| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAH8yC8n+4YSG9_ZWJ3fBUx5eGKndifVqg_Wae+4C81ORfzZqCA@mail.gmail.com> Date: Thu, 2 Feb 2012 23:15:58 -0500 From: Jeffrey Walton <noloader@...il.com> To: Kyle Creyts <kyle.creyts@...il.com> Cc: FunSec List <funsec@...uxbox.org>, Full Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Key Internet operator VeriSign hit by hackers [DNS] On Thu, Feb 2, 2012 at 11:10 PM, Kyle Creyts <kyle.creyts@...il.com> wrote: > "Management was informed of the incident in September 2011" pg 33, sect 2 As I said: Alarming. > Further, there is no mention of risk potential for the SSL business > whatsoever, despite numerous mentions of risk factors for the Registry > Services business, not related to this attack. I was born at night, but not last night. > While nothing is "safe" to assume, I would say that suggesting that > this description of the incident describes an attack on tangential, > unmentioned businesses operated by the same organization may be a bit > of a reach. Pure science fiction, I'm sure. Jeff > On Thu, Feb 2, 2012 at 10:42 PM, Jeffrey Walton <noloader@...il.com> wrote: >> On Thu, Feb 2, 2012 at 10:37 PM, Kyle Creyts <kyle.creyts@...il.com> wrote: >>> This is at least a year and a half old. Please, don't republish "news" >>> that should have never been reprinted. I'm not sure who would have >>> allowed this tripe to be syndicated... >> Actually, it was just released in Verisign's 10-Q >> (https://investor.verisign.com/secfiling.cfm?filingID=1193125-11-285850&CIK=1014473). >> Otherwise, without the SEC changes, it probably never would have seen >> the light of day. >> >> And this is alarming: "Ken Silva, who was VeriSign's chief technology >> officer for three years until November 2010, said he had not learned >> of the intrusion until contacted by Reuters. Given the time elapsed >> since the attack and the vague language in the SEC filing, he said >> VeriSign "probably can't draw an accurate assessment" of the damage." >> >> Remember, this company runs a CA. I can't wait to see aggregate data >> on CA breaches next year (its being collected now by EFF, et al). >> >> Jeff >> >>> On Thu, Feb 2, 2012 at 2:49 PM, Jeffrey Walton <noloader@...il.com> wrote: >>>> http://www.reuters.com/article/2012/02/02/us-hacking-verisign-idUSTRE8110Z820120202 >>>> http://www.msnbc.msn.com/id/46238729/ns/technology_and_science-security/ >>>> >>>> (Reuters) - VeriSign Inc, the company in charge of delivering people >>>> safely to more than half the world's websites, has been hacked >>>> repeatedly by outsiders who stole undisclosed information from the >>>> leading Internet infrastructure company. >>>> >>>> The previously unreported breaches occurred in 2010 at the Reston, >>>> Virginia-based company, which is ultimately responsible for the >>>> integrity of Web addresses ending in .com, .net and .gov. >>>> ... >>>> >>>> The VeriSign attacks were revealed in a quarterly U.S. Securities and >>>> Exchange Commission filing in October that followed new guidelines on >>>> reporting security breaches to investors. It was the most striking >>>> disclosure to emerge in a review by Reuters of more than 2,000 >>>> documents mentioning breach risks since the SEC guidance was >>>> published. >>>> ... > > > > -- > Kyle Creyts > > Information Assurance Professional > BSidesDetroit Organizer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists