[ISN] NSA Paid French Hacker Company For Software Exploits, Contract Reveals

http://www.slate.com/blogs/future_tense/2013/09/17/nsa_paid_french_hacker_company_vupen_for_software_exploits.html

By Ryan Gallagher
Slate.com
Sept. 17, 2013

France was one of several countries in Europe whose people are outraged by revelations about the National Security Agency’s surveillance programs. But it turns out that a French company has quietly bolstered the NSA’s capabilities.

According to a contract newly released in response to a Freedom of Information request, last year the NSA purchased a 12-month subscription to a “binary analysis and exploits service” sold by Vupen, a company based in Montpellier, France. These exploits, sometimes described as “zero days,” are complex codes custom-written by hackers to target undisclosed security weaknesses in widely used operating systems like Windows and software programs like Google Chrome, Internet Explorer, Java, and Flash. A spy agency can use exploits to help infiltrate targets’ computers in espionage operations or to strengthen its own computer networks as part of cybersecurity efforts.

It is unclear how much money the NSA spent on the Vupen exploits package because the cost has been redacted in the released contract. Vupen CEO Chaouki Bekrar declined to answer questions about his deal with the NSA, but told me in an emailed statement that his company’s binary analysis and exploits service includes “highly technical documentation and private exploits written by Vupen’s team of researchers for critical vulnerabilities affecting major software and operating systems.” Bekrar added that the aim of the service was “to allow customers protect their systems against sophisticated attacks.”

It seems possible that the NSA purchased the Vupen service for defensive reasons, with the purpose being to secure U.S. government infrastructure from adversaries. However, the NSA is believed to use zero days in offensive hacking operations, too. A Washington Post scoop in August detailed how the NSA has apparently turned to exploits as part of its covert attempts to spy on foreign computer networks. The Post reported that the NSA designs most of its own “implants” used for this purpose, but set aside $25.1 million in 2013 for “additional covert purchases of software vulnerabilities” from private providers.

[…]