Re: [j-nsp] juniper hack news

2015-12-28 Thread Hugo Slabbert

On Sun 2015-Dec-27 03:46:48 +, Scott Granados wrote:

> So I wonder about your statements about the governments.  I would tend to 
> agree and trust me there’s little about the scumbags in Washington (or 
> insert your nation’s capital here) that would surprise me but I’m not 
> convinced.  There’s been a ton of bellyaching at least in the US and 
> probably globally about strong cryptography.  For example here in the US 
> the folks in jackboots are trying to convince us that strong cryptography 
> was used in the Paris attacks and if we could only break the cyphers the 
> world would be a safer place. Maybe if we send all our snail mail on post 
> cards as well.  But this bellyaching makes me think they aren’t nearly as 
> good at this signals thing as we’re led to believe.  So while I have 
> heard of hacks before and it is absolutely within the realm of 
> possibility the NSA or whoever has backdoors in everything but if they 
> did would they cry so much about being able to get in the middle and do 
> what spooks do?  Or is this complaining a false cover and they are so 
> intertwined and back door hacked in to everything it doesn’t matter and 
> they want to create a false sense to throw off potential baddies?


I think an important factor here is that the current political 
"Cryptopocalypse" talk around crypto is not *just* about "strong 
cryptography" but more about end-to-end encryption schemes that leverage 
strong crypto.  Compromising Internet infrastructure points (or appliances 
that handle crypto for a large number of users e.g. this ScreenOS issue) 
results in a large amount of successfully compromised traffic per 
compromised host/vector, as the traffic of dozens, thousands, or millions 
of users may flow through those points.  Basically: there is good ROI on 
your exploit work.


The "problem" (from the perspectives of those wanting to eavesdrop) with 
e2e is that getting in the middle somewhere doesn't get you the cleartext 
anymore.  So, rather than being able to compromise ScreenOS or Junos or 
IOS/-XE/-XR and then getting a nice spigot of data from that, you need to 
do any of:


1) compromise the private keys of the specific users you are targeting and 
still pick up their traffic through existing taps of Internet transit 
traffic


2) compromise whatever myriad software/solutions are being used for e2e 
encryption by the targeted users, get the targeted users to use the 
compromised version of those applications/solutions, and still pick up 
their traffic through existing taps of Internet transit traffic


3) compromise the hosts/devices of the targeted users to get on-host, 
cleartext copies of the data post-decryption


That's a *lot* more work than being able to tap reams of data in flight on 
a specific nexus point and makes dragnet surveillance *much* less feasible 
as the time and costs involved would grow significantly.


Just my 2c.

> This is something I’ve been very curious about and the Government’s 
> ability to collect this intelligence fascinates me.  I also wonder, if in 
> fact this was in the ScreenOS source code does that mean that an agency or 
> 2 has plants in Juniper?  I think something similar to this happened with 
> a company producing SIM cards and a plant on the inside was able to gather 
> information enabling the cards to be compromised by the NSA.  Wonder how 
> far this is spread and how many vendors.
>
> Excuse me while I go fashion a hat out of tin foil and stock up on canned 
> goods. :)
>
> Thank you
> Scott



--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)



___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] juniper hack news

2015-12-26 Thread Scott Granados
So I wonder about your statements about the governments.  I would tend to agree 
and trust me there’s little about the scumbags in Washington (or insert your 
nation’s capital here) that would surprise me but I’m not convinced.  There’s 
been a ton of bellyaching at least in the US and probably globally about strong 
cryptography.  For example here in the US the folks in jackboots are trying to 
convince us that strong cryptography was used in the Paris attacks and if we 
could only break the cyphers the world would be a safer place. Maybe if we 
send all our snail mail on post cards as well.  But this bellyaching makes me 
think they aren’t nearly as good at this signals thing as we’re led to 
believe.  So while I have heard of hacks before and it is absolutely within 
the realm of possibility the NSA or whoever has backdoors in everything but 
if they did would they cry so much about being able to get in the middle and do 
what spooks do?  Or is this complaining a false cover and they are so 
intertwined and back door hacked in to everything it doesn’t matter and they 
want to create a false sense to throw off potential baddies?  This is something 
I’ve been very curious about and the Government’s ability to collect this 
intelligence fascinates me.  I also wonder, if in fact this was in the ScreenOS 
source code does that mean that an agency or 2 has plants in Juniper?  I think 
something similar to this happened with a company producing SIM cards and a 
plant on the inside was able to gather information enabling the cards to be 
compromised by the NSA.  Wonder how far this is spread and how many vendors.

Excuse me while I go fashion a hat out of tin foil and stock up on canned 
goods. :)

Thank you
Scott




> On Dec 26, 2015, at 6:08 PM, Aaron Dewell  wrote:
> 
> 
> While that may be completely correct (while not completely provable, it is 
> entirely reasonable to assume it), the immediate question was whether this 
> particular vulnerability affected JunOS also, or only ScreenOS.
> 
> The answer to that more narrow question is that it only affects ScreenOS.
> 
> I think we can assume that most of the software we use today (Windows, MacOS, 
> IOS, JunOS, Linux, FreeBSD, etc.) all contain some form of government-induced 
> weakness.  Exactly what those are have yet to be discovered.  I for one am 
> confident that they all contain at least one if not many.  
> 
> However, the question asked only concerned this particular vulnerability, for 
> which JunOS is not affected.  The malicious code in question was introduced 
> into ScreenOS source code and not into JunOS.
> 
>> On Dec 26, 2015, at 3:21 PM, Chris Cappuccio  wrote:
>> 
>> Hugo Slabbert [h...@slabnet.com] wrote:
>>> 
>>> Am I missing something that indicates this is known to affect Junos as well?
>>> 
>> 
>> I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- 
>> from
>> 2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
>> a new vulnerability in this class of software.
>> 
>> I think the best we can hope is that Juniper was privately informed and has
>> quietly patched any JunOS vulnerabilities.
>> 
>> Juniper has a lot of international business to lose from public
>> vulnerabilities in core Internet infrastructure. Cisco already took a large
>> hit.
>> 
>> I don't know what else to say. Anyone who thinks that the NSA did not develop
>> this capability in 2011 needs to read. Anyone who thinks NSA can't develop
>> this capability again (once their old vulnerabilities are burned) does not
>> understand the class of this attacker.

Re: [j-nsp] juniper hack news

2015-12-26 Thread Hugo Slabbert
What he said ;-)
--
Hugo
h...@slabnet.com: email, xmpp/jabber
also on Signal

 From: Aaron Dewell  -- Sent: 2015-12-26 - 15:08 


>
> While that may be completely correct (while not completely provable, it is 
> entirely reasonable to assume it), the immediate question was whether this 
> particular vulnerability affected JunOS also, or only ScreenOS.
>
> The answer to that more narrow question is that it only affects ScreenOS.
>
> I think we can assume that most of the software we use today (Windows, MacOS, 
> IOS, JunOS, Linux, FreeBSD, etc.) all contain some form of government-induced 
> weakness.  Exactly what those are have yet to be discovered.  I for one am 
> confident that they all contain at least one if not many.
>
> However, the question asked only concerned this particular vulnerability, for 
> which JunOS is not affected.  The malicious code in question was introduced 
> into ScreenOS source code and not into JunOS.
>
>> On Dec 26, 2015, at 3:21 PM, Chris Cappuccio  wrote:
>>
>> Hugo Slabbert [h...@slabnet.com] wrote:
>>>
>>> Am I missing something that indicates this is known to affect Junos as well?
>>>
>>
>> I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- 
>> from
>> 2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
>> a new vulnerability in this class of software.
>>
>> I think the best we can hope is that Juniper was privately informed and has
>> quietly patched any JunOS vulnerabilities.
>>
>> Juniper has a lot of international business to lose from public
>> vulnerabilities in core Internet infrastructure. Cisco already took a large
>> hit.
>>
>> I don't know what else to say. Anyone who thinks that the NSA did not develop
>> this capability in 2011 needs to read. Anyone who thinks NSA can't develop
>> this capability again (once their old vulnerabilities are burned) does not
>> understand the class of this attacker.

Re: [j-nsp] juniper hack news

2015-12-26 Thread Aaron Dewell

While that may be completely correct (while not completely provable, it is 
entirely reasonable to assume it), the immediate question was whether this 
particular vulnerability affected JunOS also, or only ScreenOS.

The answer to that more narrow question is that it only affects ScreenOS.

I think we can assume that most of the software we use today (Windows, MacOS, 
IOS, JunOS, Linux, FreeBSD, etc.) all contain some form of government-induced 
weakness.  Exactly what those are have yet to be discovered.  I for one am 
confident that they all contain at least one if not many.  

However, the question asked only concerned this particular vulnerability, for 
which JunOS is not affected.  The malicious code in question was introduced 
into ScreenOS source code and not into JunOS.

> On Dec 26, 2015, at 3:21 PM, Chris Cappuccio  wrote:
> 
> Hugo Slabbert [h...@slabnet.com] wrote:
>> 
>> Am I missing something that indicates this is known to affect Junos as well?
>> 
> 
> I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- from
> 2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
> a new vulnerability in this class of software.
> 
> I think the best we can hope is that Juniper was privately informed and has
> quietly patched any JunOS vulnerabilities.
> 
> Juniper has a lot of international business to lose from public
> vulnerabilities in core Internet infrastructure. Cisco already took a large
> hit.
> 
> I don't know what else to say. Anyone who thinks that the NSA did not develop
> this capability in 2011 needs to read. Anyone who thinks NSA can't develop
> this capability again (once their old vulnerabilities are burned) does not
> understand the class of this attacker.


Re: [j-nsp] juniper hack news

2015-12-26 Thread Chris Cappuccio
Hugo Slabbert [h...@slabnet.com] wrote:
> 
> Am I missing something that indicates this is known to affect Junos as well?
>

I just gave you a link to a formal NSA/GCHQ "TOP SECRET" documentation -- from
2011 -- which says they are DOING IT. It only takes NSA ~90 days to develop
a new vulnerability in this class of software.

I think the best we can hope is that Juniper was privately informed and has
quietly patched any JunOS vulnerabilities.

Juniper has a lot of international business to lose from public
vulnerabilities in core Internet infrastructure. Cisco already took a large
hit.

I don't know what else to say. Anyone who thinks that the NSA did not develop
this capability in 2011 needs to read. Anyone who thinks NSA can't develop
this capability again (once their old vulnerabilities are burned) does not
understand the class of this attacker.


Re: [j-nsp] juniper hack news

2015-12-26 Thread Hugo Slabbert
On Sat 2015-Dec-26 07:58:47 -0800, Chris Cappuccio wrote:

> Hugo Slabbert [h...@slabnet.com] wrote:
>>> Does this affect any other juniper gear ?
>>
>> Not as of this moment, no.  It's limited to ScreenOS.
>
> Sorry, this is false. It's clear in the documentation that
> JunOS was targeted as well.


Not by any means to discourage people from doing their own due diligence 
and vetting for themselves whether their gear is affected, but either you 
or I are reading different sources, or the holidays are affecting my 
reading comprehension even more than I thought...


http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554


Q: What devices do these issues impact?

Administrative access (CVE-2015-7755) only affects devices running ScreenOS 
6.3.0r17 through 6.3.0r20.


VPN Decryption (CVE-2015-7756) only affects devices running ScreenOS 
6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.


We strongly recommend that all customers update their systems and apply the 
patched releases with the highest priority
 


Q: Is the SRX or any other Junos®-based system affected by these issues?

These vulnerabilities are specific to ScreenOS. We have no evidence that 
the SRX or other devices running Junos are impacted at this time.



https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST&smlogin=true

Administrative Access (CVE-2015-7755) allows unauthorized remote 
administrative access to the device. Exploitation of this vulnerability 
can lead to complete compromise of the affected device.


This issue only affects ScreenOS 6.3.0r17 through 6.3.0r20.  No other 
Juniper products or versions of ScreenOS are affected by this issue.


...

VPN Decryption (CVE-2015-7756) may allow a knowledgeable attacker who can 
monitor VPN traffic to decrypt that traffic. It is independent of the 
first issue.


This issue affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 
6.3.0r20. No other Juniper products or versions of ScreenOS are affected by 
this issue.



https://adamcaudill.com/2015/12/17/much-ado-about-juniper/

This morning, Juniper Networks announced an out-of-cycle update for their 
ScreenOS firewall operating system (not the newer Junos[1]) to patch two 
unrelated issues (both identified as CVE-2015-7755):


Am I missing something that indicates this is known to affect Junos as 
well?


--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)

[1] https://twitter.com/llorenzin/status/677663294132457472
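
Added example, not part of the original thread or of Juniper's advisory: a small inventory triage that applies the affected ScreenOS ranges exactly as quoted from the advisory in the message above. The inventory format, hostnames and sample versions are constructed for illustration; any version string that is not a plain `X.Y.ZrN` is flagged for manual review instead of being guessed at.

```python
import re

# Affected ranges as quoted from Juniper's advisory in the message above:
# CVE -> {(major, minor, patch): [(first_r, last_r), ...]}, bounds inclusive.
AFFECTED = {
    "CVE-2015-7755": {(6, 3, 0): [(17, 20)]},
    "CVE-2015-7756": {(6, 2, 0): [(15, 18)], (6, 3, 0): [(12, 20)]},
}

# Assumption: a plain ScreenOS release looks like "6.3.0r17". Anything else
# (for example a suffixed build) does not match and is sent to manual review.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)")

def cves_for(version):
    """Return the list of matching CVEs, or None if the string is not recognised."""
    m = _VERSION.fullmatch(version.strip())
    if m is None:
        return None
    major, minor, patch, rel = map(int, m.groups())
    hits = []
    for cve, trains in AFFECTED.items():
        ranges = trains.get((major, minor, patch), [])
        if any(lo <= rel <= hi for lo, hi in ranges):
            hits.append(cve)
    return hits

def triage(inventory_text):
    """Map hostname -> status for 'hostname,platform,version' lines."""
    report = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, version = (f.strip() for f in line.split(","))
        if platform.lower() != "screenos":
            # The advisory scopes both issues to ScreenOS only.
            report[host] = "not ScreenOS: outside these two advisories"
            continue
        hits = cves_for(version)
        if hits is None:
            report[host] = "REVIEW: unrecognised version string"
        elif hits:
            report[host] = "AFFECTED: " + ", ".join(hits)
        else:
            report[host] = "not in affected range"
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# hostname,platform,version
fw-edge-01,screenos,6.3.0r19
fw-branch-02,screenos,6.2.0r16
fw-lab-03,screenos,6.3.0r11
fw-dc-04,screenos,6.3.0r19b
srx-core-05,junos,12.1X46-D40
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```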




Re: [j-nsp] juniper hack news

2015-12-26 Thread Chris Cappuccio
Hugo Slabbert [h...@slabnet.com] wrote:
> >Does this affect any other juniper gear ?
> 
> Not as of this moment, no.  It's limited to ScreenOS.
> 
> -- 
> Hugo
> 
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
> 
> (also on Signal)
> 
> On Mon 2015-Dec-21 10:45:04 -0600, Aaron  wrote:
> 
> >Y'all know anything about this ?  Folks in my organization are concerned.
> >It seems to be that it only affects certain versions of Juniper Netscreen
> >ScreenOS.
> >
> >
> >
> >Does this affect any other juniper gear ?
> >
> >

Interesting, even Edward Snowden thinks that Juniper was _not_
complicit in the password backdoor exploit (despite the fact that it was
compiled into ScreenOS)

https://twitter.com/Snowden/status/680056603987558401


Re: [j-nsp] juniper hack news

2015-12-26 Thread Chris Cappuccio
Hugo Slabbert [h...@slabnet.com] wrote:
> >Does this affect any other juniper gear ?
> 
> Not as of this moment, no.  It's limited to ScreenOS.
> 
> -- 
> Hugo
> 
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
> 
> (also on Signal)
> 
> On Mon 2015-Dec-21 10:45:04 -0600, Aaron  wrote:
> 
> >Y'all know anything about this ?  Folks in my organization are concerned.
> >It seems to be that it only affects certain versions of Juniper Netscreen
> >ScreenOS.
> >
> >
> >
> >Does this affect any other juniper gear ?
> >

https://assets.documentcloud.org/documents/2653542/Juniper-Opportunity-Assessment-03FEB11-Redacted.pdf

there's also plenty of comments out there like this:

https://twitter.com/daviottenheimer/status/677629923595522048


Re: [j-nsp] juniper hack news

2015-12-26 Thread Chris Cappuccio
Hugo Slabbert [h...@slabnet.com] wrote:
> >Does this affect any other juniper gear ?
> 
> Not as of this moment, no.  It's limited to ScreenOS.
> 

Sorry, this is false. It's clear in the documentation that
JunOS was targeted as well.


Re: [j-nsp] juniper hack news

2015-12-21 Thread Hugo Slabbert

> Does this affect any other juniper gear ?

Not as of this moment, no.  It's limited to ScreenOS.

--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on Signal)

On Mon 2015-Dec-21 10:45:04 -0600, Aaron  wrote:

> Y'all know anything about this ?  Folks in my organization are concerned.
> It seems to be that it only affects certain versions of Juniper Netscreen
> ScreenOS.
>
> Does this affect any other juniper gear ?
>
> http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search
>
> http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554
>
> http://thehackernews.com/2015/12/hacking-juniper-firewall-security.html
>
> Aaron

[j-nsp] juniper hack news

2015-12-21 Thread Aaron
Y'all know anything about this ?  Folks in my organization are concerned.
It seems to be that it only affects certain versions of Juniper Netscreen
ScreenOS.

Does this affect any other juniper gear ?

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search

http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554

http://thehackernews.com/2015/12/hacking-juniper-firewall-security.html

Aaron