British Spy Agency & NSA Tied to Juniper Vulnerabilities – Reports

The British spy agency GCHQ, with help from the NSA, learned to covertly exploit vulnerabilities in 13 models of Juniper firewalls, according to a top-secret 2011 document, as reported by The Intercept.

"The six-page document, titled 'Assessment of Intelligence Opportunity – Juniper,' raises questions about whether the intelligence agencies were responsible for or culpable in the creation of security holes disclosed by Juniper Networks Inc. (NYSE: JNPR) last week," according to The Intercept. "While it does not establish a certain link between GCHQ, NSA, and the Juniper hacks, it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the 'NetScreen' line of security products..." (See Juniper Warns of 'Unauthorized Code' on Its Firewalls.)

The document, provided by NSA whistleblower Edward Snowden, refers to Juniper as a " 'threat' and a 'target' because it provides technology to protect data from eavesdropping," The Intercept says. "Far from suggesting that security agencies should help U.S. and U.K. companies mend their digital defenses, it says the agencies must 'keep up with Juniper technology' in the pursuit of SIGINT, or signals intelligence."

The 2011 capabilities against Juniper are likely not connected to vulnerabilities disclosed last week, Matt Blaze, a cryptographic researcher and director of the Distributed Systems Lab at the University of Pennsylvania, tells The Intercept.

And yet the NSA might be indirectly responsible for the recently disclosed vulnerability, according to a report on Wired. The culprits may have modified a backdoor previously created by the NSA.

The incident underscores the problems with recent US and UK government proposals to require that encryption technology contain backdoors that can be used by government and law enforcement, according to the blog Techdirt.

"Putting backdoors into technology is a bad idea," says Techdirt. "Security experts and technologists keep saying this over and over and over and over again -- and politicians and law enforcement still don't seem to get it. And, you can pretty much bet that even though they now have a very real-world example of it -- in a way that's impacting their own computer systems -- they'll continue to ignore it. Instead, watch as they blame the Chinese and the Russians and still pretend that somehow, when they mandate backdoors, those backdoors won't get exploited by those very same Chinese and Russian hackers they're now claiming were crafty enough to slip code directly into Juniper's source code without anyone noticing."

— Mitch Wagner, West Coast Bureau Chief, Light Reading

KBode 1/4/2016 | 9:24:44 AM
Re: Backdoors... And every indication is we're headed toward MORE backdoors, since both leading political candidates fully support them as a "solution" to the "problem" of encryption, not realizing encryption benefits us all.
danielcawrey 12/28/2015 | 9:12:24 PM
Re: Backdoors... I agree this is making everything less secure.

People are certainly concerned about their privacy in light of this, and they well should be. There aren't many protections from backdoors right now. Someday maybe there will be, but I am not too hopeful. 
KBode 12/27/2015 | 12:00:19 PM
Backdoors... How many times exactly do security professionals have to remind government that backdoors are a bad idea? They wind up making EVERYBODY less secure. How many companies were at risk this last month after this backdoor was revealed (and, from what I understand, not initially properly patched by Juniper?) 
Joe Stanganelli 12/25/2015 | 11:22:07 AM
Government made its bed... Stuff like this is exactly why companies like Apple work on rolling out end-to-end encryption that keeps even the company itself from discovering and releasing information even if it wanted to.
Director38214 12/23/2015 | 6:12:38 PM
Come on Why would they do that ;)