- How to stream Real Madrid vs. Galatasaray in the Champions League Today 2:00 AM
- How to stream Atletico Madrid vs. Bayer Leverkusen in the Champions League Monday 11:00 PM
- Russian bots targeting Joe Biden on Instagram Monday 10:04 PM
- TikTok takes down 2 dozen ISIS accounts being used for recruitment Monday 9:38 PM
- British judge refuses to delay WikiLeaks founder Julian Assange’s extradition hearing Monday 8:01 PM
- Indicted Giuliani associate Lev Parnas’ private Instagram filled with Trump connections Monday 7:22 PM
- ‘Bomboclaat’ is the new ‘sco pa tu manaa’ Monday 7:00 PM
- Lori Harvey reportedly trying to walk away from car crash spawns memes Monday 6:00 PM
- In Netflix’s ‘Upstarts,’ Silicon Valley CEOs are the good guys Monday 4:35 PM
- This video of a tree struck by lightning is… relatable? Monday 4:13 PM
- How to watch ‘Keeping Faith’ Monday 3:37 PM
- ‘South Park’ at the center of $500 million streaming war Monday 3:16 PM
- Pizza Hut and Papa John’s employees pranked into talking to each other on the phone Monday 2:34 PM
- Twitter bullies brought Jordan Peterson to tears Monday 2:24 PM
- 25 last-minute Halloween costumes for those with no time to shop Monday 1:30 PM
Juniper Networks removes eavesdropping code
Juniper Networks has been facing a firehose of criticism.
Juniper Networks has been facing a firehose of criticism since it revealed last month that security flaws in its own code could have allowed for eavesdropping on users’ communications for years.
The flaws garnered widespread attention because they occurred in Juniper’s ScreenOS, firewall firmware widely used by corporations and government agencies. Although Juniper released a security update to fix the encryption backdoor, vulnerabilities persist—any users who have not installed the update are still vulnerable, and security researchers have called attention to the possible involvement of the National Security Agency in the replacement code.
In response to the continued criticism, Juniper announced Friday that it would make additional security improvements to ScreenOS sometime this year.
What’s wrong with ScreenOS?
At a cryptography conference held at Stanford University last week, researchers from the University of California, San Diego, presented findings that Juniper’s code had been tampered with several times since 2008 to enable eavesdropping, Reuters reports.
The researchers scrutinized Juniper’s use of a supposedly random number-generating algorithm called Dual-Elliptic Curve in its encryption.
Cryptographers are wary of Dual-Elliptic Curve, or Dual_EC, because it relies on a seed number to generate the “random” numbers—and, if a hacker has access to the seed number, he or she can predict what those random numbers will be.
The UC San Diego researchers, led by Hovav Shacham, found that Juniper’s seed number was altered, suggesting that the algorithm Juniper used to encrypt communications was compromised. The team also found that some of the generated numbers were being displayed, which could make it easier for an attacker using the seed number to predict the “random” output of numbers.
Why is there speculation about the NSA’s involvement?
Nicholas Weaver of the International Computer Science Institute told Reuters that the compromises found in Juniper’s use of Dual_EC hinted at NSA involvement, but the NSA has been tied to Dual_EC in the past.
The NSA was involved in designing Dual_EC, and both Reuters and the New York Times reported in 2013 that the algorithm may enable a NSA backdoor for eavesdropping on encrypted communications.
What’s Juniper doing to fix the security issue?
In a blog post published Friday evening after the conference at Stanford, Juniper CIO Bob Worrall announced that the Dual_EC would be replaced in future versions of ScreenOS. “We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products,” he wrote. “We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016.”
Worrall also offered assurances that Juniper would continue to improve security in its products. He noted that the firm has worked to keep customers informed of the vulnerabilities and to fix them as quickly as possible. “We have also demonstrated that it is our policy to fix security vulnerabilities when they are found and to notify our customers according to our Security Incident Response Team procedures,” he wrote.
“The investigation of the origin of the unauthorized code continues,” he added. Worrall had previously called the flawed code, which enabled the decryption of VPN traffic, “unauthorized,” suggesting that it had been snuck in rather than placed intentionally by the company.
Illustration by Max Fleishman
Kate Conger is a politics and cybersecurity journalist who currently writes for Gizmodo. Her work has previously appeared in BuzzFeed, Digital Trends, Real Clear Politics, San Francisco Examiner, and elsewhere. Together with Dell Cameron, she won the Society of Professional Journalists' award for Best Scoop in 2017 for a report on the leak of data about 200 million American voters.