NSA Apparently Purchasing Software Exploits From French Security Firm

from the and-everyone's-a-little-less-safe-now dept

The long history of US intelligence agencies' access to software exploits is well-documented. In the interest of "safety," the US government has undermined the safety of millions of users by gathering up exploits and utilizing them for as long as possible before patches and updates close the security holes. Some it acquires from companies that report holes in their own systems directly to the NSA and other agencies. Others it buys from contractors that specialize in probing software for usable exploits.

Heather Akers-Healy, using Muckrock's FOIA service, recently obtained a document from the NSA detailing its purchase of exploits from Vupen, a French security company specializing in sellable exploits. Unfortunately, the details in this "detailing" are incredibly sparse. Most of what might be interesting is redacted, and the majority of the document is standard contractual clauses.

If there's anything of interest here (beyond the purchase of exploits), it's the fact that the transaction takes place on a nondescript form which can be used to handle a variety of products. Due to the standardized wording, it almost appears as though the NSA has the option to purchase exploits by the truckload -- and that said exploits can only be delivered during the normal receiving hours of 7:30 am - 2:30 pm.

That being said, the purchase of exploits is something the NSA has been pretty open about (comparatively). Vupen, or at least its founder and CEO Chaouki Bekrar (who refers to himself as the "Darth Vader of Cybersecurity"), seems rather open about the exploit market itself. As Muckrock points out, Bekrar suggested other FOIA request topics when confronted with this document.

Vupen's looking to open an office in Maryland, which would put it in the same neighborhood as several other government contractors -- and the NSA's headquarters. It certainly wouldn't hurt to be a short drive away from some well-funded government agencies. Bekrar also tweeted a link to a story by the Washington Post that noted the NSA had $25 million to throw in the direction of software vulnerabilities.

The "Binary Analysis and Exploits" subscription (pre-paid, yearly) that the NSA purchased is described on Vupen's site as more of a defensive product, but it's highly unlikely the intelligence agency viewed it the same way.
With 15 to 20 binary analysis and private 1-day exploits/PoCs released by VUPEN each month, the VUPEN Binary Analysis and Exploits service allows gov organizations to quickly and easily evaluate risks related to the most recent vulnerabilities, and protect national infrastructures against critical vulnerabilities before they are exploited in the wild.
Why the NSA didn't simply go with Vupen's more "proactive" product, "Exclusive and Sophisticated Exploits for Offensive Security", is unknown, unless better exploits were available in the defensive package.

While the NSA's document may lack a lot of details, a brochure obtained by Wikileaks shows what's available in Vupen's offensive package. This service targets law enforcement agencies (LEAs) as well as government agencies. LEAs could certainly be considered a "growth market," especially since so many are "rebranding" themselves as entities lying somewhere between a military force and an unofficial FBI field office.

What this program does is turn your subscription fee into credits and allow you (the LEA/government) to buy exploits with these credits (based on how valuable Vupen feels they are). It's like a Wii store for vulnerabilities. The ultimate aim?
VUPEN Exploits for Law Enforcement Agencies aim to deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by VUPEN security researchers. This is a reliable and secure approach to help LEAs and investigators in covertly attacking and gaining access to remote computer systems.
Now, Vupen states on its site and in its brochures that it will only sell to "trusted countries and government agencies." Even if that is entirely true, the underlying issue doesn't go away. Instead of identifying holes and working with software companies to get them patched (or at least informing the general public), it's selling these off to various intelligence/law enforcement agencies.

If Vupen can find these exploitable holes, so can other untrustworthy actors, whether they're governments that don't quite make the "trusted" list or simply individuals looking to profit on the misery of others. Vupen can't corner this market. A security hole is a security hole and no one owns it or can prevent others from exploiting it (other than by closing the hole). What it's selling isn't necessarily scarce and what it's doing is allowing the public (including paying customers) to assume the risk while it profits.





Reader Comments

  1.  
    pegr, Sep 18th, 2013 @ 1:44pm

    Actually, I'm OK with this

    The NSA is supposed to help protect us too, right? By buying zero days, they know before the issue becomes public, thereby warning (us|vendors|defense contractors) first.

    The more-evil-me says they do it to know when the zero days they made are about to become public.

  2.  
    Anonymous Coward, Sep 18th, 2013 @ 1:53pm

    Re: Actually, I'm OK with this

    Yeah, I frequently get warned by the NSA about exploits.

  3.  
    Anonymous Coward, Sep 18th, 2013 @ 2:23pm

    Re: Actually, I'm OK with this

    I don't think that's how they're using this.

  4.  
    DannyB (profile), Sep 18th, 2013 @ 2:29pm

    Wouldn't that be a French INSECURITY firm?

    > NSA Apparently Purchasing Software Exploits From French Security Firm

    Wouldn't that make it a French Insecurity firm?

  5.  
    DannyB (profile), Sep 18th, 2013 @ 2:37pm

    Even If . . .

    > Now, Vupen states on its site and in its brochures that
    > it will only sell to "trusted countries and government agencies."
    > Even if that is entirely true . . .

    It is not. They are selling to the NSA. Trusted government agencies? I think not.

  6.  
    Anonymous, Sep 18th, 2013 @ 2:48pm

    Re: Wouldn't that be a French INSECURITY firm?

    I can hardly wait till they get hacked. :)

  7.  
    artp (profile), Sep 18th, 2013 @ 3:49pm

    Equal justice for all under the law

    So this apparently doesn't violate the Computer Fraud and Abuse Act (CFAA) or the Department of Justice would be all over Vupen like stink on a skunk, right?

  8.  
    Anonymous Coward, Sep 18th, 2013 @ 5:21pm

    It's FinFisher's sister company.

  9.  
    Anonymous Coward, Sep 18th, 2013 @ 5:42pm

    Re: Equal justice for all under the law

    CFAA only applies to geeks that are not employed by the government... didn't you get the memo?

  10.  
    Anonymous, Sep 18th, 2013 @ 6:04pm

    VUPEN

    VUPEN is one of these criminal companies that sells our security and privacy to doubtful government agencies for big money. It means that there is no ethics in such a company; how can you know if this exploit code you sold to the NSA will not be used for mass snooping on your fellow citizens?
    Since when should you trust your government? History has clearly shown that we should not.
    I don't think Mr Bekrar does this for any national security purposes; he just wants to play safe with the most powerful government. Also, his behavior in pointing at other companies which sell more exploit packs than VUPEN shows a lot about him.

  11.  
    Wolfy, Sep 18th, 2013 @ 10:41pm

    Purchasing ANY security-related software/services from a foreign vendor should be prohibited.

    What the FUCKING HELL are those morons thinking/smoking???

    If they're good enough to know there are no back-doors installed, they're good enough to write it in-house.

    I cannot believe the level of Stupid I'm seeing from Congress, The White house, and the so-called Security Services. I feel like I slowly transitioned to a "Bizarro" America, that no longer recognises reality.

  12.  
    Long memory is illegal?, Sep 19th, 2013 @ 2:53am

    Vupen

    Ok. That came out too. When will newspapers publish the rest of buyers for exploits against their own citizens.

    And doublecheck that otherwise promising little thing called DNSSEC, will you ?

  13.  
    Paul Keating, Sep 19th, 2013 @ 4:46am

    NSA Exploits Purchases

    I wonder how many of NSA's purchases deal with exploits of NSA's own systems?

  14.  
    RyanNerd (profile), Sep 19th, 2013 @ 8:25am

    A pig...

    A french Pig!

  15.  
    btrussell (profile), Sep 20th, 2013 @ 3:14am

    Re: Wouldn't that be a French INSECURITY firm?

    All security firms are in security. The "firm" is the giveaway.
