Slashdot Mirror


NSA Bought Exploit Service From VUPEN

New submitter Reverand Dave writes "The U.S. government – particularly the National Security Agency – is often regarded as having advanced offensive cybersecurity capabilities. But that doesn't mean that they're above bringing in a little outside help when it's needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN. The contract, made public through a Freedom of Information Act request by MuckRock, an open government project that publishes a variety of such documents, shows that the NSA bought VUPEN's services on Sept. 14, 2012. The NSA contract is for a one-year subscription to the company's 'binary analysis and exploits service.'"

16 of 81 comments

  1. The truth gets out... by CajunArson · Score: 5, Interesting

    It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.

    --
    AntiFA: An abbreviation for Anti First Amendment.

    1. Re:The truth gets out... by goombah99 · Score: 3, Insightful

      It's not as conspiracy-theory cool as magical backdoors implanted in every piece of hardware, but this is how the NSA actually breaks into systems... they do it the same way everyone else does, just on a much larger scale and with even less fear of legal repercussions than the cyber criminals.

      rubbish. I'd be more concerned if they didn't closely monitor all zero-day hacks. This is a SECURITY firm, not a backroom Russian exploits dealer; they sell this advanced knowledge because people want to protect themselves and know what is coming. The weather service is not about weather warfare; it's about advanced knowledge of what's coming. Insert car analogy here if that's insufficiently obvious.

      --
      Some drink at the fountain of knowledge. Others just gargle.

    2. Re:The truth gets out... by khasim · Score: 4, Interesting

      This is a SECURITY firm, not a backroom Russian exploits dealer, ...

      Bullshit.

      From TFA:

      VUPEN is one of a handful of companies that sell software exploits and vulnerability details.

      Just because they're French instead of Russian does not change the fact that they're selling exploits.

    3. Re:The truth gets out... by Virtucon · Score: 4, Interesting

      VUPEN sells access to their vulnerabilities on a sliding scale and it's well known that governments buy services from them. That's not news, but for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems. It would seem to me money well spent if they did and at least closed up these holes or made VUPEN's job harder, making it tougher for these data-stealing, scum-sucking government agencies to break into everything and anything.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"

    4. Re:The truth gets out... by MobSwatter · Score: 2

      Realistically, one could enter conjecture to the aspect that this is the reasoning behind why there was significant backlash against white hat folks for finding vulnerabilities, approaching the vendor and when vendor failed to respond with either a projected fix date or at least acknowledgment, the finder ended up going public with it. Vendor was probably awaiting an answer from the goberment on what to do and how to conduct the "NSA's" business.

    5. Re:The truth gets out... by fuzzyfuzzyfungus · Score: 3, Insightful

      VUPEN is to a backroom Russian exploits dealer what a 'defense contractor' is to a 'gunrunner' or 'arms trafficker'. Same business; but the prices are higher and they pinkie swear that they would never, ever, sell to anybody who is wicked, though they aren't overly forthcoming about who they will sell to.

    6. Re:The truth gets out... by bill_mcgonigle · Score: 4, Insightful

      for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems

      it's almost as if they've been persuaded not to, eh?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    7. Re:The truth gets out... by Error27 · Score: 3, Insightful

      This isn't the only way or even the main way that the NSA exploits systems.

      Things we know:
      1) The NSA collects SSL keys.
      2) The NSA can generate fake SSL keys.
      3) The NSA has performed MiTM attacks against Google and Microsoft.
      4) We know where many of the places are that they splice into the undersea cables.
      5) US embassies often have Echelon hardware for tracking satellite communication.
      6) The GCHQ stores three days of internet traffic (not metadata but everything).
      7) The NSA collects metadata from everything. Email. Phone. Letters. Facebook.
      8) The NSA planted spies in large corporations.
      9) The NSA has influenced/degraded encryption standards.
      10) The US government and Israel created stuxnet.
      11) The NSA monitors all credit card transactions outside of the US.

      We don't know the specifics though. We don't know:
      1) If there is a backdoor in Windows or Linux or libssl.
      2) If hardware random number generators have been backdoored.
      3) If there are backdoors on the motherboard or in the ethernet firmware.
      4) How they are tracking in other ways, via license plate readers or sensing your various personal radio devices.
      5) How are spy satellites used for domestic surveillance?
      6) Just how much information is shared between the agencies to avoid Fourth Amendment rules. We know that the NSA and the GCHQ share an office. We know that the NSA gave unfiltered data on non-criminals to Israel.

    8. Re:The truth gets out... by omnichad · Score: 2

      Is fskin a new brand of condom?

    9. Re:The truth gets out... by gl4ss · Score: 2

      they sell exploits.. to whoever pays for them.

      only thing they do different than so called russian exploit dealers is that they sell it as a subscriber service.

      heck, many of those reselling probably subscribe to such services. what difference is there where it is from? and if one would think that nsa just has to subscribe to their feed then by that logic the company can ask any fee they damn please from nsa. maybe they did.. and you yanks are wondering where the fuck all your money is going.

      --
      world was created 5 seconds before this post as it is.

  2. An eyeball everywhere by Dunbal · Score: 2

    Trust your government. That's what they meant by "trusted computing".

    --
    Seven puppies were harmed during the making of this post.

  3. Re:NSA != cybersecurity by oodaloop · Score: 2

    No one has that responsibility. US Cybercom doesn't have it, nor does DHS. It's a known gap in our defensive posture. US businesses have resisted any attempts from the gov to regulate their cyber security. No one wants the gummint coming in and telling them how to set up and maintain their networks. And critical infrastructure, like power and other utilities, have likewise resisted any attempts at regulation, even though they are all hooked up to the internet with little thought to security. So, the current situation is we have little cyber security as a nation, and no one is responsible for it.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.

  4. NO No no. You ATTACK enemies. You HELP friends. by dweller_below · Score: 2, Interesting

    We finally found the NSA mentioned in the same sentence as an actual, tangible, external threat. And now we see that instead of attacking them, they are giving them money?!? How can they get confused on this? You ATTACK enemies. You HELP friends.

    The Exploit marketplace (here symbolized by VUPEN) is possibly the greatest threat to the existence of the internet. You can fight mistakes. You can fight attackers. But it is almost impossible to fight economics. The exploit market is creating an economy that creates and enables exploit. It is a great driving force reconfiguring the Internet for Attack, instead of Defense.

    VUPEN is a worthy opponent. The NSA should hack them front, back and center. They should never pat them on the head and give them money.

    It looks like the Exploit Marketplace was dreamed up, founded and sustained by the NSA. The leaked Black Budget showed that the NSA devotes huge resources to purchasing exploit. We have also learned that the NSA's budget included vast resources to create exploit:

    "The NSA spends $250m a year on a program which, among other goals, works with technology companies to 'covertly influence' their product designs." (From last week's New York Times and Guardian articles)

    So, the NSA creates exploit in everything they can influence. And they can influence almost everything. The NSA purchases exploit. Many times, they must be purchasing info on the exploits that they created. They preserve exploit. They mask everything in secrecy. And it all enhances the exploit marketplace. The NSA is no longer debating the Equities issue (https://www.schneier.com/blog/archives/2008/05/dualuse_technol_1.html). They have only token interest in defending the Internet.

    If we could just get the NSA out of the exploit market, the whole thing would probably collapse like 2008's Housing bubble.

  5. Good by the eric conspiracy · Score: 3, Interesting

    I paid a visit to Northern Va a few weeks ago. The place was crawling with construction projects and high end malls.

    That I am paying for.

    Using Vupen actually sounds like a fairly efficient use of taxpayer money.

  6. So they don't buy them AS THEMSELVES. by Ungrounded Lightning · Score: 3, Interesting

    for the life of me I don't know why Cisco, Microsoft and other big players just don't pay up to get at least some insight into how these guys are finding exposures in their systems

    I would assume that VUPEN would refuse to sell to Microsoft and Cisco on account of it diminishing the value of the zero-days they're holding.

    Or at least not sell them the best stuff.

    Obviously, if Cisco, Microsoft, etc. were going to buy this service, they wouldn't do it (only) as themselves, acting directly. They'd do it through a front, to ensure they got the same things the bad guys were getting.

    Just as a startup did, about a decade ago, when I was designing a next-generation routing chip, and we needed to obtain equipment from Cisco for testing it for function and compatibility.

    It took two half-rack, 3/4 megabuck, top-of-the-line Cisco routers to drive it properly. We bought them through another company on a very hush-hush basis, just to be sure Cisco wouldn't be tempted to send us defective or gimmicked equipment, not support it properly, or hold up shipment and slip our schedule.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  7. Re:Makes sense by Nyder · Score: 2

    The NSA needs to know when the back doors it has built are uncovered. So it probably subscribes to a number of software security services that look for such stuff.

    No, that is not what is happening. The NSA, because it doesn't have backdoors everywhere, has to buy 0-day exploits to gain access to systems.

    While NSA might be able to get some companies to put back doors in their software, they can't get most. So they have to use exploits to break into systems.

    This is actually common sense, we just have some proof of it now.

    --
    Be seeing you...