Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions

from the portals-are-so-90s dept

Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing:

access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more.
Here's how it applies those exploits, as described by Privacy International:
By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target's computer. While it's been previously advertised that Gamma use fake software updates from some of the world's leading technology companies to deliver FinSpy onto a target's computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft's Internet Explorer and Adobe's Acrobat programme.
Sadly, Gamma is not a one-off in this respect. Another company offering exploits to government agencies for the purpose of breaking into systems -- that is, offensive rather than defensive actions -- is Vupen Security. As its Web site explains:
As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN's vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.
Privacy International comments:
Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.

However, the possibility for abuse has lead to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.
We know from Snowden's leaks that the NSA uses zero-day exploits to compromise computer systems used by foreign governments. That probably means that the US would be unwilling to introduce any constraints on their use (even nominal ones), as will other governments around the world that are doubtless turning to malware as a way of spying on targets in the same way.

The only way to blunt those attacks is for members of the software community to find, publish and patch vulnerabilities, as fast as they can. That's yet another compelling reason for using free software: even if open source is just as likely to have flaws as closed-source programs (and opinions will differ on that score), it's inarguable that they are easier to find and fix since the barriers to doing so are much lower.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: finfly, governments, offensive attacks, security, surveillance, zero day exploits
Companies: gamma international, vupen, vupen security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 13 Mar 2014 @ 9:18am

    Re:


    Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don't get patched as they are not generally known and everyone is less secure as a result.


    Exploits got posted on the net after the companies started to sue the messenger.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.