Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com)

Posted by samzenpus on from the protect-ya-neck dept.

itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'

7 of 61 comments (clear)

  1. Well, like my papa used to say by penguinoid · · Score: 5, Insightful

    Never attribute to a National Security Letter what can adequately be explained by incompetence. Or was it something else?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  2. End of Juniper by Anonymous Coward · · Score: 2, Insightful

    Good job NSA!

    1. Re:End of Juniper by arth1 · · Score: 1, Insightful

      Not too good. It got caught.

      "someone â" maybe a foreign government"

      Yeeeerright...
      This reeks of CIA and/or Shin Bet.

  3. This is getting crazy by Anonymous Coward · · Score: 4, Insightful

    This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary.

    Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was.

    The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places.

  4. Re:Man, it is incredible by Anonymous Coward · · Score: 2, Insightful

    RSA was paid $10 million by the NSA to include the broken dual elliptic curve RBG to backdoor their software. I wonder how much Juniper charged for it?

  5. Re:Explaining to your Foxnewser Uncle at Xmas dinn by Streetlight · · Score: 1, Insightful

    The problem with back doors is that they can lie in the software for long periods of time while data theft continues unknown to its owner. Stealing a physical key, stealing a pickup (and sending it to Syria) or car will likely be noticed quickly. And of course, there may be multiple back doors, so swatting down one of them doesn't ensure data security.

    As many writers in these forums have noted, once a back door is installed, anyone, good or bad, with the appropriate tools and skill can open the door. The distinction between bad and good guys seems to be blurred these days.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  6. Call me cynical by grasshoppa · · Score: 3, Insightful

    But who's to say this isn't the cover story for the "Government VPN Encryption" program where a foreign entity managed to "steal" the backdoor password so now everyone has to patch.

    Bet we hear similar things from cisco in the coming weeks/months.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!