
Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors

Cory Doctorow at 3:42 pm Fri, Mar 30, 2012


The Electronic Frontier Foundation's Marcia Hoffman writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hoffman points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose their discoveries to the software vendors themselves, even for money, because they want to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.

While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million. But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.

EFF calls out governments for trafficking in these vulnerabilities, rather than demanding their disclosure and repair. Any unpatched vulnerability puts every user of the affected software at risk. For a government to appropriate a vulnerability to itself and keep it secret in the name of "national security," rather than fixing it for the nation's citizens, is "security for the 1%."

“Zero-day” exploit sales should be key point in cybersecurity debate

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Business • computer science • eff • lawful interception • politics • security • spyware


  • Palomino

    I have a house with ten doors. Each door has a coded lock from a different company. One company, not wanting to be liable for a break-in, and to prove their lock is superior, hires VUPEN to secretly come to my home to figure out a way to break at least one of the other nine companies' codes. VUPEN then sells the info to all ten companies, who may or may not employ a band of thieves or rapists.

  • hdon

    May I be the first to say, “DURRRRR!”

    Of course if you’re a terrorist and want to avoid all these vulns, all you probably have to do is run a web browser like Lynx.

  • corydodt

    Have fun keeping Anon from burning down your house, VUPEN. You may know a list of vulnerabilities, but I bet you don’t know all of them. And you depend on your software too.

    • SoItBegins

      What’s to keep Anon from finding their list of vulnerabilities and posting them to the world?

      • EH

        The honeypot.

      • corydodt

        Oh, of course they will post the list. Right after they shred the company.

        • Charlie B

          I think your assessment of the capabilities of a bunch of script kiddies is extremely unrealistic.

  • Eark_the_Bunny

    If I were a good software company, I think I would have some high grade in-house hackers to constantly try to exploit my software in order to know where the vulnerabilities are and not just wait for someone else to find out.

    • http://www.openbuddha.com/ Al Billings

      Where will you find these hackers? Why will they come work for you? If they’re good enough to do that, they’re usually good enough to be consultants or work for a private security firm for a hell of a lot more than you’ll be able to pay them.

  • dweller_below

    I dream about a future time when the US has become wiser on internet security.

    In my dream, the CDC has a branch that handles the epidemiology of computer infection. The CDC collates infection rates and publishes meaningful metrics that allow us to judge the relative effectiveness of various programs of IT Security measures.

    A couple years ago, I doodled the outlines of those metrics at: https://it.wiki.usu.edu/SecurityPerformanceMetric

    In my dream, governments and ISPs have coordinated to isolate and reform any ISP that tolerates the insertion of spoofed source packets. Prolonged DoS attacks are a faint, distasteful memory.

    I dream that the US government refuses to do business with any organization that interferes with effective and timely disclosure of security vulnerabilities. Once the NSA started regularly disclosing all its known IT vulnerabilities, the world vulnerability marketplace collapsed.

    And a pony. In my dreams I’m riding a blue, hypo-allergenic pony.

    • Andrew Singleton

      Can I share your dreams?

    • jeligula

      Enjoy the pony.

  • Marc45

    Just a fantasy but wouldn’t it be sweet if the CEO of VUPEN had their identity stolen as a result?

  • domanite

    Is anyone concerned about the obvious next step: governments using their influence and access to *inject* vulnerabilities and back doors? For all I know, the Patriot Act might make that legal. It might even gag the targets. (Putting in tinfoil hat now…)

    • Andrew Singleton

      Stay where you are Citizen. A security detail will be with you shortly. Remain Calm and stay put. This is merely for your own protection.

      • http://carrierlost.com/ Tonweight

        Please assume the Party Escort Submission Position…

  • phisrow

    Here is what I don’t understand:

    Obviously, the assorted spooks inhabiting NATO enjoy having exploits with which to access various computer systems.

    However, it is widely asserted that hacks against the US and other NATO-bloc nations are a serious security issue (and, as a nation with major financial, industrial, and scientific endeavors online compared to most other countries capable of fielding hackers, this isn’t exactly implausible).

    Further, the routes for legal access to most domestic systems are already quite wide (CALEA, warrants, national security letters) and extralegal access probably wider still, and you don’t need an exploit if you have a warrant and a gun.

    Given these things, why are such entities tolerated? Sure, in the CIA’s ideal world, they’d have access to absolutely everything; but this isn’t their ideal world: they know that outfits like China have fairly sophisticated hackers, and even petty racketeers have script kiddies and basic virus kits. Surely it would be in their interest to promote computer security, no?

    An insecure system can be broken with an exploit, and all sorts of people have exploits. A secure system can be broken with a warrant or a gun and rather fewer people have those. It seems like even the most nakedly self-interested intelligence entities would prefer the latter case, given their access to warrants and guns…

    • jeligula

      Hell, I broke my Gunny’s Officer Voting System password in 1990 merely by guessing what a man like him might use. I got it on the 14th attempt. Turned out it was “lesbians”. Nothing is as exploitable as personal knowledge.

  • itsgene

    Remember, the governments of the world got software companies to embed detection algorithms to protect us from accidentally scanning banknotes, and got printer companies to add barely visible tracking information to every print. What makes you think they wouldn’t add government-accessible holes to their OSes?

  • anharmyenone

    Ask your congressperson about this at the next townhall meeting and write to your congressperson in the meantime. Also email this article to journalists.

    • http://www.openbuddha.com/ Al Billings

      Because my congressperson (I hate that word) controls French companies?

      • http://boingboing.net/ The Life Of Bryan

        They do if you’re represented by a Democrat.

  • Guest

    The scariest part about all this is that people actually assumed that the government was on their side in the first place. Surprise!!??????

  • Cowicide

    Maybe it’s time to attack assholes like VUPEN?  I’m just askin’ questions.

  • David Weintraub

    Hold on. The only thing we have is the word of one scuzzy “security company” that they only sell to “NATO governments” and “NATO partners”, and you REALLY believe this scumbag?

    I wish the U.S. government was actually one of the customers. It would then be reported to the National Vulnerability Database http://nvd.nist.gov/ and reported back to the firms that make the software. After all, security vulnerabilities hurt trust in the overall economy and make the nation weaker. Not something any government really wants to do.

    Nor are banks VUPEN customers. U.S. regulations require banks to share known security vulnerabilities with other banks and with the company that produced the software. That would hurt VUPEN’s bottom line.

    I doubt that VUPEN is selling these exploits to either governments or banks.

  • donovan acree

    Aren’t the actions of VUPEN illegal under WIPO and the DMCA?