Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions

from the portals-are-so-90s dept

Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing:

access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more.
Here's how it applies those exploits, as described by Privacy International:
By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target's computer. While it's been previously advertised that Gamma use fake software updates from some of the world's leading technology companies to deliver FinSpy onto a target's computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft's Internet Explorer and Adobe's Acrobat programme.
Sadly, Gamma is not a one-off in this respect. Another company offering exploits to government agencies for the purpose of breaking into systems -- that is, offensive rather than defensive actions -- is Vupen Security. As its Web site explains:
As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN's vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.
Privacy International comments:
Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.

However, the possibility for abuse has lead to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.
We know from Snowden's leaks that the NSA uses zero-day exploits to compromise computer systems used by foreign governments. That probably means that the US would be unwilling to introduce any constraints on their use (even nominal ones), as will other governments around the world that are doubtless turning to malware as a way of spying on targets in the same way.

The only way to blunt those attacks is for members of the software community to find, publish and patch vulnerabilities, as fast as they can. That's yet another compelling reason for using free software: even if open source is just as likely to have flaws as closed-source programs (and opinions will differ on that score), it's inarguable that they are easier to find and fix since the barriers to doing so are much lower.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: finfly, governments, offensive attacks, security, surveillance, zero day exploits
Companies: gamma international, vupen, vupen security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    MadAsASnake (profile), 13 Mar 2014 @ 12:57am

    Yet if I utilised such a tool, from the UK, to see what the NSA was up to, I would likely be facing extradition and criminal prosecution to the US for tampering and intrusion of their IT systems.

    I fail to see a legitimate use of this sort of technology without explicit warrant from an appropriate court.

    link to this | view in thread ]

  2. identicon
    Marak, 13 Mar 2014 @ 2:01am

    Damn right about the open source software part, being able to disable things i dont use in software has closed more than a few security holes for me over the years.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 13 Mar 2014 @ 3:10am

    Re:

    Plus the patch time for security critical bugs is usually measured in hours or days, not weeks, or months.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 13 Mar 2014 @ 3:21am

    Re:

    The only acceptable use of these things is for security testing. Anything else is wrong.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 13 Mar 2014 @ 3:26am

    Nice of them to give us a list of vulnerable software

    Offhand, I'd suggest that anyone with Adobe Acrobat Reader should uninstall it immediately. Wikipedia has a list of alternatives; I personally use Sumatra PDF.
    Also, anyone out there using Microsoft Office should uninstall it and switch to LibreOffice.
    Internet Explorer... Can you actually meaningfully uninstall IE on Windows 7/8? I know it used to be part of the OS, but I haven't really paid attention to it in years.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 13 Mar 2014 @ 3:28am

    If you use Microsoft or Adobe products

    Then you are an idiot.

    Period, full stop.

    This is not open for debate or question. If by now, in 2014, you haven't realized that Microsoft and Adobe products aren't merely insecure, but insecurable, then you are a first-class moron and you DESERVE to be hacked, spied on, victimized, exploited, defrauded, and scammed.

    Avoiding these isn't a guarantee any more than wearing a seat belt is a guarantee. But it's a utterly reasonable thing to do, and no one with even the slightest clue would consider doing otherwise.

    link to this | view in thread ]

  7. icon
    Rikuo (profile), 13 Mar 2014 @ 4:46am

    Re: Nice of them to give us a list of vulnerable software

    Thanks for the tip. I've uninstalled Adobe and as you suggested, installed Sumatra. I've been using LibreOffice for years and I only ever use IE whenever a web page refuses to load or simply doesn't work in Firefox.
    Speaking of Firefox, it's primarily funded by Google. Do you have a suggestion for a browser that isn't primarily funded by a US corporation that has most certainly been compromised?

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 13 Mar 2014 @ 5:06am

    Re: Nice of them to give us a list of vulnerable software

    You can uninstall IE even in the newer versions of Windows. Under "Programs and Features" on the left hand side there is an option called "Turn Windows features on or off." Under there you can uninstall the bundled parts of Windows, like IE, by unchecking its box and hitting "OK."

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 13 Mar 2014 @ 5:18am

    Similar to police "To Serve And Protect" slogans, computer security companies claim to protect against intrusions.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 13 Mar 2014 @ 6:24am

    Re: If you use Microsoft or Adobe products

    So what OS would you recommend in light of the fact that the NSA/GCHQ have exploits for Windows, OS X, Linux, FreeBSD, iOS, Android et al?

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 13 Mar 2014 @ 6:51am

    Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don't get patched as they are not generally known and everyone is less secure as a result.

    Selling exploits should be made illegal worldwide so we go back to the full disclosure we had 15 years ago.

    link to this | view in thread ]

  12. identicon
    Guardian, 13 Mar 2014 @ 6:58am

    hackers are united in NOT HELPING YOU

    our resolve has long since passed in helping you fooking retards destroy our world....

    the largest repository of hacker knowledge besides prolly the nsa it self is in my fookin hands and NOT THERES ....ever

    let me tell you MIKE..if i wished i could alter this site and leave you a message ....but in so doing you and others and govts would put me away for 20 years....

    enjoy your new nazi world

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 13 Mar 2014 @ 7:01am

    Re: hackers are united in NOT HELPING YOU

    nazi?
    lol

    link to this | view in thread ]

  14. icon
    madasahatter (profile), 13 Mar 2014 @ 7:43am

    Re: Re: If you use Microsoft or Adobe products

    Any OS that publishes its source code. The reason, while there exploits in all complex code, publishing the source code allows outside white-hats to test and propose real fixes to the maintainers. Closed source only allows on to describe the effects and how to exploit but not how to fix.

    Also, if the source code is published, bug reports can be rapidly disseminated with a very specific warning about which module is problematic. The recent Linux bug reported the specific module that was problematic. Thus one can check to see if it is even installed or if installed one can remove it.

    link to this | view in thread ]

  15. icon
    John Fenderson (profile), 13 Mar 2014 @ 7:54am

    Re: Re: If you use Microsoft or Adobe products

    What madasahatter said.

    Also, the security-minded folks will choose their OS in part based on how low-profile it is. For example, there are more exploits against Windows than OSX not because Windows is less secure, but because there are a lot more installations of Windows, so it's the very first target for exploit development.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 13 Mar 2014 @ 8:25am

    Re: Re: Re: If you use Microsoft or Adobe products

    Is that good enough?

    The recent Linux gnutls only got picked up due to the Apple "goto fail" drawing attention, until them the gnutls bug had existed for 9 years despite source code being freely available and lots of people interested in Linux.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 13 Mar 2014 @ 8:26am

    Re: Re: Re: If you use Microsoft or Adobe products

    Security by obscurity is probably the worst type of security.

    link to this | view in thread ]

  18. icon
    crashsuit (profile), 13 Mar 2014 @ 8:53am

    Re: Re:

    wink

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 13 Mar 2014 @ 9:18am

    Re:


    Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don't get patched as they are not generally known and everyone is less secure as a result.


    Exploits got posted on the net after the companies started to sue the messenger.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 13 Mar 2014 @ 9:22am

    Re: Re: Nice of them to give us a list of vulnerable software

    it is not actually uninstalling the core components, just UI and user visible parts, if at all.

    link to this | view in thread ]

  21. icon
    John Fenderson (profile), 13 Mar 2014 @ 9:43am

    Re: Re: Re: Re: If you use Microsoft or Adobe products

    Absolutely. But that's not what I'm talking about.

    link to this | view in thread ]

  22. icon
    John Fenderson (profile), 13 Mar 2014 @ 9:43am

    Re: Re: Re:

    No wink. AC is 100% right.

    link to this | view in thread ]

  23. icon
    madasahatter (profile), 13 Mar 2014 @ 9:53am

    Re: Re: Re: Re: If you use Microsoft or Adobe products

    We know how long the issue was present with gnutls because the source code and change history is available. We do not know the age of any announced zero-day in closed-source code because the information is not released except indirectly. Patch xyz fixes versions cdef and version c is 8 years old. The patch fixes a bug that is at least 8 years old but what about versions a and b, was it present then? We do not know.

    link to this | view in thread ]

  24. icon
    John Fenderson (profile), 13 Mar 2014 @ 10:38am

    Re: hackers are united in NOT HELPING YOU

    I have no clue what you're trying to say here.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 13 Mar 2014 @ 10:43am

    Re: hackers are united in NOT HELPING YOU

    ORLY?!?

    Your mad hack3r skillz are impress, bro!!

    So you can alter this site, huh? Wow! Fucking script kiddie.

    link to this | view in thread ]

  26. identicon
    Ruben, 13 Mar 2014 @ 11:28am

    Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    In a way, it is. You said that "security-minded folks will choose their OS in part based on how low-profile it is."

    If that's not security by obscurity, then you're doing some NSA-esque word redefining there.

    People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of particular tool. Anything else is fanboyism.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 13 Mar 2014 @ 11:46am

    Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Which is about as relevant as S.Arnolds of 1528 Plaza, Mexico City is wearing odd socks today.

    link to this | view in thread ]

  28. icon
    nasch (profile), 13 Mar 2014 @ 11:47am

    Re:

    Why isn't selling exploits a violation of the CFAA? Because they're selling them to the gubmint?

    link to this | view in thread ]

  29. identicon
    S.Arnolds, 13 Mar 2014 @ 12:10pm

    Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Godamnit! Stop spying on me.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 13 Mar 2014 @ 12:17pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    pink and blue tomorrow, we know your M.O

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 13 Mar 2014 @ 12:47pm

    Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours. By the time the bug was being widely reported, the patch was already being pushed out by the Distributions.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 13 Mar 2014 @ 1:41pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Pure supposition.

    link to this | view in thread ]

  33. icon
    nasch (profile), 13 Mar 2014 @ 3:20pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours.

    There could have been exploits that weren't made public.

    link to this | view in thread ]

  34. icon
    Bergman (profile), 13 Mar 2014 @ 4:11pm

    Re:

    The silly thing about the current situation is that private citizens have fewer restrictions on their ability to gather information, though they usually have much lower budgets too.

    If it's legal and constitutional for the NSA to do something without a warrant, then it is equally legal for you or I to do it.

    link to this | view in thread ]

  35. icon
    John Fenderson (profile), 14 Mar 2014 @ 9:32am

    Re: Re:

    If by "selling exploits" you mean describing them, then they shouldn't be a violation of the CFAA. I should be allowed to explain any computational process I wish to anybody I wish.

    Using them should be a violation of the CFAA.

    link to this | view in thread ]

  36. icon
    John Fenderson (profile), 14 Mar 2014 @ 9:35am

    Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Not at all.

    Acknowledging that some platforms are more attractive targets than others, and choosing not to use those platforsm, is not "security by obscurity" unless I said that was all you needed to do to be secure. And I said no such thing.

    "People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of particular tool"

    Absolutely. And the choice of platform is one of the factors in that holistic determination. If it isn't, then the approach you're taking to security isn't actually holistic at all.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 17 Mar 2014 @ 4:49am

    Re: Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    What the bug in GNUTLS allowed for was, specifically, a MITM attack. Improper checking of certificates presented allowed specifically crafted certs to be accepted.

    Given the widespread use of GNUTLS in many applications, my guess is that it was reserved for high-value exploitation, and used minimally.

    link to this | view in thread ]

  38. identicon
    Anonymous Coward, 17 Mar 2014 @ 4:53am

    Re:

    Just like anti-virus companies create a lot of viruses and malware in order to sell more anti-virus software and subscriptions.

    ;)

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.