August 08, 2019

Welcome to Codebook, coming at you live from Las Vegas, where Black Hat and DEF CON, America's premier cybersecurity research conferences, take place back to back.

I will bet $5 on the championship success of an NFL team of Codebook readers' choosing. Vote by replying to this email. Or just send me news tips.

Today's Smart Brevity: 785 words, 3-minute read

1 big thing: NSA's free malware research tool gaining traction

After 6 months, Ghidra adoption is looking good. Illustration: Rebecca Zisser/Axios

In March the National Security Agency released an internal malware research tool for free to the public, a first for the secretive agency. Six months later, by most indications, the release is an even bigger event than the NSA thought.

Why it matters: Some aspects of researching malware have long required expensive software. The release of Ghidra, the NSA tool, has profoundly changed the field, opening it up to students, part-timers and hobbyists who otherwise couldn't afford to participate.

It's been a good six months for Ghidra. The software has been downloaded more than 500,000 times from GitHub.

  • "We had a bet on how many downloads it would be," Brian Knighton, senior researcher at the NSA, told Axios. "We were off by quite a factor."
  • Ghidra also netted the NSA two nominations for "Pwnie" awards at the typically NSA-averse Black Hat cybersecurity conference this week.
  • The NSA was also pleasantly surprised with the number of outside developers modifying code and creating new features for the now open-source program.
  • The toolkit is popular enough that the NSA now offers touring classes on Ghidra for colleges and universities.

The big picture: It's still too early to judge Ghidra's success based on its use in published malware research or incidents in which hackers have been thwarted. But based on engagement of new and old researchers alike, that kind of evidence seems likely to follow.

Background: Ghidra is a reverse-engineering tool that lets researchers turn compiled, machine-executable programs back into human-readable code, so a program's logic can be studied without access to its source. When Ghidra was released, observers speculated that the purpose of the release was to create a global research explosion to counter national threats.

  • That was certainly one NSA goal. But another that's been overlooked is cutting down the training time for NSA recruitment.
  • “Now we can hire someone who has already used Ghidra,” said Knighton.

Knighton will present an update on Ghidra at Black Hat on Thursday, including new NSA-developed features and answers to some of the lingering questions about the program.

  • “We’ll explain why we called it 'Ghidra,'” said Knighton, which is still an open question, beyond the fact that King Ghidra is a formidable rival of Godzilla.
  • More practically, the conference talk will address the choice to design the program in Java, a programming language that some experts now view as cumbersome and dated.

2. Yes, North Korea funds its weapons program with cybercrime

Reuters reported Monday that, according to a UN report, North Korea has funded its weapons programs with $2 billion in proceeds from cybercrime.

If only the UN read Codebook, it would know North Korea funds everything using cybercrime. Sanctions have taken away the country's legitimate revenue sources, and a combination of ransomware, cryptocurrency theft and digital bank heists is its main gambit to meet its budget.

3. In case you're missing Black Hat and DEF CON

Fancy Bear lurks in IoT: Fancy Bear, the Russian hacker group most famous for its involvement in 2016 election tampering, is attempting to enter corporate networks through internet-connected devices, Microsoft's Eric Doerr will present today.

  • Why it matters: Internet of Things devices are notoriously poorly secured. In the Microsoft report, Fancy Bear allegedly breached a VoIP phone, an office printer and a video device in multiple locations — and 2 out of 3 of these breaches were possible because users kept the factory default usernames and passwords.
  • From there, Fancy Bear monitored network traffic from those devices and used them as a foothold in networks to launch attacks.

Apple sending hackers phones: Apple is expected to announce a program to give outside researchers early access to phones, allowing them to discover security flaws before wider release. The announcement was first reported by Forbes.

Wicked6 Cyber Games: The first Wicked6 Cyber Games, a college cybersecurity competition, will take place today across the street from Black Hat.

  • The games, which will raise funds for programs aimed at increasing women's involvement in cybersecurity, are the first attempt to turn cybersecurity competitions into a spectator sport. They will take place in the Luxor Hotel's esports arena, with sporting-type commentators calling the event.

Hackers are in the mail: IBM released a fun report in conjunction with the conferences detailing how hackers could use snail mail to breach computer networks, which Axios detailed here.

The most broken blockchain: Kudelski Security is presenting FumbleChain, an intentionally insecure blockchain, at both conferences.

  • "We wanted a vulnerable implementation for people to use to teach them about blockchain security," Nathan Hamiel, Kudelski's director of cybersecurity research, told Codebook.
  • FumbleChain comes with lesson modules, a broken wallet and a broken store.

4. Odds and ends

DOJ: AT&T employees were bribed to unlock phones. (Wired)

A Spanish brothel chain exposed a trove of internal data, including its employees' real names. (ZDNet)

CafePress, which puts slogans on T-shirts, had a breach affecting 23 million. (Infosecurity Magazine)

The NSA and FBI might relax hiring standards for qualified hackers who may have smoked marijuana. (The Register)

The White House is drafting an order to stop alleged social media bias. (Politico)

FireEye goes deep on the criminal/espionage hybrid group known as Winnti. (FireEye)

5. No, it isn't

A blue hat that says Black Hat

This is not a black hat.