On Thursday, tech giant Juniper Networks revealed in a startling announcement that it had found “unauthorized” code embedded in an operating system running on some of its firewalls.
The code, which appears to have been in multiple versions of the company’s ScreenOS software going back to at least August 2012, would have allowed attackers to take complete control of Juniper NetScreen firewalls running the affected software. It also would allow attackers, if they had ample resources and skills, to separately decrypt encrypted traffic running through the Virtual Private Network, or VPN, on the firewalls.
The security community is particularly alarmed because at least one of the backdoors appears to be the work of a sophisticated nation-state attacker.
Merry Christmas, everybody.
“The weakness in the VPN itself that enables passive decryption is only of benefit to a national surveillance agency like the NSA,” says Nicholas Weaver, a researcher at the International Computer Science Institute and UC Berkeley. “You need to have wiretaps on the internet for that to be a valuable change to make [in the software].”
There, fixed it for them!
This is where a user like me throws his hands in the air and says, “If the experts can’t keep me safe, what chance do I have?”
This was over 3 years ago. And not from any company but from Juniper. This is the tech equivalent of VW cheating massively on their environmental tests, only worse because environmental tests are a side issue for VW, whereas security is the main business for Juniper. Just like in the VW example, I expect others to announce they “had similar issues” and “are working on a solution for the future”.