Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

NSA Contracted With Zero-Day Vendor Vupen

NSA likely used French exploit service to keep tabs on the competition and run "deniable cyber ops," says cyber-weapon critic.

Iris Scans: Security Technology In Action
Iris Scans: Security Technology In Action
(click image for larger view)
The National Security Agency (NSA) has been a customer of France-based Vupen Security, which sells zero-day exploits.

That fact was revealed by public records service MuckRock, which filed a Freedom of Information Act (FOIA) request with the NSA earlier this month seeking "copies of contracts with Vupen Security and any final reports generated and delivered by Vupen to the agency over the past 10 years."

In response, the NSA shared a copy of an 18-page contract for a 12-month subscription to Vupen's "binary analysis and exploits service," dated Sept. 14, 2012. The contract was signed by both the NSA and Vupen CEO Chaouki Bekrar. Under the FOIA Act, some types of commercial and financial information can be withheld, and the cost of the NSA's Vupen subscription was blanked out.

Bekrar -- who's also Vupen's head researcher -- said via email that it was common sense that intelligence agencies would work with vulnerability sellers. "People seem surprised to discover that major government agencies are acquiring Vupen's vulnerability intelligence," he said. "There is no news here, governments need to leverage the most detailed and advanced vulnerability research to protect their infrastructures and citizens against adversaries."

[ Want to know about NSA's decryption capabilities and what they mean for you? See NSA Crypto Revelations: 7 Issues To Watch. ]

Indeed, the NSA's subscription with Vupen -- which bills itself as "the leading provider of defensive and offensive cyber security intelligence" -- is hardly surprising, given what's known about the practice of selling exploits to the U.S. government, especially in the wake of Stuxnet. That malware, which was allegedly built by a combined U.S.-Israeli cyber-weapons program to target centrifuges at a uranium refinery in Iran, included exploits for four different zero-day -- aka previously unknown -- vulnerabilities.

Beyond crafting some future Stuxnet, why else might the NSA contract with a vulnerability seller? "[The] likely reasons for NSA subscription to Vupen's 0day exploits: know what capabilities other [governments] can buy, and false flag, deniable cyber ops," Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project, said via Twitter. "There are times when U.S. special forces use AK-47s, even though they have superior guns available," he said. "Same for NSA's Vupen purchase. Deniability."

Vupen's website, meanwhile, makes no secret of the fact that it works with "government agencies and the intelligence community," and Bekrar emphasized that customers must meet "strict eligibility criteria," with customers being restricted to law enforcement and intelligence agencies in countries that are members or partners of NATO, the Australia, New Zealand, United States Security Treaty (ANZUS) or the Association of Southeast Asian Nations (ASEAN). Customers must also meet the requirements of the U.S. government's "Know Your Customer" guidance, and not be in any country that's on a restricted or embargo list maintained by the European Union, United States or United Nations.

Bekrar also said that although the company is based in France, it has no difficulty selling exploit information to eligible foreign governments. "France is one of the largest arms exporters, so why not cyber arms?" he said.

Vupen has previously drawn criticism from security experts, as well as privacy advocates such as Soghoian, who Monday characterized the firm as being a "zero-day cyber weapon merchant."

Why sell exploits? In fact, the vulnerability marketplace can be worth big bucks for bugs that can be turned into weaponized exploits. Last year, for example, the Bangkok-based vulnerability buyer and seller known as the GrugQ -- who takes a 15% commission on deals -- said that six-figure deals are common, and that he won't touch a vulnerability worth less than $50,000.

Vupen, however, differs from vulnerability brokers such as the GrugQ, or HP's Zero Day Initiative, which buy and sell other people's bugs. Bekrar said via Twitter Tuesday that "all of our research is done in-house," and that his firm doesn't buy or sell third-party exploits.

As the NSA contract suggests, business appears to be good for Vupen, which has made a name for itself by taking top prizes in multiple Pwn2Own competitions. Last month, Vupen also announced plans to expand to the United States by opening an office in Maryland and hiring vulnerability researchers who have clearance to handle top secret or sensitive compartmentalized information.

Learn more about defending your organization from cyber threats by attending the Interop conference track on Risk Management and Security in New York from Sept. 30 to Oct. 4.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
9/17/2013 | 4:19:25 PM
re: NSA Contracted With Zero-Day Vendor Vupen
Back in June, when the Prism scandal first broke, I wrote a column "Defending NSA's Prism Big Data Tools" http://ubm.io/12jwDfh I stand by my analysis that the technology itself is capable of handling data in a privacy sensitive way. But with everything I've read about NSA activities and actions since that time, I've lost confidence that the agency is being careful about respecting privacy. Quite to the contrary, between cracking encryption and seeking out exploits, it's quite apparent that NSA is willing to do whatever it takes to peer into every scrap of information available. There don't seem to be appropriate boundaries or a sense of accountability to the public.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
CVE-2017-10723
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...