from the key-point-is-to-mind-your-Ps-and-Qs dept.
Wired reports:
Security researchers believe they have finally solved the mystery around how a sophisticated backdoor embedded in Juniper firewalls works. Juniper Networks, a tech giant that produces networking equipment used by an array of corporate and government systems, announced on Thursday that it had discovered two unauthorized backdoors in its firewalls, including one that allows the attackers to decrypt protected traffic passing through Juniper's devices.
The researchers' findings suggest that the NSA may be responsible for that backdoor, at least indirectly. Even if the NSA did not plant the backdoor in the company's source code, the spy agency may in fact be indirectly responsible for it by having created weaknesses the attackers exploited.
Evidence uncovered by Ralf-Philipp Weinmann, founder and CEO of Comsecuris, a security consultancy in Germany, suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes. Weinmann reported his findings in an extensive post published late Monday.
Previously on SN: "Unauthorized Code" in Juniper Firewalls Decrypts Encrypted VPN Traffic.
Related Stories
An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.
It's not clear how the code got there or how long it has been there. An advisory published by the company said that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. There's no evidence right now that the backdoor was put in other Juniper OSes or devices.
"During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections," Juniper Chief Information officer Bob Worrall wrote. "Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS."
It's said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software.
However, curiously enough, the NSA has been unable to find a copy of that report.
On Wednesday, Reuters reporter Joseph Menn published an account of US Senator Ron Wyden's efforts to determine whether the NSA is still in the business of placing backdoors in US technology products.
[...] Juniper acknowledged in 2015 that "unauthorized code" had been found in ScreenOS, which powers its NetScreen firewalls. It's been suggested that the code was in place since around 2008.
The Reuters report, citing a previously undisclosed statement to Congress from Juniper, claims that the networking biz acknowledged that "an unnamed national government had converted the mechanism first created by the NSA."
Wyden staffers in 2018 were told by the NSA that a "lessons learned" report about the incident had been written. But Wyden spokesperson Keith Chu told Reuters that the NSA now claims it can't find the file. Wyden's office did not immediately respond to a request for comment.
Previously: "Unauthorized Code" in Juniper Firewalls Decrypts Encrypted VPN Traffic
Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA
(Score: -1, Troll) by Ethanol-fueled on Sunday January 03 2016, @07:38AM
Of course it was plants, that's why Debian had to die.
That was the next step, that I had predicted (or just luckily guessed out of cynicism) here - all the big vendors have plants working for them, plants that are paid double (salaries to be official under cover while they collect another from their home intelligence agency) to introduce bugs in big-name software while those companies you're also working for pay you peanuts and you're looking for jobs feeding your family Ramen noodles.
The problem with Debian guy is that he stumbled onto something and knew too much. And they said, "let's call him a racist and call Debian something else. Historical revisionism, narrow the range of thought. Nobody will know". Everybody hates racism now, our Jew buddies have seen to that, haha. Down into the memory hole they go, with Hastings.
How's Baraq Hussein domestic assassinator working out for all you libfags?
(Score: 2) by Azuma Hazuki on Sunday January 03 2016, @08:19AM
1) what are you drinking?
2) can i have some?
I am "that girl" your mother warned you about...
(Score: 3, Insightful) by bradley13 on Sunday January 03 2016, @10:33AM
He's drinking the good stuff, but sometimes truth is at the bottom of a bottle.
The most likely way for the NSA to plant a backdoor is, in fact, to have one of their employees working for the vendor. The employee doesn't even have to write the code; they just have to provide a conduit. The person has to be in a position to commit code without raising questions. System architect, lead developer, whatever. Funnel in the backdoor code next to perfectly legitimate stuff, not hard at all in most companies.
Everyone is somebody else's weirdo.
(Score: 2) by Hyperturtle on Sunday January 03 2016, @04:20PM
That's right.
Having access is all they need; the plant can just let the agency in to do their thing.
There are seeds placed everywhere; the plants grow and take root. In time, when the vigilance wanes or if there never was any to begin with, the fertile grounds of industry become clogged, right in their own back yards. Weeds can be hard to eliminate when they're choking the garden. Sometimes, most of the greenery comes from the parasite plants as they entangle their hosts and block out the light.
(Score: 0) by Anonymous Coward on Sunday January 03 2016, @09:02AM
You're right
(Score: -1, Offtopic) by Anonymous Coward on Sunday January 03 2016, @05:22PM
Hey! Ramen is not so bad. Just because they're not straight and skinnier than normal spaghetti doesn't mean .. well nevermind.
however i agree that ramen that come pre-powdered with "seasoning" -aka- mono-sodium-glutamate are sh1t.
i try to buy the ramen-packs, where the noodles are "virgin"/bland and the seasoning comes in special packs (which i throw away).
adding your own seasoning and vegetables and tofu and meatballs and mushrooms is soooo much better ^_^
(Score: 0) by Anonymous Coward on Monday January 04 2016, @09:04AM
"Of course it was plants, that's why Debian had to die."
M$ recently infused OpenBSD with cash, too. The darkness is everywhere.
(Score: 3, Insightful) by PiMuNu on Sunday January 03 2016, @08:03AM
Nothing in the article points at NSA. It reads like a fob to cover up a bad QA process or something. Indeed, they even say that modus operandi doesn't really fit with NSA (stupid master password), although presumably every agency has mediocre staff who make quick hacks to get the job done, just like everyone else. (Remember, it ain't Tom Cruise, it's that guy from the IT Crowd).
(Score: 2) by frojack on Sunday January 03 2016, @08:44AM
I'm still trying to determine if the UPDATE at the top of the article totally shoots down their theory (and if so, why leave the article up).
No, you are mistaken. I've always had this sig.
(Score: 2) by martyb on Sunday January 03 2016, @01:25PM
Parent comment stated:
NOTE: The update referenced in the parent comment comes from: Some Analysis of the Backdoored Backdoor [rpw.sh] "The Article"; to wit:
There are two pseudo-random number generators under discussion here: the Dual_EC DRBG and the ANSI X9.31 PRNG. The story claims that the Dual_EC one was backdoored.
The Article references Juniper's knowledge base article KB28205 [juniper.net] which states:
So, even if Dual_EC were backdoored, its being used to feed into the ANSI one would render the backdoor ineffective: the output would be random based on the output of the ANSI code.
The Update suggests that this is NOT the case, that after the first iteration through the loop, a global variable is set which renders the ANSI code ineffectual. In other words, a backdoor in the Dual_EC code WOULD manifest; the ANSI code would not be an effective mitigation.
The foregoing is based entirely on what I read in the linked articles. IANAC (I Am Not A Cryptographer). Feedback and corrections welcome.
Wit is intellect, dancing.
(Score: 5, Informative) by rigrig on Sunday January 03 2016, @05:14PM
As far as I understand the encryption backdoor:
1) NSA designs Dual_EC_DRBG
2) Researchers point out that by carefully crafting some of the constants used, an attacker is able to decrypt Dual_EC_DRBG output
3) NIST [wikipedia.org] includes Dual_EC_DRBG in some standards. Somehow the standard is written in such a way that the only way to get FIPS 140-2 [wikipedia.org] validation is by using the NSA-provided constants. Most people assume the NSA is able to decrypt this Dual_EC_DRBG output
4) Juniper Networks uses Dual_EC_DRBG in ScreenOS, but with different constants. Whoever picked those constants is likely to be able to decrypt their Dual_EC_DRBG output
5) The ScreenOS Dual_EC_DRBG output was supposed to be obfuscated, and only used as seed value for a PRNG
6) A bug prevents the obfuscation, meaning that attackers who picked the ScreenOS constants can decrypt things after all
7) Some unknown attacker modifies ScreenOS to use yet another set of constants, so presumably they are now able to decrypt traffic. They also install a hard-coded master password into the software
So basically you have three parties to blame:
A) NSA creating a broken algorithm, and pushing to have it used
B) Juniper Networks using the broken algorithm, with buggy code that makes it look secure while it isn't
C) An unknown attacker modifying the code in a such a way that they can break the encryption, re-using the brokenness that the NSA and Juniper Networks introduced
Apparently the installation of a (relatively easy to find) hard-coded master password makes the final attack look a bit too sloppy for the NSA.
This would mean that some other party has been exploiting flaws that the NSA deliberately put in Dual_EC_DRBG, which is the kind of problem security researchers have been warning about for a while now.
No one remembers the singer.
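The two comments above (martyb's on the ANSI X9.31 stage being skipped, rigrig's on the Dual_EC_DRBG constants) describe a mechanism that is easier to see in running code. The following is an added example written for this thread; it is not Juniper's ScreenOS code and not from either commenter. It assumes a tiny curve over F_10007 in place of NIST P-256, 3 dropped bits per output in place of 16, a SHA-256 stand-in for the ANSI X9.31 second-stage PRNG, and a boolean flag `whitening_skipped` standing in for the global-variable bug that skips that stage. The names `E_DESIGNER` and `E_INTRUDER` are hypothetical trapdoor values for "the party that published the standard Q" and "the party that swapped in its own Q".

```python
"""Toy Dual_EC_DRBG with the P/Q trapdoor, and the 'second PRNG skipped' flaw.

Added example for this thread, NOT Juniper's ScreenOS code. Assumptions: a tiny
curve over F_10007 instead of NIST P-256, 3 dropped bits per output instead of 16,
a SHA-256 stand-in for ANSI X9.31, and a flag modelling the bug that skips it.
"""
import hashlib

P_MOD, A, B = 10007, 2, 3       # y^2 = x^3 + A*x + B over F_p; p % 4 == 3 so sqrt is one pow()
KEEP_BITS, DROP_BITS = 11, 3    # an output is the low 11 bits of an x-coordinate (x < 2**14)
INF = None                      # point at infinity

def xcoord(pt):
    return 0 if pt is INF else pt[0]

def add(p1, p2):
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur, n = add(cur, pt), n + 1
    return n

def lift_x(x):
    """A curve point with x-coordinate x, or None if x is not on the curve."""
    if x >= P_MOD: return None
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def base_point():
    """First point of large order: the generator P of the toy group."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt and pt[1] != 0 and order(pt) > 4000:
            return pt

PT_P = base_point()
N = order(PT_P)
E_DESIGNER, E_INTRUDER = 10501, 10513   # hypothetical trapdoors; primes > N, so invertible mod N

def make_q(e):
    """Whoever publishes Q = e^-1 * P keeps e, for which P = e*Q: that is the trapdoor."""
    return mul(pow(e, -1, N), PT_P)

def truncate(x):
    return x & ((1 << KEEP_BITS) - 1)

def dual_ec(s, count, Q):
    """r_i = x(s_i*Q) with its top bits dropped; then s_{i+1} = x(s_i*P)."""
    outs = []
    for _ in range(count):
        outs.append(truncate(xcoord(mul(s, Q))))
        s = xcoord(mul(s, PT_P))
    return outs, s

def prng(seed, count, Q, whitening_skipped):
    """Design from the thread: Dual EC output should only seed a second PRNG (SHA-256
    stand-in here). With whitening_skipped=True (the bug) that stage never runs and
    raw Dual EC x-coordinates reach the caller."""
    raw, _ = dual_ec(seed, count, Q)
    if whitening_skipped:
        return raw
    return [truncate(int.from_bytes(hashlib.sha256(bytes([r >> 8, r & 255])).digest()[:2], "big"))
            for r in raw]

def recover_state(outs, e, Q):
    """Trapdoor holder: rebuild R = s_i*Q from outs[0] by guessing the dropped bits,
    compute e*R = s_i*e*Q = s_i*P = s_{i+1}, keep the guess that reproduces outs[1:].
    Returns s_{i+1} (which predicts every later output) or None."""
    for hi in range(1 << DROP_BITS):
        pt = lift_x((hi << KEEP_BITS) | outs[0])   # sign of y is irrelevant: x(eR) == x(-eR)
        if pt is None:
            continue
        s_next = xcoord(mul(e, pt))
        if dual_ec(s_next, len(outs) - 1, Q)[0] == outs[1:]:
            return s_next
    return None
```

Three things fall out of running it: with the standard Q, only the holder of `E_DESIGNER` can turn a few raw outputs into the internal state; once the output is passed through the second stage (`whitening_skipped=False`) the same holder gets nothing, which is why the X9.31 step mattered and why skipping it mattered more; and after someone replaces Q with `make_q(E_INTRUDER)`, the original trapdoor stops working and the new one works, which is the "Ps and Qs" swap step 7 describes. The curve and bit sizes are toy values; against P-256 the same search costs 2^16 candidate points per output instead of 8.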
(Score: 5, Insightful) by MrGuy on Sunday January 03 2016, @08:45AM
I'll believe that the code wasn't deliberately put there with Juniper's knowledge AFTER they come up with a plausible explanation of how some external party managed to make sophisticated changes to their core OS surreptitiously. Not before.
You don't get the benefit of the doubt from me that you're not a willing NSA collaborator [wikipedia.org] who got caught, just on your own say-so that it must have been teh hax0rz.
(Score: 4, Interesting) by Hyperturtle on Sunday January 03 2016, @04:22PM
You realize they have to say what they are saying, right?
Your cynical view is not misguided, but they cannot expect to stay in business while claiming what we expect to be true.
(Score: 0) by Anonymous Coward on Sunday January 03 2016, @09:59AM
My recommendation for the next big $$$ purchase of networking equipment at my company is for sure going to be from US based manufacturers which one can always depend on. hahahahaha JK
(Score: 2) by q.kontinuum on Sunday January 03 2016, @11:23AM
Alternatives? Something from Huawei [techeye.net]? Are there any trustworthy^wcompanies who didn't prove themselves untrustworthy?
BTW: Why don't we have <strike> tags? More readable than ^w
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 1) by driverless on Sunday January 03 2016, @12:04PM
Alternatives? Something from Huawei? Are there any trustworthy^wcompanies who didn't prove themselves untrustworthy?
You need to distinguish between companies that deliberately collaborate with governments to place backdoors, and ones whose gear gets 0wned and exploited. Despite Huawei (and Chinese vendors in general) being everyone's favourite whipping-boy, I don't know of any cases of deliberately-placed backdoors (rather than third-party exploits) being found, unlike US gear with its "lawful-intercept" backdoors, or unlawful-surveillance ones. Admittedly, Huawei's quality control (or absence thereof) makes it pretty easy to exploit them, so there's not much need for a deliberate backdoor, but they have so far proven more trustworthy than their US competitors.
(Score: 2) by q.kontinuum on Sunday January 03 2016, @02:24PM
I think the pillars of IT security are reliability, confidentiality and (plausible deniability or proven authenticity). For a backdoor I'd assume plausible deniability would be key. For any exploitable bug there is the chance it might be a deliberately planted backdoor. I'm not claiming this is the case for Huawei; to make such a claim, we would need to know what the Chinese government uses for their critical infrastructure, and if the firmware there has the same vulnerabilities / if they take some specific counter-measures.
Registered IRC nick on chat.soylentnews.org: qkontinuum
(Score: 1) by driverless on Sunday January 03 2016, @03:29PM
Chinese corporates use gear from standard commercial vendors, including Huawei. Their data centres will include boxes built and installed by a couple of companies whose names you'll never see listed anywhere, but which are fronts for the PLA. These serve the same purpose as gear from companies like Narus does in the US.
You'll also occasionally run into boxes that to all intents and purposes are Cisco routers with the one distinction being that Cisco didn't make them. Philip K Dick's "Second Variety" came to mind when I saw some of those...
(Score: 0) by Anonymous Coward on Sunday January 03 2016, @02:43PM
(Score: 0) by Anonymous Coward on Sunday January 03 2016, @04:02PM
(Score: 2, Insightful) by requerdanos on Sunday January 03 2016, @08:46PM
Having read TFA, and the comments and further analysis posted in this discussion so far, it would appear that a better title for this posting might have included the phrase "Signs Don't Point to NSA" rather than what was actually chosen. Or even the possibly more honest "Nothing To Do With It, But 'NSA' Because Evil Spy Agency Pointless Namedropping".
I am not an expert in such matters, so I ask: Am I reading this right?