Monthly Archives: May 2020

The National Security Agency develops advanced hacking tools in-house for both offense and defensewhich you could probably guess even if some notable examples hadn't leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a "contribution to the nations cybersecurity community" in announcing it at RSA, it will no doubt be used far beyond the United States.

You can't use Ghidra to hack devices; it's instead a reverse-engineering platform used to take "compiled," deployed software and "decompile" it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wildlike malware being used to carry out attacksto understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.

"If youve done software reverse engineering, what youve found out is its both art and science; theres not a hard path from the beginning to the end," Joyce said. "Ghidra is a software reverse-engineering tool built for our internal use at NSA. We're not claiming that this is the one thats going to be replacing everything out thereit's not. But it helped us address some things in our workflow."

"Theres really no downside."

Former NSA Hacker Dave Aitel

Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA. But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool. Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for freea major contribution in training the next generation of cybersecurity defenders. (Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.

The NSA announced Joyces RSA talk, and Ghidras imminent release, in early January. But knowledge of the tool was already public thanks to WikiLeaks March 2017 Vault 7 disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA. The actual code hadnt seen the light of day, though, until Tuesdayall 1.2 million lines of it. Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect. But Joyce emphasized the tool's customizability. It is also designed to facilitate collaborative work among multiple people on the same reversing projecta concept that isn't as much of a priority in other platforms.

Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be. Joyce's personal favorite? An undo/redo mechanism that allows users to try out theories about how the code they are analyzing may work, with an easy way to go back a few steps if the idea doesn't pan out.

The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives. But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now. By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways. If it seems like releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, though Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that that isn't a concern.

Malware authors already know how to make it annoying to reverse their code, Aitel said. Theres really no downside to releasing Ghidra.

No matter what comes next for the NSA's powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defendersand that conspiracy theorists can rest easy. "Theres no backdoor in Ghidra," he said. "Come on, no backdoor. On the record. Scout's honor."

More Great WIRED Stories

Continue reading here:
The NSA Makes Ghidra, a Powerful Cybersecurity Tool, Open ...

Written by Shannon Vavra May 7, 2020 | CYBERSCOOP

Good hackers steal, great hackers borrow.

According to new research from ESET, a code obfuscation tool thats been linked to Chinese-based hackers has been used in tandem with an implant that has been attributed to Equation Group, a hacking faction that is broadly believed to have ties to the National Security Agency.

ESET says the obfuscation tool is linked with Winnti Group, while the implant, known as PeddleCheap, appeared in an April 2017 leak from the mysterious group known as theShadow Brokers.

Its unclear if the sample was used in a malicious campaign or if its the product of a security researcher experimenting with different tools,according to Marc-tienne Lveill, a malware researcher at ESET. It was uploaded to malware-sharing repository VirusTotal in 2017, according to Lveill.

The Winnti-linked packer was used in a series of intrusions at gaming organizations in 2018, which ESET has previously documented.

ESET published its findings in the hopes that some other researchers may have more visibility into the samples origins, Lvill told CyberScoop.

Its not clear who is behind the sample its possible Equation Group used the Winnti-linked portion to run its own intelligence collection, but it is also possible Winnti, which is suspected to have links with the Chinese government, used the leaked NSA implant for its operations.

Lveill said he views the latter as the likely explanation.

It is likely that the Winnti Group used tools from the Shadow Brokers leak as a first stage to compromise their victims in 2017. Another, less likely, scenario is that the Equation Group has seen and reused the Winnti Group packer in their operations, Lveill told CyberScoop. Yet another, even less-likely scenario is that a thirdparty who had access to this Winnti Group [tool], used it with PeddleCheap from the Shadow Brokers leak.

The malware combination shows the far-reaching ramifications of the Shadow Brokers leak: attributing attacks via tools that were used in the massive dump is much moredifficult, as any number of actors can use them to muddle up security researchers findings.

These samples are an example of how attribution is difficult, if not impossible, by looking only at malware samples without additional context. It is relatively easy to repurpose malware [artifacts] once they are discovered and documented, Lveill told CyberScoop. In addition to that, it is possible intelligence agencies discover these components before they are public knowledge, misleading attribution made by analysts later on.

While the actors behind the Winnti-PeddleCheaptool may be unknown, Chinese hackers had access to some other tools that appeared in the Shadow Brokers leak months before the Shadow Brokers revealedthem to the public.

It remains unclear if that group, known as Buckeye orAPT3, stole the tools by breaching NSA systems or if they caught them in the wild. It is also possible the Chinese hackers independently observed the same vulnerabilities and created similar tools to exploit them.

Follow this link:
A discovered malware sample uses code from the NSA and a Chinese hacking group - CyberScoop

The Centres decision to ask television channels to include weather reports and forecasts for Pakistan-occupied Kashmir and the Northern Areas signals a significant shift in Indias strategy on Imran Khans Pakistan, people familiar with the development told Hindustan Times on Friday.

The move was conceived by National Security Adviser Ajit Doval some time back, a top government official said.

The formal proposal, crafted a little over three months back, went out from Deputy National Security Adviser (Strategic Affairs) Rajinder Khannas office on 3 February to the secretaries of foreign and home ministries apart from chiefs of Indias two lead intelligence agencies: Intelligence Bureau and the Research and Analysis Wing.

Their formal approvals came last week.

At one of the early discussions that were held to finetune the proposal, the official recalled how Doval had spoken of the multiple messages that this one move would send.

Doordarshan News has included towns of territories occupied by Pakistan in its daily weather bulletins(DD News/Screengrab)

The central point, the official said, is that this is my area and I am asserting my sovereignty by taking all the steps.

This week, the government told public broadcaster Doordarshan to include weather forecasts of Mirpur and Muzaffarabad in Pakistan-occupied Kashmir and Gilgit in the Northern Areas that are described by Pakistan as Gilgit Baltistan. Some private news channels have already told the government that they will also make changes to their weather bulletins.

Doordarshan was also told to use weather maps that include the entire territory of Jammu and Kashmir that would serve as a daily, and public reiteration of Indias stand.

Doordarshan News has started putting out weather reports for three Muzaffarabad, Mirpur and Gilgit as part of its weather report in different parts of the country(DDNews/Screengrab)

A second senior government official said the move marked a shift in Indias approach that had been perceived to be hesitant to go all out to hammer the message to Pakistan, its allies and the world that Islamabad was in illegal occupation of over 86,000 square km of Jammu and Kashmir.

This changes.

For one, the assertion of sovereignty becomes particularly important because of the China-Pakistan Economic Corridor that passes through the Northern Areas or, the expansive Gilgit-Baltistan region that is almost twice the size of Kerala.

When China floated the Belt and Road Initiative a few years ago, it had expected India to be part of the project though it passes through the Northern Areas under Pakistani control. When India protested, Beijing told New Delhi to still join in because this would not affect the status of Kashmir as a dispute between the two countries.

The daily weather map reinforces Indias message on the entire territory of J&K, every day, the official said.

The daily weather forecast, and the map of India on the television screens, also underlines Indias strong views on the occupied territory but also the fact that Pakistan was making material changes to the region and exploiting the population of this region.

In many ways, the official said, the map of India on the television screens also spotlights the plight of the people living in these areas whose rights are violated by Islamabad on a daily basis.

There is another constituency that India hopes to message: the political establishment in the United Kingdom to ask them to not take sides.

A large proportion of the Pakistani expatriate population in the United Kingdom is from Mirpur who have close links with Labour Party leaders such as Jeremy Corbyn who had gone to the extent of passing a resolution to seek international intervention after India scrapped Jammu and Kashmirs special status.

Link:
NSA Ajit Doval packs in 3 blunt messages to Pak in daily PoK weather forecast - Hindustan Times

Next week the Senate is poised to resurrect some federal surveillance powers that expired in the midst of the coronavirus pandemic. A handful of senators are hoping to force through reforms to better protect Americans' privacy.

In March the USA Freedom Act expired, somewhat unceremoniously, as lawmakers were unable to reach a consensus on a renewal as the pandemic began to pick up steam and overtake all public policy priorities.

The USA Freedom Act authorized (but restricted) the collection of Americans' phone and internet record metadata that the National Security Agency (NSA) had been gathering without citizen knowledge before Edward Snowden exposed it. A compromise bill, the USA Freedom Act added some buffers to how the NSA would collect the data and required more reporting of the activities of the Foreign Intelligence Surveillance Act (FISA) courts, so citizens would have a better sense of the extent that this "foreign" surveillance was in fact targeting Americans.

The NSA has since abandoned the metadata collection, which had proven ineffective at tracking down terror threats even as it violated Americans' Fourth Amendment rights. But the Act has other surveillance components (authorizing roving wiretaps, tracking so-called "lone wolf" terrorists). And even though the NSA has stopped using its metadata collection powers, President Donald Trump's administration has asked for the entire USA Freedom Act to be renewed, intact, permanently.

Fortunately, that's not going to happen: The House passed a renewal bill in March that officially killed off the records program once and for all. Now surveillance critics in the Senate, such as Rand Paul (RKy.), Mike Lee (RUtah) and Ron Wyden (DOre.), are pushing for further reforms to the way the government targets American citizens for secret surveillance. Their demands for amendments to the House's bill stopped the bill from moving forward in March. Now the Senate plans to consider the House's bill along with these proposed amendments.

The USA Freedom Act played no role in the FBI's use of the FISA court to secretly wiretap former Trump aide Carter Page. But the discovery that the FBI played fast and loose with the truth when requesting these warrants from the FISA court, and the subsequent evidence that the FBI regularly does a terrible job of documenting its evidence when targeting any Americans for FISA surveillance, have created an opening for civil libertarians to call for stronger privacy protections.

The Hill reports:

Sen.Rand Paul (RKy.) will get a vote on his amendment that would bar the FISA court from issuing warrants for American citizens and instead require law enforcement agencies such as the FBI to obtain a warrant from a normal court established under Article III of the Constitution.

Sens.Mike Lee (RUtah) and Patrick Leahy (DVt.) will get a vote on their amendment to require the appointment of amicus curiae, or outside advisers, with expertise in privacy and civil liberties to advise the FISA court on surveillance warrants.

Sens.Steve Daines (RMont.) andRon Wyden (DOre.) will get a vote on an amendment to bar law enforcement from obtaining internet browsing and search history without a warrant.

These are all great amendments. Unfortunately, they will probably fail. Far too many lawmakers on both sides of the aisle are against serious surveillance reforms.

Senators like Paul are banking on Trump's outrage over what happened to Page to push these additional reforms through. Establishment Republicans and Democrats are banking on Trump only caring about how surveillance affects him and the people around him.

We'll soon find out which side is correct. My money's on the establishment, but I'll be happy to be wrong this time.

Original post:
FISA Surveillance and Possible Reforms Are Back on the Senate's Agenda - Reason

The Lompoc Aftershock is heading to Modesto over the 4th of July weekend for the NSA State Championships with games beginning at 8 a.m. on Independence Day. Then they're off to Las Vegas the following weekend to compete in the NSA Western World Series against some of the top teams in the West, with opening ceremonies on Wednesday, July 16 and pool play beginning at 8 a.m. Thursday. The team includes (front row, from left)Mariah Escobedo, Mariah Villalobos, Jasmin Salas, Tasi Taua; (second row, from left)Amber Hooks, Jacqueline Castaneda, Bianca Gonzales, Samantha Hernandez, Antoinette Terrones; (third row, from left)Alexia Wilhite, Yesenia Vega, Armani Garcia, Alina Terrones, Yesenia Carrillo, Sierra Preston; and (back row, from left) coach Emilio Salas, coach Chris Wilhite, manager Benny Garcia and coach Frank Hernandez. Not pictured is coach Scotty Marshall.In an effort to help defray the cost of competing in the NSA World Series, Aftershock is having a chicken barbecue fundraiser on Saturday, July 12, at the Elks Lodge in Lompoc from 11 a.m. until 2 p.m. or until sold out. The donation is $9 per plate. The team is also accepting donations via GoFundMe at http://www.gofundme.com/aftershockfastpitch.

Link:
Photos: Antoinette Terrones over the years | | santamariatimes.com - Santa Maria Times

A SHEEP farming group has welcomed the news that trade discussions with the US are due to start following disruptions caused by Covid-19.

Phil Stocker, chief executive of The National Sheep Association (NSA), has said they are pleased to hear these negotiations are now beginning after the delays caused by the pandemic.

He said: "We believe there are valuable opportunities for both our industry and the US sheep industry, in Britain, getting access for lamb and mutton into the US.

"The US sheep meat market is highly underdeveloped with very low lamb consumption across the country, and I am convinced that our genetics and British lamb and mutton, very different products to those produced by most US sheep farmers, could help stimulate real interest among American consumers and in turn help US sheep farmers see some growth.

For us, access into the US could create demand for those high-value cuts, particularly sheep meat with provenance and a story simply because of the close connections between our countries and the huge interest in our culture and heritage an aspect which sheep farming is steeped in.

He said the NSA is clear that market access to the EU is a priority but is enthusiastic to expand and build stronger connections further afield.

We dont see this as an alternative to the EU market," said Mr Stocker. "But it would be a positive trade that would complement both our exports and our domestic market. This is particularly prudent at current as the ongoing Covid-19 pandemic has shown how reliant our industry is on the catering and hospitality market and I could see future US demand for British lamb and mutton coming in alongside our own catering markets, all of which help to balance carcase demand and optimise value across the entire sheepmeat product range.

The NSA has previously expressed concerns about the quality of standards UK producers expect importers to meet.

Mr Stocker said: We welcome statements from Ministers and Government officials that in terms of reciprocal trade our standards will be protected and, while as a general statement, the Government is enthusiastic about free and open trade it does recognise that agriculture and food, like the NHS, is an industry that requires a level of protection and I do expect the commitments not to undermine our unique approach to farming, food, and the environment to be upheld.

See more here:
NSA welcomes start of trade talks with the US - Darlington and Stockton Times