Cisco reviews code after Juniper breach; more scrutiny expected

BOSTON (Reuters) - Networking equipment maker Cisco Systems Inc said on Monday it has launched a product review to look for tampering after rival Juniper Networks Inc’s disclosure found code in firewall software that made it vulnerable to cyber attacks.

The Cisco Systems logo is seen as part of a display at the Microsoft Ignite technology conference in Chicago, Illinois, May 4, 2015. REUTERS/Jim Young

Juniper warned customers on Thursday that it had uncovered “unauthorized code” in its firewall software, saying it could be exploited to allow an attacker to unscramble encrypted communications that travel through the security devices.

That prompted the code review by Cisco. Security experts said they expect other technology companies to conduct similar investigations after last week’s unprecedented news from Juniper.

It was the first time a major technology firm discovered the addition of an unauthorized ‘back door,” or code that could be exploited to facilitate cyber attacks, according to security experts.

“I can’t imagine there is a major vendor that isn’t doing a major code audit now,” said HD Moore, chief research officer with Rapid7 Inc.

Technology companies regularly audit their code for bugs, including “back doors” that attackers could leverage to launch cyber attacks on customer networks.

But Moore said that such reviews focus on “back doors” that are unintentionally created, not ones inserted without the manufacturer’s knowledge.

“The challenge is that nobody has been looking for this in the past,” said Moore, an expert in software vulnerabilities. “If you know you are looking for a malicious backdoor, you have a much better chance of finding something.”

Cryptologist Bruce Schneier said that technology companies should have long been looking for unauthorized code, but that many ignored the problem since the reviews boost expenses.

“The fundamental problem is that the market doesn’t reward the things we want like secure code. Nobody wants to pay for it,” he said.

Cisco said on its blog that the testing will include code reviews by engineers with deep networking and cryptography experience as well as penetration testing, a process where technicians attempt to attack products to find bugs the way malicious hackers might seek to exploit them.

Meanwhile, the U.S. Department of Homeland Security said it was investigating how the Juniper “back door” might impact government networks.

“As we routinely do when such vulnerabilities are brought to light, we are assessing the potential impact, if any, on federal networks, and will take any appropriate mitigation measures in close coordination with interagency partners,” said agency spokesman S.Y. Lee.

Reporting by Jim Finkle. Additional reporting by Dustin Volz; Editing by Alan Crosby