[ISN] VeriSign refutes security vulnerability claim

From: InfoSec News <alerts_at_private>
Date: Thu, 24 Jun 2010 00:30:54 -0500 (CDT)

By Aharon Etengoff 
TG Daily
22nd Jun 2010

VeriSign has denied claims of an alleged security vulnerability recently 
identified by Comodo.

According to Comodo CEO Melih Abdulhayoglu, the vulnerability could 
theoretically allow hackers to access VeriSign customer accounts - 
including a major financial institution - without proper authentication.

"The vulnerability involves a simple search for a specific keyword, 
which then leads to a VeriSign account public access page. So, access to 
these accounts is only a pass phrase away. Think about it: malicious 
hackers from Russia or China can simply brute force their way past the 
password. Remember, security is only as good as its weakest link," 
Abdulhayoglu told TG Daily.

"Unfortunately, VeriSign has not accepted our analysis of the 
vulnerability. They are not seeing the problem and have told us that 
(second tier) challenge phrases are surrounded by stringent security and 
are monitored. But this is certainly not an acceptable policy and that 
is the crux of the problem."


Received on Wed Jun 23 2010 - 22:30:54 PDT
