The US Navy wants to buy your zero-day vulnerabilities

# In the navy... Yes, you can sail the seven seas
In the navy... With our vulnerabilities #

# They want you, they want you
They want you as a new recruit #

(With apologies to The Village People)

Guess who has been advertising for zero-day vulnerabilities?

None other than the US Navy!

As EFF researcher Dave Maass uncovered, the United States Navy's Naval Supply Systems Command posted a request for vulnerabilities on FedBizOpps.gov, the site on which US government agencies publish contract opportunities.

Vulnerabilities needed

"This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software.

- These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others."

"The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries."

"Based on the Government's direction, the vendor will develop exploits for future released Common Vulnerabilities and Exposures (CVE's)."

The posting was swiftly deleted from FedBizOpps.gov after its discovery by Maass, but he has helpfully posted an archived copy of it here.

One would like to assume that the US Navy is planning to use the exploits to test and harden its own systems, rather than to attack the computer systems of others.

One would also like to think that the US Navy would inform the likes of Adobe, Apple, Microsoft and Google if its search turned up any zero-day vulnerabilities that the rest of the world would appreciate seeing patched.

But in this day and age, who knows what their intentions are.

And now, the moment you've all been waiting for...


6 Responses

  1. Watching

June 16, 2015 at 12:55 pm

    "But in this day and age, who knows what their intentions are"???

    Your left wing paranoia is on display, again.

    Yesterday a "Murdoch paywall" reference to introduce your topic and dismiss it at the same time, today the US Navy is camped out in your bedroom watching from the camera on your computer.

    Today a cite to an EFF paranoiac, yesterday to a treasonous professional whiner, Murray (who seems to have a fondness for "dissent" and lap dancers).

Just report computer security news and advice and leave the "opinions" to folks with the brains to actually have one worth posting.

    • Graham Cluley in reply to Watching.

June 16, 2015 at 1:14 pm

      Clearly I've upset you somehow. Otherwise you wouldn't have made guesses regarding my political leanings and mental health.

      Anyway, you sound like you have got some interesting opinions. If you feel the urge to redress the perceived imbalance, feel free to put an article forward for consideration. Details of contributor guidelines here: https://www.grahamcluley.com/about-this-site/contributor-guidelines/

      I do require authors to use their real names I'm afraid.

    • Coyote in reply to Watching.

June 16, 2015 at 10:19 pm

      'Just report computer security news and advice and leave the "opinions" to folks with the brains to actually have one worth posting'

      Giving an opinion while calling out opinions. Brilliant.

      1. Most people have ONE brain; are you implying you have more than one? Are you thinking of the same thing others do with the word 'brain'? Perhaps you mean neuron? You might have more than one of those but you have one brain. Yes, yes, I should know what you mean. I do. But being a literal thinker (extremely) and also being scientifically inclined, I'm going to point out these facts.
      2. Computer security news is exactly what this is. In fact it is more than that, see below.
      3. Opinions don't always involve facts: Opinions don't need facts; opinions are from the imagination at times. Ironically your response is only (or mostly) opinion and consequently somewhat hypocritical.
4. Your suggestion that it is paranoia when there is actually evidence… (Doesn't take much effort to find it; indeed EFF has a mirror of the very document!) As for paranoia: you have no idea what you speak about; I would take offence to that (because I know what REAL paranoia is like) except your statements (and any similar statements) are so ridiculous (and show ignorance on the subject). But forgetting true paranoia (which being ever aware is not), being aware of espionage is important (I wonder why nations don't like other nations spying…): those who think they have nothing to be afraid of with being monitored (also giving too much information; having too much information given about them; or even those who think they aren't being monitored), are those who are most vulnerable to abuse from it. The truth of the matter is, spying IS a problem to those who are being spied on (which might as well be everyone including spies). That is WHY it is as old as mankind (and older; some dinosaurs were predators, for instance): the more information you have, the easier it is to plan an attack (and succeed). Indeed, one of the first things an attacker will do when targeting a network is to get as much information as they can about the target[1], including the personal information of the staff, scan for any weaknesses, sniffing (which is eavesdropping) where applicable and much more; the more information the better. But what would I know? I'm paranoid (not exactly but I have been in the past). But all that makes you what… gullible? Naive? Certainly not aware.

The above is black marketing exploits, 0-days no less! It is a most serious problem, and not what you would hope for a military (military, authorised, not paramilitary!) to get into. But they do. As do other nations. Yet it is a problem to everyone including themselves and yes, yourself. Each exploited system is more vulnerable to further attacks, and each exploited system is a thorn in the side to others (spammers often employ computers under their control because they were exploited, for one example of many).

      Lastly, and most importantly is this: humour is important… his fun above takes a serious problem and adds some light to it. But different people have different ways of expressing themselves, which is somewhat like opinions. To expect someone to write only seriously is taking life far too seriously (something I don't understand but if it works for you then that is your choice). Even then, the points are quite valid. In short, your post is highly opinionated (not much else) while simultaneously calling out opinions (which every one has whether they admit it or not; while some of my points are facts there is opinion here, too).

      [1] You'd actually see that the Navy understands this if you bothered to read their document.

    • 0z_ in reply to Watching.

June 17, 2015 at 7:47 pm

      I seriously doubt the US Navy would waste their resources spying on regular people in their bedrooms. That's what school systems that give laptops to your kids are for.

  2. 0z_

June 17, 2015 at 8:06 pm

    I guess this means the Navy will have a new job opening soon to replace whoever foolishly posted that request. The US military branches do have a serious unmet need for more and better infosec people, but I'm not sure just offering to buy vulns and hackware from almost anybody is the best way of addressing the problem. I've occasionally met some of these so-called contract vulnerability researchers. Half of them can't even program, most just use prepackaged software and the 'exploits' they find are often best described as "switches the Q and Z keys on a keyboard and only works during leap years". Even worse, the reason they eventually wind up on MY radar and blow their cover is because they're engaging in some sort of nasty or illegal behavior online.
    There're plenty of talented hackers, but the US gov is notorious for picking neither the best nor the brightest.

  3. Coyote

June 19, 2015 at 1:08 am

    "But in this day and age, who knows what their intentions are."

    It is an interesting thing: If they meant well they wouldn't have deleted it from their host (of course you don't simply delete things from the Internet…and they are just one of many organisations that prove this). But they did. That means at best their intentions weren't benign.
