The Unnamed Network Provider Exposing our Infrastructure

Today was Global Threat day, when James Clapper testifies before various committees in Congress and Ron Wyden asks uncomfortable questions (today, directed exclusively at John Brennan). I’ll have a few posts about the hearings (in Senate Armed Services and Senate Intelligence Committees) and Clapper’s testimony, the SASC version of which is here.

One interesting detail in Clapper’s testimony comes in the several-paragraph section on Infrastructure within a larger section on “Protecting Information Resources.” Here’s how the testimony describes the Juniper hack.

A major US network equipment manufacturer acknowledged last December that someone repeatedly gained access to its network to change source code in order to make its products’ default encryption breakable. The intruders also introduced a default password to enable undetected access to some target networks worldwide.

There’s no discussion of how many Federal agencies use Juniper’s VPN, nor of how this must have exposed US businesses (unless the NSA clued them into the problem). And definitely no discussion of the assumption that NSA initially asked for the back door that someone else subsequently exploited.

More importantly, there’s no discussion of the cost of this hack, which I find interesting given that it may be an own goal.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

13 replies
      • P J Evans says:

        I’ve been reading ew for a long time.
        Mostly I was amused by Comey trying to get people to buy into how much trouble the FBI has with encryption, given how many other agencies seem not to have trouble at all. (And all the rumors about NSA and fingers in encryption schemes.)

  1. haarmeyer says:

    I’m still trying to wrap my head around the idea of someone “repeatedly” breaking into Juniper’s “network” to get access to source code. There’s so much that doesn’t make sense in that, like what was the server for their proprietary IP and source code doing on a network that someone could gain access to, how did the source code get compiled and shipped without anybody diffing it at all including their source control system, and what kind of number they put in to replace the one that was changed.

    Everything about that sounds like either massive corporate stupidity or an inside job.

  2. lefty665 says:

    Looks like it got pretty hot between Wyden and Brennan today. The Wash Post reports:
    “Ultimately, Brennan admitted “very limited inappropriate actions” by CIA staff but accused Senate investigators of comparable transgressions and came close to shouting at Wyden: “Do not say that we spied on Senate computers or your files! Do not say that!””
    It was the annual threat assessment, but Brennan clearly didn’t appreciate being identified as one of the threats.

  3. Les says:

    It could’ve been some hack of a government contractor or employee updating an obsolete version of the software and forcing its installation into the version control system. Hardcoded passwords are often used during testing software. Apparently, the encryption code was fixed and unfixed multiple times.

    • orionATL says:

      “… . Apparently, the encryption code was fixed and unfixed multiple times…”

      wow.

      you mean like just replacing your door every time it gets kicked in and then going out to the movies again?
