🔺 What to do when markets are at an all-time high? Find smart bargains, like these.See Undervalued Stocks

Congress to probe Juniper 'back door' exposure, possible U.S. involvement

Published 01/28/2016, 10:26 PM
Updated 01/28/2016, 10:40 PM
Congress to probe Juniper 'back door' exposure, possible U.S. involvement
JNPR
-

By Joseph Menn

SAN FRANCISCO (Reuters) - A U.S. congressional probe into the impact of a hack of Juniper Networks Inc (N:JNPR) software will examine the possibility that it was initially altered at the behest of the National Security Agency, a lawmaker said in an interview on Thursday.

The House Committee on Oversight and Government Reform this month sent letters asking some two dozen agencies to provide documents showing whether they used Juniper devices running ScreenOS software. The company said in December ScreenOS had been compromised by hackers using a so-called back door in the software.

Rep. Will Hurd, a Texas Republican who heads the committee's technology subcommittee and formerly worked for the Central Intelligence Agency, said his initial goal in pursuing the probe was to determine whether government agencies, many of which use Juniper gear, had been compromised by the hackers.

But Hurd, a key player in the investigation, said the committee would also probe the origins of the breach. If it turns out that a back door was included at a U.S. government agency's request, he said, that should help change the policy debate.

The earliest Juniper back door identified by researchers used a technique widely attributed to the NSA. 

The NSA did not respond to a request for comment. Juniper declined to comment.

U.S. law enforcement and intelligence agencies have long lobbied in vain for legislation that would require technology companies to provide back doors in equipment that use encryption technology. They say they need such access to conduct authorized wiretaps and other types or surveillance.

The technology industry has fiercely opposed any such policy, arguing that back doors could be exploited by criminals or foreign intelligence services. The debate has heated up in the wake of recent attacks by Islamic militants, who make heavy use of digital communications networks.

"How do we understand the vulnerabilities that created this problem and ensure this kind of thing doesn't happen in the future?" Hurd said. "I don't think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses."

Juniper said in December it had found two unauthorized pieces of code inserted into ScreenOS that would have allowed whoever planted them to read email sent over supposedly secure connections known as virtual private networks, or VPNs.

After outside researchers picked apart the software patches Juniper issued to fix the problem, they concluded that one back door had been inserted in 2014 and one in 2012. The 2012 version, though, merely changed the formulation of a piece of software known as a random number generator, which is part of most encryption products.

The random number generator used in the Juniper products, known as Dual Elliptic Curve, has long been suspected by security professionals of containing a back door engineered by the U.S. National Security Agency. Those suspicions were largely confirmed by leaks from former agency contractor Edward Snowden.

Juniper said this month it would remove Dual Elliptic Curve entirely in future versions of its products.

Juniper has not said how the code got there in the first place. It sells into defense and intelligence agencies, however, and major customers could have requested that the code be modified as part of a contract, former employees told Reuters this month. That is how Dual Elliptic Curve made it into a software kit distributed by security company RSA.

The NSA is a logical suspect for the 2008 code insertion, said security researcher Nicholas Weaver of the International Computer Science Institute, while the offenders in both 2012 and 2014 are more likely to have been other countries.

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.