Vulnerability Management

NSA sought services of French security firm, zero-day seller Vupen

The National Security Agency (NSA), which is already under scrutiny for circumventing widely used encryption methods for online data, obtained services from a French firm known for selling zero-day exploits.

On Tuesday, MuckRock published the evidence: a year-long contract between NSA and security company Vupen.

Self-described as a public records service that files Freedom of Information Act (FOIA) requests, MuckRock brought attention to key details in the FOIA-obtained contract. Namely, the NSA purchased a 12-month subscription for a “binary analysis and exploits service” from Vupen.

The contract was signed on Sept. 14, 2012, but specific information, such as the cost of the services offered to the NSA, was redacted.  

Soon after news of NSA's dealings with Vupen became public, Vupen's CEO and Head of Research Chaouki Bekrar, eventually took to Twitter on Wednesday saying the company would no longer reply to media inquiries about the NSA contract.

The revelations incited public criticism, particularly as other details about NSA's mission to undermine encryption of online communications was revealed weeks ago.  

Earlier this month, The Guardian, The New York Times and ProPublica collaborated to shed light on the fact that the NSA pressured tech companies into giving the agency backdoor access to encryption software and, in some cases, outright stole company encryption keys by hacking organizations' servers, according to documents leaked by whistleblower Edward Snowden.

Furthermore, The Washington Post highlighted NSA's intense interest in the exploit market in August, bringing forth the agency's budget for zero-day purchases. NSA spent more than $25 million this year to obtain information on software vulnerabilities discovered by private firms, the paper revealed.

UPDATE: In a Wednesday evening email to SCMagazine.com, Vupen's CEO Bekrar addressed the recent findings on its contract.

"Vupen has been advertising and selling its private vulnerability research and intelligence for years and there is no real news here since we have always been transparent about the fact that we work with major government agencies to help them defend their infrastructures and citizens against cyber-world and real-world threats," Bekrar wrote. "Many of these agencies work with various local and foreign exploit providers to get the largest coverage and protection possible against software and hardware vulnerabilities."

Bekrar also added that its binary analysis and exploits service allows customers to "protect their systems against sophisticated attacks."

Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, told SCMagazine.com that there was no way to tell whether the NSA would use zero-day information for defensive or offensive measures.

"They may use it for their tailored operations, and given the revelations about their activities, we can't be certain that the NSA will use [the information] within the bounds of the Constitution," Opsahl said. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.