UPDATED 08:15 EDT / SEPTEMBER 18 2013

NEWS

NSA Keeps Its Hands Clean, Buys Zero-Day Vulnerabilities From French Firm Vupen

So it seems the NSA doesn’t do all of its own dirty work after all. On occasion, it’s also prepared to stump up a fair bit of cash to get its hands on so-called ‘zero-day vulnerabilities’ (previously unknown bugs, for which no patch yet exists) that it can use to attack computer systems, according to documents released in response to a freedom-of-information request.

The request was made by the public records service MuckRock, and shows that the NSA took out a contract with a notorious French company called Vupen that specializes in finding zero-day flaws in software and computer systems. Once a vulnerability has been discovered, Vupen then develops exploits and sells these to governments that wish to take advantage of them.

Not that anyone will be surprised that the NSA has taken out this kind of contract. The US government has been caught buying exploits in the past, and the Stuxnet malware that wreaked havoc on Iran’s nuclear program contained at least four different zero-day exploits, which were most likely purchased from private individuals or from companies like Vupen.

More surprising are the NSA’s reasons for wanting to buy such vulnerabilities, and this is where it gets a little more interesting. Thanks to Ed Snowden, we’ve learned that the NSA’s spooks are already more than capable of hacking into just about any program or server, but using their own in-house tooling doesn’t always serve their purposes.

According to Christopher Soghoian, principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, the most likely reasons for the Vupen contract are so the NSA can carry out false flag and deniable cyber operations, and of course, simply to learn what other governments may know.

“There are times when U.S. special forces use AK-47s, even though they have superior guns available,” Soghoian tweeted. “Same for NSA’s Vupen purchase. Deniability.”

Vupen itself doesn’t try to hide what it gets up to, stating on its website that it works alongside “government agencies and the intelligence community.” However, as CEO Chaouki Bekrar pointed out in an interview with ThreatPost last year, Vupen insists that all customers must meet its “strict eligibility criteria,” which includes being a member or partner of NATO, ANZUS (Australia, New Zealand, United States Security Treaty) or ASEAN (Association of Southeast Asian Nations). In addition, Vupen states that its customers must also meet the United States’ “Know Your Customer” guidance, and must not be subject to any sanctions issued by the USA, EU or the United Nations.

But this doesn’t mean that the trade in zero-day security flaws is any less controversial. While Vupen is one of the cleaner operators in this ‘industry’, it has still attracted criticism from some quarters. Meanwhile, there are plenty of other security researchers out there who’ll sell to the highest bidder without any of the restrictions that Vupen imposes.
