Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions
from the portals-are-so-90s dept
Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing:
access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more.
Here's how it applies those exploits, as described by Privacy International:
By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target's computer. While it's been previously advertised that Gamma use fake software updates from some of the world's leading technology companies to deliver FinSpy onto a target's computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft's Internet Explorer and Adobe's Acrobat programme.
Sadly, Gamma is not a one-off in this respect. Another company offering exploits to government agencies for the purpose of breaking into systems -- that is, offensive rather than defensive actions -- is Vupen Security. As its Web site explains:
As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).
Privacy International comments:
While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN's vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.
We know from Snowden's leaks that the NSA uses zero-day exploits to compromise computer systems used by foreign governments. That probably means that the US would be unwilling to introduce any constraints on their use (even nominal ones), as will other governments around the world that are doubtless turning to malware as a way of spying on targets in the same way.
However, the possibility for abuse has lead to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.
The only way to blunt those attacks is for members of the software community to find, publish and patch vulnerabilities, as fast as they can. That's yet another compelling reason for using free software: even if open source is just as likely to have flaws as closed-source programs (and opinions will differ on that score), it's inarguable that they are easier to find and fix since the barriers to doing so are much lower.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: finfly, governments, offensive attacks, security, surveillance, zero day exploits
Companies: gamma international, vupen, vupen security
Reader Comments
Subscribe: RSS
View by: Time | Thread
I fail to see a legitimate use of this sort of technology without explicit warrant from an appropriate court.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Using them should be a violation of the CFAA.
[ link to this | view in chronology ]
Re:
If it's legal and constitutional for the NSA to do something without a warrant, then it is equally legal for you or I to do it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Nice of them to give us a list of vulnerable software
Also, anyone out there using Microsoft Office should uninstall it and switch to LibreOffice.
Internet Explorer... Can you actually meaningfully uninstall IE on Windows 7/8? I know it used to be part of the OS, but I haven't really paid attention to it in years.
[ link to this | view in chronology ]
Re: Nice of them to give us a list of vulnerable software
Speaking of Firefox, it's primarily funded by Google. Do you have a suggestion for a browser that isn't primarily funded by a US corporation that has most certainly been compromised?
[ link to this | view in chronology ]
Re: Nice of them to give us a list of vulnerable software
[ link to this | view in chronology ]
Re: Re: Nice of them to give us a list of vulnerable software
[ link to this | view in chronology ]
If you use Microsoft or Adobe products
Period, full stop.
This is not open for debate or question. If by now, in 2014, you haven't realized that Microsoft and Adobe products aren't merely insecure, but insecurable, then you are a first-class moron and you DESERVE to be hacked, spied on, victimized, exploited, defrauded, and scammed.
Avoiding these isn't a guarantee any more than wearing a seat belt is a guarantee. But it's a utterly reasonable thing to do, and no one with even the slightest clue would consider doing otherwise.
[ link to this | view in chronology ]
Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: If you use Microsoft or Adobe products
Also, if the source code is published, bug reports can be rapidly disseminated with a very specific warning about which module is problematic. The recent Linux bug reported the specific module that was problematic. Thus one can check to see if it is even installed or if installed one can remove it.
[ link to this | view in chronology ]
Re: Re: Re: If you use Microsoft or Adobe products
The recent Linux gnutls only got picked up due to the Apple "goto fail" drawing attention, until them the gnutls bug had existed for 9 years despite source code being freely available and lots of people interested in Linux.
[ link to this | view in chronology ]
Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
There could have been exploits that weren't made public.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
Given the widespread use of GNUTLS in many applications, my guess is that it was reserved for high-value exploitation, and used minimally.
[ link to this | view in chronology ]
Re: Re: If you use Microsoft or Adobe products
Also, the security-minded folks will choose their OS in part based on how low-profile it is. For example, there are more exploits against Windows than OSX not because Windows is less secure, but because there are a lot more installations of Windows, so it's the very first target for exploit development.
[ link to this | view in chronology ]
Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: If you use Microsoft or Adobe products
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
If that's not security by obscurity, then you're doing some NSA-esque word redefining there.
People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of particular tool. Anything else is fanboyism.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products
Acknowledging that some platforms are more attractive targets than others, and choosing not to use those platforsm, is not "security by obscurity" unless I said that was all you needed to do to be secure. And I said no such thing.
"People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of particular tool"
Absolutely. And the choice of platform is one of the factors in that holistic determination. If it isn't, then the approach you're taking to security isn't actually holistic at all.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
;)
[ link to this | view in chronology ]
Selling exploits should be made illegal worldwide so we go back to the full disclosure we had 15 years ago.
[ link to this | view in chronology ]
Re:
Exploits got posted on the net after the companies started to sue the messenger.
[ link to this | view in chronology ]
hackers are united in NOT HELPING YOU
the largest repository of hacker knowledge besides prolly the nsa it self is in my fookin hands and NOT THERES ....ever
let me tell you MIKE..if i wished i could alter this site and leave you a message ....but in so doing you and others and govts would put me away for 20 years....
enjoy your new nazi world
[ link to this | view in chronology ]
Re: hackers are united in NOT HELPING YOU
lol
[ link to this | view in chronology ]
Re: hackers are united in NOT HELPING YOU
[ link to this | view in chronology ]
Re: hackers are united in NOT HELPING YOU
Your mad hack3r skillz are impress, bro!!
So you can alter this site, huh? Wow! Fucking script kiddie.
[ link to this | view in chronology ]