Aug 8, 2019

NSA's free malware research tool gains traction, 6 months on

Illustration: Rebecca Zisser/Axios

In March the National Security Agency released an internal malware research tool for free to the public, a first for the secretive agency. Six months later, by most indications, the release is an even bigger event than the NSA thought.

Why it matters: Some aspects of researching malware have long required expensive software. The release of Ghidra, the NSA tool, has profoundly changed the field, opening it up to students, part-timers and hobbyists who otherwise couldn't afford to participate.

It's been a good six months for Ghidra. The software has been downloaded more than 500,000 times from GitHub.

  • "We had a bet on how many downloads it would be," Brian Knighton, senior researcher at the NSA, told Axios. "We were off by quite a factor."
  • Ghidra also netted the NSA two nominations for "Pwnie" awards at the typically NSA-averse DEF CON hacker conference this week.
  • The NSA was also pleasantly surprised with the number of outside developers modifying code and creating new features for the now open-source program.
  • The toolkit is popular enough that the NSA now offers touring classes on Ghidra for colleges and universities.

The big picture: It's still too early to judge Ghidra's success based on its use in published malware research or incidents in which hackers have been thwarted. But based on engagement of new and old researchers alike, that kind of evidence seems likely to follow.

The background: Ghidra is a reverse-engineering tool. Given a compiled binary, it disassembles the machine code into assembly instructions and then decompiles those into C-like pseudocode, so that researchers can read what a program does without having its source.
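Ghidra exposes both of those stages to scripts written in Java (its own implementation language) or Jython. The script below is added here as an example; it is not code from the original article or from the Ghidra project. It assumes Ghidra has already imported and auto-analyzed a binary, and the project path and `sample.bin` in the comments are placeholder names chosen for this example. For each function the analyzer identified, it prints the disassembly listing and then the decompiler's C output.

```java
// DumpDecomp.java -- added example, not NSA or Ghidra project code.
// Save it in a Ghidra script directory (e.g. ~/ghidra_scripts) and run it from
// the Script Manager, or headlessly after import + auto-analysis:
//   analyzeHeadless /tmp/proj SampleProj -import ./sample.bin -postScript DumpDecomp.java
// "/tmp/proj", "SampleProj" and "sample.bin" are placeholders for this example.
//@category Examples

import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.listing.Listing;

public class DumpDecomp extends GhidraScript {

    @Override
    public void run() throws Exception {
        Listing listing = currentProgram.getListing();

        // The decompiler runs as a separate native process; open it once per program.
        DecompInterface decomp = new DecompInterface();
        if (!decomp.openProgram(currentProgram)) {
            printerr("decompiler failed to start: " + decomp.getLastMessage());
            return;
        }
        try {
            // Walk every function the analyzer found, in address order.
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (monitor.isCancelled()) {
                    break;
                }
                // Thunks and external (imported) functions have no body to read.
                if (f.isThunk() || f.isExternal()) {
                    continue;
                }

                println("=== " + f.getName() + " @ " + f.getEntryPoint());

                // Stage 1: disassembly, i.e. the machine instructions inside the function body.
                for (Instruction ins : listing.getInstructions(f.getBody(), true)) {
                    println(String.format("  %s  %s", ins.getAddress(), ins));
                }

                // Stage 2: decompilation of the same function into C-like pseudocode
                // (60-second timeout per function; the monitor allows cancellation).
                DecompileResults res = decomp.decompileFunction(f, 60, monitor);
                if (res.decompileCompleted()) {
                    println(res.getDecompiledFunction().getC());
                } else {
                    printerr("  decompile failed: " + res.getErrorMessage());
                }
            }
        } finally {
            decomp.dispose();
        }
    }
}
```

Both stages are static: nothing in the sample is executed. A malware sample still belongs on an isolated analysis VM, and names the script prints (function names, strings) come from the untrusted binary, so treat them as attacker-controlled if they are fed into other tooling.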

When Ghidra was released, observers speculated that the purpose of the release was to spark a global surge in malware research that would help counter threats to national security.

  • That was certainly one NSA goal. But another that's been overlooked is cutting down the training time for NSA recruitment.
  • “Now we can hire someone who has already used Ghidra,” said Knighton.

Knighton will present an update on Ghidra at the Black Hat cybersecurity conference Thursday, including new NSA-developed features and answers to some of the lingering questions about the program.

  • “We’ll explain why we called it 'Ghidra',” said Knighton, which is still an open question, beyond the fact that King Ghidra is a formidable rival of Godzilla.
  • More practically, the conference talk will address the choice to design the program in Java, a programming language that some experts now view as cumbersome and dated.
