Tooled Up

This week has been the week of the annual RSA security conference held this year at the Moscone Centre in lovely San Francisco.

As with all vendor-sponsored events, quite a lot of the event is all about tools. Old tools, new tools, tools that are but a twinkle in the eye of the creator being sold as if they were fully-grown. You get the picture.

In Wikileaks Vault 7, the existence of an NSA malware reverse engineering tool called Ghidra was published. Putting this into perspective, this was along with a massive number of NSA exploits, which the Shadow Brokers tried to sell.

Amongst the trouble that this massive leak caused is the fact that the NSA could neither confirm/deny nor publish details of these exploits, because clearly some of them might be in use and missions would be compromised. People might be hurt.

It is common knowledge that a former employee (surprise) pleaded guilty to his naughtiness. It now seems as if the NSA is turning this to its advantage.

At the RSA conference this week, the NSA announced and published the entire source code for its malware reverse engineering solution Ghidra (named after a character in a game), encouraging its use by the community.

This toolset is very powerful and since it is free, represents extraordinary value compared with commercial offerings (e.g. OllyDBG, HexRays, IDApro).

This will make malware exploration and decoding accessible to a new army of wannabe malware hunters and hackers alike. On the one hand more bad code will be discovered and documented, on the other, the operation of nasty payloads may be examined and copied to build more bad stuff.

The NSA is publicly claiming that exposure to this software will enable potential recruits to come better equipped for the job on day one, although it is almost certain that they use more advanced versions of this and other tools.

Of course GCHQ released CyberChef in 2016 (without a fanfare), which is fairly widely used. Not as functional, but useful.

The industry consensus appears to be the more tooling the better; however, there are significant security issues. Apparently Ghidra in debug mode opens port 18001. We are sure that this can be managed.
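Managing it starts with knowing whether the listener is there at all. The script below is an added example (not Ghidra project code, and not from the original post): it parses `ss -ltn` style output (the sample lines are constructed) and flags any socket on port 18001 that is bound to something other than loopback, then offers a live probe of the local host. The port number comes from the post; that the debug listener is a JVM debug (JDWP) socket is our assumption, and an analyst running Ghidra normally, not in debug mode, should see no listener at all.

```python
"""Check whether a debug listener on TCP 18001 (the port the post says Ghidra's
debug mode opens) is exposed beyond loopback.

Added example for this post; not Ghidra's own code. Assumes the listener is a
JDWP-style debug socket and that `ss -ltn` is available for the parsed check.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass

GHIDRA_DEBUG_PORT = 18001  # from the post; assumed to be a JDWP debug port
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


@dataclass
class Listener:
    local_addr: str
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when the socket is reachable only from this host."""
        return self.local_addr.startswith(LOOPBACK_PREFIXES)


def parse_ss_listeners(output: str) -> list[Listener]:
    """Parse the 'Local Address:Port' column (4th field) of `ss -ltn` output."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::1]:18001 too
        if not port.isdigit():
            continue
        listeners.append(Listener(addr, int(port)))
    return listeners


def exposed_debug_listeners(output: str, port: int = GHIDRA_DEBUG_PORT) -> list[Listener]:
    """Listeners on the debug port that are NOT confined to loopback."""
    return [l for l in parse_ss_listeners(output) if l.port == port and not l.loopback_only]


def debug_port_open_locally(port: int = GHIDRA_DEBUG_PORT, timeout: float = 0.5) -> bool:
    """Live check: can we connect to the debug port on this host?

    A refused connection means nothing is listening (the expected state when
    Ghidra is not running in debug mode).
    """
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample of `ss -ltn` output: one listener on 18001 bound to all
# IPv4 interfaces (exposed) and one bound to IPv6 loopback only (fine).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       50      0.0.0.0:18001       0.0.0.0:*
LISTEN  0       50      [::1]:18001         [::]:*
"""

if __name__ == "__main__":
    for l in exposed_debug_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed debug listener: {l.local_addr}:{l.port}")
    print("debug port reachable on this host:", debug_port_open_locally())
```

In practice you would feed `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout` to `exposed_debug_listeners`; an empty result means either Ghidra is not in debug mode or its listener is confined to loopback, which is the state an analysis workstation should be in.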

If you fancy some malware debugging, please do give us a call. Contact us at: [email protected] or call 020 7517 3900.