What do you do when your efforts to catch a bad guy only result in helping him do his evil deeds? That may be the case in what is arguably one of the most ludicrous possible scenarios to come out of software security news in a long, long time. While the public will most likely never get the full story due to built-in confidentiality and “need to know basis” regulations, it seems like the National Security Agency may have blown a giant hole in its own security software, allowing hackers to waltz right in.
Juniper Networks, a software developer who supplies a number of programs for the government, discovered some unauthorized code in one of their products, code that was put there intentionally and seems to have been intended to provide a “backdoor” for monitoring purposes. It didn’t take long for hackers–some that the government presumes are working for a foreign government with the means to support their work–to exploit the code and use it as their own portal into government servers. Outside security experts now have reason to believe it was this very backdoor code that let hackers breach a number of government agencies, including the now very famous Office of Personnel Management breach that exposed the complete profiles of 4 million federal employees–including many who had top-level security clearances–and another 18 million profiles of people those federal employees had listed as contacts, references, and family members.
The three-year span during which the government used this faulty software may have exposed some of the highest levels of state secrets to outside hackers, which has now prompted an investigation by the House Oversight Committee. One of the chief concerns of the Committee is that some agencies didn’t install the patch that Juniper provided that would have secured the software.