Homeland Security supposedly knew about the Juniper firewall backdoor 'way before' the public did

The secret backdoor in Juniper firewalls, which made it possible to decrypt the VPN traffic passing through them, has been compared to “stealing a master key to get into any government building.” The security hole, which existed for at least three years, was publicly announced in December 2015. Who installed the backdoor is still unknown, but some people believe it was repurposed from a tool originally created by the NSA.

DHS knew about Juniper backdoor ‘way before’ the public did

The Department of Homeland Security (DHS) is one of the agencies credited with playing a key role in the Juniper debacle. John Felker, director of the DHS 24-7 National Cybersecurity and Communications Integration Center, told Nextgov that he and “three other DHS individuals knew of the security glitch from the company ‘way before’ the public.”

Felker would not say how long Juniper and DHS knew about the flaw while so many other organizations remained vulnerable. Juniper reportedly didn’t want it publicly known until it “understood the scope and nature of the dangers.” Only then did DHS and Juniper sound the alarm to warn the rest of the world.

Although Felker is “confident” the Juniper vulnerability announced in December has been addressed, he told Nextgov, referring to unconfirmed reports: “However—and I don’t know this for a fact—but I’m told that there was potentially a backdoor built into some of that” technology, too. Felker added, “Some of that gear was in place for years.”

The recent research paper “A Systematic Analysis of the Juniper Dual EC Incident” (pdf) found that although Juniper had acknowledged the use of Dual EC in 2013, claiming “that ScreenOS included countermeasures that neutralized this form of attack,” those countermeasures were “never executed.” After reverse-engineering numerous versions of ScreenOS, the researchers found that the “attack was only possible due to the interaction of a cluster of changes made by Juniper in the 6.2 version of ScreenOS released in 2008.” In practical terms, the paper shows that the second generator meant to post-process the Dual EC output was skipped, so raw Dual EC output reached the VPN handshake, which is exactly what an attacker holding the backdoor secret needs to recover the session keys.

Treasury Department took 8 weeks to patch Juniper hole, but no data stolen

A House Oversight subcommittee has been investigating the government’s use of the backdoored Juniper software. During a hearing today, the opening statement (pdf) by Congressman Will Hurd (R-TX) specifically called out the Treasury Department for an unacceptable timeline for deploying Juniper patches. Hurd pointed out that letters went out in January to the heads of 24 federal agencies, asking which ones were running the vulnerable software and when the emergency security patch had been installed. Twelve agencies were affected, and three of them, including the Department of the Treasury, took “longer than 50 days” to “fully install patches and mitigate the threat posed by this vulnerability.” Hurd said, “This is absolutely unacceptable.”

Sanjeev Bhagowalia, the Treasury Department’s CIO, testified (pdf) that 25% of the patches were deployed in one day, “84% within a week; 86% within two weeks; and 93% in seven weeks.” The remaining 7%, covering configurations that “posed low risk for exploitation of the vulnerability,” were completed in “just over eight weeks.” Of the 57 devices running the flawed Juniper software, 40 were classified as “high risk” out of an “abundance of caution,” but only four, at sites such as the U.S. Mint and the Bureau of Engraving and Printing, had been connected to the Internet.

No worries; no data was stolen via the Juniper backdoor, he claimed.

But Rep. Hurd demanded to know how the Treasury Department would know whether something was taken or not. When he asked how much unsupported, or legacy, software the Treasury Department is currently using, Bhagowalia responded that it is a “small percentage.”

Attribution as a deterrent

Hurd said, “Various international groups and state-sponsored actors are constantly attempting to steal military secrets and expose the personally identifiable information of American citizens, and we cannot stand idly by while this happens.”

The victims, according to Hurd, were not the hacked companies; they “failed.” The victims were government agencies and other customers. He says attribution can play an important deterrence role.

You can’t really have it both ways, can you? If a backdoor in Juniper’s firewalls that allowed encrypted VPN traffic to be decrypted is considered a big, bad deal, then how is it not an epically terrible idea to require a backdoor for government access, as the Burr-Feinstein backdoor proposal suggested? If you want to play the attribution game, then when a company is breached via that backdoor, wouldn’t attribution start with the names Sen. Dianne Feinstein and Sen. Richard Burr?