Alert: NSA Buys Zero-Day Exploits from French security firm Vupen

A contract that’s come to light with the recent release of documents from a successful Freedom of Information Act request shows that the NSA bought software exploits from a French hacking firm called Vupen, headquartered in Montpellier.

The NSA contracted with Vupen for a year-long “subscription” to zero-day exploits, previously unknown vulnerabilities in software and hardware. Knowledge of zero-day exploits allows for both defense against their use and offensive use for the purposes of surveillance and data theft.

In 2011, according to leaked documents, the U.S. launched 231 offensive cyber-operations. Other leaks, reported last week, indicated that the country spends $4.3 billion on such operations.

Vupen CEO Chaouki Bekrar told Slate’s Ryan Gallagher that his company’s services include “highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.”

The amount paid for this subscription was redacted on the document, and Bekrar did not divulge it, but the company pulled in $1.2 million in 2011—86 percent from non-French clients. 

The French investigative hackers at Reflets.info have had their eye on Vupen for some time, the publication’s Fabrice Epelboin told the Daily Dot. Hacker and Reflets journalist Kitetoa wrote about the group yesterday.

Among his discoveries: Vupen has close ties with the French Army and is deeply involved in the French Army cyber-command’s offensive online initiatives.

Read more at http://www.dailydot.com/politics/nsa-malware-vupen/

One of the latest reports claims that the NSA is able to access data from Apple iPhones, BlackBerry devices, and phones that use Google’s Android operating system. In addition, following document leaks which suggested the NSA was accessing email records, a number of companies offering secure email shut down, and in their place, encrypted mobile phone communication applications have risen.

A fresh report, brought on by a Freedom of Information (FOI) request by government transparency site MuckRock, shows that the NSA purchased data on zero-day vulnerabilities and the software to use them from French security company Vupen.

According to the documents, the NSA signed up to a one-year “binary analysis and exploits service” contract offered by Vupen last September.

Vupen describes itself as “the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research.” In other words, the security firm finds flaws in software and systems and then sells this data on to governments.

In addition, Vupen offers offensive security solutions, including “extremely sophisticated and government grade zero-day exploits specifically designed for critical and offensive cyber operations.”

Zero-day vulnerabilities are security flaws in systems discovered by researchers and cyberattackers which have not been found or patched by the vendor.

Read more at http://www.zdnet.com/nsa-purchased-zero-day-exploits-from-french-security-firm-vupen-7000020825/

 
