Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Juniper VPN Backdoor: Buggy Code With a Dose of Shady NSA Crypto (csoonline.com)

Posted by samzenpus on from the protect-ya-neck dept.

itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'

34 of 61 comments (clear)

  1. Well, like my papa used to say by penguinoid · · Score: 5, Insightful

    Never attribute to a National Security Letter what can adequately be explained by incompetence. Or was it something else?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  2. Well, like James Comey used to say by q4Fry · · Score: 4, Funny

    This isn't a "backdoor," it's an officially sanctioned terrorist detector.

    1. Re:Well, like James Comey used to say by davester666 · · Score: 1

      Hoover just got a boner in his grave.

      --
      Sleep your way to a whiter smile...date a dentist!
  3. End of Juniper by Anonymous Coward · · Score: 2, Insightful

    Good job NSA!

    1. Re:End of Juniper by arth1 · · Score: 1, Insightful

      Not too good. It got caught.

      "someone â" maybe a foreign government"

      Yeeeerright...
      This reeks of CIA and/or Shin Bet.

    2. Re:End of Juniper by Rakarra · · Score: 1

      Not necessarily the end. When Hillary or Donald mandate that those backdoors be included on all US networking products, then every networking company will be in Juniper's boat!

  4. This is why by s.petry · · Score: 5, Interesting

    The demands for "Government Backdoor to All Encryption" need to stop! Installing a back door makes it available for _EVERYONE_, not just some agency which may or may not have a warrant. Not that we _will_ see it stop, just that it should.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:This is why by Anonymous Coward · · Score: 1

      This is why it should be called "Buggery code" when backdooring.

  5. This is getting crazy by Anonymous Coward · · Score: 4, Insightful

    This isn't the first excellent post by Matthew Green. His other on ECC was also informative and scary.

    Juniper equipment manages industrial control systems, (like the kind used in nuclear power plants) and we rely on encryption for every part of our online experience - not to mention classified data that presumably protects Americans. The passive collection of VPN data Mr. Green suggests probably happened, and the active exploitation of equipment Snowden revealed by the NSA is a much bigger story than collecting phone records ever was.

    The infosec community making fun of Hillary for suggesting a manhattan project for encryption is funny, but this underlines a serious lack of understanding by too many people in high places.

    1. Re:This is getting crazy by mikael · · Score: 1

      There were several Manhattan projects for the internet. The first was the design of the original network stacks (OSI, DECnet, and many others all replaced by TCP/IP). The second was the http protocol, and the third was the SSL (Secure Socket Layer) that is the basis for encryption for Internet commerce. Unfortunately, that and any other encryption scheme always ended up getting a bit nobbled in places. Probably thousands others if you read the RFC's.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  6. Criminalize back doors mandate strong encryption. by Anonymous Coward · · Score: 1

    For the good of all internet users and as Internet of Things becomes more prevalent.
    Back doors must be banned and criminalized with severe punishments enacted and strong encryption must be mandated for all devices living on the internet.
    From smart electric meters, household appliances, thermostats, door locks to light bulbs any IoT or other device accessible from the internet all present a risk from malicious actors individuals or nation states.

  7. Re:Explaining to your Foxnewser Uncle at Xmas dinn by Anonymous Coward · · Score: 1

    Getting into encryption at the vpn/router level does not really make it easier to catch the bad guys, unless that bad guys actually own the router. Bad guys using encryption are encrypting end to end, not the that level. Maybe I am missing something.

  8. Man, it is incredible by Lisandro · · Score: 3, Interesting

    Judging from what i've read so far it is pretty obvious that the original Dual_EC_DRBG-based backdoor was placed there quite intentionally. Juniper has a lot to answer for.

    1. Re:Man, it is incredible by Anonymous Coward · · Score: 2, Insightful

      RSA was paid $10 million by the NSA to include the broken dual elliptic curve RBG to backdoor their software. I wonder how much Juniper charged for it?

    2. Re:Man, it is incredible by Lisandro · · Score: 2

      No. They should be crucified for not disclosing it. Juniper has been selling backdoored security products which, as the article explains, allowed not only the NSA to eavesdrop communications but anyone else as well. RSA took money from the NSA to default that same compromised RNG and never announced it; they should held accountable.

      As for your second question, no. Backdoors are never a proper answer when discussing cryptography, on any form.

    3. Re:Man, it is incredible by houghi · · Score: 1

      I am sure they are willing to do so, but not allowed. You know things are fucked up when the people with the tin foil hats are right.

      --
      Don't fight for your country, if your country does not fight for you.
  9. Re:Explaining to your Foxnewser Uncle at Xmas dinn by mikael · · Score: 3, Informative

    The US government does that with suitcases. You now get to buy suitcases that have a three digit combination lock, as well as a special DHS lock that bypasses that combination lock.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  10. Re:Explaining to your Foxnewser Uncle at Xmas dinn by Streetlight · · Score: 1, Insightful

    The problem with back doors is that they can lie in the software for long periods of time while data theft continues unknown to its owner. Stealing a physical key, stealing a pickup (and sending it to Syria) or car will likely be noticed quickly. And of course, there may be multiple back doors, so swatting down one of them doesn't ensure data security.

    As many writers in these forums have noted, once a back door is installed, anyone, good or bad, with the appropriate tools and skill can open the door. The distinction between bad and good guys seems to be blurred these days.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  11. Re:Explaining to your Foxnewser Uncle at Xmas dinn by epyT-R · · Score: 1

    If you want to compromise networks carrying sensitive data, you do.

  12. Re:Explaining to your Foxnewser Uncle at Xmas dinn by Sowelu · · Score: 1

    That makes more sense for physical locks. You can reasonably criminalize unauthorized possession of one of those keys, which means if someone commits a crime with one and gets caught, you can nail them to the wall. And because you can't unlock a suitcase from across the planet, it's fairly likely that you can catch someone eventually, and that they'll be in your jurisdiction to actually arrest them.

    Someone in a hostile country gets ahold of a master encryption key? You might never find out, and if you do you can't catch them, and if you catch them you can't prosecute them.

  13. Re:Explaining to your Foxnewser Uncle at Xmas dinn by bytesex · · Score: 1

    That's a service to you. They do that so that your suitcase remains intact. Otherwise, the lock on your suitcase would simply be broken, rendering the locking mechanism useless and the bag ugly.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  14. Re:You all should realize... by stooo · · Score: 1

    >> knowing damn well it'll never happen

    Yeah. It just happened. And it's still not properly repaired. (RNG still broken) And that's just the tip of one of the icebergs.

    --
    aaaaaaa
  15. Call me cynical by grasshoppa · · Score: 3, Insightful

    But who's to say this isn't the cover story for the "Government VPN Encryption" program where a foreign entity managed to "steal" the backdoor password so now everyone has to patch.

    Bet we hear similar things from cisco in the coming weeks/months.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  16. This is why I bought a 100% free libreCMC router by Anonymous Coward · · Score: 1

    I know what is in it cause we have the complete set of source code and it's actually easy to buid cause it's properly documented and everything. For those who don't know libreCMC is the only real embedded distribution for routers that is 100% free. With other distributions there are non-free parts and even digital restrictions in some cases. Of course most off the shelf routers are non-free and locked now due to FCC rule changes sadly. If your not aware check out ww.savewifi.org

  17. Re:Explaining to your Foxnewser Uncle at Xmas dinn by Anonymous Coward · · Score: 1

    First it is an incredibly simple key the DHS uses, a plastic thing with 3 prongs on it, they have to make thousands one for each DHS/TSA agent.
    People already made copies of it and started stealing things from your bag at the airport.

  18. Re: Explaining to your Foxnewser Uncle at Xmas din by Anonymous Coward · · Score: 1

    A physical key like the TSA one can be duplicated by just having a picture of it. The analogy is actually pretty good here.

    Suspect there's a back door and you'll probably find it. KNOW there's a back door and it really doesn't take so long.

  19. Re:Explaining to your Foxnewser Uncle at Xmas dinn by AK+Marc · · Score: 1

    Or, like real keys, someone opens the lock and reverse engineers the master key. Then every lock is compromised. That's why people panic when root certs have issues. They are essentially master keys to certain types of locks.

    --
    Learn to love Alaska
  20. Re:Explaining to your Foxnewser Uncle at Xmas dinn by AK+Marc · · Score: 1

    Watch some of the border security shows sometime. They can get into your suitcase without opening the lock, then seal it back like they were never in. Only a keyed hardcase with real latches will keep anyone out. Zippers are secure against someone who doesn't have 5 spare seconds to untraceably open and reseal it.

    --
    Learn to love Alaska
  21. Re:Snowden docs by AHuxley · · Score: 2

    Crypto experts should have understood this from the 1920's on over every generation of telco and network as a standard given to "other" nations to connect with.
    Every generation has its crypto subverted by 5 eye nations due to location (global capture) and raw computing power to "collect it all".
    US network equipment designers had to fit in domestic production lines around what was Communications Assistance for Law Enforcement Act (CALEA).
    Every big brand device as exported, shipped, designed, upgraded, sold is trap door, back door ready.
    All other nations can do now is design domestically, build and code locally. Suffer the heat, cooling, power, cpu limits and know the domestic code their nation is using is now running on their own hardware. Get out of any import bids for upgrades with a security clause and start designing domestically.
    Allowing, demanding a nation to import any trap door, back door ready "export grade" hardware is really getting strange given all the public crypto news.

    --
    Domestic spying is now "Benign Information Gathering"
  22. Malicious code and the firewall .. by nickweller · · Score: 2

    "malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls."

    Given todays computing model, where clicking on a link opens up a two-way connection to a server and executes remote code on your computer, the firewall is next to useless.

  23. Re:Snowden docs by Anonymous Coward · · Score: 1

    http://uk.businessinsider.com/...

  24. NSA wants a back door to all encryption. by Anonymous Coward · · Score: 1

    Anybody now understand what would happen.

    Retards the lot.

  25. Re:This is why I bought a 100% free libreCMC route by Ambient+Sheep · · Score: 2

    Now you just have to hope that the compiler hasn't got a backdoor generator built into it (the Ken Thompson hack)...

  26. How do we get mainstream press to connect the dots by srijon · · Score: 1

    We need a mainstream front page news article "Government encryption backdoor is exploited by criminals." Instead the mainstream coverage fails to connect the Juniper story to the debate on backdoors at all. e.g. CNN runs with: "Newly discovered hack has US fearing foreign infiltration", an article stoking fears over hackers and cybersecurity without once mentioning the keys put under the mat by the government.