Network equipment vendor Juniper has issued an urgent security alert for its Netscreen range of enterprise firewalls, after discovering “unauthorised code” in the device operating system that allows them to be fully compromised.
According to Juniper chief information officer Bob Worrall, the code was discovered during an internal review of the ScreenOS operating system for the Netscreen firewalls.
One vulnerability could be triggered to permit an attacker to log in via Secure Shell or telnet connections, and gain administrative privileges on Netscreen firewalls.
More from another source:
*How Does the Backdoor Occur?*
The backdoor occurred due to a pair of critical vulnerabilities: The first allows anyone to decrypt VPN traffic and leave no trace of their actions. The second allows anyone to completely compromise a device via an unauthorized remote access vulnerability over SSH or telnet. In short, an attacker could remotely log-in to the firewall with administrator privileges, decrypt and spy on thought-to-be-secure traffic, and then even remove every trace of their activity.
So it is state security. Is it US, China, or some other actor? This is more likely the US. How do I know? I know how the US State Security operates, and that a foreign entity would have great trouble gaining the necessary access. Reportedly Juniper is NIST compliant and certified by the Federal Government for use in all government networks, as well as the secure networks of those who engage in business with the government. That means the US security state will deploy counter-intelligence on the entire operation which produces these firewalls, to proactively protect the software from being compromised. That means government specialists have already identified how they would compromise this software, in this exact same way, and their agencies have deployed surveillance assets to secure those holes. How does that work?
If you were going to compromise this software, you would first acquire sources inside the company, and have them acquire the employee list and their assigned responsibilities. Then you identify who would have the access to get your code inserted into the software, in that small window between when the final release image is approved, and when it begins being burned off and turned into product. 99 times out of 100 this will entail finding an insider who will swap the final release image for you at the critical point. That means either inserting your own person into the relevant position, or finding everyone who can do that, and deploying surveillance on them until you can find which one can be compromised with as little risk as possible.
You do not just walk up blindly to the first person you see on the list, and ask them if they want a little extra money, unless you want a high probability of them reporting your approach, and your operation being burned before it gets off the ground. You want to examine each individual to first find the best sticks, then find the best carrots, and then combine all of that with a psychological analysis of each individual as you look for the ideal target – and you want to do all of that without anybody knowing anyone is even looking around.
As you hone in on targets, you begin to invade their lives. You put a guy in next to your target at his Karate class, and have him make friends – as closely as possible. You put a pretty girl in next to him at the laundromat each day, and have her make small talk. You have somebody follow him into the doctor’s office, to see if maybe he is in need of some security for his family after he dies from a terminal illness. You clock every purchase in every store and you identify every friend and contact, to look for weaknesses there. You want to know who those people are, what their weakness and motivators are, and how they think.
The conundrum of such an operation is that it’s theoretical likelihood of success is inversely proportional to the amount of resources deployed on it. Conversely, from a practical standpoint, the more resources you expend, the more opportunities for exposure you create. Deploy lots of resources, and eventually you can almost guarantee it will succeed. But lots of resources means an alert target may notice the surveillance and warn the company, and any counter-intelligence operating in the area has an increased opportunity to pick up on it. How does counter-intelligence operate?
Counter-intelligence identifies the employees with the access by approaching the problem as if it were launching the compromising operation itself. It looks for who such an operation might target, and it deploys its own counter-surveillance on them – that is surveillance monitoring the potential targets for signs of being compromised (such as a meeting with a foreign agent), or for signs of foreign surveillance designed to compromise them.
This sounds resource intensive, and it is to some extent. However the surveillance state is growing, and thus it needs to train up numerous surveillance agents. Agents still being trained can be used to limit the cost of vehicle and foot operatives, since the targets are low risk criminally, and soft in terms of surveillance awareness. Technical surveillance can be deployed to fill in additional gaps at low cost, from web monitoring, to deployed cameras, to bank account monitoring, and spending pattern analysis. Surveillance can be rolled out only during critical periods prior to a product finalization, when such a compromising operation would have to make a move. Finally, since tech companies tend to congregate geographically, such as in Silicon Valley, numerous targets at numerous sensitive companies can be monitored by one small team conducting rotating surveillance on all targets in a certain area, or a few small teams phasing coverage, with each responsible for targets within certain geographical sectors of that area.
Costs can be further contained by conducting surveillance that penetrates deeper than a target might think a government agency would or could pursue. Get covert, but deniable ears inside the deepest areas inside houses, inside cars, offices, law offices, and other areas where a target would never think a bug might be placed, and you are suddenly in the one area a target will go to try to talk about a highly sensitive topic they don’t want eavesdropped on. In a famous Philadelphia mob case, the FBI installed bugs in the personal offices, conference rooms, coffee room, and bathrooms of a mobster’s lawyer, to catch mobsters talking about business. The mobsters, ever suspicious, even called in a Technical Surveillance and Countermeasure Specialist, who for “unknown” reasons, failed to discover the bugs. FBI agents afterward said the TSCM specialist was a great development, because after he left, the mobsters proceeded to discuss their most sensitive information, feeling safe from all eavesdropping.
As a cost-saving measure, a single bug in the most secure area a target has can yield more intelligence, more reliably, than five twelve man mobile surveillance teams conducting 24/7 follows of a target into every destination he travels to – and it can do it for a small fraction of the cost. Add in some low cost CI’s recruited from taxi drivers, bus drivers, deliverymen, and others who spend their day on the roads in target areas with open eyes, and running decent counter-intelligence on sensitive computer security companies can be much more cost-effective than allowing a Chinese backdoor into sensitive government servers.
Now a foreign state agency seeking to insert a backdoor must not only run an extensive surveillance and intelligence operation to try and avoid detection prior to approaching a target or inserting an agent, it must also evade an extensive domestic surveillance operation blanketing the very targets it needs to get close to, and scrutinizing any hires with access for any foreign state associations. If you have enough targets congregated in one area, this surveillance blanket can be nearly impenetrable. For a company producing the security for US government servers, it will be.
Notice how, just as with a bug in a highly secure area, if you can penetrate anyone’s secure server without leaving any tracks at all, you can get better surveillance coverage than you would with a vastly more expensive surveillance solution. People will actually want to put information they don’t want compromised through such a system. Notice how other surveillance operations suddenly can become more effective for less cost, freeing up surveillance operatives and assets for other operations.
Imagine how tempting it must be to be running these counter-intelligence operations knowing how best to insert the code, having already identified the ideal targets, figured out who is most compromisable, having run the surveillance to get the intel to compromise them, and then be sitting there on top of the ideal operation, which would be of immense use to you on other operations.
No other intelligence entity is in your way, because you’ve cleared them out beforehand, and locked down the entire area with pole surveillance. You have the authority of the US government, so it is even easier to recruit your assets than it would be if you were a foreign state. If the operation were burned, your agency will control the law enforcement apparatus which will be called to investigate it.
You can see how tempting it would be, but you can also see what a slippery slope it could become. As you break that first rule, it can become necessary to break other rules and begin surveilling other entities to cover potential avenues of exposure, and gain control of anyone who could be problematic at some future point. Soon judges, media entities, news reporters, lawyers, politicians, police officers, District Attorneys, TSCM specialists, and so on. The more power-players you control, the farther you can push the envelope. The farther you push the envelope, the more players you need to control. It is a self-perpetuating cycle. Once you break that first law, it is in for a penny, in for a dollar.
It is not impossible Juniper’s issue was a foreign state actor, but knowing some measure of the extent and penetration of the US surveillance state today, and how it acts to preemptively contain threats, I find it highly unlikely. I believe this is one more example of the US surveillance state that is increasingly extending its reach and penetration into every corner of our nation.
This is coming to a head. When the media realizes just how deeply this penetration has extended into their lives, I expect you will begin to see stories about it – and they will be shocking. Until then, all you will see are bits and pieces of the leviathan underneath.
Apocalypse cometh™
UPDATE: Looks similar to known NSA programs leaked by Snowden:
A December 2013 story in the German publication Der Spiegel described a 50-page catalog of hardware and software tools used by the NSA to infiltrate the equipment, including one targeted at Juniper’s NetScreen appliances.
The document describes a technique nicknamed FEEDTROUGH, which is used to keep two kinds of software implants on a Juniper NetScreen firewall. The technique is aimed at keeping the software implants on the device even if it reboots or is upgraded.
The NSA also targeted other major networking manufacturers, including Cisco and Huawei, Der Spiegel reported.
Notice, this is documented action by domestic agencies (read Law Enforcement Intelligence), and there is no warrant, no court authority, no company approval, no attempt at coordination with the company, and it would be in direct contravention to untold numbers of laws. It is run wholly off the books, exactly like a criminal operation by a criminal entity. You or I would get decades for trying this, and so would they – if they didn’t control Law Enforcement. Warrantless tampering with a company’s software to gain access to secure private communications of United States companies and private citizens, obtained with the black arts of surveillance, blackmail, bribery, and coercion, applied to citizens by sworn law enforcement. Think about that.
Being this far out on the ledge, they didn’t fuck around with limited control of the targets or the operational vulnerabilities. They knew everything the CEO said every minute of every day to everyone. They knew everyone his security chief met with and talked to. They were on every phone call, read every email, heard everything in his office and around his cellphone, watched for any counter-move, looked for any play by Juniper to catch the surveillance in the act or turn the asset back around the other way and burn the op. They looked for any sign of being blown – this shit was not just a career killer if it was blown – it could be the one op that destroyed hundreds, if not thousands of other ops just like it. I wouldn’t be surprised if the team leader could be killed in an “accident” just to keep it quiet, if necessary. I’ll bet even the local news anchors’ personal assistants were blanketed just to make sure nobody from the company called them with the story, and they never even knew it. Within minutes of this being discovered, I will also bet that a phone call went out to some headquarters somewhere, apprising the leadership that the exploit had just been burned by a security review, and the planning for the next op began being fleshed out.
And yet – there will be no investigation, no big expose on the news, no possibility of consequences for anyone, and in a year it will be forgotten. They could have video of the actors doing it, and the cops would probably shitcan the report, and the media would ignore the story, once intel rolled out all the leverage their surveillance had acquired on the editors and executives at the media outlet.
You can get around all of that, and even do it on a budget – nothing is hopeless, but it isn’t easy, and few techies have the brains, balls, or understanding to figure out how. Remember this as the Apocalypse approaches – nothing will be secure unless you are as paranoid as you can possibly be, and even then your best friend next to you may have been turned.
I told you things were changing…
A new environment for K-types to deal with.
And what would you use this info for?
http://www.stewwebb.com/2014/02/03/aipac-and-abramoff-operated-child-sex-blackmail-ring/finders_through_a_glass_very_darkly/
http://www.washingtonsblog.com/2014/07/governments-gather-evidence-child-pornography-blackmail-officials.html