cancel2 2022
Canceled
The US government has launched an investigation following the discovery of "unauthorised code" in firewall software from Juniper Networks to determine whether it was inserted by the NSA, according to Reuters. Juniper revealed in December that it had found two pieces of code in the firm's ScreenOS software that could give remote hackers the ability to spy on secure virtual private network connections. Analysis indicated that the backdoor code was inserted as far back as 2012.
The US House Committee on Oversight and Government Reform sent a number of official letters on 21 January asking various government departments to audit their networks and report on how they responded to the problem. The departments, which include the Department of Defence, the State Department and NASA, were tasked by the committee to report back by 5pm on 4 February on what "corrective measures" were taken to resolve the security flaw. Will Hurd, a Texas Republican and formerly of the CIA, who now runs a US technology subcommittee, confirmed to Reuters that his investigation will include the possibility of NSA involvement.
"How do we understand the vulnerabilities that created this problem and ensure this kind of thing doesn't happen in the future?" he asked.
"I don't think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses."
Curbing the code
Juniper Networks said previously that it will remove the offending code. Bob Worrall, chief information officer at Juniper, explained that the firm will update its cryptographic algorithms, including the Dual Elliptic Curve technology found in ScreenOS, in the first half of 2016. "We will replace Dual_EC and ANSI X931 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release," he said in a statement.
"We remain confident that the patched releases, which use Dual_EC, remediate the unauthorised administrative access issue as well as the VPN decryption issue. We strongly recommend that customers upgrade their affected systems to the patched releases with high priority." A number of weaknesses in the cryptographic security of the Dual_EC algorithm have been revealed since the Edward Snowden disclosures in 2013. Most concerning were the revelations from RSA Security, which publicly advised its customers to discard the algorithm after it was linked to NSA spying techniques.
Worrall explained that an investigation by security researchers found "no evidence" of any other tampering with the code in ScreenOS or Junos OS, which is the main operating system for most of Juniper's product lines. "The investigation also confirmed that it would be much more difficult to insert the same type of unauthorised code in Junos OS," he added.
The statement came only a day after research by a Stanford University team of cryptographers revealed evidence of tampering with Juniper code, according to Reuters. Analysis by the encryption experts found that Juniper's product code was changed in several ways in 2008 to allow the suspected attackers to eavesdrop on customers' VPN network sessions. One expert branded the backdoor "straightforward" as it simply allowed anyone with the correct password to see everything on the network.
The researchers and Juniper have not directly blamed the NSA for the invasive code, but a number of documents in the Edward Snowden disclosures showed that the agency is highly capable of tampering with technology products. It emerged previously that the NSA routinely intercepts routers and computer equipment to plant spying devices before repackaging them for delivery. However, a separate NSA toolkit called FeedThrough, also revealed in 2013, outlined how the agency has been able to bypass Juniper's firewalls for years.
A report in German publication Der Spiegel said that the NSA has used persistent malware to burrow into Juniper's firewalls and install NSA programs into the firm's computers.
http://www.v3.co.uk/v3-uk/news/2439...ode-decrypting-vpn-traffic-in-its-firewall-os