The NSA: Not as Smart as They Think They Are …
Last week, I posted a link to an article about the breach at Juniper Networks — and said it was bad news.
Today, Wired released an article that describes in great detail how the breach affected Juniper’s network gear. For the layfolks in the room, let me summarize the nature of the breach. Then I’ll point out how this breach was caused, probably intentionally, by the NSA, and how the NSA has, in this case, made us all more vulnerable.
To understand the breach, you first need a rudimentary understanding of how a virtual private network, or VPN, works. Anyone who works for a company and connects remotely to its network will have heard the term. A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users. It creates a "tunnel" through the Internet between two points, usually a laptop and a company firewall, or two firewalls, one at corporate headquarters and the other at a remote branch. Data that flows through this tunnel is encrypted by the VPN software at one end and decrypted at the other, so in theory it is safe from prying eyes while in transit.
The encryption itself is complex in the details but simple in concept. The software runs the data through a set of instructions (an algorithm) that scrambles it up like an egg, and it does so under an encryption key. As long as the other end has the same key and the same algorithm, it can reverse the steps and unscramble the data. In practice the two ends do not share a key in advance for every tunnel; they negotiate a fresh one when the tunnel comes up, and that negotiation depends on random numbers each side generates. That is why the quality of a firewall's random number generator matters as much as the strength of its cipher.
In some cases the encryption keys are created by hand. In Juniper's case, the firewall software (ScreenOS) generated the random values that feed its VPN keys with a pseudorandom number generator called Dual_EC, short for Dual_EC_DRBG. The NSA championed this algorithm and pushed it into the NIST standard (SP 800-90A) that security equipment sold to the government, firewalls included, is expected to follow. It has an inherent weakness, publicly documented since 2007: the generator is built around two constant points on an elliptic curve, and anyone who knows a secret number relating those two points can take a small amount of the generator's output, reconstruct its internal state, and predict every "random" value it produces from then on, including the ones that become encryption keys. Nothing in the output reveals whether such a secret exists. Juniper never pulled this code out of its VPN software, so its firewalls were still relying on Dual_EC to "randomly" generate keying material.
In brief: the Juniper firewall generates random values, turns them into a key, and encrypts the tunnel with that key. Anyone holding the secret behind the generator's constants can recover that key and decrypt traffic from any firewall running the affected versions of the VPN software. According to the Wired account, the unauthorized code found in ScreenOS replaced one of those constants with a new point, which means whoever planted that change held the secret for the affected versions.
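To make the weakness concrete, here is a toy model of the Dual_EC trapdoor. It is an added illustration written for this page, not code from Juniper, ScreenOS or the NIST specification. The curve, the points P and Q, the seed and the secret scalar are all constructed for the demo and are far too small for real use; the mechanics, though, are the ones documented in 2007: the state advances as x(s·P), each output is x(s·Q) with some high bits dropped, and whoever knows e with P = e·Q can turn one output back into the next state and predict everything that follows.

```python
"""Toy Dual_EC_DRBG with a trapdoor, on a deliberately tiny curve.

Added illustration only: the curve, points, seed and trapdoor scalar are all
constructed for this example and are not Juniper's or NIST's parameters.
"""

# Curve y^2 = x^3 + A*x + B over GF(P_MOD). 2**31 - 1 is prime and congruent
# to 3 mod 4, so a modular square root is a single exponentiation.
P_MOD = 2**31 - 1
A, B = 2, 3
TRUNC_BITS = 4   # the standard discards 16 high bits per output; 4 keeps the search small here
LOW_BITS = P_MOD.bit_length() - TRUNC_BITS


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Recover a point (x, y) on the curve from its x-coordinate, or None if none exists."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def truncate(x):
    """Dual_EC publishes only the low bits of each x-coordinate."""
    return x & ((1 << LOW_BITS) - 1)


class DualEC:
    """State update s = x(s*P), output r = x(s*Q), as in the standard's outer loop."""

    def __init__(self, seed, p_pt, q_pt):
        self.s, self.p_pt, self.q_pt = seed, p_pt, q_pt

    def next_output(self):
        self.s = ec_mul(self.s, self.p_pt)[0]
        return truncate(ec_mul(self.s, self.q_pt)[0])


# Trapdoor setup: whoever picks the constants chooses Q and a secret e, and
# publishes P = e*Q. Honest users see two "random" points; only the chooser knows e.
Q_PT = next(pt for pt in map(lift_x, range(12345, 13345)) if pt is not None)
E_SECRET = 0x2F7A9C31            # constructed trapdoor scalar
P_PT = ec_mul(E_SECRET, Q_PT)


def recover_state(r1, r2, e, p_pt, q_pt):
    """Given two consecutive outputs and the trapdoor e, return the generator's
    internal state after r2; every later output follows from it. None if no candidate fits."""
    for high in range(1 << TRUNC_BITS):          # brute-force the discarded high bits
        x = (high << LOW_BITS) | r1
        if x >= P_MOD:
            break
        pt = lift_x(x)                           # pt = +/-(s1*Q); the sign does not change the next x
        if pt is None:
            continue
        s_p = ec_mul(e, pt)                      # e*(s1*Q) = s1*(e*Q) = s1*P, whose x is the next state
        if s_p is None:
            continue
        s2 = s_p[0]
        if truncate(ec_mul(s2, q_pt)[0]) == r2:  # confirm against the second observed output
            return s2
    return None


def demo(seed=0x1C0FFEE, predict=3):
    """Return (predicted, actual) later outputs; they are equal when the trapdoor works."""
    victim = DualEC(seed, P_PT, Q_PT)                      # a firewall seeding its DRBG (constructed seed)
    r1, r2 = victim.next_output(), victim.next_output()    # two values an eavesdropper sees on the wire
    s2 = recover_state(r1, r2, E_SECRET, P_PT, Q_PT)
    clone = DualEC(s2, P_PT, Q_PT)
    predicted = [clone.next_output() for _ in range(predict)]
    actual = [victim.next_output() for _ in range(predict)]
    return predicted, actual


if __name__ == "__main__":
    pred, act = demo()
    print("predicted:", pred)
    print("actual:   ", act)
    print("trapdoor works:", pred == act)
```

Run it and the clone's predicted outputs match the victim's exactly, while the same search with any other scalar finds no candidate. Two things follow for a firewall using such a generator: an observer cannot tell a trapdoored P from a random one by looking at the output, and whoever substitutes their own Q (with their own e) gets the same predictive power without needing the original designer's secret.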
It seems that the weakness in the code that generates the random encryption key was placed there deliberately by the NSA. That is not 100 percent certain, but the weakness is so obvious that it raises serious concerns. If it is true, the NSA would certainly have done so with national security in mind, or at least you'd hope. But in doing so, it made every Juniper firewall vulnerable to hackers with more dubious intentions. The NSA is not fully to blame, though. Juniper Networks knew the weakness was there and did not adequately protect against it.
Malicious intent or not, one thing is clear: We do not take cyber security as seriously as we think we do. This is an epic failure by a company that ought to know better.
Published in General, Military, Science & Technology
How widespread is use of this inferior software?
Has the NSA done more damage (literal, objective, monetary damage) than any other agency in history?
We’ve done some research internally and are confident that no Cisco gear is affected. Beyond that, I cannot say. Juniper released patches for their gear recently to fix the issue…but as the article suggests, those patches may be just as suspect.
Well, I was in the Army…so I have to say no. ;-)
The Snowden disclosures describe an NSA exploit of the Juniper firewalls called FEEDTHROUGH. This could be it.
Sure seems possible. Thanks for the link. Yet another site to add to my ever growing list of “must read”.
I am going to assume that Spin’s response had multiple meanings. It did cause me to smile. Good quip, Spin.
Yeah, but if the NSA didn’t do this, then something something ISIS something danger. In other words: we need to have the NSA undermine Internet security to save us from ISIS.
Don’t you hate it when that happens?
In all seriousness though, I think it’s worth thinking long and hard about building back doors into software. The ability of the government to use them to spy on terrorists seems to be offset by the times when others use them to spy on the government.
Never mind the third parties being spied upon by fourth parties.
I don’t think so, Tim.
An OpenBSD committer (a person with access to the source code) intentionally placed, under the pay of Uncle Sam, a weakness in their VPN suite, iked. It was never removed, but the code was so altered between then and now that it is quite impossible to ascertain if that weakness is still present.
These are not backdoors. These are front doors with smaller handles.
There is no thinking. A back door is a vulnerability. It will be used by people, either legitimate (government) or illegitimate (not government). Once a backdoor is found, that software is no longer secure. It is like having a combination lock on the back door of your house and then pasting the combination on the back door, hoping it will stop all those who are not smart enough to read the code. Eventually somebody you do not want will read the code and use it. If the government wants your information, they can get it via traditional methods of capture (warrants).
You presume too much…
In theory it’s for spying on non-traditional criminals. That is, terrorists. The thing about really good encryption is that it’s possible for civilians to make and for governments to be unable to break. That is, if you really want the government to know what the “Three Guys Named Mohammed” pizza company is cooking up then you’ve got to grant them the ability to potentially look at all the other people too.
Now, in my mind it comes down to an analogy to gun control, and I don’t trust the government to have access to everyone’s stuff, never mind when others inevitably find their way in. But I’d like to consider and discuss the thing from first principles to make sure I’m thinking about it correctly.
Except at this late date we know full well that the gov’t will never find out what the pizza shop is doing, because they’ll turn a blind eye to the Muslims, and their surveillance/vetting skills and practices just stink.
So we’re trading freedom for nothing.
Thank Heavens the Islamic terrorists are so incompetent, because that’s the primary thing protecting us.