A contract that’s come to light with the recent release of documents from a successful Freedom of Information Act request shows that the NSA bought software exploits from a French hacking firm called Vupen, headquartered in Montpelier.
The NSA contracted with Vupen for a year-long “subscription” to zero day exploits, previously unknown vulnerabilities in software and hardware. Knowledge of zero day exploits allows for both defense against their use and offensive use for the purposes of surveillance and data theft.
Vupen CEO Chaouki Bekrar told Slate’s Ryan Gallagher that his company’s services include highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.”
The amount paid for this subscription was redacted on the document, and Bekrar did not divulge it, but the company pulled in $1.2 million in 2011—86 percent from non-French clients.
French investigative hackers Reflets.info has had their eye on Vupen for some time, the publication’s Fabrice Epelboin told the Daily Dot. Hacker and Reflets journalist Kitetoa wrote about the group yesterday.
Among his discoveries: Vupen has close ties with the French Army and is deeply involved in the French Army cyber-command’s offensive online initiatives.
Read more at http://www.dailydot.com/politics/nsa-malware-vupen/
One of the latest reports claims that the NSA is able to access data from Apple iPhones, BlackBerry devices, and phones that use Google’s Android operating system. In addition, following document leaks which suggested the NSA was accessing email records, a number of companies offering secure email shut down, and in their place, encrypted mobile phone communication applications have risen.
A fresh report, brought on by a Freedom of Information (FOI) request by government transparency site MuckRock, shows that the NSA purchased data on zero-day vulnerabilities and the software to use them from French security company Vupen.
According to the documents, the NSA signed up to a one-year “binary analysis and exploits service” contract offered by Vupen last September.
Vupen describes itself as “the leading provider of defensive and offensive cyber security intelligence and advanced vulnerability research.” In other words, the security firm finds flaws in software and systems and then sells this data on to governments.
In addition, Vupen offers offensive security solutions, including “extremely sophisticated and government grade zero-day exploits specifically designed for critical and offensive cyber operations.”
Zero-day vulnerabilities are security flaws in systems discovered by researchers and cyberattackers which have not been found or patched by the vendor.
- NSA purchased zero-day exploits from French security firm Vupen (zdnet.com)
- Security Firm VUPEN Confirms the NSA Bought Exploits Service Subscription (news.softpedia.com)
- NSA Keeps Its Hands Clean, Buys Zero-Day Vulnerabilities From French Firm Vupen (siliconangle.com)
- NSA contracted to buy malware from French hacker company (dailydot.com)