US Gov't Agencies Freak Out Over Juniper Backdoor; Perhaps They'll Now Realize Why Backdoors Are A Mistake
from the wishful-thinking dept
Last week, we wrote about how Juniper Networks had uncovered some unauthorized code in its firewall operating system, allowing knowledgeable attackers to get in and decrypt VPN traffic. While the leading suspect still remains the NSA, it's been interesting to watch various US government agencies totally freak out over their own networks now being exposed:
The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems "with the highest priority."
The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.
One U.S. official described it as akin to "stealing a master key to get into any government building."
And, yes, this equipment is used all throughout the US government:
Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that "US intelligence agencies require."
Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.
And, of course, US officials are insisting that it couldn't possibly be the NSA, but absolutely must be the Russians or the Chinese:
The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn't reached conclusions.
Yeah, sure. Anything's possible, but the NSA still has to be the leading suspect here, and the insistence that it's the Chinese or the Russians without more proof seems like a pretty clear attempt at keeping attention off the NSA.
And, of course, all of this is happening at the very same time that the very same US government that is now freaking out about this is trying to force every tech company to install just this kind of backdoor. Because, as always, these technically illiterate bureaucrats still seem to think that you can create backdoors that only "good" people can use.
But that's not how technology works.
Indeed, now that it's been revealed that there was a backdoor in this Juniper equipment, it took one security firm all of six hours to figure out the details:
Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. By reverse-engineering the firmware on a Juniper firewall, analysts at his company found the password in just six hours.
“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”
Putting backdoors into technology is a bad idea. Security experts and technologists keep saying this over and over and over and over again -- and politicians and law enforcement still don't seem to get it. And, you can pretty much bet that even though they now have a very real world example of it -- in a way that's impacting their own computer systems -- they'll continue to ignore it. Instead, watch as they blame the Chinese and the Russians and still pretend that somehow, when they mandate backdoors, those backdoors won't get exploited by those very same Chinese and Russian hackers they're now claiming were crafty enough to slip code directly into Juniper's source code without anyone noticing.
Filed Under: backdoors, china, cybersecurity, privacy, russia, security
Companies: juniper networks
Reader Comments
Re:
You're lucky, they got my whole SF-86. They know more about me now than I do.
[ link to this | view in chronology ]
No, they won't.
[ link to this | view in chronology ]
Re: No, they won't
[ link to this | view in chronology ]
The heart wants what the heart wants
It's like: I want her to love me but she doesn't. What's wrong with her?
[ link to this | view in chronology ]
One of 3 possibilities here - NSA, CIA, FBI
Truth be damned, et al.
That's why the constitutional amendments were so clear and adamant about "Congress may pass no law" when it comes to sidestepping them.
The founding fathers "KNEW" that generations down the line would be tempted to fuck everyone over to line their pockets and seize the reins of power ever more tightly.
[ link to this | view in chronology ]
Re: One of 3 possibilities here - NSA, CIA, FBI
Though I would say that you can bet your ass that the NSA found it years ago and didn't tell anyone so that they could exploit it. Not all that much different from putting it in themselves I'd say.
[ link to this | view in chronology ]
Re: Re: One of 3 possibilities here - NSA, CIA, FBI
[ link to this | view in chronology ]
Re: Re: One of 3 possibilities here - NSA, CIA, FBI
<<< %s(un='%s') = %u
Who put it in is an open question, but based on the deliberate obfuscation, it was likely intended to be a surreptitious backdoor that would make it past automated code auditing routines into production firmware.
[ link to this | view in chronology ]
Re: One of 3 possibilities here - NSA, CIA, FBI
[ link to this | view in chronology ]
I'm in shock!
It makes me wonder about other firmware now. How many others are there? The NSA should insist on inspecting and fixing back doors other "sophisticated" countries have been able to put in. Of course since this was made public, a more sophisticated back door has since been implemented.
If only there was a way to review code before production.
[ link to this | view in chronology ]
Re: I'm in shock!
Or the update changed the built in password from FEDS!RULE! to FEDS!RULE2 and they left the actual backdoor in place.
[ link to this | view in chronology ]
Re: I'm in shock!
[ link to this | view in chronology ]
The second is the SSH backdoor also put in by an unknown party and it is unknown how it got into the system code. Fox-IT revealed this password by checking out the patch for it, so anyone with open SSH (never a good thing), and unpatched ScreenOS Juniper is liable to be compromised at any level since it backdoors into shell mode. A quick Shodan search could probably cripple some companies, so it's definitely serious.
[ link to this | view in chronology ]
Should be able to track it down.
[ link to this | view in chronology ]
Sophisticated huh? That rules out simple minded Americans!
Yes, yes, it was such a sophisticated attack there is no way the morons working for U.S. spy agencies could have done this!
Has to be China or Russia, they are so much smarter than us and the only people capable of pulling off such a sophisticated attack!
[ link to this | view in chronology ]
https://gigaom.com/2013/12/29/nsas-backdoor-catalog-exposed-targets-include-juniper-cisco-samsung-and-huawei/
[ link to this | view in chronology ]
Re:
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
Now we know how this was made possible:
'Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades."'
[ link to this | view in chronology ]
Mike, you just don't seem to get it
What the government wants is back doors that ONLY allow in good guys.
* whether the NSA should be included in the group of good guys or bad guys is left as an exercise for the reader.
[ link to this | view in chronology ]
Re: Mike, you just don't seem to get it
Thing is, while I am not a government hack, I am an optimist, I know if the US government reflects on events like this, they will realize that weakened security for surveillance reasons is an epically stupid idea, and persist in asking for it anyway.
[ link to this | view in chronology ]
Re: Mike, you just don't seem to get it
Which is the basic government problem: good guys may associate with bad guys, and then both get in. And once they are in, they go everywhere.
[ link to this | view in chronology ]
Re: Re: Mike, you just don't seem to get it
[ link to this | view in chronology ]
Re: Re: Mike, you just don't seem to get it
Or do you really trust your government not to abuse this to screw over law abiding citizens they just do not like for various reasons?
[ link to this | view in chronology ]
Re: Re: Re: Mike, you just don't seem to get it
The golden key only works for those with pure intentions.
If someone in the government goes bad, the golden key no longer works for them.
Why can't anyone understand something so simple? A magical golden key to the back door would solve all our problems. Good guys can get in. Bad guys can not. If silicon valley could bring their pixie dust, and law enforcement could bring their genuine unicorn horn powder, and they get together, surely we could solve this problem.
[ link to this | view in chronology ]
Re: Mike, you just don't seem to get it
[ link to this | view in chronology ]
Shhhhh
[ link to this | view in chronology ]
Isn't it a good thing that nobody ever created such a key?
The U.S. officials said they are certain U.S. spy agencies themselves aren't behind the back door
Great way to put that statement. I'm sure the NSA isn't behind the back door - they came through it when they created it and are already inside.
[ link to this | view in chronology ]
Just ScreenOS?
...brig
[ link to this | view in chronology ]
Re: Just ScreenOS?
And to "some_guy" at comment #38.... Israel? WTF?
[ link to this | view in chronology ]
Re: Re: Just ScreenOS?
[ link to this | view in chronology ]
Re: Re: Re: Just ScreenOS?
Juniper Networks is a multinational corporation.
Your info is so wrong.
Ditto.
[ link to this | view in chronology ]
Of course, that's assuming that the ones we are calling "good guys" are actually "good". Or even "honest".
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Deja Vu
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Wait, what?
This seems to be an open admission that the USA has the least sophisticated spy agencies in the world.
[ link to this | view in chronology ]
Re: Wait, what?
[ link to this | view in chronology ]
Movie script
[ link to this | view in chronology ]
Just wait
[ link to this | view in chronology ]
Inventory list
FBI: 124 devices, 723 installs
NSA: 0 devices, 0 installs
CIA: 334 devices, 1,354 installs
[ link to this | view in chronology ]
Re: Inventory list
I bet they'd still use them but install their own firmware patched to remove the backdoor(s).
[ link to this | view in chronology ]
Liability
[ link to this | view in chronology ]
Re: Liability
Because the second "backdoor" (which isn't really a backdoor to the system, but to its traffic), was a NIST standard EC-PRNG, which was deliberately compromised by the NSA.
Somebody at Juniper even changed the curve, so it was not (that?) vulnerable, but later somebody changed it back to the curve the NSA knew was vulnerable. It's impossible the NSA did not notice that.
While it might not have been the NSA which changed it back (but it's likely it was indeed the NSA), at least it knew and knowingly put every other government agency and all people in jeopardy.
[ link to this | view in chronology ]
Re: Re: Liability
If you put the fox in charge of guarding the chicken house, don't be surprised if a few chickens go missing.
[ link to this | view in chronology ]
Magic Unicorns
[ link to this | view in chronology ]
Not the NSA
[ link to this | view in chronology ]
Russians or Chinese - PUHleeeze
[ link to this | view in chronology ]
Re: Russians or Chinese - PUHleeeze
Uh... Juniper was founded at Xerox PARC in the United States by an Indian-American. They're still headquartered in the US and as far as I know, their biggest stakeholders are American investment firms.
Please follow up with information on your claim that they're owned by Israelis.
[ link to this | view in chronology ]
Why so angry?
[ link to this | view in chronology ]
I think you are misunderstanding...
[ link to this | view in chronology ]
What a great way to improve the economy!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Cisco fiasco...
IIRC, wasn't it recommended that purchasers of Cisco routers send a vehicle to the Cisco manufacturing facility for transport? Maybe they're made outside the US.
[ link to this | view in chronology ]
Re:
Why would they want to improve the economy? That only benefits you, not them.
[ link to this | view in chronology ]
Juniper executive: Thank God for CISA liability waivers!
If CISA hadn't passed, we might now be on the hook for our incompetence.
[ link to this | view in chronology ]
Re: Juniper executive: Thank God for CISA liability waivers!
[ link to this | view in chronology ]
China & Russia: We did what??
[ link to this | view in chronology ]
Incompetent Noobs
This is gross incompetence on behalf of all the US government know-nothing nitwits involved.
How many billions of US dollars were squandered on this boondoggle?
Will these incompetent noobs be held to account?
Unfortunately failing spectacularly while working for the US government means failing upward so these worthless noobs will be promoted. After their promotions the noobs can then testify before congress about how they too believe in unicorns.
[ link to this | view in chronology ]
Ha
[ link to this | view in chronology ]
This Is Not About No Backdoors!
[ link to this | view in chronology ]
Pulling a Hillary
[ link to this | view in chronology ]
Roll it back to zero
[ link to this | view in chronology ]
Gov't Fraud Waste and Abuse
[ link to this | view in chronology ]
The problem has to be bad guys did this because they didn't have our pure intentions anyone could access the backdoor.
Perhaps this might put the tiniest little idea in their heads that the people who inform them of how they are supposed to vote & what to say in the media might not be fully truthful. That maybe they should look to be educated about topics they wish to rule on beyond a talking points memo attached to a "donation"... but then that old line comes to mind... money talks.
[ link to this | view in chronology ]