Vupen

Vupen Security
Type: Société anonyme
Industry: Computer programming
Founded: 2004
Defunct: May 5, 2015 [1]
Headquarters,
Area served
Information security, Espionage
Website: vupen.com

Vupen Security was a French information security company founded in 2004 and based in Montpellier, with a U.S. branch in Annapolis, Maryland. It specialized in discovering zero-day vulnerabilities in software from major vendors and selling them to law enforcement and intelligence agencies, which used them in both defensive and offensive cyber-operations. [2] Vupen ceased trading in 2015, and the founders created a new company, Zerodium.

Work

In 2011, 2012, 2013 and 2014 Vupen won first prize in the hacking contest Pwn2Own, most notably in 2012 by exploiting a bug in Google Chrome. Their decision not to reveal the details of the vulnerability to Google, but rather to sell them, was controversial. [3] Unlike in 2012, during Pwn2Own 2014, Vupen decided to reveal to the affected vendors, including Google, all its exploits and technical details regarding the discovered vulnerabilities, which led to the release of various security updates from Adobe, Microsoft, Apple, Mozilla, and Google to address the reported flaws. [4]

Vupen originally provided information about software vulnerabilities for free, but later decided to earn money with its services. "The software companies had their chance", said Vupen founder Chaouki Bekrar according to Die Zeit, "now it's too late". [5] On 15 September 2013, it was revealed that the NSA was a client of Vupen and had a subscription to its exploit service. [6] On 9 November 2014, the German magazine Der Spiegel reported that the German information security agency BSI, tasked with the protection of federal government networks, was also a client of Vupen. [7] On 22 July 2015, it was revealed that Vupen provided exploits to the Italian company Hacking Team between 2010 and 2011. [8]

On 5 May 2015, Vupen's founders filed documents to close the company [1] and moved to the US to start a new cybersecurity startup named Zerodium.

Zerodium

On 23 July 2015, Vupen's founders launched their new cybersecurity company Zerodium in the US. The company has a different business model: it acquires zero-day capabilities from independent researchers and reports them, along with protective measures and security recommendations, to its government clients. [9]

References

  1. Registre des sociétés, Societe.com
  2. Andy Greenberg (21 March 2012). "Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)". Forbes.
  3. Kim Zetter (3 September 2012). "How to Pwn the Pwn2Own Contest". Wired.
  4. Google (14 March 2014). "Chrome Stable Channel Update".
  5. Philipp Alvares de Souza Soares: Cyberspionage: Durch die Hintertuer, in: Die Zeit October 2nd 2013.
  6. NSA Contracted With Zero-Day Vendor Vupen, Darkreading
  7. BND will Informationen ueber Software-Sicherheitsluecken einkaufen, in: Der Spiegel November 9th 2014.
  8. Hacking Team: a zero-day market case study, Vlad Tsyrklevich's blog
  9. Fisher, Dennis (July 24, 2015). "VUPEN Founder Launches New Zero-Day Acquisition Firm Zerodium". ThreatPost.com. Retrieved November 3, 2015.