A reported long-running intrusion tied to Velvet Ant shows why defenders now have to verify authentication integrity, not just patch software and hope the login stack is still honest.