One of the revelations from latest Snowden document leaks described how the U.S. National Security Agency was able to intercept Microsoft Windows Error Reporting logs in order to fingerprint machines for potential compromise.
The German publication Der Spiegel says the documents indicated the NSA uses its XKeyscore tool to intercept the Windows crash reports. Making matters worse, the reports are sent unencrypted to Microsoft and Windows machines post-XP have this feature turned on by default. Windows admins must change a Group Policy setting in order to force encryption upon the initial transmission.
Reports of XKeyscore, meanwhile, surfaced in July hours before NSA Director Gen. Keith Alexander delivered the keynote address at the annual Black Hat Briefings in Las Vegas. Whistleblower Edward Snowden shared training materials with The Guardian that instruct agency analysts how to mine the agency’s vast intelligence databases for terrorism targets in the U.S. and abroad.
The crash reports, also known as Dr. Watson reports, are a wealth of system data, similar to what some strains of malware use in targeted attacks in order to identify potential system, network and application weaknesses that can be used to move laterally through an enterprise or government agency network.
Not only are these reports sent when there is a Windows crash, but also when there is a hardware change—and that includes the first-time use of a new USB device, including mobile devices. Researchers at Websense said the reports are sent over HTTP and the information includes the timestamp information, device manufacturer, identifier and revision, along with host computer information such as default language, operating system service pack and update version, hardware manufacturer, model and name, as well as BIOS version and unique machine identifier.
The Der Spiegel report says the NSA’s Tailored Access Operations (TAO) unit, a team of elite and young hackers, will use these identifiers to monitor for system crashes and learn about potential vulnerabilities that can be exploited.
Microsoft has more than one billion PCs on the planet reporting this information, and according to Websense director of security research Alex Watson, 80 percent do so in the clear. The reports aid Microsoft in improving the user experience but also identify bugs in Windows code that need attention. While IT security teams can leverage this information to understand soft spots on their networks, government agencies and nation state attackers can do the same.
“What these crash reports are—when you get enough of them—they create a blueprint of the applications running on a network that could be used by a skilled adversary to develop or deliver very specific attacks with a low chance of getting detected,” Watson said.
These Windows Error Reporting logs are different from the application crash reports that users are familiar with. For example, when Outlook or Internet Explorer crashes, users are presented with a dialog box and have the option of sending a crash report to Microsoft and asking Microsoft to find a solution. The Windows Error Reporting feature is different and is on by default; admins must opt-out of sending them to Microsoft, Watson said.
“This is for hardware changes or plugging in a USB device—which is considered to be a hardware change—it could be a thumb drive, anything you could think of and that will send that information to Microsoft without requiring that user to click ‘Yes,’” Watson said. “That is assuming the default setting [is on]— that you’re participating in the error program.”
Microsoft can reach back to the computer in question for a memory dump or core dump of the application when it crashed in order to further research the problem. Those requests and transmissions are encrypted using TLS 1.1 or 1.2 if available, protecting any sensitive information stored by Windows or an application such as log-in credentials. The first stage, however, is likely sent in the clear for performance reasons, Watson said.
The risk is, however, not necessarily if an attacker is on your computer or whether the machine is infected; chances are the attacker has already fingerprinted the compromised machine in order to hack it. Where the data is vulnerable is upstream as it’s sent between the machine and Microsoft, for example through a proxy or untrusted ISP used by multinational organizations.
“You would know exactly what applications were running on a network,” Watson said. “You could craft specific exploits or just pick the highest chance of likelihood of success of exploit and get the application and OS environment of your target.”
Watson said he hopes the revelations will raise awareness of the problem—which he believes is low in regard to IT managers being aware of the content of the reports and that they’re sent in the clear. He also hopes to encourage admins to look at these logs as a tool in the fight against advanced threats and use them as means of finding indicators a network has been compromised.
“When you’re executing an attack, there is going to be evidence or collateral damage happening as you move through the network,” Watson said. “You’re forcing a program to crash and then execute code in an order that’s not meant to happening. Exploits generate error report logs so we’ve been doing a lot of research into error report logs that are indicators of an advanced attack versus IE crashing on a webpage it doesn’t know how to render. This could be the first indicator of an attack.”
Websense said it has reported the issue to Microsoft through its MAPP partner sharing program, and added that it is also working with other vendors on similar reporting weaknesses in other massively distributed applications.
“By no means is Microsoft the only culprit that’s leaking information,” Watson said. “A lot of widely deployed applications, browsers and things like that, are at risk of leaking information.”