The Spy Who Hacked Me?

By now, you’ve read about how Juniper Networks discovered “spy code” in a number of its firewall products. That’s unnerving when you think that firewalls — those from a reputable company like Juniper at that — are the first line of defense for keeping unwanted visitors out of your network.

Juniper reported finding the unauthorized code during an internal code review. According to Computerworld, the problem affected a whole range of ScreenOS appliances used as firewalls and VPN gateways, and some of the unauthorized code had been present in shipped releases since late 2012.

Juniper has already issued patched ScreenOS releases that remove the code. But that still leaves a lot of firewalls to be updated.

If even your best preventive measures can’t be trusted, how can you tell if someone’s been spying on your company’s data?

Who hacked Juniper and why?

This is more than another Company X making the news for having been hacked. It's more basic than that. The code in question was inserted into the source of ScreenOS, the operating system that runs the affected NetScreen firewall appliances, and compiled into the releases Juniper shipped to customers.

That suggests one of two things: either Juniper itself was compromised a few years back, giving an outsider access to its source code management system, or someone inside the company worked with a third party to achieve the same result. Either way, the result was twofold. One change weakened the VPN implementation so that an attacker able to capture VPN traffic could decrypt it, and a second change compiled an authentication "backdoor" into the NetScreen appliance OS.

The backdoor allows "someone" to log in to the firewall with administrative rights, without brute-forcing any credentials, and from there to monitor and even record the data flowing through the device. With control of the firewall's policy, they can also open a path to any system behind it, whether or not that system is otherwise exposed.

Although such spy code smacks of “state-sponsored” tampering, we don’t know (or Juniper hasn’t said) who the third party might have been. Whoever it is, they could have quietly accessed and monitored the data of any company using one of these firewall or VPN devices since 2012.

That’s huge.

Prevention alone isn’t enough

This isn’t just about Juniper. In fact, the company has been very forthcoming about its investigation and quick to produce patches. One hopes that they and other appliance providers will be doing more frequent code reviews in the future.

You can patch your firewalls today, of course. But whether you use Juniper, Cisco or any other trusted name, a hacker is a hacker — whether they’re a thief or a well-meaning government agency.

Inside the firewall, a traditional SIEM might log the logins that exploit the affected code. But an attacker who already holds administrative access to the device can edit or clear its logs to remove their tracks, and a SIEM that only collects and queries logs after the fact never sees what was deleted. (The one record an attacker cannot edit retroactively is a log line that was forwarded off the device the moment it was written.) So if you can't trust your firewalls or your traditional SIEM logs, how would you ever know you've been hacked?

The key is to detect intrusion in real time, so you can act to minimize the damage. That means going beyond firewalls and beyond passive SIEM. Continuous, intelligent intrusion detection is the only reliable way to catch, and stop, the "spy who hacks you."
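One concrete shape this takes for a firewall whose own login check can no longer be trusted: stream its admin-login events off the box as they are written and alert on any login whose source host, account name, or protocol falls outside what you expect, since a backdoor that bypasses the password check still produces a login record. The following is an added example written for this post, not code from the original article or from Juniper. The log lines are constructed for the demo and only approximate the ScreenOS "Admin user ... has logged on" message format; the management network, the expected admin accounts, and the `scan`/`classify` helpers are hypothetical.

```python
"""Real-time admin-login monitor for forwarded firewall syslog.

Added example, not code from the original post or from Juniper. The sample
log lines below are constructed and only approximate the ScreenOS admin
login message; the allowlists are hypothetical.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical allowlist: the only network that should ever reach the
# firewall's management plane, and the only admin accounts that exist.
MGMT_NETWORKS = [ip_network("10.0.0.0/24")]
EXPECTED_ADMINS = {"netscreen", "fwadmin"}

# Matches a syslog line carrying an admin login event. The "system-warning"
# prefix and message text are an approximation of the ScreenOS format.
LOGIN_RE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'.*Admin user "(?P<user>[^"]+)" has logged on via (?P<proto>\w+) '
    r'from (?P<src>[\d.]+):(?P<port>\d+)'
)

# Constructed sample: two normal logins, one non-login line, two logins an
# attacker using a backdoor or stolen credentials might produce.
SAMPLE_LOG = [
    '2015-12-18 09:12:01 fw01 system-warning-00515: Admin user "netscreen" '
    'has logged on via SSH from 10.0.0.15:49152',
    '2015-12-18 09:40:22 fw01 system-warning-00515: Admin user "backup" '
    'has logged on via Telnet from 203.0.113.7:60001',
    '2015-12-18 10:02:43 fw01 system-warning-00515: Admin user "fwadmin" '
    'has logged on via SSH from 10.0.0.15:49222',
    '2015-12-18 10:15:00 fw01 system-notification-00257: Policy 12 '
    'permitted traffic from trust to untrust',
    '2015-12-18 23:58:10 fw01 system-warning-00515: Admin user "netscreen" '
    'has logged on via SSH from 198.51.100.9:41000',
]


def parse_login(line):
    """Return a dict for an admin login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["src"] = ip_address(ev["src"])
    ev["port"] = int(ev["port"])
    return ev


def classify(ev):
    """Return the reasons a login is suspicious; an empty list means normal.

    Each check is independent of whether the firewall accepted the password,
    which is the point when the password check itself may be backdoored.
    """
    reasons = []
    if not any(ev["src"] in net for net in MGMT_NETWORKS):
        reasons.append(f"login from non-management host {ev['src']}")
    if ev["user"] not in EXPECTED_ADMINS:
        reasons.append(f"unknown admin account '{ev['user']}'")
    if ev["proto"].lower() == "telnet":
        reasons.append("cleartext telnet management session")
    return reasons


def scan(lines):
    """Scan a stream of syslog lines; return (ts, user, src, reasons) per alert."""
    alerts = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["ts"], ev["user"], str(ev["src"]), reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, src, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {ts} user={user} src={src}: " + "; ".join(reasons))
```

In production the input would be the live syslog feed the firewall forwards to a collector, not a list, and the alert would go to an on-call channel rather than stdout; the checks themselves stay the same. Because the events are evaluated as they arrive at the collector, clearing the firewall's local log afterwards does not remove the alert.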


Originally published at www.paranet.com.
