
NSA sought services of French security firm, zero-day seller Vupen

The National Security Agency (NSA), which is already under scrutiny for circumventing widely used encryption methods for online data, obtained services from a French firm known for selling zero-day exploits.

On Tuesday, MuckRock published the evidence: a year-long contract between NSA and security company Vupen.

Self-described as a public records service that files Freedom of Information Act (FOIA) requests, MuckRock brought attention to key details in the FOIA-obtained contract. Namely, the NSA purchased a 12-month subscription for a 'binary analysis and exploits service' from Vupen.

The contract was signed on 14th September 2012, but specific information, such as the cost of the services offered to the NSA, was redacted.  

Soon after news of NSA's dealings with Vupen became public, Vupen's CEO and head of research Chaouki Bekrar eventually took to Twitter, saying the company would no longer reply to media inquiries about the NSA contract.

The revelations incited public criticism, particularly as other details about NSA's mission to undermine encryption of online communications were revealed weeks ago.

Earlier this month, The Guardian, The New York Times and ProPublica collaborated to shed light on the fact that the NSA pressured technology companies into giving the agency backdoor access to encryption software and, in some cases, outright stole company encryption keys by hacking organisations' servers, according to documents leaked by whistle-blower Edward Snowden.

Furthermore, The Washington Post highlighted NSA's intense interest in the exploit market in August, bringing forth the agency's budget for zero-day purchases. NSA spent more than $25 million this year to obtain information on software vulnerabilities discovered by private firms, the paper revealed.

UPDATE: In an email sent to SCMagazine.com on Wednesday evening, Vupen's CEO Bekrar addressed the recent findings on its contract.

"Vupen has been advertising and selling its private vulnerability research and intelligence for years and there is no real news here since we have always been transparent about the fact that we work with major government agencies to help them defend their infrastructures and citizens against cyber-world and real-world threats," Bekrar wrote. "Many of these agencies work with various local and foreign exploit providers to get the largest coverage and protection possible against software and hardware vulnerabilities."

Bekrar added that the company's binary analysis and exploits service allows customers to "protect their systems against sophisticated attacks".

Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, told SCMagazine.com that there was no way to tell whether the NSA would use zero-day information for defensive or offensive measures.

"They may use it for their tailored operations, and given the revelations about their activities, we can't be certain that the NSA will use [the information] within the bounds of the Constitution," Opsahl said. 
