Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
You are here: Home / Customer Data / Juniper Ditches Code Tied to NSA
Juniper Networks Ditching Alleged NSA Eavesdropping Code
Juniper Networks Ditching Alleged NSA Eavesdropping Code
By Shirley Siluk / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
The source of unauthorized code that left its ScreenOS software platform vulnerable to hacking is still under investigation by Juniper Networks. The company has issued patches for the vulnerability and has found no further evidence of unauthorized code in ScreenOS, senior vice president and CIO Bob Worrall said in a Friday post on Juniper's Security Incident Response blog.

Some security experts, citing documents revealed by former National Security Agency (NSA) contractor and whistleblower Edward Snowden, have speculated the NSA might have had a hand in the recently discovered Juniper vulnerabilities. Juniper makes routers, switches and other networking products used by Internet service providers to manage online IP and traffic routing.

On December 17, Juniper said that it had discovered the unauthorized code during an internal code review. The code "could allow a knowledgeable attacker to gain administrative access to Juniper's NetScreen devices and to decrypt VPN connections," Worrall said at that time.

Products Will Continue To Be Targets

In his latest update, Worrall said Juniper plans to make further changes to address the security concerns raised by the unauthorized code discovery in ScreenOS. A detailed investigation conducted with the help of "a respected security organization," found no evidence of unauthorized code in another Juniper platform, Junos OS, he said. Worrall added that "it would be much more difficult to insert the same type of unauthorized code in Junos OS."

Worrall said Juniper plans to replace both Dual_EC and ANSI X9.31 in ScreenOS 6.3 with "the same random number generation technology currently employed across our broad portfolio of Junos OS products." The company intends to make those changes with a future release of ScreenOS set for the first half of this year, he added.

"Juniper Networks is keenly aware of the current and evolving threats to national and economic security around the world," Worrall added. "As a proven leader in driving technology innovation, we are also aware that our products will continue to be a target of cyberattacks."

He said Juniper's recent actions demonstrate "it is our policy to fix security vulnerabilities when they are found and to notify our customers according to our Security Incident Response Team procedures."

Security Holes 'Put Users at Risk'

In an article published December 23 on The Intercept, Ryan Gallagher and Glenn Greenwald -- who was one of the journalists to first reveal Snowden's surveillance disclosures in 2013 -- said that a February 2011 document from the GCHQ, the U.K.'s equivalent of the NSA, suggested the NSA "helped British spies find security holes in Juniper firewalls."

While the document did not establish a clear link between the NSA, the GCHQ and the Juniper backdoor code, "it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the 'NetScreen' line of security products, which help companies create online firewalls and virtual private networks," Gallagher and Greenwald said.

We reached out to Juniper, but were told by a spokesperson the company had nothing further to add since Worrall's post was published on Friday. However, Juniper has said it has not been informed by any users that the unauthorized code had been exploited.

In a related development, the digital rights advocacy group Access Now today announced that 195 people from 42 countries had signed a letter in support of strong encryption and against actions "that would undermine digital security."

While the letter was not drafted in direct response to the Juniper issue, Access Now policy counsel Drew Mitnick told us, "The Juniper vulnerability shows the importance of the letter. Weak encryption leads to poor security. Juniper used a standard known to have been compromised, likely for surveillance. As a result, an unknown number of users, companies, and government agencies were put at risk."

Tell Us What You Think


Posted: 2016-01-16 @ 1:45pm PT
For those of you who think encryption is unimportant and you have nothing to hide, I have to ask: Does it at all bother you that Microsoft has your banking card info and PIN number and can legally do anything they like with it, as per the fine print in their end user license agreement?

Like Us on FacebookFollow Us on Twitter
© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.