steven36 Posted October 29, 2020 Share Posted October 29, 2020 Senator Wyden puts surveillance nerve-center on blast It's said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report. On Wednesday, Reuters reporter Joseph Menn published an account of US Senator Ron Wyden's efforts to determine whether the NSA is still in the business of placing backdoors in US technology products. Wyden (D-OR) opposes such efforts because, as the Juniper incident demonstrates, they can backfire, thereby harming national security, and because they diminish the appeal of American-made tech products. But Wyden's inquiries, as a member of the Senate Intelligence Committee, have been stymied by lack of cooperation from the spy agency and the private sector. In June, Wyden and various colleagues sent a letter to Juniper CEO Rami Rahim asking about "several likely backdoors in its NetScreen line of firewalls." Juniper acknowledged in 2015 that “unauthorized code” had been found in ScreenOS, which powers its NetScreen firewalls. It's been suggested that the code was in place since around 2008. The Reuters report, citing a previously undisclosed statement to Congress from Juniper, claims that the networking biz acknowledged that "an unnamed national government had converted the mechanism first created by the NSA." Wyden staffers in 2018 were told by the NSA that a "lessons learned" report about the incident had been written. But Wyden spokesperson Keith Chu told Reuters that the NSA now claims it can't find the file. Wyden's office did not immediately respond to a request for comment. The reason this malicious code was able to decrypt ScreenOS VPN connections has been attributed to Juniper's "decision to use the NSA-designed Dual EC Pseudorandom Number Generator." The company has yet to clarify exactly why it made that decision. Juniper did not respond to a request for comment. When former NSA contractor Edward Snowden leaked agency secrets in 2013, Reuters reported that years earlier security firm RSA, now part of storage biz EMC, had accepted a $10m contract with the NSA to use Dual Elliptic Curve, or Dual EC, encryption. RSA at the time denied some of the claims without disputing the existence of the contract. The NSA had been keen to see Dual EC adopted and worked with the US Commerce Department to promote it. But in 2007, two Microsoft researchers reported there were serious flaws with the Dual Elliptic Curve Deterministic Random Bit Generator that led it to produce weak cryptography. By 2014, US standards agency NIST withdrew support for Dual EC. Juniper at some point between 2008 and 2009 appears to have added Dual EC support to its products at the request of "a single customer," widely believed to be the NSA. After Snowden's disclosures about the extent of US surveillance operations in 2013, the NSA is said to have revised its policies for compromising commercial products. Wyden and other lawmakers have tried to learn more about these policies but they've been stonewalled, according to Reuters. The NSA also declined to provide backdoor policy details to Reuters, stating that it doesn't share "specific processes and procedures." The news agency says three former senior intelligence officials have confirmed that NSA policy now requires a fallout plan with some form of warning in the event an implanted back door gets discovered and exploited. The Register asked the NSA to comment. We've not heard back. Source Link to comment Share on other sites More sharing options...
dMog Posted October 29, 2020 Share Posted October 29, 2020 scary world out there with all this cyber war stuff going on. Link to comment Share on other sites More sharing options...
caraid Posted October 29, 2020 Share Posted October 29, 2020 16 hours ago, steven36 said: The reason this malicious code was able to decrypt ScreenOS VPN connections has been attributed to Juniper's "decision to use the NSA-designed Dual EC Pseudorandom Number Generator." The company has yet to clarify exactly why it made that decision. Juniper did not respond to a request for comment. 16 hours ago, steven36 said: Juniper at some point between 2008 and 2009 appears to have added Dual EC support to its products at the request of "a single customer," widely believed to be the NSA. I wonder which companies still bought Juniper's products after such revelations came to light? Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.