One of the biggest fears of any company is that a hacker or outside organization is utilizing a backdoor to spy on them. For customers of Juniper Networks, as it turns out, the NSA could have been eavesdropping for quite some time.
On Friday, January 8, Juniper Networks’ Derrick Scholl penned a blog post detailing steps the company had taken to mitigate some recent security issues. In the post, the company also noted that it would be replacing ANSI X9.31 and Dual EC DRBG in its in ScreenOS 6.3. The issue with this is that Dual EC DRBG is believed to have developed, in part, by the NSA.
For those unfamiliar, Dual EC DRBG stands for Dual Elliptic Curve Deterministic Random Bit Generator. According to the internal documents leaked by Edward Snowden, the Dual EC DRBG standard was published by the National Institute of Standards and Technology (NIST), with contributions from the NSA and contains a backdoor for the NSA as well.
According to a Juniper Networks press release, the changes were made to “enhance the robustness of the ScreenOS random number generation subsystem.”
Random number generation is essential to security, and the company said it would be replacing Dual EC and ANSI X9.31 with the same number generation technology it is using in its other products sometime in the first half of this year. However, the question becomes why the company was using it to begin with.
Security consultant John Pironti said that the integrity of Dual Elliptic Curve has been questioned since 2007 by cryptographers, especially given its potential connection to the NSA.
“It is unfortunate that it has taken Juniper so long to remove this code,” Pironti said. “One reason may be the significant amount of business that Juniper does with the US Government and its interest in preserving this business.”
Whatever their reasons for using the code, companies such as Juniper’s involvement with organizations like the NSA creates problems beyond just privacy concerns.
“Government involvement, especially from intelligence agencies creating backdoors into security products, can inflict distrust across the entire industry,” said Ondrej Krehel, founder of security firm LIFARS.
The Dual EC news comes a mere day after University of California, San Diego researchers presented on a 2008 backdoor vulnerability in a Juniper product that gave access to VPN sessions, and a month or so after Rapid7 noted a default backdoor password in ScreenOS.
Disclosures like the one presented by Juniper can obviously be a serious concern to enterprise IT professionals. Anyone who discovers these backdoors can exploit them to attack an organization. And, if a vulnerability is detected in a vendor product and an organization avoids corrective action for too long, then they could be on the hook for any damage incurred.
For example, according to Shodan founder John Matherly, more than 200,000 devices were still vulnerable to OpenSSL’s HeartBleed toward the end of 2015, more than a year after it was initially detected. At that point, the blame will often fall on the enterprise itself rather than the vendor.
To protect themselves, and better make informed decisions, Pironti suggests that enterprises should take a greater interest in the code and algorithms powering their favorite products.
“It is suggested that they require vendors to provide an inventory of all of the code libraries and algorithms used in the development of their products as part of the product/code procurement and acceptance process,” Pironti said.
Additionally, he said, they should hold vendors and third parties accountable for the steps they take following a breach or attack.
TechRepublic columnist Michael Kassner said that another way organizations can protect themselves from potential threats and vulnerabilities is by setting up a verifiable chain of custody for critical networking gear.
“Experts state more often than not, security hardware and software companies subcontract parts of the software package or device assembly to third-party vendors,” Kassner said. “Anywhere in that chain, malicious hardware and or software can be inserted into the component, assembly, or device.”