Juniper
Juniper has disclosed unauthorised code in ScreenOS. Two distinct backdoors — administrative authentication, and VPN traffic decryption. Disclosed during the Christmas patch lull.
Lenovo shipped consumer laptops with Superfish, an ad-injection package that interposes a self-signed root certificate. The same private key on every machine. A predictable, terrible week.
A week after CrySyS, Kaspersky, and the Iranian MAHER CERT published their initial Flame analyses. The MD5-collision-based code-signing pivot, the Microsoft Update path, and what this tells us about the operational tempo of the people who built Stuxnet.
The Coviello letter from Monday is the admission. The seed records, or whatever was actually taken from RSA in March, have now been used. Ninety thousand SecurID tokens to be re-seeded at Lockheed.