Tuesday, January 12, 2016

Juniper, Citrix and Fortinet

No, this is not about the famous Donovan song.

Most of this list was compiled by M. Jennings:

NSA Helped British Spies Find Security Holes In Juniper Firewalls [theintercept.com] Quote: "... British spy agency GCHQ, with the knowledge and apparent cooperation of the NSA, acquired the capability to covertly exploit security vulnerabilities in 13 different models of firewalls made by Juniper Networks..."

Secret Code Found in Juniper's Firewalls Shows Risk of Government Backdoors [wired.com] Quote: "This is a very good showcase for why backdoors are really something governments should not have in these types of devices because at some point it will backfire."

New Discovery Around Juniper Backdoor Raises More Questions About the Company [wired.com] Quote: "Juniper added the insecure algorithm to its software long after the more secure one was already in it, raising questions about why the company would have knowingly undermined an already secure system."

Juniper 'fesses up to TWO attacks from 'unauthorised code' [theregister.co.uk]

'Unauthorized code' that decrypts VPNs found in Juniper's ScreenOS [theregister.co.uk] Quote: "And it may have been there since 2008, making this a late contender for FAIL of the year."

How to log into any backdoored Juniper firewall -- hard-coded password published [theregister.co.uk]

Juniper promises to fix ScreenOS cryptography ... eventually [infoworld.com]

Listen up, FBI: Juniper code shows the problem with backdoors [infoworld.com] Quote: "FBI director James Comey should be taking notes: The Juniper debacle shows why security experts are up in arms over government-ordered backdoors."

Another quote from that article:

"Cryptographic backdoors are one of the best ways for attackers to break into systems. '[The backdoors] take care of the hard work, the laying of plumbing and electrical wiring, so attackers can simply walk in and change the drapes,' Green said.

And ditto for Fortinet [arstechnica.com], the Deep Packet Inspection filter company, who also thought it wise to install a SSH server with a hard coded password.

Not to be outdone, Citrix also makes products with the same stupidity and a fixed password of Citrix123.

It is amazing that Fortinet, Citrix, Juniper and its spawn Pulse Secure, are still doing business. The only explanation is that literally nobody cares about security and only pays lip service to it.

GIGO: Garbage In, Garbage Out...

Herman

No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.