VeriSign hack: Reactions from the security community

February 3, 2012 by Jon Callas

Blogmaster Note: This was originally posted on February 3, 2012 to Help Net Security

Reuters reports that VeriSign has been hacked and “undisclosed information” has been stolen. There isn’t much more in the reports other than speculation, but there are a number of things to remember.

They claim that this doesn’t affect the VeriSign certificate business, which is now owned by Symantec. Symantec has kept the VeriSign name on that business, and each of them says that this doesn’t affect Symantec. VeriSign proper runs DNS, does threat protection, and runs back-ends for telephone systems.

Nearly everyone will be hacked eventually. The measure of a company is how they respond. The critical infrastructure of the Internet is under attack from both frivolous and serious sources, from the media to hacktivism to criminals to nation states. The important thing for all companies to have in place is a response plan. That has to include assessment, containment, remediation, and notification. Notification is especially important because public safety is at stake and those who have been spared need to know what the real threats are. Only those under attack can tell the rest of us. It’s been over a year since VeriSign was attacked. They owe it to their customers as well as the community to let us know what happened. There are responsibilities that go with running critical infrastructure, and reporting is among them. This is serious and shouldn’t be buried in an SEC report.

Jon Callas

About

Jon Callas has over 30 years of experience and served as Entrust’s Chief Technology Officer. Prior to joining Entrust, Callas co-founded PGP Corporation which specialized in email and data encryption software. Over the course of more than fifteen years, Callas held leadership functions including CTO and CSO. Most recently, he also served as an operating system security expert with Apple. Additionally, he has held leadership positions with corporations including Wave Systems Corporation, Digital Equipment Corporation and Counterpane Internet Security Inc. He has also authored several Internet Engineering Task Force (IETF) standards including OpenPGP, DKIM, and ZRTP.
