Congress Gives Federal Agencies Two Weeks To Tally Backdoored Juniper Kit

itwbennett writes: In an effort to gauge the impact of the recent Juniper ScreenOS backdoors on government organizations, the House of Representatives is questioning around two dozen U.S. government departments and federal agencies. The U.S. House of Representatives' Committee on Oversight and Government Reform sent letters to the agencies on Jan. 21, asking them to identify whether they used devices running the affected ScreenOS versions, to explain how they learned about the issues and whether they took any corrective actions before Juniper released patches and to specify when they applied the company's patches. The questioned organizations have until Feb. 4 to respond and deliver the appropriate documents, a very tight time frame giving that 'the time period covered by this request is from January 1, 2009 to the present.'

Proscecutions?

[jdwolfe]

Who at Juniper is getting prosecuted for selling backdoor'd routers to the United States Federal Government?

Re:Proscecutions?

[sims+2]

Prosecuted? Somebody's probably going to get an award for thinking ahead. They had their kit backdoored before the government even made it a requirement! Whats good for the goose is good for the gander and all that.

Isnt this a good thing?

[thesupraman]

I thought government security organisations of the three letter variety were busy trying to convince
us that security backdoors and 'special' access for government level players was a good thing?

Surely they should just be promoting this as a feature, that enables the rounding up of literally millions
of pedophiles, drug addicts, and terrorists Real Soon Now?

Oh, wait, they are not sure its only THEIR backdoors? Dont tell me other governments may also be
involved? But surely if its good for one government to have access, its better if more do - hell, they ALL
should, right? So they can enforce their own local views of What Is Right?

Are we being told only some governments are trustworthy? Can we please have a list? What happens when
governments change? This is all just too complicated!

It is a pity most police are now just too busy collecting revenue to do much police work, it all seemed a bit
simpler when they used to investigate actual crimes against the populace.

What did you know

[JustAnotherOldGuy]

Q: "What did you know and when did you know it?"

A: We didn't know nothin' then, we don't know nothin' now, and we won't know nothin' next week either."

"Thank you, this meeting is adjourned."

Re:ScreenOS is dying anyways

[msauve]

Fortinet?

Perhaps they should simply ask the NSA, they should know exactly when the backdoor stopped working on any particular site.

2009 time frame is bogus

Here's the letter to SSA:

Dear Ms. Colvin:
On December 17, 2015, Juniper Networks announced in a press release that it discovered
“unauthorized code that could allow a knowledgeable attacker to gain administrative access” to
certain devices and “decrypt VPN connections.“

On December 20, 2015, Juniper Networks issued a patch to the aforementioned software
vulnerability to their ScreenOS platform. In a related press release, Juniper Networks listed
vulnerable devices and described the potential exposure ifthis vulnerability was exploited:

0 Administrative Access (CVE-2015-7755) affecting devices rtmning ScreenOS 6.3
0r17 through 6/3 0r20; and 0 VPN decryption (CVE-2015-7756) affecting devices rtmning ScreenOS 6.20r15
through 6.2or18, ScreenOS 6.30rl2 through 6/3 0r2O.2

So that the Committee may better understand the extent of the ScreenOS vulnerabilities
and related effects on the cybersecurity posture of federal agencies that use the ScreenOS
platform, please provide the following documents and information as soon as possible, but no
later than 5:00 p.m. on February 4, 2016:

1. Documents sufficient to identify whether your agency, or any component agency,
used the affected Juniper ScreenOS platfonns;
2. Documents and communications referring or relating to how the agency, or its
components, discovered the vulnerability and ifany corrective measures were taken
prior to deploying the software patch issued by Juniper Networks on December 20,
2015;
3. Documents and communications referring or relating to what version(s) of ScreenOS
your agency, or any component agency, used; and
4. Documents sufficient to show when your agency, or any component agency,
deployed the software patch issued by Jtmiper Networks on December 20, 2015.

The Committee on Oversight and Government Refonn is the principal oversight
committee of the House of Representatives and may at “any time” investigate “any matter” as set
forth in House Rule X.

When producing documents to the Committee, please deliver production sets to the
Majority staff in room 2157 of the Rayburn House Ofce Building and the Minority staff in
room 2471 of the Rayburn House Office Building. The Committee prefers, ifpossible, to
receive all documents in electronic format. An attachment to this letter provides additional
information about responding to the Committee’s request.

Please contact Mike Flynn of the Majority staff at (202) 225-5074 or Brian Quinn ofthe
Minority staff at (202) 225-5051 with any questions about this request. Thank you for your
attention to this matter.
[signatures]

There's no mention of getting information as far back as 2009 in the letter. That bit was from some attached boilerplate rules about how the committee wants the report formatted, media, etc. Other letters that have nothing to do with the Juniper firewall issue have the same boilerplate rules attached. The committee only wants the information at stated in their four items. I don't why the report for the TFA put in that bit about the 2009 timeframe other than to exaggerate the work each agency is going to have to do.

Re:2009 time frame is bogus

[Zocalo]

Maybe because they read between the lines a bit? If you put the part of the letter that reads "Documents sufficient to identify whether your agency, or any component agency, used the affected Juniper ScreenOS platforms" (note the tense) with the timeframe that Juniper when started shipping products with a vulnerable version of ScreenOS (e.g. from 2009), then they are indeed asking for data that could potentially go back to 2009. Just because a company might be using an alternative product now, doesn't mean that they didn't have vulnerable products in the past, so they are indeed asking for agencies to review their equipment purchasing records going back to 2009.

Still, it's a pretty incompetent company that won't have at least some form of records of CapEx purchases going back six years, let alone a government agency, just because of financial and tax legislation requirements, albeit possibly not entirely digital and searchable. At my previous employer I could get a report with a complete list of assets from a given vendor complete with every logged change made to those assets from our ITIL CMDB system in a couple of minutes that would easily cover that timescale, although I suspect for many government agencies this is likely to involve some hapless interns digging through dusty paper boxes in a warehouse rather than someone running a report.

Re:In other words

[michelcolman]

I don't know what they're complaining about, I thought they wanted backdoors?

Re:In other words

[Opportunist]

I was thinking the same. First they start lamenting how they need government backdoors, now they complain when they find some. Make up your fucking mind, people!

Re:In other words

[gtall]

I know this might come as a shock to you, but the U.S. Government is very large. It does multiple things at one time. One part can have a policy contradicting another part. In some cases, the contradiction is mandated by Congress. Government is not a large company where getting out of line can get you fired. There is no line, there are fiefdoms. And you wouldn't want it any other way.