Wednesday, December 23, 2015

Juniper's Software Security Problem and What We can learn from it?

Recently, Juniper was in the news for a wrong reason: FBI is investigating Juniper for a security hole in its Netscreen Firewall products. 

FBI is investigating on a security hole - i.e., someone had put  "unauthorized code" inside Netscreen Firewall - a security equipment sold by Juniper Networks.

While this investigation goes on, there is a major learning for all product companies. Adding some "unauthorized code" into the product is a regular technique used by various government agencies. Few years ago,  NSA had done a similar thing - put code on Cisco network equipment, which prompted John Chambers, then the CEO of Cisco, to write an open letter to President Obama asking Obama to stop the NSA from hacking into Cisco's equipment.

In February 2015, Kaspersky labs found out that NSA had created spyware hidden in the hard drive firmware of more than dozen of the largest manufacturers brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi. See: NSA Planted Stuxnet-Type Malware Deep Within Hard Drive Firmware

Given the extent of reach and power NSA and other governmental agencies have, it would be wise to assume that majority of computer equipment could have "unauthorized code"!

How does such "unauthorized code" get into the system?

According to information revealed by Edward Snowden, hacking into hardware is relatively easy for agencies like NSA. NSA has a special department to handle this - called as TAO: Tailored Access Operation Unit. TAO intercept servers, routers, and other network gear being shipped to organizations targeted for surveillance and install covert implant firmware onto them before they're delivered. These devices are then re-packaged and placed back into transit to the original destination. All of this happens with the support of Intelligence Community partners and the technical wizards in TAO.

What can be done about it?

Since the "unauthorized code" is added during the transit, the original manufacturer has no idea that the software inside the device has been compromised. The customer also has no idea of what's inside the box.

As the experts at TAO can do a good job, there will be no physical signs of tampering on the physical boxes.

There are several ways to avoid such hacks. (but there is no perfect plan) This calls for vendor to provide a greater level of transparency to the customer.

1. Ship Hardware only - without any firmware in the device.

All physically shipped products are shipped without any software or data storage drives/memory.
Equipment vendors can then provide another copy of the firmware via secure channel. In an extreme case, customer physically walks into a vendor location and get a copy of the firmware in a disc, which is then installed on the device.

2. Vendor provides CRC checksum details, code size, time stamps and other details to customer 

Equipment vendor also provides loads of meta data about the compiled firmware. Details such as CRC checksum, code size, code time stamps for the golden image is shared with customer. Customers can then check their equipment and embedded code to see if anything has changed.

3. Customer can insist on Open source software only

Several governments are now insisting on using open source software - which engineers from customer side can validate, compile and install on the hardware.

The other option for the customer to insist on vendor to provide the source code. Customer then can validate, compile and install on the hardware.

All this calls for greater transparency by the vendor and a change in product shipment & deployment - which adds to the final cost of the product.

How to detect and catch such "unauthorized code"?

The burden on detecting and catching such "unauthorized code" lies on the end customer. Customers of computer systems have much to lose, hence they must step-up their internal software security practices.

Many customer have instituted a software security assurance program - but this program must also include firmware and hardware.

EMC has a software product called Network Configuration Manager (NCM) to ensure that the network devices are running on authorized code.

Network Configuration & Compliance Management tool, can be used to regularly check all equipment for any changes to the underlying firmware and warn if any irregularities are found. NCM can also be used to remediate infected devices and change the firmware to the known "Golden Image" which is a customer validated version.

Network Configuration & Compliance Management tool can be used to automatically check several thousands of devices simultaneously, do regular compliance audits, report any violations and even do automated remediation steps.

In addition to network device configuration, customer will have to constantly monitor network traffic to detect any "Unauthorized Data Movement". Here again there are tools such as RSA's Envision and Lanscope's StealthWatch System.

Tools can help - but remember that organizations like NSA has a long reach and even RSA's security code has been hacked by NSA. See: Alleged NSA Dual_EC_DRBG backdoor 

Closing Thoughts

Information Security is a major problem. When governments are hacking basic network devices and hardware such as hard drives, the burden of information security lies squarely on customer's shoulders. Customers should be vigilant, demand greater transparency and implement tools and processes to catch any security violations.

Today, there are software tools to help in network security and compliance. Customer have to use tools to the best possible extent, demand greater code level transparency and implement a robust security assurance program. (And then keep your fingers crossed!)


Andrew Thompson said...
This comment has been removed by a blog administrator.
karthika revathi said...

thanks for sharing this wonderful information.It helps us to know about latest technology.It provides the useful information about devops technologies.

Salesforce Training in Chennai