Mar 5, 2019

Axios Codebook

Greetings from the RSA security conference in San Francisco! This is the Codebook cybersecurity newsletter.

1 big thing: NSA's new cybersecurity tool

Illustration: National Security Agency

The NSA will release an agency-designed tool to research malware as a free-to-the-public, open source program.

The big picture: The NSA program, known as GHIDRA, is a reverse engineering tool that takes malware and returns the source code used to make it, which otherwise remains inaccessible. That enables researchers and security pros to understand, attribute and even counter the malware.

Why it matters: This small move could be widely disruptive.

  • Reverse engineering tools aren't cheap, costing in the hundreds or thousands of dollars to license. Any group releasing a free, high-quality tool democratizes research into how cyberattacks are waged.
  • But the NSA isn't just any group. Spy agencies typically keep their tech close to the vest, and sharing it in this way changes the dynamic of the NSA's relationship with the American and global public.

GHIDRA will become an open source project, meaning any software developer can use it, modify it and contribute code to help improve the product.

  • Users familiar with GHIDRA describe it as comparable to (some said better than) commercially available offerings, although it may be a little buggy.
  • That's probably not a huge deal to anyone trying to learn or teach the art of malware analysis.
  • "GHIDRA will help level the playing field for cybersecurity personnel, where there is a well-documented skills gap, by providing a tool that they otherwise wouldn't have access to or could afford," said Patrick Miller, a Raytheon researcher and fan of the tool. "This will likely lead to the tool being used in cyber and coding competitions as well as in school curricula."
  • Miller noted that GHIDRA and commercial tools like IDA and Binary Ninja each offer advantages, and serious researchers would find uses for all three programs in their arsenals.

The impact: To the NSA, the move offers a number of advantages.

  • It brings an agency that's been maligned since the Edward Snowden revelations out of the shadows and demonstrates a commitment to the public good.
  • Making research easier raises the cost for foreign adversaries to attack Americans, both public and private.
  • It demonstrates NSA confidence in the tools it keeps secret and in those used by its sibling agency, Cyber Command, in offensive missions.

To answer your least pressing questions: GHIDRA is pronounced "Gee - dra," according to NSA official Rob Joyce, who will be presenting the tool to the RSA cybersecurity conference for its official release later Tuesday. We asked.

  • A Ghidra is (perhaps coincidentally) a character in the Final Fantasy series of video games — an apparent mistranslation of the Japanese word for Hydra.
  • The logo on the NSA site for GHIDRA is a snake with a dragon's head forming an infinity symbol, turning its tail into binary code as it eats it. The binary spells out the first statement programmers traditionally learn how to display: "Hello world."
2. Companies are catching on to hacks faster

It took companies 3–4 weeks less time to discover they had been hacked in 2018 than in 2017, according to a report from the security firm FireEye, dropping from 57.5 days to 32 days.

Yes, but: Attackers still have a real advantage. 32 days is still a long time given how quickly hackers can move from a single breached account to controlling large swaths of a network.

  • The fastest hackers begin to move laterally in a network in a matter of minutes (CrowdStrike clocks Russian spies' average at 20 minutes) to hours (cybercriminals take an average of 10 hours).

Also: Advanced persistent threats (APTs) are getting more persistent, according to the FireEye report. APTs — a jargony name for advanced nation state attackers — revisited more recent victims in 2018 than 2017.

  • 64% of all FireEye customers were targeted by groups that had hit them within the past 19 months again during 2018, up from 56% the year before.
3. Google sibling Chronicle launches a flagship product

Chronicle, the security firm owned by Google parent Alphabet, launched its flagship security product Backstory at an unofficial RSA event Monday.

The big picture: Backstory provides a quick search and analysis technique for organizations to find the order of events leading to a breach, taking data from a variety of security products and archiving how user accounts interact with the internet (including sites used by malware to upload stolen data).

Why it matters: While this isn't Chronicle's first product — Chronicle runs VirusTotal, a researcher clearinghouse for malware that Google purchased in 2012 — it is the first mass-market product for the company and the first conceived in house.

The intrigue: Many, including journalists at the launch event, expressed concern about privacy aspects of the program, given the cloud-based design of Backstory and Google's history of analyzing data users provide it.

  • The company was quick to note that Chronicle is completely walled off from Google, and it works out custom privacy agreements with its clients — both preventing Google from using uploaded data commercially.

The companies in the beta test of Backstory included Siemens and the security firm Carbon Black, whose own data analyzing security tool can integrate with Backstory.

4. Sharpshooter is probably North Korea, decides McAfee

Kim Jong-un. Photo: AFP/Getty Images

North Korea appears to have helmed a hacking campaign previously identified as "Operation Sharpshooter," according to a new report from McAfee, who first reported on the attacks in December.

The big picture: McAfee originally believed the attacks showed so much evidence they were from North Korea that it might indicate a different actor trying to frame Pyongyang. But the company's researchers now say that analysis of code and data from an intermediary server indicates the attacks really did originate from North Korea.

Details: According to the new report, the Sharpshooter campaign dated back to at least September 2017, a year earlier than was previously known.

  • Sharpshooter pivoted its targeting during the year it has been active. It currently appears to target financial services, government and critical infrastructure, with a primary focus on Germany, Turkey, the U.K. and the U.S. Earlier hacking mainly targeted telecommunications, government and financial sectors, largely in the U.S., Switzerland and Israel.

Other interesting notes from the report:

  • The attackers appear to have conducted test campaigns in the city of Windhoek, Namibia, before taking the campaign global. This might give the U.S. a window into other attacks in the works, the same way that the U.S. sees Russian attacks against Ukraine as clues to what Russia might do next.

Go Deeper: Report: North Korea likely led "Sharpshooter" hacking

5. A busy day in unpatched security flaws
  • Google's Project Zero revealed a vulnerability in MacOS that has not yet been patched. They're calling this one "BuggyCow."
  • Researchers at Worcester Polytechnic Institute found a hard-to-patch flaw in the same Intel microprocessor function that spawned the Spectre and Meltdown bugs. They're calling this one "SPOILER."
6. Odds and ends

Codebook will be back on Thursday.