NSA Apparently Purchasing Software Exploits From French Security Firm

from the and-everyone's-a-little-less-safe-now dept

The long history of US intelligence agencies' access to software exploits is well-documented. In the interest of "safety," the US government has undermined the safety of millions of users by stockpiling exploits and using them for as long as possible before patches and updates close the security holes. Some it acquires from companies that report holes in their own products straight to the NSA and other agencies. Others it buys from contractors that specialize in probing software for usable exploits.

Heather Akers-Healy, using Muckrock's FOIA service, recently obtained a document from the NSA detailing its purchase of exploits from Vupen, a French security company that specializes in selling exploits. Unfortunately, the details in this "detailing" are incredibly sparse: most of what might be interesting is redacted, and the majority of the document is standard contractual clauses.

If there's anything of interest here (beyond the purchase of exploits itself), it's the fact that the transaction takes place on a nondescript form that can be used for a variety of products. Thanks to the standardized wording, it almost appears as though the NSA has the option to purchase exploits by the truckload -- and that said exploits can only be delivered during normal receiving hours of 7:30 am - 2:30 pm.

That being said, the purchase of exploits is something the NSA has been (comparatively) open about. Vupen, or at least its founder and CEO Chaouki Bekrar (who refers to himself as the "Darth Vader of Cybersecurity"), seems rather open about the exploit market itself. As Muckrock points out, Bekrar suggested other FOIA request topics when confronted with this document.

Vupen is looking to open an office in Maryland, which would put it in the same neighborhood as several other government contractors -- and the NSA's headquarters. It certainly wouldn't hurt to be a short drive away from some well-funded government agencies. Bekrar also tweeted a link to a Washington Post story noting that the NSA had $25 million to throw in the direction of software vulnerabilities.

The "Binary Analysis and Exploits" subscription (pre-paid, yearly) that the NSA purchased is described on Vupen's site as more of a defensive product, but it's highly unlikely the intelligence agency viewed it the same way.

With 15 to 20 binary analysis and private 1-day exploits/PoCs released by VUPEN each month, the VUPEN Binary Analysis and Exploits service allows gov organizations to quickly and easily evaluate risks related to the most recent vulnerabilities, and protect national infrastructures against critical vulnerabilities before they are exploited in the wild.

Why the NSA didn't simply go with Vupen's more "proactive" product, "Exclusive and Sophisticated Exploits for Offensive Security", is unknown, unless better exploits were available in the defensive package. One caveat on the labels: the "1-day" exploits in the defensive subscription target vulnerabilities that have already been publicly disclosed (typically with a patch available), whereas the offensive package, as quoted below, deals in "undisclosed vulnerabilities." A reliable exploit for a disclosed bug is still perfectly usable against any target that hasn't applied the patch yet, so the defensive/offensive distinction says more about the marketing than about what the code can do.

While the NSA's document may lack details, a brochure obtained by Wikileaks shows what's available in Vupen's offensive package. This service targets law enforcement agencies (LEAs) as well as government agencies. LEAs could certainly be considered a "growth market," especially since so many are "rebranding" themselves as entities somewhere between a military force and an unofficial FBI field office.

What this program does is turn your subscription fee into credits and let you (the LEA or government agency) spend those credits on exploits, priced according to how valuable Vupen feels they are. It's like a Wii store for vulnerabilities. The ultimate aim?
VUPEN Exploits for Law Enforcement Agencies aim to deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by VUPEN security researchers. This is a reliable and secure approach to help LEAs and investigators in covertly attacking and gaining access to remote computer systems.
Now, Vupen states on its site and in its brochures that it will only sell to "trusted countries and government agencies." Even if that is entirely true, the underlying issue doesn't go away. Instead of identifying holes and working with software vendors to get them patched (or at least informing the general public), it's selling them off to various intelligence and law enforcement agencies.

If Vupen can find these exploitable holes, so can other, less trustworthy actors, whether they're governments that don't quite make the "trusted" list or simply individuals looking to profit from the misery of others. Vupen can't corner this market. A security hole is a security hole: no one owns it, and no one can prevent others from exploiting it (other than by closing the hole). What Vupen is selling isn't necessarily scarce, and what it's doing is letting the public (including its paying customers) assume the risk while it profits.



Filed Under: foia, nsa, nsa surveillance, purchases, security, software exploits
Companies: vupen


Reader Comments


  1. identicon
    pegr, 18 Sep 2013 @ 1:44pm

    Actually, I'm OK with this

    The NSA is supposed to help protect us too, right? By buying zero days, they know before the issue becomes public, thereby warning (us|vendors|defense contractors) first.

    The more-evil-me says they do it to know when the zero days they made are about to become public.


  2. identicon
    Anonymous Coward, 18 Sep 2013 @ 1:53pm

    Re: Actually, I'm OK with this

    Yeah, I frequently get warned by the NSA about exploits.


  3. identicon
    Anonymous Coward, 18 Sep 2013 @ 2:23pm

    Re: Actually, I'm OK with this

    I don't think that's how they're using this.

  4. icon
    DannyB (profile), 18 Sep 2013 @ 2:29pm

    Wouldn't that be a French INSECURITY firm?

    > NSA Apparently Purchasing Software Exploits From French Security Firm

    Wouldn't that make it a French Insecurity firm?

  5. icon
    DannyB (profile), 18 Sep 2013 @ 2:37pm

    Even If . . .

    > Now, Vupen states on its site and in its brochures that
    > it will only sell to "trusted countries and government agencies."
    > Even if that is entirely true . . .

    It is not. They are selling to the NSA. Trusted government agencies? I think not.


  6. identicon
    Anonymous, 18 Sep 2013 @ 2:48pm

    Re: Wouldn't that be a French INSECURITY firm?

    I can hardly wait till they get hacked. :)


  7. icon
    artp (profile), 18 Sep 2013 @ 3:49pm

    Equal justice for all under the law

    So this apparently doesn't violate the Computer Fraud and Abuse Act (CFAA) or the Department of Justice would be all over Vupen like stink on a skunk, right?


  8. identicon
    Anonymous Coward, 18 Sep 2013 @ 5:21pm

    It's FinFisher's sister company.


  9. identicon
    Anonymous Coward, 18 Sep 2013 @ 5:42pm

    Re: Equal justice for all under the law

    CFAA only applies to geeks that are not employed by the government... didn't you get the memo?

  10. identicon
    Anonymous, 18 Sep 2013 @ 6:04pm

    VUPEN

    VUPEN is one of those criminal companies that sells our security and privacy to doubtful government agencies for big money. It means that there are no ethics in such a company; how can you know if this exploit code you sold to the NSA will not be used for mass snooping on your fellow citizens?
    Since when should you trust your government? History has clearly shown that we should not.
    I don't think Mr Bekrar does this for any national security purposes; he just wants to play it safe with the most powerful government. Also, his behavior in pointing at other companies which sell more exploit packs than VUPEN shows a lot about him.

  11. identicon
    Wolfy, 18 Sep 2013 @ 10:41pm

    Purchasing ANY security-related software/services from a foreign vendor should be prohibited.

    What the FUCKING HELL are those morons thinking/smoking???

    If they're good enough to know there are no back-doors installed, they're good enough to write it in-house.

    I cannot believe the level of Stupid I'm seeing from Congress, The White house, and the so-called Security Services. I feel like I slowly transitioned to a "Bizarro" America, that no longer recognises reality.


  12. identicon
    Long memory is illegal?, 19 Sep 2013 @ 2:53am

    Vupen

    Ok. That came out too. When will newspapers publish the rest of buyers for exploits against their own citizens.

    And doublecheck that otherwise promising little thing called DNSSEC, will you ?


  13. icon
    Paul Keating (profile), 19 Sep 2013 @ 4:46am

    NSA Exploits Purchases

    I wonder how many of NSA's purchases deal with exploits of NSA's own systems?


  14. icon
    RyanNerd (profile), 19 Sep 2013 @ 8:25am

    A pig...

    A french Pig!


  15. icon
    btrussell (profile), 20 Sep 2013 @ 3:14am

    Re: Wouldn't that be a French INSECURITY firm?

    All security firms are in security. The "firm" is the giveaway.
