The Department of Homeland Security and federal agencies are in incident-response mode as they work to remove listening posts in software planted by suspected cyberspies.
The unauthorized code can allow attackers to invisibly decrypt communications passing through widely-used Juniper Networks firewalls, according to the company. The existence of the three-year old bug was disclosed on Dec. 17. The government has spent about $13 million on Juniper products since 2012, according to the federal funding-tracker USASpending.gov.
Currently, the government is scouring its IT inventory to identify affected Juniper systems — plus any information that ever touched a Juniper firewall.
It is believed a foreign party rigged the software. Reports this week suggested the assailants might have taken advantage of a weakness that the National Security Agency allegedly placed in a popular encryption formula.
Dave Aitel, who worked at the code-breaking agency and now serves as chief technology officer at cybersecurity firm Immunity, said the discovery of an unauthorized backdoor in Juniper’s encryption program demonstrates precisely why even legal backdoors can backfire. The hack reinvigorated an already tense debate about encrypted communications, which consumers increasingly are using for privacy and terrorists increasingly are using to evade law enforcement’s eyes and ears. The FBI wants tech providers to be able to break coded messages, when served with a warrant.
“We have every presidential candidate talking about crypto backdoors and no one can really point to why they are so dangerous,” Aitel said. But the Juniper software tampering is “a perfect case example of why cryptographic backdoors are so dangerous in the real world.”
As it happens, DHS Secretary Jeh Johnson, whose agency is responsible for helping agencies fix the Juniper vulnerabilities, recently raised alarms about a world without so-called backdoors for law enforcement.
In April, Johnson told RSA cybersecurity conference attendees: “I understand the importance of what encryption brings to privacy,” but “our inability to access encrypted information poses public safety challenges.”
DHS currently is assessing the risk the Juniper compromise poses to government systems, according to the department.
“It’s not just about the machine,” Aitel said. “It’s about all the data that ever went through the networks that that machine was connected to. It’s really painful. They have to look at their supply chain,” including the many corporate contractors handling agency data. What if one of their major suppliers uses juniper and now they can’t trust that supplier either?”
Many federal agencies do not have a firm grasp on how many systems they have, in general, which could complicate the scavenger hunt.
The Internal Revenue Service could not update 1,300 of its computers from Microsoft Windows XP to Windows 7 because the agency couldn’t find them all, according to a report released by the Treasury Inspector General for Tax Administration. As of the third quarter of fiscal 2015, 17 of the 24 major federal agencies could not automatically identify the number of software programs running on their network, according to Performance.gov, a federal goal-tracking site. And 16 departments could not detect how many devices were connected to it.
Homeland Security, which oversees civilian cybersecurity, has a few tools at its disposal to spur agency action.
DHS spokesman S.Y. Lee said in an emailed statement that the department is aware of reports regarding Juniper’s software and is still evaluating the potential ramifications.
“As we routinely do when such vulnerabilities are brought to light, we are assessing the potential impact, if any, on federal networks, and will take any appropriate mitigation measures in close coordination with interagency partners,” he said. The department is advising agencies toreview the critical steps recommended by Juniper and “to update their software.”
A DHS official told Nextgov that Homeland Security has been and remains in close touch with the company. The department’s U.S. Computer Emergency Readiness Team “has provided information to all federal agencies to patch this potential vulnerability and stands ready to offer further assistance if requested,” the official said.
The 2014 Federal Information Security Modernization Act empowers DHS to issue “binding operational directives,” but it is unclear whether Homeland Security has done so in this situation.
It’s also unknown whether DHS is scanning all other agencies’ networks for vulnerabilities through an intrusion-prevention tool called EINSTEIN, an action permitted under an executive branch memo issued last year. A federal spending bill that Congress cleared last week, and now awaits President Obama’s signature, would cement into law DHS’s ability to scan every civilian agency network.
The Juniper emergency brings to mind a 2014 governmentwide race to root out “Heartbleed,” a bug discovered in April of that year that allowed hackers to weasel into another type of widely-used encryption software. Similarly, after Chinese spyware pinched private records on 21.5 million former personnel, individuals applying for clearances to handle classified information, and their families. Homeland Security deployed EINSTEIN during both incidents.
On Tuesday, Wired‘s Kim Zetter reported NSA inadvertently might be to blame for the Juniper software bug.
An analysis ”suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes,” according to Wired.
Aitel, the former spy agency employee, said the Juniper campaign cast too wide a net to be the brainchild of NSA.
The federal government “could not legally covertly trojan the source code of a US company,” he said in a Dec. 18 blog post, shortly after the revelations. Past NSA hacking operations, such as one that allegedly bugged select Cisco equipment shipments en route to adversaries, demonstrate that America’s “policy in this area” is “specificity when it comes to targets.”
Early news reports indicated the FBI is investigating the Juniper matter. On Tuesday, FBI officials referred Nextgov to DHS and said they had no comment on whether any investigation is underway.
Juniper officials on Dec. 17 acknowledged the security vulnerabilities in virtual private network tools ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, and the company simultaneously released patches.
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Chief Information Officer Bob Worrall said in a post on the company’s website. As of now, the company has not received any reports of the vulnerabilities being exploited.
When Nextgov asked how the company is assisting federal victims, a Juniper spokeswoman said, “We have reached out to affected customers, strongly recommending that they update their systems and apply the patched releases with the highest priority.”