NSA Releases Security Research Tool But Can You Trust It?
Article by Davey Winder – Forbes
7 March 2019
In recent years it has become almost commonplace for leaked National Security Agency (NSA) hacking tools to hit the headlines thanks to being used in attacks such as WannaCry, NotPetya and even the Democratic National Committee (DNC) email breach during Hillary Clinton’s U.S. election campaign. But now the NSA has itself released an open-source reverse-engineering hacking tool called Ghidra into the public domain. The question is, would you trust a security tool developed by spooks?
What is it for?
Perhaps it would be better to first explain what it isn’t for, and that’s hacking into stuff. Well, if that ‘stuff’ is hardware at any rate. This is a reverse-engineering platform so instead it allows security researchers and malware analysts to hack into the code behind the nasty software stuff. Think of it as a magic window into the binary world of software, all the zeros and ones, that translates that installed and compiled code into something that reveals exactly what the software actually does. As Lily Hay Newman, writing for Wired, puts it, security researchers using this tool to investigate malware can “understand how it works, what its capabilities are, and who wrote it or where it came from.” The big question though is can they trust it, given the nature of the NSA beast? During a speech at the annual RSA security conference in San Francisco this week, Senior Advisor for Cybersecurity Strategy to the Director of the NSA, Rob Joyce, insisted that there is no backdoor in Ghidra. “This is the last community you want to release something out to with a backdoor installed, to people who hunt for this stuff to tear apart” Joyce said. I decided to ask around amongst security professionals to see if they were in a trusting mood and, indeed, whether they would be using Ghidra.
Do you trust it, will you use it?
You might be forgiven for thinking, taking the plentiful opinions of security and privacy advocates regarding NSA surveillance techniques into account, that there might be little trust in such a tool from the cybersecurity profession. Forgiven, but wrong. The vast majority of those people I contacted were incredibly welcoming of the Ghidra public release. Take Ian Trump, head of security at AmTrust International, who told me that “there will be folks that will be turned off, it turns out infosec has trust issues, who would have guessed?” However, he also reckons that creating and giving away free professional tools is a non-political gesture which should be applauded and encouraged. “Whatever the case” Trump concluded “this is a gesture which I think is both bold and will be appreciated by the majority of the infosec community.” So, is he right? Chris Doman, security researcher at AT&T Cybersecurity, thinks so. His argument being that there really hasn’t been any competition to the main reverse-engineering tool, IDA Pro, which “can be cost prohibitive and there are hurdles to obtain.” Doman is hopeful that Ghidra may “level the reverse engineering playing field, enabling students and newer security researchers to use a high grade reverse engineering tool.”
The compliments and trust keep coming, this time from Dr Darren Williams, CEO and founder of cyber-security firm BlackFog, who told me that he “welcomes the assistance of the NSA to fight the global effort in identifying and removing bad actors from our devices.” Ghidra shows that the NSA is “serious in working together with industry to solve these very real and potentially very damaging problems” Williams insists. Adding yet another complimentary voice (with a touch of caution) is Ben Herzberg, director of threat research at Imperva. “While this is definitely a positive step from the NSA, we must remember that this release is just the tip of the iceberg” Herzberg says, adding “More importantly, this definitely does not mean that the agency is becoming a transparent organization.” By which he means that the move should not be directly connected to other issues surrounding the NSA such as Snowden for example.
Not everyone is so positive though. Rufus Caldecott, an operations analyst at the Blackstone Consultancy, thinks one has to “ask why the NSA, a spy agency, is really giving this out for free, when similar tools can cost somewhere in the thousands.” He also refers to the Snowden incident, but says “putting aside suspicions regarding the NSA’s enigmatic motives, the tool itself seems to have rapidly gathered a reputation among cyber experts for being both extremely advanced and reliable.” Others are also less than convinced. “The whole community is wary whenever the NSA or governments release a tool for the general public to use” says Ben McCarthy, senior content developer at Immersive Labs, who continues “I will not be using this tool on a network-connected computer until I have analyzed the source code fully to check it is not doing anything suspicious – as would most people.” McCarthy does concede that if all his checks are OK then he sees no reason not to use it. Bridget Kenyon, the global CISO with Thales eSecurity, shares similar concerns. “I’d use it in a sandbox for starters, to monitor what it’s doing and see if it comes with any hidden party tricks” Kenyon said, continuing that she would trust it dependent on the open source community “working through the code for surprises.” Kenyon mitigates the trust risk a little by adding that the scope of Ghidra’s professed capabilities is limited and relatively benign. “It shouldn’t be impossible to rely on it for general commercial use” Kenyon says, concluding “but if I were a foreign power, then nope.” Suzanne Spaulding, an advisor to Nozomi Networks and a former Department of Homeland Security Under Secretary, told me that she understands the mistrust but would certainly use Ghidra herself. “First, it’s incredibly useful for forensic threat analysts” she explains, continuing “second, it’s open source, so NSA would be taking a huge risk that anything malicious it might build in would be detected eventually.”
So, how might it improve security?
I put that very question to Michael McNerney, a former cyber policy advisor in the U.S. Office of the Secretary of Defense and now product manager for cyber threat intelligence at NETSCOUT. “Similar reverse engineering platforms might already exist on the market” he said “but the widespread experimentation I expect to see with this tool will set it apart.” Regardless of its current capabilities, the huge open source feedback loop invites progress. “That’s one of the two key things about releasing it open-source, with the other it being free” McNerney added. Overall then, he is certain that the accessibility of Ghidra, from every perspective, will ultimately “help unlock threat intelligence for many and level the playing field for cybersecurity professionals across different sectors and levels of understanding.”
Let’s not forget that this isn’t the first time that ‘spooks’ have released security tools into the public domain. Kevin Whelan, CTO at ITC Secure, reminded me that the U.K. Government Communications Headquarters (GCHQ) released CyberChef into the public domain back in 2016. This particular Swiss Army knife tool for analyzing and decoding data is “not as functional as Ghidra but still useful” Whelan says, concluding “more tools = more power.”