NSA Helped British Spies Find Security Holes in Juniper Firewalls (opens in new tab)

(theintercept.com)

189 pointsslasaus10y ago57 comments

57 comments

39 comments · 9 top-level

tptacek10y ago· 8 in thread

Did The Intercept just publish a document about Juniper insecurity that they've had since 2013, or had they already published this?

If they hadn't already published it, why not? It could have done some good before, but does no good now.

striking10y ago

To me, it almost seems like they haven't gotten to reading through all of the content of the archives that they have. But when there's a serious 0-day on the loose, it's not too difficult to Ctrl-F the archives to check if the NSA has anything to do with it.

akerro10y ago

> the archives

https://search.edwardsnowden.com/ https://search.wikileaks.org

what more you have?

1 more reply

vox_mollis10y ago

Greenwald is still sitting on an estimated 90% of the original Snowden document cache.

It's quite likely that Juniper's security advisory was sufficient cause to release this from the cache.

per: https://cryptome.org/2013/11/snowden-tally.htm

cinquemb10y ago

>If they hadn't already published it, why not?

I must be naive in thinking that you just don't have a billionaire fund an organization to leak secrets in any timely fashion ;)

jtgeibel10y ago

I wonder if this document was supplied to Juniper first, leading to the security audit that found the 2 recent vulnerabilities. Now that there are press reports of government officials saying the NSA wasn't responsible for these 2 exploits, they publish proof that at the very least the NSA viewed Juniper as a target and likely had exploits of their own (or via GHCQ).

sangnoir10y ago

> If they hadn't already published it, why not? It could have done some good before, but does no good now.

My guess is that there are a lot of documents to go through, which will take years.

Are you advocating for a Wikileaks-style unreducted data dump (against Snowdens wishes), or you want Greenwald to "work faster"?

akerro10y ago

The document was created in documentcloud.org today.

strictnein10y ago

They must have published it previously, because it's been floating around here for a couple of days. A slide just showing that they targeted Juniper products.

edit: First picture here: http://boingboing.net/2015/12/21/juniper-networks-backdoor-c...

MichaelGG10y ago· 6 in thread

> ...it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the “NetScreen” line of security products...

It does? Sounds like this is a rather normal, expected, analysis. They're just reviewing products; probably they already had similar capabilities on IOS and wanted to make sure they could handle other targets or a shift in the market. This does not sound like getting backdoors placed, at all.

I hate to be suspicious or cynical here, but is this just The Intercept being opportunistic? Is there any reason to relate this to the recent "unauthorized code" issues?

BinaryIdiot10y ago

You are completely correct. There isn't any correlation indicating that a security agency was behind the backdoors setup in their OS. Granted this could still be the case but there isn't any evidence, known to the public at least, that any security agency had a hand in creating the backdoors.

The timing of this article is obviously done in order to capitalize on the recent Juniper news. I would suspect all security agencies to be looking at the security of al networking products that they can get a hand on.

atmosx10y ago

> There isn't any correlation indicating that a security agency was behind the backdoors setup in their OS.

I am not so sure. There are strong indications pointing[1] at state actors.

[1] http://securityaffairs.co/wordpress/42971/hacking/juniper-sc...

sbov10y ago

As to what you're quoting, yes, it does. It seems likely that they found ways to penetrate NetScreen. At the end of the original top secret document:

> The vast majority of current Juniper exploits are against firewalls running the ScreenOS operating system.

This reads like a statement of fact. That they knew of multiple exploits against ScreenOS. Enough to use the term "vast majority". That doesn't mean the most recent backdoors are their work, but it does seem to imply that they found ways to penetrate NetScreen.

strictnein10y ago

I think they're trying hard to connect dots that aren't really connected. Glenn gets a little overzealous at times, in my opinion.

revelation10y ago

Presumably you should direct your anger at the parties responsible for the occlusion and uncertainty here.

If that fails, let's hate on Juniper. In any case, the linked PDF says that they do indeed have current exploitation capabilities for Juniper products and are working on more, even if it initially reads like a product brochure.

MichaelGG10y ago

Current as of that time. Juniper's released a lot of security advisories since them. Though it's likely that they continue to find exploits. I'd be surprised if they don't have similar reports for any popular product, hardware or software, closed or open source.

discardorama10y ago· 5 in thread

I have a feeling that this is how these agencies skirt the law: agency X is not allowed to do "A", so it helps agency B do it, and share the findings with X. And vice versa. So the GCHQ spies on Americans willy-nilly, and the Americans spy on Brits, with full knowledge of each other.

akerro10y ago

That's how British government "doesn't use drons". They tell US to use drons to automatically bomb a target and kill hundreds of people, whole attack is organised by UK, but technically, it was done by US. In such case UK says in report they didn't kill anyone and US say they rented weapons.

mattmanser10y ago

Our government does use drones? Has done for years.

ck210y ago

This is like right out of a movie script and you are probably right.

How did Google engineers put it? Oh yeah:

https://plus.google.com/108799184931623330498/posts/SfYy8xbD...

samstave10y ago

This is explicitly revealed in how the NSA is sharing info with Israel.

venomsnake10y ago

That has been open secret since the early 90s I think.

tptacek10y ago· 5 in thread

Worth considering: every serious SIGINT agency probably had this capability against Netscreen VPNs. If you do a lot of network infiltration, these boxes are among the most useful targets; unlike routers running JunOS, the VPN concentrators have a large outside-the-packet-filter attack surface, and everyone runs them.

It'd be surprising if NSA and GCHQ didn't have similarly powerful capabilities against all the current VPN products.

adrtessier10y ago

> If you do a lot of network infiltration, these boxes are among the most useful targets; unlike routers running JunOS, the VPN concentrators have a large outside-the-packet-filter attack surface, and everyone runs them.

Don't forget that the newer SRX-series VPN gateways are JunOS-based, and seem to be recommended by most Juniper sales people these days. There are certainly a ton of ScreenOS devices, but Juniper seems to have mostly deprecated them in their messaging.

The primary Juniper security track certifications are JunOS-focused, and there's only a basic specialization available from them for ScreenOS. Juniper has mostly staked their future on JunOS from what I can tell.

epistasis10y ago

While I don't doubt that's true for closed-source products, would it also be true for open source products? I've heard that some methods of IPSec key exchange are compromised, but don't know details. Would it also be good to suspect OpenVPN's method of key exchange?

jcrawfordor10y ago

The vast majority of defects groups like intelligence agencies are exploiting are not going to be intentionally-placed backdoors - they're going to be typical vulnerabilities discovered the normal way, just by an organization with immense resources and no motivation to share.

So the bottom-line is that it comes down to how much you trust the people that made the software. Is it a very high quality vendor? Is it a very high quality open-source project?

The nice thing about open-source software is that you have a much better ability to evaluate this from the inside. Get on mailing lists, poke around trackers, and see how they usually deal with security disclosures. Do they even have a formal program to do so? I'm not sure that OpenVPN does, although a lot of distros watch that carefully.

1 more reply

superuser210y ago

Take a look at the CVEs. People find vulnerabilities in trusted open source projects all the time. The NSA hires a lot of smart people to spend all day looking for them and not share their findings with the Internet.

No infiltration required.

1 more reply

vox_mollis10y ago

Since it's now clear that "many eyes makes all bugs shallow" is patently false, the MO for said agencies to compromise OSS projects is to play the long game of making numerous benign commits, becoming trusted, then committing subtly compromised code.

This would be much easier than compromising specific algorithms or KE protocols. Cheap, too. All it takes is plenty of patience.

5 more replies

oroup10y ago· 3 in thread

Seems like a prime opportunity for a class action lawsuit. Juniper was selling a class of products that categorically did not do what it claimed. What would be interesting is their method of defense. As was pointed out to me in an earlier thread, companies have legal immunity when assuring the intelligence community with their work.[1] But Juniper already claims that they do not assist third parties to compromise their products. So they would either need to change their statements or be ineligible for this defense.

superuser210y ago

There is no indication that Juniper cooperated with the NSA or acted intentionally to compromise its products.

All software has defects, and if bugs entitled customers to civil damages there would be 0 technology companies left alive. The standard is negligence, but the NSA is sophisticated enough to compromise designs that were not negligent.

chei0aiV10y ago

http://blog.cryptographyengineering.com/2015/12/on-juniper-b...

phicoh10y ago

It seems to me that having Dual_EC_DRBG in your code today is an extreme case of incompetence. Ideally, that should be enough to sue them out of business.

biot10y ago· 3 in thread

Interesting that Juniper merely claims that putting in a backdoor or working with others to do the same is against their policy. They seem to be avoiding saying a very simple, clear statement: "We never have and never will intentionally compromise the security of or put backdoors into our products, whether for ourselves or on behalf of a third party". That they can't come out and say that makes their claims suspect.

jlgaddis10y ago

From TFA:

> "As we’ve stated previously … it is against established Juniper policy to intentionally include ‘backdoors’ that would potentially compromise our products or put our customers at risk. Moreover, it is Juniper policy not to work with others to introduce vulnerabilities into our products.”

-- Juniper

chei0aiV10y ago

Seems they were lying when they said that:

http://blog.cryptographyengineering.com/2015/12/on-juniper-b...

1 more reply

biot10y ago

That's the point I'm making, only I didn't bother to quote that exact paragraph myself. What you've quoted states only that their policy is against it; Juniper makes no claims that they've never violated their policy. It's like the NSA stating that collecting information on Americans is against their policy. I'm sure you can appreciate that there may be differences between policy and practice.

nickpsecurity10y ago

Not sure about whether it's subversion or basic hacking. You should assume, though, that they might have hacks in any common product that can be used for a security bypass. Here's why: IT markets usually become oligopolies where a few players products are all over the place. Firewalls, routers, VPN's, OS's on desktop, OS's on mobile, net configuration, build systems... handfuls of implementations in each dominate in market share. So, rather than beating everything, you can focus on 0-days in a tiny few to beat almost everyone [that matters to a TLA].

Another side of this coin is that they'll add to their hitlist whatever they encounter the most. They probably run into Juniper firewalls all the time. So, it's higher priority. Using high-quality, but lower-priority-to-them, components reduces you risk of being hit by them. So, one of my recommendations is to build/use strong systems, use diverse components of good quality, and obscure the workings of both at the interface. They'll trip your alarms trying to figure out what you're using before they hack you.

AndyMcConachie10y ago

So how long has Glen Greenwald and others with access to the Snowden cache known about this?

There was only one Snowden cache. If the document was provided by Snowden, did we hear about it earlier?

Who has access to the Snowden cache now? Do we know?

NN8810y ago

So the US isn't supposed to gather intel now? IS that what you're saying Glenn?

j / k navigate · click thread line to collapse

57 comments

39 comments · 9 top-level

tptacek10y ago· 8 in thread

Did The Intercept just publish a document about Juniper insecurity that they've had since 2013, or had they already published this?

If they hadn't already published it, why not? It could have done some good before, but does no good now.

striking10y ago

akerro10y ago

> the archives

https://search.edwardsnowden.com/ https://search.wikileaks.org

what more you have?

1 more reply

vox_mollis10y ago

Greenwald is still sitting on an estimated 90% of the original Snowden document cache.

It's quite likely that Juniper's security advisory was sufficient cause to release this from the cache.

per: https://cryptome.org/2013/11/snowden-tally.htm

cinquemb10y ago

>If they hadn't already published it, why not?

I must be naive in thinking that you just don't have a billionaire fund an organization to leak secrets in any timely fashion ;)

jtgeibel10y ago

sangnoir10y ago

> If they hadn't already published it, why not? It could have done some good before, but does no good now.

My guess is that there are a lot of documents to go through, which will take years.

Are you advocating for a Wikileaks-style unreducted data dump (against Snowdens wishes), or you want Greenwald to "work faster"?

akerro10y ago

The document was created in documentcloud.org today.

strictnein10y ago

They must have published it previously, because it's been floating around here for a couple of days. A slide just showing that they targeted Juniper products.

edit: First picture here: http://boingboing.net/2015/12/21/juniper-networks-backdoor-c...

MichaelGG10y ago· 6 in thread

> ...it does make clear that, like the unidentified parties behind those hacks, the agencies found ways to penetrate the “NetScreen” line of security products...

I hate to be suspicious or cynical here, but is this just The Intercept being opportunistic? Is there any reason to relate this to the recent "unauthorized code" issues?

BinaryIdiot10y ago

atmosx10y ago

> There isn't any correlation indicating that a security agency was behind the backdoors setup in their OS.

I am not so sure. There are strong indications pointing[1] at state actors.

[1] http://securityaffairs.co/wordpress/42971/hacking/juniper-sc...

sbov10y ago

As to what you're quoting, yes, it does. It seems likely that they found ways to penetrate NetScreen. At the end of the original top secret document:

> The vast majority of current Juniper exploits are against firewalls running the ScreenOS operating system.

strictnein10y ago

I think they're trying hard to connect dots that aren't really connected. Glenn gets a little overzealous at times, in my opinion.

revelation10y ago

Presumably you should direct your anger at the parties responsible for the occlusion and uncertainty here.

MichaelGG10y ago

discardorama10y ago· 5 in thread

akerro10y ago

mattmanser10y ago

Our government does use drones? Has done for years.

ck210y ago

This is like right out of a movie script and you are probably right.

How did Google engineers put it? Oh yeah:

https://plus.google.com/108799184931623330498/posts/SfYy8xbD...

samstave10y ago

This is explicitly revealed in how the NSA is sharing info with Israel.

venomsnake10y ago

That has been open secret since the early 90s I think.

tptacek10y ago· 5 in thread

It'd be surprising if NSA and GCHQ didn't have similarly powerful capabilities against all the current VPN products.

adrtessier10y ago

epistasis10y ago

jcrawfordor10y ago

So the bottom-line is that it comes down to how much you trust the people that made the software. Is it a very high quality vendor? Is it a very high quality open-source project?

1 more reply

superuser210y ago

No infiltration required.

1 more reply

vox_mollis10y ago

This would be much easier than compromising specific algorithms or KE protocols. Cheap, too. All it takes is plenty of patience.

5 more replies

oroup10y ago· 3 in thread

superuser210y ago

There is no indication that Juniper cooperated with the NSA or acted intentionally to compromise its products.

chei0aiV10y ago

http://blog.cryptographyengineering.com/2015/12/on-juniper-b...

phicoh10y ago

It seems to me that having Dual_EC_DRBG in your code today is an extreme case of incompetence. Ideally, that should be enough to sue them out of business.

biot10y ago· 3 in thread

jlgaddis10y ago

From TFA:

-- Juniper

chei0aiV10y ago

Seems they were lying when they said that:

http://blog.cryptographyengineering.com/2015/12/on-juniper-b...

1 more reply

biot10y ago

nickpsecurity10y ago

AndyMcConachie10y ago

So how long has Glen Greenwald and others with access to the Snowden cache known about this?

There was only one Snowden cache. If the document was provided by Snowden, did we hear about it earlier?

Who has access to the Snowden cache now? Do we know?

NN8810y ago

So the US isn't supposed to gather intel now? IS that what you're saying Glenn?

j / k navigate · click thread line to collapse