US Gov't Agencies Freak Out Over Juniper Backdoor; Perhaps They'll Now Realize Why Backdoors Are A Mistake

from the wishful-thinking dept

Last week, we wrote about how Juniper Networks had uncovered some unauthorized code in its firewall operating system, allowing knowledgeable attackers to get in and decrypt VPN traffic. While the leading suspect still remains the NSA, it’s been interesting to watch various US government agencies totally freak out over their own networks now being exposed:

The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”

The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.

One U.S. official described it as akin to “stealing a master key to get into any government building.”

And, yes, this equipment is used all throughout the US government:

Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that “US intelligence agencies require.”

Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.

And, of course, US officials are insisting that it couldn’t possibly be the NSA, but absolutely must be the Russians or the Chinese:

The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door. China and Russia are among the top suspected governments, though officials cautioned the investigation hasn’t reached conclusions.

Yeah, sure. Anything’s possible, but the NSA still has to be the leading suspect here, and the insistence that it’s the Chinese or the Russians without more proof seems like a pretty clear attempt at keeping attention off the NSA.

And, of course, all of this is happening at the very same time that the very same US government that is now freaking out about this is trying to force every tech company to install just this kind of backdoor. Because, as always, these technically illiterate bureaucrats still seem to think that you can create backdoors that only “good” people can use.

But that’s not how technology works.

Indeed, now that it’s been revealed that there was a backdoor in this Juniper equipment, it took one security firm all of six hours to figure out the details:

Ronald Prins, founder and CTO of Fox-IT, a Dutch security firm, said the patch released by Juniper provides hints about where the master password backdoor is located in the software. By reverse-engineering the firmware on a Juniper firewall, analysts at his company found the password in just six hours.

“Once you know there is a backdoor there, … the patch [Juniper released] gives away where to look for [the backdoor] … which you can use to log into every [Juniper] device using the Screen OS software,” he told WIRED. “We are now capable of logging into all vulnerable firewalls in the same way as the actors [who installed the backdoor].”

Putting backdoors into technology is a bad idea. Security experts and technologists keep saying this over and over and over and over again — and politicians and law enforcement still don’t seem to get it. And, you can pretty much bet that even though they now have a very real world example of it — in a way that’s impacting their own computer systems — they’ll continue to ignore it. Instead, watch as they blame the Chinese and the Russians and still pretend that somehow, when they mandate backdoors, those backdoors won’t get exploited by those very same Chinese and Russian hackers they’re now claiming were crafty enough to slip code directly into Juniper’s source code without anyone noticing.

Companies: juniper networks


Comments on “US Gov't Agencies Freak Out Over Juniper Backdoor; Perhaps They'll Now Realize Why Backdoors Are A Mistake”

73 Comments
TruthHurts (profile) says:

One of 3 possibilities here - NSA, CIA, FBI

Of course it’s the NSA, everyone knows this.

Truth be damned, et al.

That’s why the constitutional amendments were so clear and adamant about “Congress may pass no law” when it comes to sidestepping them.

The founding fathers “KNEW” that generations down the line would be tempted to fuck everyone over to line their pockets and seize the reins of power ever more tightly.

Anonymous Coward says:

Re: One of 3 possibilities here - NSA, CIA, FBI

Well, I wouldn’t say for sure it was the NSA, or the CIA or FBI for that matter. It is still possible this bad idea was the brain child of some programmer at Juniper who put it in for debugging or something, and never took it out.

Though I would say that you can bet your ass that the NSA found it years ago and didn’t tell anyone so that they could exploit it. Not all that much different from putting it in themselves I’d say.

vastrightwing (profile) says:

I'm in shock!

Of course it wasn’t the U.S. they would never do such a thing. Juniper is wrong to point out the backdoor. Now the terrorists have won. In removing the back door, LEOS will never be able to do their jobs ever again.

It makes me wonder about other firmware now. How many others are there? The NSA should insist on inspecting and fixing back doors other “sophisticated” countries have been able to put in. Of course since this was made public, a more sophisticated back door has since been implemented.

If only there was a way to review code before production.

Anonymous Coward says:

I think this article is mixing the two vulnerabilities in ScreenOS found. The first is the VPN vulnerability, it was perhaps not put in by the NSA, but due to the NSA mucking around with NIST created the issue (DUAL_EC_DRBG). Check Bruce Schneier’s explanation: link.
The second is the SSH backdoor also put in by an unknown party and this is unknown how it got into the system code. Fox-IT revealed this password by checking out the patch for it, so anyone with open SSH (never a good thing), and unpatched ScreenOS Juniper is liable to be compromised at any level since it backdoors into shell mode. A quick Shodan search could probably cripple some companies, so it’s definitely serious.

Anonymous Coward says:

Sophisticated huh? That rules out simple minded Americans!

“because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door.”

Yes, yes, it was such a sophisticated attack there is no way the morons working for U.S. spy agencies could have done this!

Has to be China or Russia, they are so much smarter than us and the only people capable of pulling off such a sophisticated attack!

Anonymous Coward says:

Re: Re:

Another article showing that Snowden already proved this was done by the NSA:
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

Now we know how this was made possible:
‘Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.”‘

DannyB (profile) says:

Mike, you just don't seem to get it

Juniper’s back door allowed both bad guys as well as good guys, such as* the NSA to get in through the back door.

What the government wants is back doors that ONLY allow in good guys.

* whether the NSA should be included in the group of good guys or bad guys is left as an exercise for the reader.

Poe Slaw says:

Re: Mike, you just don't seem to get it

I don’t think of it as a backdoor, I like to think of it as magic window frosting that can be dropped or lifted when the good intentions of a Government employee is weighed and proven to be lighter than, a school bus.

Thing is, while I am not a government hack, I am an optimist, I know if the US government reflects on events like this, they will realize that weakened security for surveillance reasons is an epically stupid idea, and persist in asking for it anyway.

David says:

Re: Mike, you just don't seem to get it

Just do it like with electronic cat flaps: the good guys get an RFID chip that lets them in, and the rats stay out. As long as the cat does not drag a rat in with it, of course.

Which is the basic government problem: good guys may associate with bad guys, and then both get in. And once they are in, they go everywhere.

DannyB (profile) says:

Re: Re: Re: Mike, you just don't seem to get it

A magical golden key to the back door is a wonderful solution to this problem.

The golden key only works for those with pure intentions.

If someone in the government goes bad, the golden key no longer works for them.

Why can’t anyone understand something so simple? A magical golden key to the back door would solve all our problems. Good guys can get in. Bad guys can not. If Silicon Valley could bring their pixie dust, and law enforcement could bring their genuine unicorn horn powder, and they get together, surely we could solve this problem.

Nageki (profile) says:

Re: Mike, you just don't seem to get it

I don’t think you get it DannyB, the whole point of the article is that what the NSA wants is what has happened here. So their claims that a “golden key” would work are ludicrous… Yes, they want a backdoor that only the “good guys” can use, but the problem is any backdoor that has a key can be gotten into by anyone with the same key. If you have one, whether you’re a “good guy” or a “bad guy”, you can open the lock. Also, who’s to say that “good guy” is good 100% of the time? We have LoveInt for a reason… (don’t know what it is? look it up!)

Michael (profile) says:

“stealing a master key to get into any government building.”

Isn’t it a good thing that nobody ever created such a key?

The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door

Great way to put that statement. I’m sure the NSA isn’t behind the back door – they came through it when they created it and are already inside.

Tech girl says:

Re: Re: Just ScreenOS?

Exactly, this affects legacy EOL firewalls that went bye bye years ago. It does not affect any newer Juniper JUNOS based products. The ScreenOS products have been out of production and EOL for 3+++ years. Also “some_guy”. Do a fact check on your info. It’s easy, it’s called Google. Juniper is a 100% owned US company on the NYSE. Your info is so wrong.

Anonymous Hero says:

Wait, what?

> The breach is believed to be the work of a foreign government, U.S. officials said, because of the sophistication involved. The U.S. officials said they are certain U.S. spy agencies themselves aren’t behind the back door.

This seems to be an open admission that the USA has the least sophisticated spy agencies in the world.

Anonymous Coward says:

Re: Inventory list

I’d like to see an inventory list of which agencies have Juniper hardware/software. I imagine it might go something like this:
FBI: 124 devices, 723 installs
NSA: 0 devices, 0 installs
CIA: 334 devices, 1,354 installs

I bet they’d still use them but install their own firmware patched to remove the backdoor(s).

Capt ICE Enforcer says:

Liability

If the NSA is responsible for the security of our nation, and they knew about this exploit/back door, then can the NSA be held liable for all the damage done to national security? After all, wouldn’t this be grounds to get fired at least, or grounds of treason for allowing the opponent the opportunity to attack us?

Seegras (profile) says:

Re: Liability

Absolutely. The NSA knew.

Because the second “backdoor” (which isn’t really a backdoor to the system, but to its traffic), was a NIST standard EC-PRNG, which was deliberately compromised by the NSA.

Somebody at Juniper even changed the curve, so it was not (that?) vulnerable, but later somebody changed it back to the curve the NSA knew was vulnerable. It’s impossible the NSA did not notice that.

While it might not have been the NSA which changed it back (but it’s likely it was indeed the NSA), at least it knew and put knowingly every other government agency and all people at jeopardy.

Anonymous Coward says:

Re: Re: Liability

While it might not have been the NSA which changed it back (but it’s likely it was indeed the NSA), at least it knew and put knowingly every other government agency and all people at jeopardy.

If you put the fox in charge of guarding the chicken house, don’t be surprised if a few chickens go missing.

SomeGuy says:

Russians or Chinese - PUHleeeze

Juniper is owned by Israelis and the Israelis have been spying on the US for decades. They’ve installed back doors on ALL of the equipment and software they supply to US corporations and government entities – they can easily hack into any of the telecomms and listen to phone conversations directly (just one example). Doesn’t surprise me that their controlled media would try to blame someone else … it’s SOP for Israel….

Anonymous Coward says:

Re: Russians or Chinese - PUHleeeze

Juniper is owned by Israelis and the Israelis have been spying on the US for decades. They’ve installed back doors on ALL of the equipment and software they supply to US corporations and government entities – they can easily hack into any of the telecomms and listen to phone conversations directly (just one example). Doesn’t surprise me that their controlled media would try to blame someone else … it’s SOP for Israel….

Uh… Juniper was founded at Xerox PARC in the United States by an Indian-American. They’re still headquartered in the US and as far as I know, their biggest stakeholders are American investment firms.

Please follow up with information on your claim that they’re owned by Israelis.

Berenerd (profile) says:

I think you are misunderstanding...

The government thinks that if there is a back door, they can use it on us but not on them. Sadly no one realizes if there is a “back door” so they can access our information, then there is a back door that anyone can use to access the government’s information. All those emails? Secure communications? Data? Military movements? All will be seen by everyone putting not only the soldiers at risk like you seem to want to blame Snowden for, but us Citizens themselves.

Anonymous Coward says:

Remember the fiasco with Cisco routers being stopped en route to put in spyware by the NSA? Duh. We have another company who no one on the globe will want to purchase their products for because of this ‘hack’. Keep this up with the tech companies of Silicon Valley and before very much longer the US will no longer be a tech leader that others want products from.

What a great way to improve the economy!

streetlight (profile) says:

Re: Cisco fiasco...

Wasn’t there a similar problem where purchase of Chinese made routers was highly discouraged because of potential for Chinese capture of traffic? Then again, the NSA could just as easily intercept Chinese made routers and Internet information available to two governments.

IIRC, wasn’t it recommended that purchasers of Cisco routers send a vehicle to the Cisco manufacturing facility for transport? Maybe they’re made outside the US.

Personanongrata says:

Incompetent Noobs

US Gov’t Agencies Freak Out Over Juniper Backdoor; Perhaps They’ll Now Realize Why Backdoors Are A Mistake

This is gross incompetence on behalf of all the US government know-nothing nitwits involved.

How many billions of US dollars were squandered on this boondoggle?

Will these incompetent noobs be held to account?

Unfortunately failing spectacularly while working for the US government means failing upward so these worthless noobs will be promoted. After their promotions the noobs can then testify before congress about how they too believe in unicorns.

Mr Big Content says:

This Is Not About No Backdoors!

Such wonderful, patriotic Americans. They compromise National Security by Wilfully Betraying NSA secret Technologies like this. Luckily they found and exposed these nefarious Spying Backdoors put in by Unauthorized Foreign Parties. Did they check with the Government before telling every Tom Dick and Harry about this? We need more people like this Guarding our FREEDOMS. They should be LOCKED UP for threatening our National Security! They help America stay safe! They are destroying the safety of America!

That Anonymous Coward (profile) says:

Our people, who buy 0 day exploits to abuse, would NEVER do something like this.

The problem has to be bad guys did this because they didn’t have our pure intentions anyone could access the backdoor.

Perhaps this might put the tiniest little idea in their heads that the people who inform them of how they are supposed to vote & what to say in the media might not be fully truthful. That maybe they should look to be educated about topics they wish to rule on beyond a talking points memo attached to a “donation”… but then that old line comes to mind… money talks.
