The saga of Juniper’s ScreenOS security breach continues. Now, a congressional subcommittee is trying to determine which government agencies use ScreenOS and whether they were hacked due to the back door in the software, which was discovered in December 2015.
Will Hurd (R-Texas) heads the technology subcommittee of the House Committee on Oversight and Government Reform, which is heading the ScreenOS investigation, according to a Reuters report.
Some theorize that the back door into ScreenOS was the work of the National Security Agency (NSA), and Hurd wants to investigate that as well.
This quote from Hurd, as reported by Reuters, kind of sums up the irony of it all: “I don’t think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses.”
The subcommittee has sent letters, such as this one to the U.S. Securities and Exchange Commission, to about two dozen government agencies. The letters ask each agency to reply by Feb. 4 on whether it used the affected Juniper software and whether it has applied the security patch.
The security problems have been determined to stem from Dual_EC, a pseudorandom number generator that was part of ScreenOS as far back as 2008 and which may have been included at the behest of the NSA. Code insertions into ScreenOS in 2012 and 2014 exploited a known Dual_EC weakness, creating the back door into Juniper firewalls.
Earlier this month, Juniper said it was removing Dual_EC entirely from its software.
Back in December we talked to HD Moore, chief research officer at Rapid7, a company that sells products that assist with the detection and prevention of attacks. He told us, “There are no security benefits and many likely downsides to implementing mandatory back doors.”