.S. Securities and Exchange Commission regulations that went into effect in October of 2011.
But what worries most security experts is the still-undisclosed damage and risks that the nearly two-year-old hack may pose. "We need an environment where companies have an incentive to disclose these things," said Jeff Fox, Consumer Reports' privacy expert. "Affected companies need to disclose not only the breach but the damage to consumers."
For example, it's still unknown whether data from the DNS servers has been taken. With information from DNS, the system that translates a website's name (such as "google.com") to the proper numerical Internet address, criminals can redirect consumers' browser requests and send them to malicious websites instead.
And until August 2010, Verisign was also a provider of so-called Secure Sockets Layer (SSL) certificates, the online code Web browsers look for when connecting users to sites, such as banks, that begin with "https" instead of the usual "http." Symantec, which now owns the Verisign SSL database, did tell Reuters that "there is no indication" the 2010 Verisign breach is tied to the SSL system.
To keep personal data safe while using the Internet, see Consumer Reports Guide to online security.
Key Internet operator VeriSign hit by hackers [Reuters]
VeriSign Hacked: What We Don't Know Might Hurt Us [PC World]
Why Are We Only Finding Out About the VeriSign Security Breach Now? [Time Techland]
VeriSign admits it was hacked repeatedly in 2010, staff didn't tell senior management [Sophos Security blog]
VeriSign 2010 Hack: DNS Data Theft A Possibility [Information Week]