NSA Apparently Purchasing Software Exploits From French Security Firm
from the and-everyone's-a-little-less-safe-now dept
The long history of US intelligence agencies' access to software exploits is well-documented. In the interest of "safety," the US government has undermined the safety of millions of users by gathering up exploits and utilizing them for as long as possible before patches and updates close the security holes. Some it acquires directly from companies that report holes in their systems directly to the NSA and other agencies. Others it buys from contractors that specialize in probing software for usable exploits.
Heather Akers-Healy, using Muckrock's FOIA service, recently obtained a document from the NSA (via a FOIA request) detailing its purchase of exploits from Vupen, a French security company specializing in sellable exploits. Unfortunately, the details in this "detailing" are incredibly sparse. Most of what might be interesting is redacted and a majority of the document is standard contractual clauses.
If there's anything of interest here (beyond the purchase of exploits), it's the fact that the transaction takes place on a nondescript form which can be used to handle a variety of products. Due to the standardized wording, it almost appears as though the NSA has the option to purchase exploits by the truckload -- and that said exploits can only be delivered during the normal receiving hours of 7:30 am - 2:30 pm.
That being said, the purchase of exploits is something the NSA has been pretty open about (comparatively). Vupen, or at least its founder and CEO Chaouki Bekrar (who refers to himself as the "Darth Vader of Cybersecurity"), seems rather open about the exploit market itself. As Muckrock points out, Bekrar suggested other FOIA request topics when confronted with this document.
@abbynormative @MuckRockNews You would better ask NSA for contracts with biggest zero-day sellers in US: Northrop, Lockheed Martin, Raytheon
— Chaouki Bekrar (@cBekrar) September 2, 2013
The "Binary Analysis and Exploits" subscription (pre-paid, yearly) that the NSA purchased is described on Vupen's site as more of a defensive product, but it's highly unlikely intelligence the agency viewed it the same way.
With 15 to 20 binary analysis and private 1-day exploits/PoCs released by VUPEN each month, the VUPEN Binary Analysis and Exploits service allows gov organizations to quickly and easily evaluate risks related the most recent vulnerabilities, and protect national infrastructures against critical vulnerabilities before they are exploited in the wild.Why the NSA didn't simply go with Vupen's more "proactive" product, "Exclusive and Sophisticated Exploits for Offensive Security", is unknown, unless better exploits were available in the defensive package.
While the NSA's document may lack a lot of details, a brochure obtained by Wikileaks shows what's available in Vupen's offensive package. This service targets law enforcement agencies (LEAs) as well as government agencies. LEAs could certainly be considered a "growth market," especially since so many are "rebranding" themselves as entities lying somewhere between a military force and an unofficial FBI field office.
What this program does is turn your subscription fee into credits and allow you (the LEA/government) to buy exploits with these credits (based on how valuable Vupen feels they are). It's like a Wii store for vulnerabilities. The ultimate aim?
VUPEN Exploits for Law Enforcement Agencies aim to deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by VUPEN security researchers. This is a reliable and secure approach to help LEAs and investigators in covertly attacking and gaining access to remote computer systems.Now, Vupen states on its site and in its brochures that it will only sell to "trusted countries and government agencies." Even if that is entirely true, the underlying issue doesn't go away. Instead of identifying holes and working with software companies to get them patched (or at least informing the general public), it's selling these off to various intelligence/law enforcement agencies.
If Vupen can find these exploitable holes, so can other untrustworthy actors, whether they're governments that don't quite make the "trusted" list or simply individuals looking to profit on the misery of others. Vupen can't corner this market. A security hole is a security hole and no one owns it or can prevent others from exploiting it (other than by closing the hole). What it's selling isn't necessarily scarce and what it's doing is allowing the public (including paying customers) to assume the risk while it profits.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: foia, nsa, nsa surveillance, purchases, security, software exploits
Companies: vupen
Reader Comments
Subscribe: RSS
View by: Time | Thread
Actually, I'm OK with this
The more-evil-me says they do it to know when the zero days they made are about to become public.
[ link to this | view in thread ]
Re: Actually, I'm OK with this
[ link to this | view in thread ]
Re: Actually, I'm OK with this
[ link to this | view in thread ]
Wouldn't that be a French INSECURITY firm?
Wouldn't that make it s French Insecurity firm?
[ link to this | view in thread ]
Even If . . .
> it will only sell to "trusted countries and government agencies."
> Even if that is entirely true . . .
It is not. They are selling to the NSA. Trusted government agencies? I think not.
[ link to this | view in thread ]
Re: Wouldn't that be a French INSECURITY firm?
[ link to this | view in thread ]
Equal justice for all under the law
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Equal justice for all under the law
[ link to this | view in thread ]
VUPEN
Since when you should trust your government ? History has clearly show that we should not.
I don't think Mr Bekrar do this for any national security purposes, he just want to play safe with the most powerful government. Also his behavior at pointing other companies which sells more exploit packs than VUPEN shows lot about him.
[ link to this | view in thread ]
What the FUCKING HELL are those morons thinking/smoking???
If they're good enough to know there are no back-doors installed, they're good enough to write it in-house.
I cannot believe the level of Stupid I'm seeing from Congress, The White house, and the so-called Security Services. I feel like I slowly transitioned to a "Bizarro" America, that no longer recognises reality.
[ link to this | view in thread ]
Vupen
And doublecheck that otherwise promising little thing called DNSSEC, will you ?
[ link to this | view in thread ]
NSA Exploits Purchases
[ link to this | view in thread ]
A pig...
[ link to this | view in thread ]
Re: Wouldn't that be a French INSECURITY firm?
[ link to this | view in thread ]