"Backdoor" computer hack may have put government data at risk
Federal investigators are concerned that a "potential vulnerability" has been discovered in software used by the government.
The flaw was discovered Thursday in software called ScreenOS, from Juniper Networks, which enables VPN (virtual private network) connections used by many businesses and agencies for secure access to their networks.
In a security bulletin posted on Juniper's website, it warned that the flaw "allows unauthorized remote administrative access to the device over SSH or telnet. Exploitation of this vulnerability can lead to complete compromise of the affected system."
The company released a statement Friday saying: "During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."
According to the tech site Engadget, the "backdoor" which could have given unauthorized users access to Juniper's software had been present since 2012.
CBS News Justice and Homeland Security Correspondent Jeff Pegues reports government investigators have been in contact with Juniper to see if government computers were potentially affected. If they were, sources say classified information could have been compromised. The FBI is aware of the issue.
But it's not yet clear whether hackers have taken advantage of the opening, or what damage might have been done. "At this time, we have not received any reports of these vulnerabilities being exploited," Juniper said Friday.
Cybersecurity expert Michael DeCesare, CEO of ForeScout Technologies, said Juniper will need to determine whether it was an inside or outside job. "It will take time for their IT department to really understand how the attack occurred," DeCesare told CBS News in an email.
"What's so troubling about this breach is that the very software that you trust to keep you safe becomes the vehicle into your organization for the attackers. The security industry at large must continue to focus on keeping our products free of such vulnerabilities," he said.
Juniper has released a software patch to correct the issue and urged users to update their systems "with the highest priority."