Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions

from the portals-are-so-90s dept

Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing:

access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more.
Here's how it applies those exploits, as described by Privacy International:
By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target's computer. While it's been previously advertised that Gamma use fake software updates from some of the world's leading technology companies to deliver FinSpy onto a target's computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft's Internet Explorer and Adobe's Acrobat programme.
Sadly, Gamma is not a one-off in this respect. Another company offering exploits to government agencies for the purpose of breaking into systems -- that is, offensive rather than defensive actions -- is Vupen Security. As its Web site explains:
As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN's vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.
Privacy International comments:
Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.

However, the possibility for abuse has lead to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.
We know from Snowden's leaks that the NSA uses zero-day exploits to compromise computer systems used by foreign governments. That probably means that the US would be unwilling to introduce any constraints on their use (even nominal ones), as will other governments around the world that are doubtless turning to malware as a way of spying on targets in the same way.

The only way to blunt those attacks is for members of the software community to find, publish and patch vulnerabilities, as fast as they can. That's yet another compelling reason for using free software: even if open source is just as likely to have flaws as closed-source programs (and opinions will differ on that score), it's inarguable that they are easier to find and fix since the barriers to doing so are much lower.

Follow me @glynmoody on Twitter or, and +glynmoody on Google+

Filed Under: finfly, governments, offensive attacks, security, surveillance, zero day exploits
Companies: gamma international, vupen, vupen security

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    nasch (profile), 13 Mar 2014 @ 3:20pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours.

    There could have been exploits that weren't made public.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.