The Unnamed Network Provider Exposing our Infrastructure

Today was Global Threat day, when James Clapper testifies before various committees in Congress and Ron Wyden asks uncomfortable questions (today, directed exclusively at John Brennan). I’ll have a few posts about the hearings (in Senate Armed Services and Senate Intelligence Committees) and Clapper’s testimony, the SASC version of which is here.

One interesting detail in Clapper’s testimony comes in the several-paragraph section on Infrastructure within a larger section on “Protecting Information Resources.” Here’s how the testimony describes the Juniper hack.

A major US network equipment manufacturer acknowledged last December that someone repeatedly gained access to its network to change source code in order to make its products’ default encryption breakable. The intruders also introduced a default password to enable undetected access to some target networks worldwide.

There’s no discussion of how many Federal agencies use Juniper’s VPN, nor of how this must have exposed US businesses (unless the NSA clued them in to the problem). And definitely no discussion of the assumption that NSA initially asked for the back door that someone else subsequently exploited.

More importantly, there’s no discussion of the cost of this hack, which I find interesting given that it may be an own goal.

13 replies
      • P J Evans says:

        I’ve been reading ew for a long time.
        Mostly I was amused by Comey trying to get people to buy into how much trouble the FBI has with encryption, given how many other agencies seem not to have trouble at all. (And all the rumors about NSA and fingers in encryption schemes.)

  1. haarmeyer says:

    I’m still trying to wrap my head around the idea of someone “repeatedly” breaking into Juniper’s “network” to get access to source code. There’s so much that doesn’t make sense in that, like what was the server for their proprietary IP and source code doing on a network that someone could gain access to, how did the source code get compiled and shipped without anybody diffing it at all including their source control system, and what kind of number they put in to replace the one that was changed.

    Everything about that sounds like either massive corporate stupidity or an inside job.

  2. lefty665 says:

    Looks like it got pretty hot between Wyden and Brennan today. The Wash Post reports:
    .
    “Ultimately, Brennan admitted “very limited inappropriate actions” by CIA staff but accused Senate investigators of comparable transgressions and came close to shouting at Wyden: “Do not say that we spied on Senate computers or your files! Do not say that!””
    .
    It was the annual threat assessment, but Brennan clearly didn’t appreciate being identified as one of the threats.

  3. Les says:

    It could’ve been some hack of a government contractor or employee updating an obsolete version of the software and forcing its installation into the version control system. Hardcoded passwords are often used during software testing. Apparently, the encryption code was fixed and unfixed multiple times.

    • orionATL says:

      “… . Apparently, the encryption code was fixed and unfixed multiple times…”

      wow.

      you mean like just replacing your door every time it gets kicked in and then going out to the movies again?
