Big Brother touched Juniper Networks - backdoor allowed anyone to eavesdrop on communications

By: David Herron; Date: 2015-12-23 10:14

Tags: Big Brother » Government Spying » Privacy

It's known that U.S. Government spy agencies have demanded "cooperation" from computer and networking equipment vendors to ensure those agencies can unlawfully tap into communications traffic. The effect is that anybody who learns the secret keys government spies use to wiretap communications can also listen in on those communications.

A couple weeks ago the Republican candidates for the 2016 US Presidential election held a debate in which Carly Fiorina (former HP CEO) bragged about having helped Government spy agencies do something to a computer shipment that may have involved installing backdoors.

All the Republican candidates (except for Rand Paul) proclaimed the necessity of undermining the Internet so that spy agencies can "do something about Terrorism". My blog post at the time pointing out the problem, that they're willing to destroy the Internet and trample on our freedom of privacy and freedom of speech, was met with a certain amount of derision. This is a serious problem we're facing, that the Internet has been subverted into a massive spying operation.

An example of this, and of the problems it causes, is in today's news. According to The Register (www.theregister.co.uk), routers made by Juniper Networks have been discovered to have "backdoors" installed that make it easy for those with knowledge of certain details to decrypt any communication going through those routers. The backdoors share characteristics with the Dual EC DRBG random number generator, which the NSA lobbied to have adopted even though researchers who studied it determined its output could be decoded by "clever eavesdroppers".

In other words, the NSA wanted the world to adopt this random number generator - these are used for initializing encryption algorithms - that would predetermine the characteristics of encrypted communications that the NSA could then easily decrypt.

Juniper Networks admitted there had been unauthorized changes to software in their routers. The researchers who uncovered the flaw of course don't have access to the audit trail to determine who inserted these changes. It smells like the NSA caused this to happen, but The Register doesn't have proof of the culprit.

However, the effect is what I said above - a backdoor allowing anyone with the right knowledge to easily decrypt communications. It may not matter whether it was the NSA who did it. The truth is that Juniper routers are vulnerable, and it seems purposely so. It's just that the NSA has the motive to do this, and the means (it's well known Government agencies have demanded various forms of "cooperation" of this sort over the last several years).

What's truly egregious about this is that nefarious third parties also discovered the same vulnerability. According to The Register, they built ... well, The Register has this quote from a blog post (blog.cryptographyengineering.com) by Matthew Green, a cryptography researcher at Johns Hopkins University. That blog post goes into many more details.

"For the past several years, it appears that Juniper NetScreen devices have incorporated a potentially backdoored random number generator, based on the NSA's Dual EC DRBG algorithm,"

"At some point in 2012, the NetScreen code was further subverted by some unknown party, so that the very same backdoor could be used to eavesdrop on NetScreen connections. While this alteration was not authorized by Juniper, it's important to note that the attacker made no major code changes to the encryption mechanism – they only changed parameters."

"To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional – you be the judge,"

"They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them,"

"The end result was a period in which someone – maybe a foreign government – was able to decrypt Juniper traffic in the US and around the world."
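The mechanism behind the "predetermined" random numbers described above, and behind the remark that the attacker "only changed parameters", can be shown in a few lines. This is an added example, not code from Juniper, The Register or Matthew Green's post: a simplified Dual EC DRBG on the NIST P-256 curve in which whoever chose the point Q (and so knows d with P = d*Q) turns one observed output into the next. The names `dual_ec` and `predict_next`, the secret `e` and the seed are constructed for illustration, and the real generator also truncates each output, which this sketch omits.

```python
# Added teaching example: simplified Dual EC DRBG on NIST P-256.
# Simplifications (assumptions): no output truncation, no reseeding.
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
assert (P[1]**2 - P[0]**3 - a*P[0] - b) % p == 0  # sanity: P is on the curve

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        m = (3*x1*x1 + a) * pow(2*y1, p - 2, p) % p
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, p - 2, p) % p
    x3 = (m*m - x1 - x2) % p
    return (x3, (m*(x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def dual_ec(seed, Q, count):
    """Each round: state s <- x(s*P), then emit x(s*Q)."""
    s, out = seed, []
    for _ in range(count):
        s = mul(s, P)[0]
        out.append(mul(s, Q)[0])
    return out

def predict_next(output, d, Q):
    """With d such that P = d*Q, one output yields the next output."""
    y = pow((output**3 + a*output + b) % p, (p + 1) // 4, p)  # lift x to a point
    next_state = mul(d, (output, y))[0]  # x(d * s*Q) = x(s*P) = next state
    return mul(next_state, Q)[0]

e = 0x1234567890abcdef          # constructed secret of whoever chose Q
Q = mul(e, P)                   # the only "parameter" that gets swapped
d = pow(e, n - 2, n)            # e^-1 mod n, so that P = d*Q
outs = dual_ec(0xc0ffee, Q, 3)  # constructed seed, unknown to the observer
assert predict_next(outs[0], d, Q) == outs[1]
```

Nothing in the generator's code differs between an honest Q and a chosen one, which is why a review has to verify where the constants came from rather than only the algorithm.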

His blog post closes with this explanation of why these details of random number generators and encryption algorithms matter:

For the past several months I've been running around with various groups of technologists, doing everything I can to convince important people that the sky is falling. Or rather, that the sky will fall if they act on some of the very bad, terrible ideas that are currently bouncing around Washington -- namely, that our encryption systems should come equipped with "backdoors" intended to allow law enforcement and national security agencies to access our communications.

One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted. Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don't trust to read our messages. Normally when we talk about this, we're concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.

The problem with cryptographic backdoors isn't that they're the only way that an attacker can break into our cryptographic systems. It's merely that they're one of the best. They take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes.

That is, he's raising the same concern I raised. Many politicians are calling for subversion of the Internet, so that spy agencies can more easily eavesdrop, and more easily "catch terrorists". But the effect will simply be more invasion of privacy and, worse, that criminals and others will make unintended use of these backdoors.

An example that came up in today's news (arstechnica.com) is a guy from the Bahamas captured by the FBI while trying to sell stuff he purloined from the private e-mail accounts of actors, actresses, etc. In part it's the same-old-same-old story of someone hacking into e-mail accounts and pilfering stuff. In this case it's TV scripts, movie scripts, sex tapes, private identifying numbers, and so on. It's the sort of story which comes up on occasion; you read it, yawn and move on. But it's also a symptom of the whole problem: nefarious people grabbing private personal data they have no business accessing.

Maybe this guy used the sort of backdoor which was installed by government agents, or maybe not. It doesn't matter. It's just another instance of privacy violation. When the Government leans on computer equipment makers to install security backdoors - it means the Government is increasing the chance of privacy violations. And the government cannot control who uses those tools.
