Juniper Breach Mystery Starts To Clear With New Details on Hackers and US Role (yahoo.com)
An anonymous reader shares a report: Days before Christmas in 2015, Juniper Networks alerted users that it had been breached. In a brief statement, the company said it had discovered "unauthorized code" in one of its network security products, allowing hackers to decipher encrypted communications and gain high-level access to customers' computer systems. Further details were scant, but Juniper made clear the implications were serious: It urged users to download a software update "with the highest priority." More than five years later, the breach of Juniper's network remains an enduring mystery in computer security, an attack on America's software supply chain that potentially exposed highly sensitive customers including telecommunications companies and U.S. military agencies to years of spying before the company issued a patch.
Those intruders haven't yet been publicly identified, and if there were any victims other than Juniper, they haven't surfaced to date. But one crucial detail about the incident has long been known -- uncovered by independent researchers days after Juniper's alert in 2015 -- and continues to raise questions about the methods U.S. intelligence agencies use to monitor foreign adversaries. The Juniper product that was targeted, a popular firewall device called NetScreen, included an algorithm written by the National Security Agency. Security researchers have suggested that the algorithm contained an intentional flaw -- otherwise known as a backdoor -- that American spies could have used to eavesdrop on the communications of Juniper's overseas customers. NSA declined to address allegations about the algorithm.
Juniper's breach remains important -- and the subject of continued questions from Congress -- because it highlights the perils of governments inserting backdoors in technology products. "As government agencies and misguided politicians continue to push for backdoors into our personal devices, policymakers and the American people need a full understanding of how backdoors will be exploited by our adversaries," Senator Ron Wyden, a Democrat from Oregon, said in a statement to Bloomberg. He demanded answers in the last year from Juniper and from the NSA about the incident, in letters signed by 10 or more members of Congress.
Just need to attack Huawei (Score:4, Interesting)
American government agencies exploited American products in order to spy on everyone in the world. And turn around to launch a major PR and legal attack against a major Chinese competitor while refusing to show any real proof [wsj.com].
It's called American Exceptionalism [merriam-webster.com].
Re: (Score:2, Insightful)
We already know that the NSA hacked into Huawei.
https://www.cnet.com/tech/serv... [cnet.com]
Snowden already told us everything.
"With Mr. Snowden’s leaks in 2014, the NSA lost the ability to spy on one of the most significant intelligence targets: China. Another NSA document revealed that the agency was spying on Huawei to learn its links to the Chinese military and the ruling Communist Party.
“Many of our targets communicate over Huawei-produced products, we want to make sure that we know how to exploit the
Re: (Score:1)
Snowden already told our adversaries everything.
FTFY.
Re: (Score:3)
Including the general populace eh?
Re: (Score:2)
all part of the new 'Fuck China' message of privately owned 'influential' websites.
Re: (Score:1)
American government agencies exploited American products in order to spy on everyone in the world. And turn around to launch a major PR and legal attack against a major Chinese competitor while refusing to show any real proof [wsj.com].
It's called American Exceptionalism [merriam-webster.com].
I'd like to see the proof that this is a US hack...not calling anyone a liar mind you...
In case anyone is wondering what it was.. (Score:3, Insightful)
It was the Dual Elliptic Curve Deterministic Random Bit Generator algorithm. This has been long suspected as an NSA backdoor, I think for over a decade at this point.
Re:In case anyone is wondering what it was.. (Score:5, Insightful)
Here's a paper from Microsoft on how to exploit the vulnerability... from 2007
http://rump2007.cr.yp.to/15-sh... [cr.yp.to]
Re: (Score:3)
The irony is, you are already trusting the person behind the cr.yp.to site: Daniel J. Bernstein (DJB for short) is one of the leading and most trusted researchers in the world of cryptography and computer security in general.
Sen Wyden demanded answers ... (Score:3)
That'll do it. Wyden knew of the illegal NSA spy programs before Snowden blew the whistle and he didn't speak up. 'Classified' doesn't make the illegal legal.
Reality is that the US government is unaccountable from top to bottom. Abuses by the IRS, FBI and even the FDA show a complete lack of give-a-shit about the law.
Not consistent with the known evidence (Score:3)
In law there is an exception to hearsay for things that the accused blurted out right after the incident occurred, rather than weeks or months later. The thinking is that something they blurt out in the heat of the moment is less likely to be a calculated lie.
Juniper blurted out that there was unauthorized code.
That is, CODE, lines of programming, had been added to the product. Given what we know, that's probably true.
Much later, some speculated that the design of the *algorithm*, the math, could have been weaker than expected. That's a very different thing than having unauthorized code added.
We don't know for sure what happened. The available evidence most strongly suggests that an attacker straight up added code to the *product*, code that wasn't put there by Juniper developers. That's not at all the same thing as if Juniper devs implemented an algorithm and the NSA knew something secret about the math behind the algorithm.
Re: (Score:2)
Much later, some speculated that the design of the *algorithm*, the math, could have been weaker than expected.
No, you need to check your timeline. Microsoft published a paper in 2007 about the "Q value" as a potential backdoor in the algorithm. Juniper added the algorithm in 2008. They were hacked in 2012 and again in 2014 when code was changed.
The NSA was strong-arming NIST and bribing vendors (RSA, for example) to implement the algorithm and set it as default back in 2008.
Juniper code quality sucked... (Score:1)
I've seen some source code of one Juniper product.
Even though I am just a programmer and not a security expert, I found a couple of serious security issues...
Overall quality was crap - looked like corporate product outsourced to India with rushed deadlines...
New details (Score:2)
Backdoors? (Score:2)
the American people need a full understanding of how backdoors will be exploited by our adversaries
Doesn't exploitation of backdoors always involve some variety of being fucked?