Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×

Congress Gives Federal Agencies Two Weeks To Tally Backdoored Juniper Kit (csoonline.com) 77

itwbennett writes: In an effort to gauge the impact of the recent Juniper ScreenOS backdoors on government organizations, the House of Representatives is questioning around two dozen U.S. government departments and federal agencies. The U.S. House of Representatives' Committee on Oversight and Government Reform sent letters to the agencies on Jan. 21, asking them to identify whether they used devices running the affected ScreenOS versions, to explain how they learned about the issues and whether they took any corrective actions before Juniper released patches and to specify when they applied the company's patches. The questioned organizations have until Feb. 4 to respond and deliver the appropriate documents, a very tight time frame giving that 'the time period covered by this request is from January 1, 2009 to the present.'
This discussion has been archived. No new comments can be posted.

Congress Gives Federal Agencies Two Weeks To Tally Backdoored Juniper Kit

Comments Filter:
  • by dreamchaser ( 49529 ) on Wednesday January 27, 2016 @10:10PM (#51386169) Homepage Journal

    They should be phasing those out regardless. Netscreen devices are EOL. Too many people are still using them. I know I have actively encouraged clients to ditch them. Unfortunately the Juniper SRX firewalls are crap, at least the low end/branch ones. The big iron is alright but still doesn't compare feature wise to Check Point, Palo Alto, Fortinet, etc.

  • Proscecutions? (Score:5, Insightful)

    by jdwolfe ( 4433569 ) on Wednesday January 27, 2016 @10:12PM (#51386177)
    Who at Juniper is getting prosecuted for selling backdoor'd routers to the United States Federal Government?
  • by thesupraman ( 179040 ) on Wednesday January 27, 2016 @10:15PM (#51386189)

    I thought government security organisations of the three letter variety were busy trying to convince
    us that security backdoors and 'special' access for government level players was a good thing?

    Surely they should just be promoting this as a feature, that enables the rounding up of literally millions
    of pedophiles, drug addicts, and terrorists Real Soon Now?

    Oh, wait, they are not sure its only THEIR backdoors? Dont tell me other governments may also be
    involved? But surely if its good for one government to have access, its better if more do - hell, they ALL
    should, right? So they can enforce their own local views of What Is Right?

    Are we being told only some governments are trustworthy? Can we please have a list? What happens when
    governments change? This is all just too complicated!

    It is a pity most police are now just too busy collecting revenue to do much police work, it all seemed a bit
    simpler when they used to investigate actual crimes against the populace.

    • Re: (Score:3, Funny)

      by msauve ( 701917 )
      But, think of the children (aka "congress").
    • by Anonymous Coward

      ... enables the rounding up of enables the rounding up of literally millions of pedophiles, drug addicts, and terrorists ...

      That's kinda the problem. There laws were passed to spy on suspicious people. Spying on politicians and their friends is treating them like criminals. That's a defamation of their good names and an insult to their lofty jobs. Important people don't hate mass surveillance because it's ineffective, abusive, or encourages treason; they hate it because it makes them look bad.

  • by Anonymous Coward

    I spent much of last year responding to a security audit that had to do with a leak of personal information through email. Very few people were affected . It was an honest mistake. The audit is exhaustive.

    It is hard to provide every email *relevant* message for your colleagues for years. It is hard to document everything we ever said about securing information. It's hard in a short time to prove you are educating the whole staff again about what you told them all before.

    We are better for it, and my group wa

  • I'll get you, my pretty, and your little dog, too!
    • by subk ( 551165 )

      I'll get you, my pretty, and your little dog, too!

      Spoiler Alert: I know what happens next. The house falls on the bitch.

  • What did you know (Score:4, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Wednesday January 27, 2016 @10:27PM (#51386229) Journal

    Q: "What did you know and when did you know it?"

    A: We didn't know nothin' then, we don't know nothin' now, and we won't know nothin' next week either."

    "Thank you, this meeting is adjourned."

  • then mention the NSL that was always in place?
  • by WaffleMonster ( 969671 ) on Wednesday January 27, 2016 @11:14PM (#51386393)

    Congress should just ask NSA and save everyone the trouble.

  • Just sayin'
  • There's no way this order can be reasonably complied with. If indeed it could ever be done.
    And, who's going to pay for it?
    What a disgusting bunch of idiots pretend to run my country.
    • Going back to 2009 is a huge undertaking, even for an organization with a decent asset management process.
      Complying with what is currently on the network shouldn't be difficult at all.
  • by Anonymous Coward on Thursday January 28, 2016 @12:30AM (#51386537)

    Here's the letter to SSA:

    Dear Ms. Colvin:
    On December 17, 2015, Juniper Networks announced in a press release that it discovered
    “unauthorized code that could allow a knowledgeable attacker to gain administrative access” to
    certain devices and “decrypt VPN connections.“

    On December 20, 2015, Juniper Networks issued a patch to the aforementioned software
    vulnerability to their ScreenOS platform. In a related press release, Juniper Networks listed
    vulnerable devices and described the potential exposure ifthis vulnerability was exploited:

    0 Administrative Access (CVE-2015-7755) affecting devices rtmning ScreenOS 6.3
    0r17 through 6/3 0r20; and 0 VPN decryption (CVE-2015-7756) affecting devices rtmning ScreenOS 6.20r15
    through 6.2or18, ScreenOS 6.30rl2 through 6/3 0r2O.2

    So that the Committee may better understand the extent of the ScreenOS vulnerabilities
    and related effects on the cybersecurity posture of federal agencies that use the ScreenOS
    platform, please provide the following documents and information as soon as possible, but no
    later than 5:00 p.m. on February 4, 2016:

    1. Documents sufficient to identify whether your agency, or any component agency,
    used the affected Juniper ScreenOS platfonns;
    2. Documents and communications referring or relating to how the agency, or its
    components, discovered the vulnerability and ifany corrective measures were taken
    prior to deploying the software patch issued by Juniper Networks on December 20,
    2015;
    3. Documents and communications referring or relating to what version(s) of ScreenOS
    your agency, or any component agency, used; and
    4. Documents sufficient to show when your agency, or any component agency,
    deployed the software patch issued by Jtmiper Networks on December 20, 2015.

    The Committee on Oversight and Government Refonn is the principal oversight
    committee of the House of Representatives and may at “any time” investigate “any matter” as set
    forth in House Rule X.

    When producing documents to the Committee, please deliver production sets to the
    Majority staff in room 2157 of the Rayburn House Ofce Building and the Minority staff in
    room 2471 of the Rayburn House Office Building. The Committee prefers, ifpossible, to
    receive all documents in electronic format. An attachment to this letter provides additional
    information about responding to the Committee’s request.

    Please contact Mike Flynn of the Majority staff at (202) 225-5074 or Brian Quinn ofthe
    Minority staff at (202) 225-5051 with any questions about this request. Thank you for your
    attention to this matter.
    [signatures]

    There's no mention of getting information as far back as 2009 in the letter. That bit was from some attached boilerplate rules about how the committee wants the report formatted, media, etc. Other letters that have nothing to do with the Juniper firewall issue have the same boilerplate rules attached. The committee only wants the information at stated in their four items. I don't why the report for the TFA put in that bit about the 2009 timeframe other than to exaggerate the work each agency is going to have to do.

    • by Zocalo ( 252965 ) on Thursday January 28, 2016 @04:36AM (#51387013) Homepage
      Maybe because they read between the lines a bit? If you put the part of the letter that reads "Documents sufficient to identify whether your agency, or any component agency, used the affected Juniper ScreenOS platforms" (note the tense) with the timeframe that Juniper when started shipping products with a vulnerable version of ScreenOS (e.g. from 2009), then they are indeed asking for data that could potentially go back to 2009. Just because a company might be using an alternative product now, doesn't mean that they didn't have vulnerable products in the past, so they are indeed asking for agencies to review their equipment purchasing records going back to 2009.

      Still, it's a pretty incompetent company that won't have at least some form of records of CapEx purchases going back six years, let alone a government agency, just because of financial and tax legislation requirements, albeit possibly not entirely digital and searchable. At my previous employer I could get a report with a complete list of assets from a given vendor complete with every logged change made to those assets from our ITIL CMDB system in a couple of minutes that would easily cover that timescale, although I suspect for many government agencies this is likely to involve some hapless interns digging through dusty paper boxes in a warehouse rather than someone running a report.
      • Regardless of the deadline for the report, this is mostly information the agencies should already have considered when the vulnerability was announced. If they cannot comply with the deadline, well you know there is an agency where IT is asleep at the switch. That's valuable information in itself. I would not be surprised if it was all of them.
  • by Anonymous Coward

    the same morons who want to worry about THIS seem to have no problem with nearly the entire government running a combination of ancient, unmaintained and vulnerable old flavors of Windows and IE, or WORSE the newest flavors of windows that have a permanent, autonomous and continually-active "back-door" built right in. With the most-recent versions of Windows sucking-up all keystrokes and mouse moves and even, in some cases, audio from any built-in microphones, and sending stuff off to headquarters in Redmon

  • I thought you wanted government backdoors, now you make a fuss. Make up your fucking mind!

  • A backdoor, likely added by a 3-letter US government agency, being used in another US government agency causing a security breach....

I owe the public nothing. -- J.P. Morgan

Working...