Backdoors have been a sensitive issue in the last few years – and this controversial issue got even hotter after the terrorist attacks. Yet despite the attention focused on backdoors, no one noticed that someone had quietly installed unauthorized backdoors three years ago on a core piece of networking equipment used to protect corporate and government systems around the world.
By Michael Fayerman
Managing Editor Intelligence technology
On Thursday, tech giant Juniper Networks announced in a startling press release that it had found “unauthorized” code embedded in the operating system running on many of its firewalls.
The code, which appears to have been in multiple versions of the company’s ScreenOS software, went back all the way to an estimated middle of 2012. This code would have allowed hackers to take complete control of Juniper NetScreen firewalls. It also would permit hackers, if they had the resources and skills, to separately decrypt encrypted traffic running through the VPN on its firewall.
The bottom line: it would allow a knowledgeable attacker to gain “administrative” (full) access and decrypt VPN connections. During the research of this incident, I came across many opinions regarding the danger of the “backdoors”. However, I would not equate a hacker attack that remained undetected for several years with authorized capabilities to decrypt VPN or authorized access to a master password to prevent terrorist attacks. The irony is that the NSA used the Juniper VPN services.
Addressing this issue is not a matter of closing authorized “backdoors” but also of helping venture groups start focusing on harnessing technology security talent, or of using the CIA’s In-Q-Tel to build up their financial resources and work with venture advisory groups to find top talent in security.
There are two levels of protection involved at the high level: the first is at the vendor level. Unfortunately, the main venture groups are focused on services and social networks. The standard audits and penetration studies need to be augmented with innovative technical security studies. I envision a highly sophisticated scanning software that would require the best and brightest, well compensated with potential upside, to get involved in these types of projects.
The second should be repeated for the most part in government agencies that hold secret and sensitive data that can affect US national security. I do believe that in 2016 a roadmap to solving these issues would be addressed legislatively and at the venture capital level.