US Gov’t Agencies Freak Out Over Juniper Backdoor; Perhaps They’ll Now Realize Why Backdoors Are A Mistake by Mike Masnick
From the post:
Last week, we wrote about how Juniper Networks had uncovered some unauthorized code in its firewall operating system, allowing knowledgeable attackers to get in and decrypt VPN traffic. While the leading suspect still remains the NSA, it’s been interesting to watch various US government agencies totally freak out over their own networks now being exposed:
The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.
One U.S. official described it as akin to “stealing a master key to get into any government building.”
And, yes, this equipment is used all throughout the US government:
Juniper sells computer network equipment and routers to big companies and to U.S. government clients such as the Defense Department, Justice Department, FBI and Treasury Department. On its website, the company boasts of providing networks that “US intelligence agencies require.”Its routers and network equipment are widely used by corporations, including for secure communications. Homeland Security officials are now trying to determine how many such systems are in use for U.S. government networks.
…
As regular readers know, disclosure disrupts zero-day markets, but this is a case where I would favor short-term non-disclosure.
Non-disclosure to allow an informal networks of hackers to drain as much information from government sources as their encrypted AWS storage could hold. Not bothering to check the data, just sucking down whatever is within reach. Any government, any network.
That happy state of affairs didn’t happen so you will have to fall back on poor patch maintenance and after all, it is the holidays. The least senior staffers will be in charge, if even them, after all, their rights come before patch maintenance.
Just guessing, I would say you have until March before most of the holes close up, possibly longer. BTW, that’s March of 2017. Given historical patch behavior.
What stories are you going to find because of this backdoor? Make them costly to the government in question. Might disabuse them of favoring backdoors.