Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions

from the portals-are-so-90s dept

Just under a year ago we wrote about Gamma International’s use of Mozilla’s trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the “Finfly Exploit Portal” providing:

access to a large library of 0-day and 1-Day Exploits for popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader and many more.

Here’s how it applies those exploits, as described by Privacy International:

By using the FinFly Exploit Portal, governments can deliver sophisticated intrusion technology, such as FinSpy, onto a target’s computer. While it’s been previously advertised that Gamma use fake software updates from some of the world’s leading technology companies to deliver FinSpy onto a target’s computer, the exploit portal puts even more power in the hands of government by offering more choices for deployment. Astonishingly, FinFly Exploit Portal guarantees users four viable exploits for some of the most-used software products in the world, such as Microsoft’s Internet Explorer and Adobe’s Acrobat programme.

Sadly, Gamma is not a one-off in this respect. Another company offering exploits to government agencies for the purpose of breaking into systems — that is, offensive rather than defensive actions — is Vupen Security. As its Web site explains:

As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN’s vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.

Privacy International comments:

Exploits are supremely valuable to security researchers, law enforcement agencies, governments in general, and surveillance companies. They have completely legitimate purposes and the research related to their development, especially vulnerability research, should be encouraged.

However, the possibility for abuse has led to increasing calls for some kind of regulation into the industry that goes beyond mere self-regulation by the industry itself. These are difficult policy decisions; the factors and issues to be weighed are complex and challenging. It is indeed difficult to envisage a realistic form of regulation that can achieve the right balance. Privacy International firmly believes that export controls on exploits at the moment are not an appropriate response.

We know from Snowden’s leaks that the NSA uses zero-day exploits to compromise computer systems used by foreign governments. That probably means that the US would be unwilling to introduce any constraints on their use (even nominal ones), as would other governments around the world that are doubtless turning to malware as a way of spying on targets in the same way.

The only way to blunt those attacks is for members of the software community to find, publish and patch vulnerabilities, as fast as they can. That’s yet another compelling reason for using free software: even if open source is just as likely to have flaws as closed-source programs (and opinions will differ on that score), it’s inarguable that they are easier to find and fix since the barriers to doing so are much lower.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Companies: gamma international, vupen, vupen security


Comments on “Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions”

38 Comments
Anonymous Coward says:

Nice of them to give us a list of vulnerable software

Offhand, I’d suggest that anyone with Adobe Acrobat Reader should uninstall it immediately. Wikipedia has a list of alternatives; I personally use Sumatra PDF.
Also, anyone out there using Microsoft Office should uninstall it and switch to LibreOffice.
Internet Explorer… Can you actually meaningfully uninstall IE on Windows 7/8? I know it used to be part of the OS, but I haven’t really paid attention to it in years.

Rikuo (profile) says:

Re: Nice of them to give us a list of vulnerable software

Thanks for the tip. I’ve uninstalled Adobe and as you suggested, installed Sumatra. I’ve been using LibreOffice for years and I only ever use IE whenever a web page refuses to load or simply doesn’t work in Firefox.
Speaking of Firefox, it’s primarily funded by Google. Do you have a suggestion for a browser that isn’t primarily funded by a US corporation that has most certainly been compromised?

Anonymous Coward says:

Re: Nice of them to give us a list of vulnerable software

You can uninstall IE even in the newer versions of Windows. Under “Programs and Features” on the left hand side there is an option called “Turn Windows features on or off.” Under there you can uninstall the bundled parts of Windows, like IE, by unchecking its box and hitting “OK.”

Anonymous Coward says:

If you use Microsoft or Adobe products

Then you are an idiot.

Period, full stop.

This is not open for debate or question. If by now, in 2014, you haven’t realized that Microsoft and Adobe products aren’t merely insecure, but insecurable, then you are a first-class moron and you DESERVE to be hacked, spied on, victimized, exploited, defrauded, and scammed.

Avoiding these isn’t a guarantee any more than wearing a seat belt is a guarantee. But it’s an utterly reasonable thing to do, and no one with even the slightest clue would consider doing otherwise.

madasahatter (profile) says:

Re: Re: If you use Microsoft or Adobe products

Any OS that publishes its source code. The reason: while there are exploits in all complex code, publishing the source code allows outside white-hats to test and propose real fixes to the maintainers. Closed source only allows one to describe the effects and how to exploit but not how to fix.

Also, if the source code is published, bug reports can be rapidly disseminated with a very specific warning about which module is problematic. The recent Linux bug reported the specific module that was problematic. Thus one can check to see if it is even installed or if installed one can remove it.

Anonymous Coward says:

Re: Re: Re: If you use Microsoft or Adobe products

Is that good enough?

The recent Linux gnutls only got picked up due to the Apple “goto fail” drawing attention; until then the gnutls bug had existed for 9 years despite source code being freely available and lots of people interested in Linux.

madasahatter (profile) says:

Re: Re: Re:2 If you use Microsoft or Adobe products

We know how long the issue was present with gnutls because the source code and change history is available. We do not know the age of any announced zero-day in closed-source code because the information is not released except indirectly. Patch xyz fixes versions cdef and version c is 8 years old. The patch fixes a bug that is at least 8 years old but what about versions a and b, was it present then? We do not know.

Anonymous Coward says:

Re: Re: Re:4 If you use Microsoft or Adobe products

The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours. By the time the bug was being widely reported, the patch was already being pushed out by the Distributions.

nasch (profile) says:

Re: Re: Re:5 If you use Microsoft or Adobe products

The fact that it existed for 8 years means there was little or no exploitation of the bug. The free and open source community are very good at figuring out how systems got exploited, and getting a fix out within hours.

There could have been exploits that weren’t made public.

Anonymous Coward says:

Re: Re: Re:6 If you use Microsoft or Adobe products

What the bug in GNUTLS allowed for was, specifically, a MITM attack. Improper checking of certificates presented allowed specifically crafted certs to be accepted.

Given the widespread use of GNUTLS in many applications, my guess is that it was reserved for high-value exploitation, and used minimally.

John Fenderson (profile) says:

Re: Re: If you use Microsoft or Adobe products

What madasahatter said.

Also, the security-minded folks will choose their OS in part based on how low-profile it is. For example, there are more exploits against Windows than OSX not because Windows is less secure, but because there are a lot more installations of Windows, so it’s the very first target for exploit development.

Ruben says:

Re: Re: Re:3 If you use Microsoft or Adobe products

In a way, it is. You said that “security-minded folks will choose their OS in part based on how low-profile it is.”

If that’s not security by obscurity, then you’re doing some NSA-esque word redefining there.

People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of a particular tool. Anything else is fanboyism.

John Fenderson (profile) says:

Re: Re: Re:4 If you use Microsoft or Adobe products

Not at all.

Acknowledging that some platforms are more attractive targets than others, and choosing not to use those platforms, is not “security by obscurity” unless I said that was all you needed to do to be secure. And I said no such thing.

“People who are concerned with their security usually approach it holistically, by defining their practices and methods to be secure without regard to the conspicuousness of a particular tool”

Absolutely. And the choice of platform is one of the factors in that holistic determination. If it isn’t, then the approach you’re taking to security isn’t actually holistic at all.

Anonymous Coward says:

Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don’t get patched as they are not generally known and everyone is less secure as a result.

Selling exploits should be made illegal worldwide so we go back to the full disclosure we had 15 years ago.

Anonymous Coward says:

Re: Re:

Exploits and vulnerabilities used to get posted on the net for kudos and reputation but then the security firms got involved so the vulnerabilities are now sold for profit and kept private. The effect of this is that the holes don’t get patched as they are not generally known and everyone is less secure as a result.

Exploits got posted on the net after the companies started to sue the messenger.

Guardian says:

hackers are united in NOT HELPING YOU

our resolve has long since passed in helping you fooking retards destroy our world….

the largest repository of hacker knowledge besides prolly the nsa itself is in my fookin hands and NOT THEIRS ….ever

let me tell you MIKE..if i wished i could alter this site and leave you a message ….but in so doing you and others and govts would put me away for 20 years….

enjoy your new nazi world
