VUPEN Restricts Access to Dual-Use Exploits as Part of Wassenaar Arrangement

Are 0-days and exploits soon going to be regulated here in the US next?

I found this page over on VUPEN's website interesting. Basically, they are now following the Wassenaar Arrangement, which classifies their 0-days and exploits as regulated and export-controlled “dual-use” technologies. Going forward they will only sell to approved government agencies in approved countries.

The interesting thing to note is that the US is listed as a “Participating State” of this agreement as well. Does anyone know of proposed or existing laws that force the same restrictions in the US? The recently passed 2014 National Defense Authorization Act spending bill we discussed last week might just be the start.

The big question is where the government will draw the line in terms of defining “dual-use.” Will day-to-day security tools (e.g., Nessus and Nmap) fit into this category? What about a quick bash script you write up to bruteforce web application session ids? Only time will tell…

via VUPEN.com

As the leading source of advanced vulnerability research, VUPEN provides government-grade zero-day exploits specifically designed for law enforcement agencies and the intelligence community to help them achieve their offensive cyber missions and network operations using extremely sophisticated and exclusive zero-day codes created by VUPEN Vulnerability Research Team (VRT).

While other companies in the offensive cyber security field mainly act as brokers (buy vulnerabilities from third-party researchers and then sell them to customers), VUPEN’s vulnerability intelligence and codes result exclusively from in-house research efforts conducted by our team of world-class researchers.

Our offensive and exclusive exploits take advantage of undisclosed zero-day vulnerabilities discovered by VUPEN researchers, and bypass all modern security protections and exploit mitigation technologies including DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), sandboxes, and Antivirus products.

Continued here.

#####

Today’s post pic is from Ifex.org.

7 comments for “VUPEN Restricts Access to Dual-Use Exploits as Part of Wassenaar Arrangement”

  1. January 6, 2014 at 2:33 am

    BLOGGED: Are 0-Days & Exploits Soon to Be Regulated? http://t.co/Hy4FA6dB1z

  2. January 7, 2014 at 11:04 am

    VUPEN Restricts Access to Dual-Use Exploits as Part of Wassenaar Arrangement Find out more here http://t.co/jBwIXrz8S3 #infosec

  3. January 7, 2014 at 11:23 am

    VUPEN Restricts Access to Dual-Use Exploits as Part of Wassenaar Arrangement https://t.co/onIAsTBT9p

  4. January 7, 2014 at 10:07 pm

    Comment from @cBekrar on Twitter:

    US Commerce Control List will comply/include any new Wassenaar list, thus export of exploits/trojans will be also regulated in US

  5. January 8, 2014 at 9:32 am

    To answer your question, the U.S. has long had export control regimes in place that support their status as a Wassenaar signatory. If you look at the Commerce Control List in the export regulations, you’ll see a number of information security-related categories, including:

    Information security equipment software: 5D992
    Information security technology support software: 5D002.b
    Information security equipment and components, n.e.s.: 5A992
    Information security software: 5D002
    Information security systems/equipment/devices/components: 5A002
    Information security technology: 5E992
    Information security – test, inspection, and production equipment: 5B002

    There are others that relate, encryption being an obvious example.

    As to whether they “force” the same controls, the answer almost certainly is “it depends.”

    With export controls and “dual-use” products, the devil really is in the details. Sometimes small differences in feature set, export destination, or even use case can make a difference in the status and whether a particular piece of technology falls into a controlled category or not.

    It doesn’t help that some of the BIS rules can get a little Kafka-esque. For example, in the case of encryption, there are many cases where they will flat out tell you that “it is not controlled,” but that you still have a legal obligation to provide certain notices and technical information to certain parts of the U.S. Government BEFORE you ever make it available.

    For all the exploit developers out there, it’s also important to remember that consulting can be considered an export, as can having non-U.S. people present in the lab in some cases. This is all in the unclassified world, to boot.

  6. January 8, 2014 at 11:46 am

    Strat: Thanks for the info. As usual the devil is in the details.

  7. September 17, 2014 at 3:35 am

    VUPEN Restricts Access to Dual-Use Exploits as Part of Wassenaar Arrangement https://t.co/T28zuAYslN
