Juniper’s ScreenOS source code base was hacked, backdoors were installed, code was deployed everywhere, for years

Important Announcement about ScreenOS®; Bob Worrall (Juniper); 2015-12-17.
Bob Worrall is Senior Vice President & Chief Information Officer, Juniper.

<quote>During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.</quote>


  • patches
  • Affected
    • ScreenOS 6.2.0r15 through 6.2.0r18
      released “in” 2008.
    • ScreenOS 6.3.0r12 through 6.3.0r20.
      released “in” 2009.
  • Not Affected (per Juniper)
    • SRX
    • Junos
  • Effect
    • Remote administrator access
      • SSH
      • Telnet
    • “enabling” VPN decryption (whatever that means)


  • In place since 2012.
    • source: a tweet
  • The compromise in place since 2008.
    • source: The Register, speculation.


in archaeological order; derivative effluent on top, more original work below.

Via: backfill.


Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice | Adrian et al. (+13 others)

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, Paul Zimmermann; Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice; Available at; 2015-05-20; 13 pages.


We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present a novel flaw in TLS that allows a man-in-the-middle to downgrade connections to “export-grade” Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in this group in minutes. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups.

We go on to consider Diffie-Hellman with 768- and 1024-bit groups. A small number of fixed or standardized groups are in use by millions of TLS, SSH, and VPN servers. Performing precomputations on a few of these groups would allow a passive eavesdropper to decrypt a large fraction of Internet traffic. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.


  • System Administration Guide
    Remediations (and see below)

    • Diffie-Hellman Key Exchange (DHKE) > 1024 bits
    • Elliptic Curve Diffie-Hellman (ECDH)
  • Elliptic Curve Diffie-Hellman (ECDH)
  • Logjam
    a pun on Discrete Logarithm


Summarization of the Guide to Deploying Diffie-Hellman for TLS from



Yes, there were references






  • Chromodo
  • Dragon
  • IceDragon


  • Advisory; by PrivDog
  • Vulnerability Note VU#366544Adtrustmedia PrivDog fails to validate SSL certificates
  • Vulnerability Note VU#529496Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA certificates and private keys


Melih Abdulhayoğlu

Announcing PrivDog
Announcing Comodo

 Melih Abdulhayoğlu


In archaeological order … derivatives on top, more original sources below…


  • had issues before
  • “Superfish’s mistake was using the same root certificate across all deployments. PrivDog’s mistake is not validating certificates at all.” attributed to Amichai Shulman, CTO of security firm Imperva in PC World.


Actualities; Screenshot from 2015-02-24 19:02:14PrivDog Secure Connection Inspector CA
Bank of America MITM
Via: backfill

The laptop was protected with a strong 8-character password

The focus group did a nickel in Lucile’s fine institution over a decade ago. Today we receive…

And it bears repeating…


Pretty sure though that you are not allowed to use the word “strong” in combination with the word “password” on the internet unless you have twelve. Just like they sell eggs, and hanging juries, honest, strong and true. You need twelve. And twelve is the number of the counting; so shall it be twelve, not eight or seven. But twelve. Or maybe thirteen or thirty. But not eight. Definitely not eight.  cite

“We were doing the best we could, with the tools they give us. Dammit, we’re doctors Jim, not opsec jocks!”   Fair enough.  Redmond laptop was it?  Why didn’t you say so in the missal?