It’s been quite a month, hasn’t it?
From the (arguably insane) debate over strong encryption to the tensions between the US and China to troubling revelations about the NSA, government surveillance has been at the forefront of everyone’s mind for quite some time, especially given what recently happened with Juniper. I should probably offer some context there.
On Thursday, December 17th, Juniper Networks – yes, that Juniper Networks – had a troubling revelation for the world. It found “unauthorized code” embedded in multiple versions of its ScreenOS software. According to the firm, this code would have allowed attackers with the necessary resources to decrypt encrypted traffic running through its VPN firewalls.
What makes this particularly startling isn’t merely the fact that the unauthorized code was present. Rather, it’s the amount of resources and technical expertise that would have been required to embed it. According to the security community, all signs point to a state actor.
“The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the British, the US, the Chinese, or the Israelis,” security researcher Nicholas Weaver told Wired. “You need to have wiretaps on the internet for that to be a valuable change to make [in the software].”
In other words, this wasn’t the work of a simple black hat hacker who wanted to steal some financial information or personal data. This was the work of a sophisticated state organization. At the risk of sounding hyperbolic, it was the work of digital spies.
And anyone who hasn’t already patched out the code is still very much at risk.
“The backdoors are also a concern because one of them—a hardcoded master password left behind in Juniper’s software by the attackers—will now allow anyone else to take command of Juniper firewalls that administrators have not yet patched, once the attackers have figured out the password by examining Juniper’s code,” writes Kim Zetter of Wired. “[And] there is another concern raised by Juniper’s announcement and patches – any other nation-state attackers, in addition to the culprits who installed the backdoors, who have intercepted and stored encrypted VPN traffic running through Juniper’s firewalls in the past, may now be able to decrypt it, Prins says, by analyzing Juniper’s patches and figuring out how the initial attackers were using the backdoor to decrypt it.”
Disturbing, isn’t it? But what can you do to protect yourself from such large organizations? How can you keep your business safe from spies?
There are a few steps I’d advise:
Watch the news. Digital security has taken center stage of late. By keeping yourself apprised of what’s going on in the tech sector, you’ll be far better equipped.
Patch ASAP. It shouldn’t even be necessary to mention this, but if there’s a security patch available for any of the software used within your organization, install it immediately.
Prepare for a breach. Now for the bad news. If a state surveillance organization really wants to break into your business, there’s not a whole lot you’ll be able to do to stop them. With that in mind, make sure you’ve proper protocols in place for when a data breach happens – that’ll help you better mitigate the damage.
Don’t get too paranoid. I’ve made it seem like government surveillance is some sort of ominous boogeyman. And don’t get me wrong – it’s definitely an unpleasant thing to think about. But in all likelihood, your organization isn’t going to be targeted.
That doesn’t mean you shouldn’t prepare, of course – it just means you shouldn’t spend your time looking over your shoulder, wondering when the spies are coming for you.