Friday Five: 3/8 Edition
The NSA open sources a reverse engineering tool, Chinese hackers hit US universities, and a Chrome zero day - catch up on the week's news with this roundup!
1. The NSA Makes GHIDRA, A Powerful Cybersecurity Tool, Open Source by Lily Hay Newman
Seemingly all of infosec Twitter rejoiced Tuesday night, shortly after 7 p.m. EST, when the NSA open sourced Ghidra, a previously classified software reverse engineering framework. Rob Joyce, the NSA's senior cybersecurity adviser, previewed the tool shortly before it was released in a session at the RSA Conference in San Francisco. While there are plenty of tools out there that can reverse engineer applications, very few of them are free and readily available on GitHub. In the eyes of Joyce, few of those tools have seen the exhaustive development that Ghidra, which the NSA has used in real time scenarios, either. For all intents and purposes, the tool has been a hit in the community with experts like Dave Aitel and Google's Tavis Ormandy heaping praise on it.
2. Chinese hackers targeted US universities in pursuit of maritime military secrets: report by Lucia I. Suarez Sang
The second major hacking scoop via WSJ this week – after its Iranian hackers story – involves a gang of Chinese hackers who have apparently been pillaging universities, many in the U.S. but some in Canada and Southeast Asia, in pursuit of sensitive technology data. In a series of attacks dating back almost two years, the campaign targeted submarine program code and research on undersea technology. Central to the research, scheduled to be published by Accenture's iDefense next week, is that all of the universities were working with Woods Hole Oceanographic Institution, a research and education nonprofit located in Woods Hole, Mass. Woods Hole, for what it’s worth, says it has no evidence it was compromised.
3. New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild by Mohit Kumar
Most Google Chrome users have the browser configured to automatically update every time there's a new release, something that happens almost weekly. If you're one of the few who don't, hopefully you saw this story and heeded the advice of experts this week. A nasty use-after-free vulnerability (CVE-2019-5786) in the browser, one that could lead to remote code execution attacks, was discovered and patched by the Chrome security team recently. Chrome rolled out a fix last Friday in update 72.0.3626.121 but that the fact the bug was actually being exploited in the wild, something stressed by Google employees this week, caused the story to get a lot of play over the last several days. Details on the bug should come to light in about 90 days, as is customary for vulnerability disclosure for the company; here's hoping everyone has patched by then.
4. Alphabet’s Chronicle finally reveals its cybersecurity moonshot by Rachel England
We’ve mentioned before here how rare it is to include product news in this space but sometimes news is so interesting and is commands headlines so that it’s almost impossible. That’s the case this week when Alphabet, Google’s parent company, announced at RSA that its cybersecurity company, Chronicle, was set to debut Backstory, its first product, a global, cloud-based telemetry platform. A la Splunk, the SIEM can comb through vast storage, indexing, and search capabilities to trace a malicious attack. While Chronicle's CEO Stephen Gillett categorized the product as "distinctly not Google," Backstory is obviously going to have a veritable treasure trove of data at its fingertips. Google, unlike a lot of companies, isn't going to have any difficulty parsing through and managing that data over a long period of time.
5. Locking More Than the Doors as Cars Become Computers on Wheels by Jim Motavalli
Last on the docket: a fine recap of car hacking trends over the last decade or so via The New York Times. Yes, Chris Valasek and Charlie Miller's Jeep Cherokee hack is in there. It also drills into efforts made by automakers of late to remedy issues, even if they're largely kept in the background. A handful of not so popular private firms, like Upstream Security in Israel, and Kugler Maag Cie, that are working to bolster automotive security, are mentioned throughout. The best line, even though it's a little on the money, comes via Ron Plesco, a principal at KPMG Cyber Security Services: "Car thieves used to have crowbars; now they use laptops.”