By Jim Finkle
BOSTON Dec 21 Networking equipment maker Cisco
Systems Inc said on Monday it has launched a product
review to look for tampering after rival Juniper Networks Inc's
disclosure it found code in firewall software that made
it vulnerable to cyber attacks.
Juniper warned customers on Thursday that it had uncovered
"unauthorized code" in its firewall software, saying it could be
exploited to allow an attacker to unscramble encrypted
communications that travel through the security devices.
That prompted the code review by Cisco. Security experts
said they expect other technology companies to conduct similar
investigations after last week's unprecedented news from
Juniper.
It was the first time a major technology firm discovered the
addition of an unauthorized "back door," or code that could be
exploited to facilitate cyber attacks, according to security
experts.
"I can't imagine there is a major vendor that isn't doing a
major code audit now," said HD Moore, chief research officer
with Rapid7 Inc.
Technology companies regularly audit their code for bugs,
including "back doors" that attackers could leverage to launch
cyber attacks on customer networks.
But Moore said that such reviews focus on "back doors" that
are unintentionally created, not ones inserted without the
manufacturer's knowledge.
"The challenge is that nobody has been looking for this in
the past," said Moore, an expert in software vulnerabilities.
"If you know you are looking for a malicious backdoor, you have
a much better chance of finding something."
Cryptologist Bruce Schneier said that technology companies
should have long been looking for unauthorized code, but that
many ignored the problem since the reviews boost expenses.
"The fundamental problem is that the market doesn't reward
the things we want like secure code. Nobody wants to pay for
it," he said.
Cisco said on its blog that the testing will include code
reviews by engineers with deep networking and cryptography
experience as well as penetration testing, a process where
technicians attempt to attack products to find bugs the way
malicious hackers might seek to exploit them.
Meanwhile, the U.S. Department of Homeland Security said it
was investigating how the Juniper "back door" might impact
government networks.
"As we routinely do when such vulnerabilities are brought to
light, we are assessing the potential impact, if any, on federal
networks, and will take any appropriate mitigation measures in
close coordination with interagency partners," said agency
spokesman S.Y. Lee.
