The Unnamed Network Provider Exposing our Infrastructure
Today was Global Threat day, when James Clapper testifies before various committees in Congress and Ron Wyden asks uncomfortable questions (today, directed exclusively at John Brennan). I’ll have a few posts about the hearings (in Senate Armed Services and Senate Intelligence Committees) and Clapper’s testimony, the SASC version of which is here.
One interesting detail in Clapper’s testimony comes in the several-paragraph section on Infrastructure within a larger section on “Protecting Information Resources.” Here’s how the testimony describes the Juniper hack (without naming the company):
A major US network equipment manufacturer acknowledged last December that someone repeatedly gained access to its network to change source code in order to make its products’ default encryption breakable. The intruders also introduced a default password to enable undetected access to some target networks worldwide.
There’s no discussion of how many Federal agencies use Juniper’s VPN products, nor of how the hack must have exposed US businesses (unless the NSA clued them into the problem). And definitely no discussion of the widely held assumption that NSA itself asked for the original back door, the weakened random number generator behind the “breakable” encryption, which someone else subsequently repurposed for their own use.
More importantly, there’s no discussion of the cost of this hack, which I find interesting given that it may be an own goal.
Comey is whining about encryption again, and how hard it is for the FBI to deal with it.
http://www.sfgate.com/news/politics/article/The-Latest-Intelligence-chief-warns-of-more-6817494.php
PJ @ 1: FBI’s been whining about how hard it is for them since they had to climb poles to tap phones.
I’ve been reading ew for a long time.
Mostly I was amused by Comey trying to get people to buy into how much trouble the FBI has with encryption, given how many other agencies seem not to have trouble at all. (And all the rumors about NSA and fingers in encryption schemes.)
It also seems that today was the day for the FBI to finally unveil a real live case of encryption slowing an investigation:
http://www.latimes.com/nation/la-na-san-bernardino-phone-locked-20160209-story.html
Apparently they don’t know how to jailbreak a commercial phone. If true, this comes with the caveat that the targets in question are already dead, but it would represent a significant PR event for them.
I’m still trying to wrap my head around the idea of someone “repeatedly” breaking into Juniper’s “network” to get access to source code. There’s so much that doesn’t make sense in that: what was the server for their proprietary IP and source code doing on a network that someone could gain access to, how did the source code get compiled and shipped without anybody diffing it at all, including their source control system, and what kind of number did they put in to replace the one that was changed?
Everything about that sounds like either massive corporate stupidity or an inside job.
If you really believe the moat surrounding your tall-walled castle works, then only supernatural ninjas could break in and steal the silverware, so you do not question the person you find walking out of the kitchen with a full plate.

Otherwise, your mind will buckle under the constant adrenaline feed.

p.s. A version of this same thing (as documented on this site many times by many people) has regularly happened to our national grids, networks, etc.
Really? Corporate proprietary source code?
Yup, developer(s) work(s) from off-site locations all the time.

Especially the out-sourced ones.

This may create some horrors, fill out the idea a bit for you of just one of the many ways this is a problem:
http://www.ijser.org/researchpaper%5CControlling-of-Electrical-Power-System-Network-by-using-SCADA.pdf
And the fact that developers work from offsite means that the server on which the corporation archives and does version control is on the open internet? Never was at anywhere I worked.
Looks like it got pretty hot between Wyden and Brennan today. The Wash Post reports:

“Ultimately, Brennan admitted ‘very limited inappropriate actions’ by CIA staff but accused Senate investigators of comparable transgressions and came close to shouting at Wyden: ‘Do not say that we spied on Senate computers or your files! Do not say that!’”

It was the annual threat assessment, but Brennan clearly didn’t appreciate being identified as one of the threats.
It could’ve been some hack of a government contractor or employee updating an obsolete version of the software and forcing its installation into the version control system. Hardcoded passwords are often used during software testing. Apparently, the encryption code was fixed and unfixed multiple times.
“… Apparently, the encryption code was fixed and unfixed multiple times …”
wow.
you mean like just replacing your door every time it gets kicked in and then going out to the movies again?
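The two questions the thread keeps circling back to, whether anyone diffs security-critical source before it ships and how a hardcoded test password gets through review, are the kind of thing a release pipeline can check mechanically. The script below is an added example written for this page; it is not Juniper’s code and not from the post or any commenter. The commit history, file names, the `prng_point` constant and the `debug-override` password are all constructed placeholders. It pins security-critical files to an out-of-band hash, flags files that toggle back and forth between two versions (the “fixed and unfixed multiple times” pattern), and scans each commit for credential-looking string literals.

```python
"""Release-gate checks for the two failure modes discussed in the thread:
a security-critical constant silently changed (and changed back and forth),
and a hard-coded credential left in authentication code.

Added example for this page; not Juniper's code. File names, contents and
the commit history are constructed placeholders."""
import hashlib
import re
from collections import defaultdict

# --- Constructed sample data -------------------------------------------------
# Hypothetical PRNG parameter file: known-good content and a tampered version.
GOOD_PRNG = 'static const unsigned char prng_point[] = "GOOD-CONSTANT";\n'
BAD_PRNG = 'static const unsigned char prng_point[] = "ATTACKER-CONSTANT";\n'
# Hypothetical login check with a debug password compiled in.
BACKDOOR_LOGIN = 'if (strcmp(pw, "debug-override") == 0) return AUTH_OK;\n'

# Constructed history, oldest first: (commit_id, author, {path: new contents}).
# Only files touched by a commit are listed, as in a diff.
HISTORY = [
    ("c1", "alice", {"crypto/prng.c": GOOD_PRNG}),
    ("c2", "mallory", {"crypto/prng.c": BAD_PRNG}),            # "unfixed"
    ("c3", "alice", {"crypto/prng.c": GOOD_PRNG}),             # "fixed"
    ("c4", "mallory", {"crypto/prng.c": BAD_PRNG,              # "unfixed" again
                       "auth/login.c": BACKDOOR_LOGIN}),
]


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Baseline hashes of security-critical files. In a real pipeline these live
# outside the repository (signed, or in the release checklist), so that an
# attacker with commit access cannot update them along with the file.
BASELINE = {"crypto/prng.c": sha256(GOOD_PRNG)}


def check_against_baseline(history, baseline):
    """Every (commit, path, author) where a baselined file's content no
    longer matches its known-good hash. Catches the change itself."""
    findings = []
    for commit, author, files in history:
        for path, expected in baseline.items():
            if path in files and sha256(files[path]) != expected:
                findings.append((commit, path, author))
    return findings


def find_reversions(history):
    """{path: [commit ids]} for commits that set a file back to content
    already seen earlier in its history. A file that keeps toggling between
    two versions is the 'fixed and unfixed multiple times' pattern and
    deserves a human look even when no baseline exists for it."""
    seen = defaultdict(set)
    last = {}
    reverts = defaultdict(list)
    for commit, _author, files in history:
        for path, content in files.items():
            h = sha256(content)
            if path in last and h != last[path] and h in seen[path]:
                reverts[path].append(commit)
            seen[path].add(h)
            last[path] = h
    return dict(reverts)


# Patterns for credentials compiled into code: assignments/comparisons of
# password-like names to string literals, and strcmp() against a literal.
SECRET_PATTERNS = [
    re.compile(r'(?i)\b(?:pass(?:word|wd)?|pw|secret|token)\s*(?:==|=|,)\s*'
               r'["\'](?P<secret>[^"\']{4,})["\']'),
    re.compile(r'strcmp\s*\(\s*\w+\s*,\s*"(?P<secret>[^"]+)"\s*\)'),
]


def find_hardcoded_secrets(content):
    """Sorted list of distinct string literals that look like embedded
    credentials in one file's contents."""
    hits = set()
    for pat in SECRET_PATTERNS:
        for m in pat.finditer(content):
            hits.add(m.group("secret"))
    return sorted(hits)


def scan_history_for_secrets(history):
    """{(commit, path): [secrets]} for every commit that introduces one."""
    report = {}
    for commit, _author, files in history:
        for path, content in files.items():
            secrets = find_hardcoded_secrets(content)
            if secrets:
                report[(commit, path)] = secrets
    return report


if __name__ == "__main__":
    for commit, path, author in check_against_baseline(HISTORY, BASELINE):
        print(f"BASELINE MISMATCH {commit} {path} (by {author})")
    for path, commits in find_reversions(HISTORY).items():
        print(f"FLIP-FLOP {path} reverted in {', '.join(commits)}")
    for (commit, path), secrets in scan_history_for_secrets(HISTORY).items():
        print(f"HARDCODED SECRET {commit} {path}: {secrets}")
```

Run as-is it reports commits c2 and c4 as baseline mismatches, c3 and c4 as reversions of `crypto/prng.c`, and the `debug-override` literal in c4’s `auth/login.c`. The design point is the baseline: if the known-good hash is stored in the same repository the intruder can commit to, the first check is worthless, which is why the reversion check exists as a second signal that needs no trusted baseline at all.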