Wave Systems Corp. (fka WAVXQ)

[Genz2]

U.S. Officials Ask Juniper Networks About Investigation Into 2015 Backdoor

https://www.securityweek.com/us-officials-ask-juniper-networks-about-investigation-2015-backdoor

More than a dozen U.S. officials have sent a letter to California-based networking and cybersecurity solutions provider Juniper Networks to ask the company about the results of the investigation launched in 2015 following the discovery of a backdoor in its products.

In late 2015, Juniper Networks revealed that it had identified unauthorized code in some versions of the ScreenOS operating system running on its firewalls. The code was found to introduce two vulnerabilities: one that could be exploited to remotely gain admin access to a device, and one that could allow an attacker to decrypt VPN traffic.

The VPN vulnerability was related to the use of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), which ScreenOS used as a pseudo-random number generator (PRNG). Dual EC DRBG was known to contain a backdoor introduced by the NSA, which led some to speculate that the NSA may have planted the unauthorized code in Juniper products, while others said it could have been the work of a foreign government.

An initial analysis revealed that the backdoor may have been there since 2008. Juniper had been aware of the security risks posed by the use of Dual EC DRBG and it had not used it as its primary PRNG. In addition, the company made some changes that should have mitigated risks, but the unauthorized code enabled the backdoor and made it possible to launch attacks.

A group of three senators and 13 members of the U.S. House of Representatives announced on Wednesday that they have sent a letter to Juniper Networks in an effort to find out what the company learned from its investigation into what the officials described as “secret government backdoors.”

“It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered,” the officials wrote. “The American people — and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data — still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security.”

The letter was sent to Juniper just as the U.S. Attorney General and other government officials have been trying to convince — and in some cases even force — companies to add encryption backdoors to their products to facilitate surveillance and investigations.

Juniper has been given one month to answer eight questions about the incident, including on the company’s decisions surrounding Dual EC DRBG, the results of its investigation, the source of the unauthorized code, and any recommendations made and implemented following the probe.

SecurityWeek has reached out to Juniper Networks for comments, but we have yet to hear back. This article will be updated if the company responds.
==================================================================
https://www.wavesys.com/wave-alternative

The IT perimeter is gone

With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.

It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.

You have to start with the device

Wave has an alternative: security that’s built into each and every device.

We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.

We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.

Security that’s confirmed, not assumed

With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.

A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.

Do we need to say that with Wave, compliance is no problem?

Start closing your security gaps today, with what you’ve got

You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.

It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.

Questions? Read on, or contact our sales department.
==================================================================
https://www.wavesys.com/

https://www.wavesys.com/contact-information