Security News > 2021 > February > SolarWinds Hack Prompts Congress to Put NSA in Encryption Hot Seat

SolarWinds Hack Prompts Congress to Put NSA in Encryption Hot Seat
2021-02-01 21:12

"In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers," a Wyden statement read. "Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor."

"The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks. A similar supply chain hack was used in the recent SolarWinds breach, in which several government agencies were compromised with malware snuck into the company's software updates," the members wrote.

Juniper's use of Dual EC dates to 2008, at least a year after Dan Shumow and Neils Ferguson's landmark presentation at the CRYPTO conference, which first cast suspicion on Dual EC being backdoored by the NSA. To many, Juniper's move to remove Dual EC confirmed the widely held belief the vulnerabilities were tied to operations by the NSA described in the 2013 article published by the German publication Der Spiegel.

In the Jan. 28 letter to NSA chief Gen. Paul Nakasone, the group of Democratic lawmakers want the agency to provide a previously undisclosed report about "Lessons learned" from the Juniper hack and detail what actions NSA took afterwards.

In June, Wyden also co-signed a letter to Juniper CEO Rami Rahim seeking answers about the hack.

Parallels between the SolarWinds and Juniper hacks are similar in that both involved federally managed computer systems and compromised software supply chains.


News URL

https://threatpost.com/solarwinds-nsa-encryption/163561/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Solarwinds 44 0 80 95 40 215
NSA 2 0 2 7 5 14