The FBI is investigating the devastating hack of Juniper Networks' ScreenOS, which could lead to the "complete compromise" of the VPNs of anyone using Juniper's NetScreen products in the last three years.
The US Department of Defense, the US Treasury and the FBI itself are among Juniper Networks Inc. (NYSE: JNPR)'s customers. It is not clear if any of those organizations use NetScreen VPNs specifically. CNN originally reported the FBI's investigation of the breach. (See Juniper Warns of 'Unauthorized Code' on Its Firewalls.)
Juniper initially disclosed the vulnerability this week, and issued a patch.
CNN reported that government officials believe the hackers are associated with a foreign government. The common belief in the US is that China is directly involved in cyber espionage. Russia is also almost certainly directly involved in cyber espionage, but might also be working in concert with putatively independent groups of hackers.
The bulk of the damage will have been sustained by Juniper customers, but the blow to Juniper itself could be crippling. The company is building its reputation on network security.
Just last month, when the company hired Kevin Walker as security chief technology officer (CTO), Juniper EVP Jonathan Davidson said, "For Juniper, 'security' and 'networking' are one and the same and we are committed to building the most secure networks for our customers." (See CSP Network Security Becomes White Hot.)
Security mavens on Twitter have been comparing the patch code to the original source code (because the best place to discuss security breaches is, apparently, Twitter).
The discussion is suitably arcane, but the gist of the theorizing is that the hack may have targeted a random number generator (dual_EC_DRBG, or dual elliptic curve deterministic random bit generator) that ScreenOS uses indirectly for generating cryptographic keys.
These Twitterati believe that Juniper is using this approach at the behest of the NSA to help create a backdoor to these systems. Their argument boils down to this: The NSA is ultimately responsible for the breaches because it insists that backdoors be included in networking equipment.
This speculation -- still unverified -- slots right in to the ongoing political argument that Silicon Valley is having with the US Government. Silicon Valley companies have been arguing that any backdoor inserted into any networked system to accommodate US security interests makes a network inherently more vulnerable to hackers.
Whatever the specific nature of the hack might end up being, it is known that the origin of the breach was the insertion of illicit programming in the source code of ScreenOS, the operating system for the company's NetScreen products, which are used for VPNs, firewalls and traffic shaping, including protection against denial-of-service attacks. The company said that JunOS, its proprietary OS for its routers and other systems, appears to be unaffected.
The first hack, according to Juniper's security bulletin, "allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system."
The second hack "may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic."
In a blog post, Bob Worrall, Juniper's SVP chief information officer, wrote "At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority."
The lack of such reports should be no balm whatsoever. According to Juniper's security note, it would be not only possible but easy for hackers to leave no trace that they had even logged on to the system.
Given that, it might be impossible to determine how extensive or damaging the security failure might have been, beyond identifying Juniper's NetScreen customers.
— Brian Santo, Senior Editor, Components, T&M, Light Reading