
Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions

from the portals-are-so-90s dept

Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing:

access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more.

Here's how it applies those exploits, as described by Privacy International:

By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target's computer. While it's been previously advertised that Gamma use fake software updates from some of the world's leading technology companies to deliver FinSpy onto a target's computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft's Internet Explorer and Adobe's Acrobat programme.

Sadly, Gamma is not a one-off in this respect. Another company offering exploits to government agencies for the purpose of breaking into systems -- that is, offensive rather than defensive actions -- is Vupen Security. As its Web site explains:

As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN's vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.

Privacy International comments:

Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.

However, the possibility for abuse has led to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.

We know from Snowden's leaks that the NSA uses zero-day exploits to compromise computer systems used by foreign governments. That probably means that the US would be unwilling to introduce any constraints on their use (even nominal ones), as will other governments around the world that are doubtless turning to malware as a way of spying on targets in the same way.

The only way to blunt those attacks is for members of the software community to find, publish and patch vulnerabilities, as fast as they can. That's yet another compelling reason for using free software: even if open source is just as likely to have flaws as closed-source programs (and opinions will differ on that score), it's inarguable that they are easier to find and fix since the barriers to doing so are much lower.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Reader Comments

  1.  
    MadAsASnake, Mar 13th, 2014 @ 12:57am

    Yet if I utilised such a tool, from the UK, to see what the NSA was up to, I would likely be facing extradition and criminal prosecution to the US for tampering and intrusion of their IT systems.

    I fail to see a legitimate use of this sort of technology without explicit warrant from an appropriate court.

     

  2.  
    Marak, Mar 13th, 2014 @ 2:01am

    Damn right about the open source software part, being able to disable things I don't use in software has closed more than a few security holes for me over the years.

     

  3.  
    Anonymous Coward, Mar 13th, 2014 @ 3:10am

    Re:

    Plus the patch time for security critical bugs is usually measured in hours or days, not weeks, or months.

     

  4.  
    Anonymous Coward, Mar 13th, 2014 @ 3:21am

    Re:

    The only acceptable use of these things is for security testing. Anything else is wrong.

     

  5.  
    Anonymous Coward, Mar 13th, 2014 @ 3:26am

    Nice of them to give us a list of vulnerable software

    Offhand, I'd suggest that anyone with Adobe Acrobat Reader should uninstall it immediately. Wikipedia has a list of alternatives; I personally use Sumatra PDF.
    Also, anyone out there using Microsoft Office should uninstall it and switch to LibreOffice.
    Internet Explorer... Can you actually meaningfully uninstall IE on Windows 7/8? I know it used to be part of the OS, but I haven't really paid attention to it in years.

     

  6.  
    Anonymous Coward, Mar 13th, 2014 @ 3:28am

    If you use Microsoft or Adobe products

    Then you are an idiot.

    Period, full stop.

    This is not open for debate or question. If by now, in 2014, you haven't realized that Microsoft and Adobe products aren't merely insecure, but insecurable, then you are a first-class moron and you DESERVE to be hacked, spied on, victimized, exploited, defrauded, and scammed.

    Avoiding these isn't a guarantee any more than wearing a seat belt is a guarantee. But it's an utterly reasonable thing to do, and no one with even the slightest clue would consider doing otherwise.

     

  7.  
    Rikuo, Mar 13th, 2014 @ 4:46am

    Re: Nice of them to give us a list of vulnerable software

    Thanks for the tip. I've uninstalled Adobe and as you suggested, installed Sumatra. I've been using LibreOffice for years and I only ever use IE whenever a web page refuses to load or simply doesn't work in Firefox.
    Speaking of Firefox, it's primarily funded by Google. Do you have a suggestion for a browser that isn't primarily funded by a US corporation that has most certainly been compromised?

     

  8.  
    Anonymous Coward, Mar 13th, 2014 @ 5:06am

    Re: Nice of them to give us a list of vulnerable software

    You can uninstall IE even in the newer versions of Windows. Under "Programs and Features" on the left hand side there is an option called "Turn Windows features on or off." Under there you can uninstall the bundled parts of Windows, like IE, by unchecking its box and hitting "OK."

     

  9.  
    Anonymous Coward, Mar 13th, 2014 @ 5:18am

    Similar to police "To Serve And Protect" slogans, computer security companies claim to protect against intrusions.

     

  10.  
    Anonymous Coward, Mar 13th, 2014 @ 6:24am

    Re: If you use Microsoft or Adobe products

    So what OS would you recommend in light of the fact that the NSA/GCHQ have exploits for Windows, OS X, Linux, FreeBSD, iOS, Android et al?

     

  11.  
    Anonymous Coward, Mar 13th, 2014 @ 6:51am

    Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don't get patched as they are not generally known and everyone is less secure as a result.

    Selling exploits should be made illegal worldwide so we go back to the full disclosure we had 15 years ago.

     

  12.  
    Guardian, Mar 13th, 2014 @ 6:58am

    hackers are united in NOT HELPING YOU

    our resolve has long since passed in helping you fooking retards destroy our world....

    the largest repository of hacker knowledge besides prolly the nsa itself is in my fookin hands and NOT THEIRS ....ever

    let me tell you MIKE..if i wished i could alter this site and leave you a message ....but in so doing you and others and govts would put me away for 20 years....

    enjoy your new nazi world

     

  13.  
    Anonymous Coward, Mar 13th, 2014 @ 7:01am

    Re: hackers are united in NOT HELPING YOU

    nazi?
    lol

     

  14.  
    madasahatter, Mar 13th, 2014 @ 7:43am

    Re: Re: If you use Microsoft or Adobe products

    Any OS that publishes its source code. The reason: while there are exploits in all complex code, publishing the source code allows outside white-hats to test and propose real fixes to the maintainers. Closed source only allows one to describe the effects and how to exploit but not how to fix.

    Also, if the source code is published, bug reports can be rapidly disseminated with a very specific warning about which module is problematic. The recent Linux bug reported the specific module that was problematic. Thus one can check to see if it is even installed or if installed one can remove it.

     

  15.  
    John Fenderson, Mar 13th, 2014 @ 7:54am

    Re: Re: If you use Microsoft or Adobe products

    What madasahatter said.

    Also, the security-minded folks will choose their OS in part based on how low-profile it is. For example, there are more exploits against Windows than OSX not because Windows is less secure, but because there are a lot more installations of Windows, so it's the very first target for exploit development.

     

  16.  
    Anonymous Coward, Mar 13th, 2014 @ 8:25am

    Re: Re: Re: If you use Microsoft or Adobe products

    Is that good enough?

    The recent Linux gnutls only got picked up due to the Apple "goto fail" drawing attention, until then the gnutls bug had existed for 9 years despite source code being freely available and lots of people interested in Linux.

     

  17.  
    Anonymous Coward, Mar 13th, 2014 @ 8:26am

    Re: Re: Re: If you use Microsoft or Adobe products

    Security by obscurity is probably the worst type of security.

     

  18.  
    crashsuit, Mar 13th, 2014 @ 8:53am

    Re: Re:

    wink

     

  19.  
    Anonymous Coward, Mar 13th, 2014 @ 9:18am

    Re:


    Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don't get patched as they are not generally known and everyone is less secure as a result.


    Exploits got posted on the net after the companies started to sue the messenger.

     

  20.  
    Anonymous Coward, Mar 13th, 2014 @ 9:22am

    Re: Re: Nice of them to give us a list of vulnerable software

    It is not actually uninstalling the core components, just UI and user visible parts, if at all.

     

  21.  
    John Fenderson, Mar 13th, 2014 @ 9:43am

    Re: Re: Re: Re: If you use Microsoft or Adobe products

    Absolutely. But that's not what I'm talking about.

     

  22.  
    John Fenderson, Mar 13th, 2014 @ 9:43am

    Re: Re: Re:

    No wink. AC is 100% right.

     

  23.  
    madasahatter, Mar 13th, 2014 @ 9:53am

    Re: Re: Re: Re: If you use Microsoft or Adobe products

    We know how long the issue was present with gnutls because the source code and change history is available. We do not know the age of any announced zero-day in closed-source code because the information is not released except indirectly. Patch xyz fixes versions cdef and version c is 8 years old. The patch fixes a bug that is at least 8 years old but what about versions a and b, was it present then? We do not know.

     

  24.  
    John Fenderson, Mar 13th, 2014 @ 10:38am

    Re: hackers are united in NOT HELPING YOU

    I have no clue what you're trying to say here.

     

  25.  
    Anonymous Coward, Mar 13th, 2014 @ 10:43am

    Re: hackers are united in NOT HELPING YOU

    ORLY?!?

    Your mad hack3r skillz are impress, bro!!

    So you can alter this site, huh? Wow! Fucking script kiddie.

     

  26.  
    Ruben, Mar 13th, 2014 @ 11:28am

    Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    In a way, it is. You said that "security-minded folks will choose their OS in part based on how low-profile it is."

    If that's not security by obscurity, then you're doing some NSA-esque word redefining there.

    People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of a particular tool. Anything else is fanboyism.

     

  27.  
    Anonymous Coward, Mar 13th, 2014 @ 11:46am

    Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Which is about as relevant as S.Arnolds of 1528 Plaza, Mexico City is wearing odd socks today.

     

  28.  
    nasch, Mar 13th, 2014 @ 11:47am

    Re:

    Why isn't selling exploits a violation of the CFAA? Because they're selling them to the gubmint?

     

  29.  
    S.Arnolds, Mar 13th, 2014 @ 12:10pm

    Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Goddamnit! Stop spying on me.

     

  30.  
    Anonymous Coward, Mar 13th, 2014 @ 12:17pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    pink and blue tomorrow, we know your M.O

     

  31.  
    Anonymous Coward, Mar 13th, 2014 @ 12:47pm

    Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours. By the time the bug was being widely reported, the patch was already being pushed out by the Distributions.

     

  32.  
    Anonymous Coward, Mar 13th, 2014 @ 1:41pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Pure supposition.

     

  33.  
    nasch, Mar 13th, 2014 @ 3:20pm

    Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours.

    There could have been exploits that weren't made public.

     

  34.  
    Bergman, Mar 13th, 2014 @ 4:11pm

    Re:

    The silly thing about the current situation is that private citizens have fewer restrictions on their ability to gather information, though they usually have much lower budgets too.

    If it's legal and constitutional for the NSA to do something without a warrant, then it is equally legal for you or I to do it.

     

  35.  
    John Fenderson, Mar 14th, 2014 @ 9:32am

    Re: Re:

    If by "selling exploits" you mean describing them, then they shouldn't be a violation of the CFAA. I should be allowed to explain any computational process I wish to anybody I wish.

    Using them should be a violation of the CFAA.

     

  36.  
    John Fenderson, Mar 14th, 2014 @ 9:35am

    Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    Not at all.

    Acknowledging that some platforms are more attractive targets than others, and choosing not to use those platforms, is not "security by obscurity" unless I said that was all you needed to do to be secure. And I said no such thing.

    "People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of particular tool"

    Absolutely. And the choice of platform is one of the factors in that holistic determination. If it isn't, then the approach you're taking to security isn't actually holistic at all.

     

  37.  
    Anonymous Coward, Mar 17th, 2014 @ 4:49am

    Re: Re: Re: Re: Re: Re: Re: Re: If you use Microsoft or Adobe products

    What the bug in GNUTLS allowed for was, specifically, a MITM attack. Improper checking of certificates presented allowed specifically crafted certs to be accepted.

    Given the widespread use of GNUTLS in many applications, my guess is that it was reserved for high-value exploitation, and used minimally.

     

  38.  
    Anonymous Coward, Mar 17th, 2014 @ 4:53am

    Re:

    Just like anti-virus companies create a lot of viruses and malware in order to sell more anti-virus software and subscriptions.

    ;)

     
