
Open-source software is any kind of program where the developer behind it chooses to release the source code for free. Whenever software has an open-source license, it means anyone in the world can download, modify, and distribute it without paying fees to its original creator.

Since the open-source movement took off as a software development philosophy at the end of the 1990s, it’s changed the world. Estimates even suggest that a mind-blowing 96% of all web servers globally are running on some form of open-source Linux operating system, for example.

It’s important to remember that open source doesn’t just mean “free”. Lots of companies release their software for free but maintain full copyright ownership of their code, so other developers aren’t able to modify it. By contrast, successful open source initiatives are built on the hard work of potentially thousands of collaborators who have voluntarily given up their time to create something awesome.

Such an accessible development system has some serious advantages. Open-source software is often more secure because people from around the world scrutinize new releases, and bugs get reported and addressed fast. People are also motivated to add new features to open-source platforms, which means open-source software is often just as good as, if not better than, competing pay-to-use programs.

In the list below you’ll find SANS Institute’s open-source software options, sorted by type. Each piece of software is feature-rich and highly customizable.


The National Security Agency develops advanced hacking tools in-house for both offense and defense—which you could probably guess even if some notable examples hadn’t leaked in recent years. But on Tuesday at the RSA security conference in San Francisco, the agency demonstrated Ghidra, a refined internal tool that it has chosen to open source. And while NSA cybersecurity adviser Rob Joyce called the tool a “contribution to the nation’s cybersecurity community” in announcing it at RSA, it will no doubt be used far beyond the United States.

You can’t use Ghidra to hack devices; it’s instead a reverse-engineering platform used to take “compiled,” deployed software and “decompile” it. In other words, it transforms the ones and zeros that computers understand back into a human-readable structure, logic, and set of commands that reveal what the software you churn through it does. Reverse engineering is a crucial process for malware analysts and threat intelligence researchers, because it allows them to work backward from software they discover in the wild—like malware being used to carry out attacks—to understand how it works, what its capabilities are, and who wrote it or where it came from. Reverse engineering is also an important way for defenders to check their own code for weaknesses and confirm that it works as intended.

“If you’ve done software reverse engineering, what you’ve found out is it’s both art and science; there’s not a hard path from the beginning to the end,” Joyce said. “Ghidra is a software reverse-engineering tool built for our internal use at NSA. We’re not claiming that this is the one that’s going to be replacing everything out there—it’s not. But it helped us address some things in our workflow.”

Similar reverse-engineering products exist on the market, including a popular disassembler and debugger called IDA. But Joyce emphasized that the NSA has been developing Ghidra for years, with its own real-world priorities and needs in mind, which makes it a powerful and particularly usable tool. Products like IDA also cost money, whereas making Ghidra open source marks the first time that a tool of its caliber will be available for free—a major contribution in training the next generation of cybersecurity defenders. (Like other open source code, though, expect it to have some bugs.) Joyce also noted that the NSA views the release of Ghidra as a sort of recruiting strategy, making it easier for new hires to enter the NSA at a higher level or for cleared contractors to lend their expertise without needing to first come up to speed on the tool.

The NSA announced Joyce’s RSA talk, and Ghidra’s imminent release, in early January. But knowledge of the tool was already public thanks to WikiLeaks’ March 2017 “Vault 7” disclosure, which discussed a number of hacking tools used by the CIA and repeatedly referenced Ghidra as a reverse-engineering tool created by the NSA. The actual code hadn’t seen the light of day, though, until Tuesday—all 1.2 million lines of it. Ghidra runs on Windows, MacOS, and Linux and has all the components security researchers would expect. But Joyce emphasized the tool’s customizability. It is also designed to facilitate collaborative work among multiple people on the same reversing project—a concept that isn’t as much of a priority in other platforms.

Ghidra also has user-interface touches and features meant to make reversing as easy as possible, given how tedious and generally challenging it can be. Joyce’s personal favorite? An undo/redo mechanism that allows users to try out theories about how the code they are analyzing may work, with an easy way to go back a few steps if the idea doesn’t pan out.

The NSA has made other code open source over the years, like its Security-Enhanced Linux and Security-Enhanced Android initiatives. But Ghidra seems to speak more directly to the discourse and tension at the heart of cybersecurity right now. By being free and readily available, it will likely proliferate and could inform both defense and offense in unforeseen ways. It may seem like releasing the tool could give malicious hackers an advantage in figuring out how to evade the NSA, but Dave Aitel, a former NSA researcher who is now chief security technology officer at the secure infrastructure firm Cyxtera, said that isn’t a concern.

“Malware authors already know how to make it annoying to reverse their code,” Aitel said. “There’s really no downside” to releasing Ghidra.

No matter what comes next for the NSA’s powerful reversing tool, Joyce emphasized on Tuesday that it is an earnest contribution to the community of cybersecurity defenders—and that conspiracy theorists can rest easy. “There’s no backdoor in Ghidra,” he said. “Come on, no backdoor. On the record. Scout’s honor.”

At 19, Santiago Lopez is already counting earnings totaling over USD 1 million from reporting security vulnerabilities through the vulnerability coordination and bug bounty platform HackerOne. He’s the first to make this kind of money on the platform.

In 2015, when he was 16 years old, Lopez started to learn about hacking. He is self-taught, his hacker school being the internet, where he watched and read tutorials on how to bypass or defeat security protections.

Two years to get to $1M in bounties

The rewards came a year later when he got a $50 payout for a cross-site request forgery (CSRF) vulnerability. His largest bounty was $9,000, for a server-side request forgery (SSRF).

He spent his first bug bounty money on a new computer, and as he accumulated more in rewards, he moved to cars.

At the moment, he has a record of 1676 distinct vulnerabilities submitted for online assets belonging to big-name companies like Verizon, Automattic, Twitter and HackerOne, to private companies, and even to the US government. Lopez ranks second on HackerOne.

A hacker’s work week, tools and experience

In 2018, the researchers on HackerOne earned over $19 million in bounties; the amount is a big jump from the more than $24 million paid in the previous five years. However, the goal of the program is to reach $100 million by the end of 2020.

The recent report from the platform shows that there are over 300,000 registered hackers who have submitted more than 100,000 valid vulnerabilities.

Most of the hackers (35.7%) spend up to 10 hours on average per week looking for bugs. A quarter of them work between 10 and 20 hours every week.

According to the survey, the researchers with the most experience in cybersecurity, over 21 years, represent the smallest percentage. The majority of the hackers, 72.3%, have between one and five years of experience.

Over 72% of the hackers surveyed by HackerOne for the report look into website security and 6.8% research APIs and technology that holds its own data. The favorite tool of the trade is Burp Suite for testing web apps.

Making money, learning the ropes, being challenged and having fun are the top reasons given by the researchers submitting bugs via HackerOne, while bragging rights come in last place.

HackerOne’s 2019 report also shows that cross-site scripting (XSS) is the preferred attack method, followed by SQL injection. The full report is available here.