xkcd

[KnightExemplar]

Thanks Bruce Schneier for posting this on his blog.

http://www.reuters.com/article/2012/02/ ... Z820120202

For those who don't know much on the subject, here's a brief overview. Whenever you see "HTTPS", it is known to be "secure" HTTP. This is the technology that is used to protect bankofamerica.com, paypal, and other sites. Whenever you visit bankofamerica.com, your computer downloads a certificate that bankofamerica apparently produced. To make sure that its a real certificate, your computer automatically checks with Certificate Authorities, such as Verisign. All of this happens automatically, as shown in the following screenshot.

In short:


When a site fails the certificate check, your web browser usually displays a page like:


We can trust that "https://www.bankofamerica.com" is actually owned by bankofamerica, because it is Verisign's job to do that. In fact, the "green bar of trust" appears only on the most trusted of certificates. And when Bank of America is paying somewhere on the order of $1500 per year per domain name, you would expect that Verisign would be doing their job... and protecting their certificates authenticity.

However, Verisign was hacked... repeatedly in 2010. And only now do we know about it. Such an important company was charging ridiculous amounts of money for trust that honestly they shouldn't have anymore! Its one thing when say... your $10 Comodo certificate gets hacked and forged. But when apparently the most secure certificate authority has been hacked... and repeatedly hacked... without the public knowing about it... its just not right.

Ultimately, if the hackers took specific information, they'll be able to forge any Verisign certificate, which includes sites like BankOfAmerica, Paypal, Mastercard, Amazon... pretty much all of the big professional sites get their certificates from Verisign.

[sourmìlk]

But this is only a problem if you've been tricked into visiting a website that you think is authentic, but actually isn't, ya? As in, if I'm actually going to bank of america, these hackings can't do anything because they're only hacking the guys who verify the certificate, they're not intercepting data between me and the server.

[KnightExemplar]

But this is only a problem if you've been tricked into visiting a website that you think is authentic, but actually isn't, ya? As in, if I'm actually going to bank of america, these hackings can't do anything because they're only hacking the guys who verify the certificate, they're not intercepting data between me and the server.

If hackers have been able to break the root trust certificate, then you will not be able to tell if someone is intercepting data between you and the server. That is the standard Man in the Middle Attack. In addition, they can pretend to be bankofamerica and get the "green bar of trust", while actually being a phishing site.

EDIT: The way this attack works, is that the Hacker gives you a fake certificate. He claims to be bankofamerica.com. Now when you visit "bankofamerica.com", you'll instead see the hacker if he uses a combination of different techniques. This is pretty easy at various levels, from ARP Poisoning at local places (do you trust your local WiFi connections on a bus? On the train? In McDonalds?). To DNS Cache Poisoning. Both DNS and ARP are insecure, so HTTPS is needed to ensure the validity of sites. But since a major root certificate authority has proven themselves to be incompetent, this more or less means that the HTTPS system we rely on is potentially broken.

Basically, the hard part is supposed to be the certificate trust chain. Every other bit is considered the simple part of hacking really. It is very very easy to intercept data from WiFi for example.

[sourmìlk]

Obviously they're all problematic, but the only one I'm worried about is DNS cache poisoning. Most people here are pretty smart about identifying phishing sites and I don't think we'd use a banking website on a public network.

[KnightExemplar]

If they can impersonate certificates, then the "man in the middle" attack means that they can also break the encryption between you and the website.



Thus, the site would look identical, you would be accessing it via "HTTPS", but all of the information would appear unencrypted to the attacker. The redirection there can happen from an ARP Poison attack. (AKA: Impersonating an IP Address)

[Mittagessen]

Most people here are pretty smart about identifying phishing sites and I don't think we'd use a banking website on a public network.

Oh you have no idea. It's trivial to build a phishing suite that looks exactly like the original. Using UTF-8 or simply registering similar domain names works for a lot of banks, especially small credit unions (was it sparkassehintertupfingen.de or sparkasse-hintertupfingen.de) and in countries using non-ASCII alphabets. If your target is sufficiently small enough they'll probably won't have as extensive internet monitoring in place as larger institutions
Additionally, SSL (the cryptographic protocol that is just stuffed between HTTP and lower layers to secure the connection) is THE protocol ensuring encryption and data integrity on the internet. Fishy certificates or corrupted certification authorities also makes Email and XMPP (a IM protocol used for example by googletalk) susceptible to interception and tampering.

[KnightExemplar]

Most people here are pretty smart about identifying phishing sites and I don't think we'd use a banking website on a public network.

Oh you have no idea. It's trivial to build a phishing suite that looks exactly like the original. Using UTF-8 or simply registering similar domain names works for a lot of banks, especially small credit unions (was it sparkassehintertupfingen.de or sparkasse-hintertupfingen.de) and in countries using non-ASCII alphabets. If your target is sufficiently small enough they'll probably won't have as extensive internet monitoring in place as larger institutions
Additionally, SSL (the cryptographic protocol that is just stuffed between HTTP and lower layers to secure the connection) is THE protocol ensuring encryption and data integrity on the internet. Fishy certificates or corrupted certification authorities also makes Email and XMPP (a IM protocol used for example by googletalk) susceptible to interception and tampering.

Yup, THE way you are supposed to differentiate between a phishing site and a legitimate one is by checking their certificates. But if you can't trust the certificate... then everything has been broken.

[mousewiz]

Don't get me wrong, it's a bad thing, but honestly so many websites (including my own bank =/) mix content and have an HTTP main page linking to an HTTPS login page or whatever that I don't expect average people are significantly more at risk because of certificate forgery than they would be without certificate forgery.

I mean, if I'm an attacker and I can forge certificates, then awesome.
But if I'm an attacker and I can't forge certificates, I'm not too worried; I just run the MITM attack against the HTTP main page and change the HTTPS login link to my own phishing page and profit. I don't see certificate forgery as 'worth it' unless I already have it or it's the only way to get what I want. If profit is what I want and one bank doesn't mix content, I just pick a different bank.

[Diadem]

Last year there was a major scandal here in The Netherlands when a certificate company that produced the certificates for Dutch government sites (amongst others) was hacked. It made national news for several days though. I'm not sure what happened to the company, but it must have hurt their bottom-line hard.

The biggest news is not that verisign got hacked, but that they covered this up. That is really unethical in such a situation. People can be victims of phishing without ever knowing it, while having done everything right. Banks that think their transactions are secure might lose a lot of money that way.

It's pretty obvious that the only good response is to move away from verisign completely. If we can neither trust them to protect their systems, nor trust them to be honest, than they have no business existing.

[Chen]

So what's the actual impact of this? The Reuters article is extremely vague on if anything was actually taken at all. They were "hacked" without anyone actually saying what information was taken. They proceed to say what COULD happen IF the hackers could forge certificates, but conveniently don't mention that sufficient information was taken to actually DO this.

[KnightExemplar]

So what's the actual impact of this? The Reuters article is extremely vague on if anything was actually taken at all. They were "hacked" without anyone actually saying what information was taken. They proceed to say what COULD happen IF the hackers could forge certificates, but conveniently don't mention that sufficient information was taken to actually DO this.

Computer Forensics is a very complicated subject. In many cases, a skilled hacker can make himself appear as if he were never there, as well as hide all of the data that they stole. A big problem is that no one knows how badly Verisign was hacked... furthermore, it is clear that Verisign (from the vague reporting) was caught blindsided with this and doesn't have details into the hack. True, we don't know if something terrible has occurred. On the other hand, we don't know that this was completely benign either. This is the nature of a hack today: if caught unprepared, you only see evidence that a hack occurred. You don't know what they did, how far they got, or why they did it, or where they came from.

Even without knowing the details of the hack, we've got significant failures in Verisign:
* They haven't conducted an investigation. And now it is far too late to do so.
* Their reporting was slow. Contrast with the PS3 hack or the Nasdaq hack, RSA hack, or any of the other high-profile hacking cases from last year. Verisign on the other hand remained under the radar. True, it is damaging to your reputation if you report that you've been hacked... but this is far worse than that. Verisign has just painted itself as a company that won't release details when they are hacked.
* This also underscores a potential "people problem" in Verisign. According to the article, the executives / higher management of Verisign were not informed of the hack. And now it is too late. Can we trust Verisign's employees with our information in the future?
* Even if say, the root certificates private keys were not stolen, there is a lot of personal information that Verisign collects to verify your identity. So the customers of Verisign could have their information leaked, akin to how the PS3 hack leaked addresses and phone numbers to hackers.

Ultimately, no one knows. And its too late to find out now. From a security company that charges $1500 per year per certificate, this is simply unacceptable.

Obviously they're all problematic, but the only one I'm worried about is DNS cache poisoning. Most people here are pretty smart about identifying phishing sites and I don't think we'd use a banking website on a public network.

Oh, I can't believe I forgot about this in my earlier response. The ".com" and ".net" DNS servers are currently owned by Verisign. That means if you ever visit a site that ends with ".com" or ".net", you are first hitting Verisign's servers. Fortunately, the Verisign executive said that the top-level DNS servers are safe, but how do we know for sure?

The public has entrusted an absurd level of trust towards Verisign. It is their job to make sure that all websites that end in ".com" or ".net" actually take you to the right website... just to let you guys know how important this company is.

[Steax]

I'll try and be the somewhat-neutral person in the conversation (to be fair, KnightExemplar is quite slanted on his posts):

To be clear, a 'hacked certificate' does not immediately grant access to all communications to a website. It does, however, allow more conventional attacks take place. Those generally protected against by said HTTPS. These are still sophisticated attacks, and aren't entirely super-common.

Therefore, this means a significant reduction in security, but it's not immediately apparent where something could go wrong. With HTTPS, theoretically it would be impossible to intercept and understand the transfered data; it gets encrypted at your computer and decrypted at their servers. Users can not tell when they're being intercepted by a party that benefited from the hacking. Users also can not reasonably protect themselves somehow from this issue.

It's true that this shows just how bad Versign is at their security, and it's a major security leak. However, for the casual user who doesn't understand all this stuff, there's practically nothing you can do about it. This is why I tend to be against the news trying to convince people that these companies are flawed; it only helps to cause widespread panic and mistrust which, while possibly deserved, is not yet confirmed.

[kiklion]

I'll try and be the somewhat-neutral person in the conversation (to be fair, KnightExemplar is quite slanted on his posts):

To be clear, a 'hacked certificate' does not immediately grant access to all communications to a website. It does, however, allow more conventional attacks take place. Those generally protected against by said HTTPS. These are still sophisticated attacks, and aren't entirely super-common.

Therefore, this means a significant reduction in security, but it's not immediately apparent where something could go wrong. With HTTPS, theoretically it would be impossible to intercept and understand the transfered data; it gets encrypted at your computer and decrypted at their servers. Users can not tell when they're being intercepted by a party that benefited from the hacking. Users also can not reasonably protect themselves somehow from this issue.

It's true that this shows just how bad Versign is at their security, and it's a major security leak. However, for the casual user who doesn't understand all this stuff, there's practically nothing you can do about it. This is why I tend to be against the news trying to convince people that these companies are flawed; it only helps to cause widespread panic and mistrust which, while possibly deserved, is not yet confirmed.

Mistrust is definitely deserved due to not reporting being hacked for 2 years. Company A has my CC info, they admit to being hacked the moment they realize it, say a month after it occurred. I can now cancel those credit cards and receive new numbers. I have the ability to audit my accounts and make claims against unauthorized charges.

If you wait 2 years, you can no longer challenge claims that you probably already paid for. You can cancel the CC but the damage has already been done.

Also there is stuff that the everyday person can do to protect yourself. You can remove verisign as a trusted root from your browser and you can ensure you don't do business with them. You can also choose to use other TLD's beyond .org and .com whenever possible.

[Steax]

I simply stated that it's not yet confirmed: Verisign isn't saying that they lost any critical data. Is it a security issue? Yes it is. Is it enough reason for the security-conscious to take action? Sure. But we have to be careful not to over-sensationalize this to the general public. Verisign's problem does not immediately mean all our communication is now in the hands of hackers, as some articles try to make out.

Also there is stuff that the everyday person can do to protect yourself. You can remove verisign as a trusted root from your browser and you can ensure you don't do business with them. You can also choose to use other TLD's beyond .org and .com whenever possible.

That works... in a way. You're pretty much blocking yourself off from a large section of the internet.

[KnightExemplar]

It may not be confirmed, but like the RSA hack (which seems to have led to the Lockheed Martin hack), I would not be surprised if this Verisign hack was the precursor to a larger attack.

At the end of the day, some entity out there is successfully attacking our most trusted authentication companies. Companies that control the basic infrastructure of the internet. As you've mention Steax, there is literally nothing we can do to protect ourselves: Verisign is the company we all trust because we have to.

Anyway, for someone who goes around and uses public WiFi in like... McDonalds or in Hotels, you're open to publicly known "attacks" like this. HTTPS protects you 100% from that attack... if correctly done. You get certificates to prove that the sites you're looking at are really the sites you think they are... and then the connection becomes encrypted between them. Of course, HTTPS is no longer "correctly done" because Verisign could have potentially lost their root certificates.

So now what? The best we can do is publicly blast Verisign till no one trusts them anymore. Then we'll use the next Certificate Authority that pops up. Just sweeping this under the rug screws up the system. If we can't trust Verisign, then we should stop using them.

[stevey_frac]

This reeks of a foreign government attack.

I don't your typical hacker could pull this off without bragging about it to someone, somewhere. It's just not in their / our nature.

[Steax]

We'll just have to see how the situation develops. There's no easy solution, though I suppose some people who understand the stuff could go against verisign. The overall shift would be extremely costly, complicated and error-prone.

This reeks of a foreign government attack.

I don't your typical hacker could pull this off without bragging about it to someone, somewhere. It's just not in their / our nature.

Would you brag about it when you have the keys to a ridiculously large pile of information and money?

[stevey_frac]

If I obtained such through a hack... yes.. probably... despite knowing it's against my best interest. The hacker cred that would come with hacking verisign is so large, I don't think your regular hacker crowd could keep quiet. Chinese government hackers on the other hand...

--Steve

[Steax]

Fundamental attribution error strikes again. No, really, when it's between hacker cred and having the keys to half the web's encrypted data, I'd be astonished if the hacker even tried to expose himself. Not to mention the ridiculous levels of scrutiny and manhunting that will undoubtably ensue.

Is there any particular reason you'd pin it on foreign governments?

[stevey_frac]

You do realize that hackers outting themselves in IRC chat rooms has happened before right?

In fact.. hackers often take credit? And that manhunts often do result? Did you miss the whole Sony debacle? Were you simply not around for all of Lulzsec?

This isn't that much of a bigger take then getting millions of credit cards' information... in fact.. the Sony hack was worse then this...

This you COULD use to get credit cards... in the Sony hack.. they DID get credit cards... Lots of em.

--Steve

[Ghostbear]

You do realize that hackers outting themselves in IRC chat rooms has happened before right?

And those are the stupid hackers. What of it? Dumb people brag about crimes they've committed all the time. The smart criminals take their success and laugh all the way to (or, in this case, from) the bank.

[mousewiz]

I doubt that forged Verisign certificates, if they can now be created, will be used to steal random CC & bank information. You don't need to hack Verisign if all you want is mass CC fraud. Using forged certificates to commit mass CC fraud would effectively be bragging that you can forge certificates and would force Verisign certificates to be revoked. There are far more interesting things than financial information that could be targeted with forged certificates.

[stevey_frac]

You do realize that hackers outting themselves in IRC chat rooms has happened before right?

And those are the stupid hackers. What of it? Dumb people brag about crimes they've committed all the time. The smart criminals take their success and laugh all the way to (or, in this case, from) the bank.

Or... alternatively... Hackers are often socially repressed, and seek recognition from their peers?

And the fact that there haven't been large scale certificate forgeries that we've noticed would indicate that either

A) No such information was leaked, and forgeries are not currently possible
B) The people who took said information are doing so with specific targeted attacks.

I'd argue the people who are most able to perform the attacks are government sponsored hackers, and also the people who are most likely to not tell anyone about it. That's kinda why I like the theory.

Mind you... for this to be plausible, you also have to buy into the idea that at least some governments maintain a staff of black-ops hackers... Which I think is not that unreasonable.

--Steve

[Ghostbear]

Or... alternatively... Hackers are often socially repressed, and seek recognition from their peers?

Some hackers, sure. Are you willing to apply that as a blanket statement to all hackers? There are going to be smarter hackers out there, without the desire to brag about their successes. Pointing out the idiots amongst a criminal group (actually, just plain "group", really), even if there are a lot of them, does nothing to prove that every member of that group is stupid. The idiot criminals are the ones that get all of the attention, you smart ones are the ones you don't hear about.

And the fact that there haven't been large scale certificate forgeries that we've noticed would indicate that either

A) No such information was leaked, and forgeries are not currently possible
B) The people who took said information are doing so with specific targeted attacks.

What about:
(C) We haven't noticed them yet.

It's entirely possibly that the hack didn't result in certificates being able to be forged, but pointing out that we haven't seen such yet isn't proof of it at all. Nor is the evidence "but hackers love to brag" particularly compelling.

[stevey_frac]

No. I'm willing to make it as a statement about 'most'.

The fact that you are calling the hackers who don't brag about it the 'smart' ones, really tells me that you don't understand the hacker subculture. Go read about Kevin Mitnick, or some of the other greats, and tell me that they aren't absolutely brilliant. (Mitnick was more a phreaker then hacker, but the point stands)

As for 'C'... someone somewhere would have noticed widespread certificate forgeries by now if they were being made. Widespread forgeries leave fingerprints that ISP NOC's can see. Also, there's 1000's of security experts out there monitoring for all kinds of crap, I'm quite confident of that they would have seen something.

Either they are not being made, or they are being made in a very targeted manner.

I would argue that it is possible that the information was stolen but not used, as a viable 'C'...

[Ghostbear]

No. I'm willing to make it as a statement about 'most'.

The fact that you are calling the hackers who don't brag about it the 'smart' ones, really tells me that you don't understand the hacker subculture. Go read about Kevin Mitnick, or some of the other greats, and tell me that they aren't absolutely brilliant. (Mitnick was more a phreaker then hacker, but the point stands)

This just tells me you aren't willing to shed your preconceptions about a group of people. The smart label was applied to their criminal activity; obviously most hackers are going to be smart (otherwise, they wouldn't be very good at hacking)- what many aren't is smart about what they do after they did their hacking. Are you really so unwilling to consider the notion of hackers out there that don't need to brag about their accomplishments? It doesn't matter if it's some, many, most or even 99%- so long as there are some out there that don't do that, then it's foolish to assume that they all will, and that because no one has done that bragging, that they haven't done anything.

[stevey_frac]

No. I'm willing to make it as a statement about 'most'.

The fact that you are calling the hackers who don't brag about it the 'smart' ones, really tells me that you don't understand the hacker subculture. Go read about Kevin Mitnick, or some of the other greats, and tell me that they aren't absolutely brilliant. (Mitnick was more a phreaker then hacker, but the point stands)

This just tells me you aren't willing to shed your preconceptions about a group of people. The smart label was applied to their criminal activity; obviously most hackers are going to be smart (otherwise, they wouldn't be very good at hacking)- what many aren't is smart about what they do after they did their hacking. Are you really so unwilling to consider the notion of hackers out there that don't need to brag about their accomplishments? It doesn't matter if it's some, many, most or even 99%- so long as there are some out there that don't do that, then it's foolish to assume that they all will, and that because no one has done that bragging, that they haven't done anything.

I'm NOT assuming they all will. I'M NOT TRYING TO PROVE CONCLUSIVELY THAT THIS IS WHAT MUST HAVE HAPPENED. Nor have I stated as such.

Contrary to what you seem to believe, it is quite alright to say 'This is what I think has happened' , and give an explanation as to why I believe such.

Also, I'm not using any preconceptions. I'm using my interactions with said group of people.

[Ghostbear]

I'm NOT assuming they all will. I'M NOT TRYING TO PROVE CONCLUSIVELY THAT THIS IS WHAT MUST HAVE HAPPENED. Nor have I stated as such.

You've been stating that a hacker would probably do whatever they could to get "hacker cred" instead of to exploit the situation for their own gain. I have taken issue with that assertion because it assumes that hackers are just like they are popularly imagined to be. Where was the group getting hacker cred after they broke into defense contractors? Hacking is no longer solely about "cred"- there are many criminal elements that will use it to make money.

Contrary to what you seem to believe, it is quite alright to say 'This is what I think has happened' , and give an explanation as to why I believe such.

Of course, and I would hope you'd think it's quite alright for someone to say "I think your explanation doesn't make sense" and give their own reasons for such.

Also, I'm not using any preconceptions. I'm using my interactions with said group of people.

With some members of the group, who, by virtue of you knowing that they're hackers, are not going to be the smart (with respect to their actions) ones. It doesn't prove much of anything, except what those people you've interacted with are like.

[stevey_frac]

Alright then. Just to re-iterate...

I'm saying... the popular common hacker subculture tends to behave like the popular common hacker subculture... and that there is a second group who have ulterior motives. I am assuming government sponsored individuals.

You are saying that the sum of all hackers comprises more then the common hacker subculture, and that there is probably a second group who have ulterior motives... You are assuming criminals and/or 'Smart' hackers.

Surely we can find common ground here...

--Steve

Edit: The people you are describing as 'smart hackers' are really not members of the hacker subculture at all... Seeing as they do not interact with them in any way, and do not appear to be influenced or obey any of the social mores of the group...

[Ghostbear]

Certainly. My issue was with the idea that any hacker that isn't backed by a government (or the Russian mafia or whatever) is going to be stupid about their actions. Obviously some, perhaps even many, are going to act like that popular image suggest they will, but even amongst those that don't have an ulterior motive, many of them are going to be smart enough to say "Hey, I shouldn't broadcast that I just broke the law in a way that I might be able to make lots of money off of!". Which is why I think "but nobody is bragging about it" is good evidence to say "nothing has been done with the possibly stolen information".

[Steax]

The hackers looking for fame and 'cred' are obviously the subculture we're exposed to, because they're, well, not trying to hide what they're doing.

The hackers looking for profit would hide their operations, launder money, work with questionable third parties and do other things that are blatantly illegal. We've had a bunch of them already stealing billions of dollars, and those are the ones we've debunked. They're not government-sponsored, they just want money.

I'm just taking issue with the conclusion that these must be foreign governments because nobody's stupidly stood up and said "HA! I HACKED VERISIGN! LALALALALALALALA!"

Also, this has little to do with the "hacker subculture." Verisign was not "hacked by a member of the hacker subculture," it was "hacked by a hacker." It doesn't matter what the subculture is. It could be a well-intentioned geek trying things out. It could be the abakazanians. You're making the claim that "N has the characteristics Q, R, and S" without the statement that "Incident X was caused by N."

[KnightExemplar]

You do realize that hackers outting themselves in IRC chat rooms has happened before right?

In fact.. hackers often take credit? And that manhunts often do result? Did you miss the whole Sony debacle? Were you simply not around for all of Lulzsec?

This isn't that much of a bigger take then getting millions of credit cards' information... in fact.. the Sony hack was worse then this...

This you COULD use to get credit cards... in the Sony hack.. they DID get credit cards... Lots of em.

--Steve

From my understanding, credit cards are stolen so often... and there are so many attacks that grab credit cards... that the Black Market is flooded with them. This site claims that the going price for credit-card numbers is 2 to 4 bucks. So actually... no, credit card information isn't worth too much. And thats before the black market was flooded with the credit cards from Sony's hack.

Considering you can do so much more with Root Credentials, I don't think hackers are going to go for a few bucks (or even a few thousand bucks, if they commit mass fraud).

As for the "hackers take credit" line... http://blogs.mcafee.com/mcafee-labs/don ... ssian-gang . The guys who were out on IRC chat lines "taking credit" are the dumb ones. Look behind the scenes, and we start seeing potential criminal activity. Possibly foreign government activity (Russian Mafia or Russian Government? We just know that someone... from Russia... was manipulating Anonymous months before the Sony Hack). Sure, your script kiddies are going to coordinate a DDOS attacks because someone posts a funny image with the V for Vendetta mask on it. But your professional hackers will then take advantage of this flood of attacks and then actually go for the gold.

There's no evidence that the "Hacktivist" anonymous got the credit card information out of Sony's servers. (That I know of anyway). Correct me if I'm wrong of course, but I'm currently of the opinion that the Anonymous script-kiddies are just getting manipulated into doing attacks that cover the tracks of the real crooks.

[addams]

Such an interesting world.

What were the words? Treacherous and Deceitful?
The words that describe the Human animal? Not all, but, many.

[KnightExemplar]

I wouldn't go that far.

Big companies like Verisign are literally the targets of everyone in the world. Every single hacker that is worth his salt has Verisign in his/her crosshairs. Verisign is a target because its trusted and is literally one of the centerpieces of the Internet right now. If the Internet had a "single point of failure", Verisign is damn close to it. At least as far as security is concerned. (Housing top level domains like .com, .net, and .org... as well as being a major component in the HTTPS system).

It is expected that Verisign would be attacked on a daily basis. There is just too much to gain if you get access.