BreachExchange mailing list archives

NSA Paid French Hacker Company For Software Exploits, Contract Reveals


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Sep 2013 23:13:38 -0600

http://www.slate.com/blogs/future_tense/2013/09/17/nsa_paid_french_hacker_company_vupen_for_software_exploits.html

France was one of several countries in Europe whose people are outraged
<http://www.france24.com/en/20130630-france-demands-usa-explain-spying-allegations-europe>
by revelations about the National Security Agency’s surveillance programs. But
it turns out that a French company has quietly bolstered the NSA’s
capabilities.

According to a contract newly released
<https://www.muckrock.com/foi/united-states-of-america-10/vupen-contracts-with-nsa-6593/#787525-responsive-documents>
in response to a Freedom of Information request, last year the NSA purchased a
12-month subscription to a “binary analysis and exploits service” sold by
Vupen, a company based in Montpellier, France. These exploits, sometimes
described as “zero days,” are complex codes custom-written by hackers to
target undisclosed security weaknesses in widely used operating systems
like Windows and software programs like Google Chrome, Internet Explorer,
Java, and Flash. A spy agency can use exploits to help infiltrate targets’
computers in espionage operations or to strengthen its own computer
networks as part of cybersecurity efforts.

It is unclear how much money the NSA spent on the Vupen exploits package
because the cost has been redacted in the released contract. Vupen CEO
Chaouki Bekrar declined to answer questions about his deal with the NSA,
but told me in an emailed statement that his company’s binary analysis and
exploits service includes “highly technical documentation and private
exploits written by Vupen’s team of researchers for critical
vulnerabilities affecting major software and operating systems.” Bekrar
added that the aim of the service was “to allow customers protect their
systems against sophisticated attacks.”

It seems possible that the NSA purchased the Vupen service for defensive
reasons, with the purpose being to secure U.S. government infrastructure
from adversaries. However, the NSA is believed to use zero days in
*offensive* hacking operations, too. A *Washington Post* scoop
<http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html>
in August detailed how the NSA has apparently turned to exploits as part of
its covert attempts to spy on foreign computer networks. The *Post* reported
that the NSA designs most of its own “implants” used for this purpose, but
set aside $25.1 million in 2013 for “additional covert purchases of
software vulnerabilities” from private providers.

Internationally, the zero-day marketplace is growing and largely
unregulated. Many of the larger sellers are based in the United States, and
reportedly include companies such as Raytheon, Endgame Systems, Harris
Corp., and Northrop Grumman. But the market is also burgeoning in Europe,
with Vupen leading the field. As I reported here back in January
<http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html>,
Vupen’s latest financial accounts show that it generated revenue of about
$1.2 million in 2011, 86 percent of which was earned from exports outside
France.

Lawmakers in Europe, concerned about how the technology could be abused if
in the wrong hands, are pushing for the introduction of new restrictions
that would limit sales. Last week, Dutch Member of the European Parliament
Marietje Schaake argued
<http://www.marietjeschaake.eu/2013/09/plenary-speech-on-cyber-security-and-digital-arms-trade/>
that Europe should take the lead in reining in the industry. “We must end the
export and proliferation of digital arms now,” Schaake said. “We have to
close the regulatory vacuum, and that includes curbing the trade in
zero-day exploits.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss