The contract, released under a Freedom of Information Act request, shows firm proof of the massive malware purchasing program run by the United States.
While it was most recently revealed that the FBI employs hackers, this is the first time that a document has been publicly released that clearly shows the NSA’s exploit purchasing program.
The contract, released by MuckRock, shows that the NSA paid a redacted sum to Vupen, a company based in Montpelier, France, for a year’s worth of exploits.
The exploits purchased are sometimes called “zero-day attacks” due to the fact that they remain undetected and unpatched by software developers.
They are “complex codes custom-written by hackers to target undisclosed security weaknesses in widely used operating systems like Windows and software programs like Google Chrome, Internet Explorer, Java, and Flash,”
according to Ryan Gallagher of Future Tense.
Such exploits can be used by spy agencies like the NSA to stealthily gain access to target systems for everything from surveillance to sabotage.
Gallagher also points out that such exploits can be used simply to strengthen an entity’s own computer networks in an effort to bolster cybersecurity. While that is true, the U.S. government has a much larger purchasing program that is clearly offensive in nature.
After all, American spy agencies launched a whopping 231 offensive cyber-operations in 2011 alone. The Pentagon also massively expanded their so-called cybersecurity forces in early 2013.
It is anyone’s guess how much the NSA spent, since it was totally redacted from the documents. Chaouki Bekrar, Vupen’s CEO, also declined to answer questions about the deal with the NSA when contacted by Gallagher.
However, Berar did say that Vupen’s binary analysis and exploits service includes “highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.”
The aim of the service is to “allow customers protect their systems against sophisticated attacks,” according to Bekrar.
While it is indeed possible that the NSA purchased such services for purely defensive reasons, it doesn’t seem all that likely given that the NSA offensively uses exploits, as The Washington Post revealed in an August story.
The Vupen contract could have been part of the tens of millions of dollars set aside by the agency for purchase of software vulnerabilities. After all, the Post revealed that the NSA budgeted $25.1 million for such purposes in 2013 alone.
Gallagher reported in January that Vupen’s latest financial records show they generated around $1.2 million in revenue in 2011 alone. Only 14 percent of that revenue came from French buyers.
Other companies involved in selling zero-day exploits reportedly include defense contracting giants like Raytheon and Northrop Grumman alongside lesser known names like Endgame Systems and Harris Corp.
While legislators in the United States remain relatively silent on the development and sale of these types of exploits, European lawmakers have expressed concern.
Marietje Schaake, a Dutch Member of the European Parliament, said last week that Europe should be at the forefront of regulating the burgeoning industry.
“We must end the export and proliferation of digital arms now,” Schaake said in a plenary speech. “We have to close the regulatory vacuum, and that includes curbing the trade in zero-day exploits.”
She cited the deliberate degradation of encryption as proof that freedom is being eroded in the name of security.
“Syria and the United States do not have much in common these days except for their use of surveillance, hacking, tracking, tracing and monitoring technologies,” Schaake said. “And far too many of those systems are made in Europe.”
No comments:
Post a Comment