The NSA Intercepted Microsoft's Windows Bug Reports

Bruce Schneier writes on his security blog: Back in 2013, Der Spiegel reported that the NSA intercepts and collects Windows bug reports... "When Tailored Access Operations selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft... this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer..."

The article talks about the (limited) value of this information with regard to specific target computers, but I have another question: how valuable would this database be for finding new zero-day Windows vulnerabilities to exploit?

Well, sure.

[Frosty+Piss]

I suppose this is "news", but I also suppose it should have been (and for many, was) assumed. And I'll bet the NSA and the foreign equivalents are not the only ones that thought of this obvious source...

Re:Well, sure.

[ls671]

Sure, just have a list of keys like .ssh/authorized_keys so anybody could stick its own key in there.

Re:Well, sure.

[AHuxley]

Re " and the foreign equivalents are not the only ones that thought of this obvious source"
The foreign equivalents don't watch the internet like the NSA and GCHQ do.
The net belongs to the NSA, so other nations don't waste funds on low return internet things.
Some of the cool things other nations did or learned from just went back to simple human spying.
France had all its diplomatic codes broken by the USA and UK in the 1950's. It took France a while to learn from that decade long communications mistake.
China learned of the importance of Little Sai Wan in Hong Kong and just sent human spies in. The UK was using translators it could not trust trying to keep up with the amount of collection into the 1960's. China just used well placed human spies to collect on the secret UK collect it all policy.
The UK collected from Cyprus. The UK base staff had long hours and very low pay. Soviet spies just to wait in the local bars and make a lot of new friends with stories to share.
Foreign equivalents spy on their own nations but have learned to be much more careful around the world using well supported human spies.

Really smart nations have worked around that US/UK global collection system many decades ago. Collect it all is great for contractor overtime and seeing the world.
Collect it all works wonders if the enemy never knows about it. The easy Enigma days are over.
What can be learned from Windows networks left wide open in other nations? The emery left a bait computer online and waits to see who comes looking?
Tech support or a charity over story? NGO? Who wants access to that building and network once its found?
The UK and USA have to watch every interesting computer network globally. The enemy just has to bait a few networks in their own select buildings with gems of unencrypted information.

Slashdot is speeding up

It's now reporting on articles from 2013!

can't be true.

the NSA intercepts and collects Windows bug reports.

No way can that be true. Even the NSA's Utah Data Center doesn't have that much storage capacity.

Re:can't be true.

[chill]

Deduplication works miracles on repetitive data. If there was ever a source of repetitive data, Microsoft crashes are it.

Re:can't be true.

Finally, a post that made me laugh. Very nice. I also think broadband speeds have been held back because of the need to match NSA data storage capacity with internet throughput.

Re:can't be true.

[AHuxley]

AC the Windows bug reports of interesting people.
The people who know interesting people.
The people who are 3 and 4 hops from interesting people.
The unknown people who then make contact with interesting people or people who know interesting people.
Whats a few million files collected per task?
All the interesting users computers get altered as needed.

Re:can't be true.

[ls671]

Maybe, maybe not, it depends on how deduplicable the records are. The same bug trace could very well have different output on different computers, memory addresses etc. could be different.

Re:can't be true.

[apraetor]

Broadband speeds have lagged the rest of the developed world because monopolies only produce up to the point marginal cost equals marginal revenue. This wouldn't be a problem if, like most natural monopolies (water, electricity), broadband was closely regulated, but it isn't. There's effectively no fixed wireline competition for cable broadband; without competition there is no pressure to increase efficiency. The problem is that regulators have been pretending cable internet, dsl (i.e. uverse) internet, and wireless internet are substitute goods, when in fact they are not.

Cable and DSL are similar, but not substitutes; DSL cannot come anywhere near matching the throughput of cable. And as natural monopolies, it would be massively inefficient and costly for a second company to set up physical infrastructure duplicating the cable system, when the existing infrastructure is largely adequate. What we need is competition for USE of that infrastructure, rather than the current status quo.

Re:Um, yay for them?

[sheramil]

I hope they'll decide to monetize it soon - there's a bunch of posts I made to talk.bizarre a long time ago, and google doesn't seem to have archival copies.

Re:Do I have to switch to Microsoft's OS to get th

[AHuxley]

Backdoor, front door, trapdoor, or in the window.
If one way in is closed by a user or unexpected update another way into Windows is found.
Collect it all always works.

those buggers

[turkeydance]

bugging

Re:Ok...and?

[AHuxley]

Someone still thought bug reports got encrypted and sent to the big private company secure from strange computer on the net.
Reality now sets in.
Windows is the way in.

This is actually serious

[FeelGood314]

The Microsoft bug reports are important to Microsoft. They do actually analyze them to try and find bugs or in their products or in code from common/popular vendors. The NSA is undermining this trust. This is similar to the way the USA undermined doctors in Pakistan by using doctors in their search for Bin Laden. Maybe if the USA had to compensate every single person who gets Polio 10 million dollars they might not think their plan was such a great idea. Same for the NSA, they should be trying to help close exploits but at this point their collateral damage has been far greater than anything they have prevented.

Make it simpler

[aepervius]

The NSA intercepted anything and everything which went in the direction of the US, possibly also stuff which never went in the US. Consider all your communication compromised by the NSA. Now whether you care (privacy minded people, people not liking government overreach and spying and crook/spy/other nations intelligence agencies) or not (most people) is up to you.

Re:Make it simpler

[apraetor]

Most people care, just not enough to make it worth the cost of doing anything. Make end-to-end encryption simpler and more ubiquitous (WhatsApp, Signal) and people will use it. Given two equivalent goods where the only differentiator is privacy, users will choose the more-secure option.

What about exploitable 3rd-party bugs + targeting?

[Aryeh+Goretsky]

Hello,

I seem to recall a discussion about this at the time of disclosure that the main concern was not so much finding exploitable bugs in Windows, per se, but finding bugs in third-party drivers like those from AMD and nVidia, as well as determining hardware and software a target might be using, in order to help perform vulnerability research on targets.

Regards,

Aryeh Goretsky

Re:Ok...and?

[DarkOx]

Windows and windows networks are a huge liability. CIOs and CSO need to have a come to Jesus moment on that.

I sometimes do internal pentest work, and Its rare even not in 2017 that some combination of null sessions to get user names, and password spray, or just shutting up and listening for LLMNR or old NetBios and than cracking the acquired hashes won't work at a big organization. That is before you even need to consider getting "fancy" with attacks on Kerberos or SPNs. Yes you need to be on the internal network to do these things but you one good phishing catch away from that with most big organizations too. Many of the other pentests I know rarely even both trying to exploit other types servers or internal web applications anymore.

I am not saying the traditional UNIX/Linux solutions like (YP|NIS|LDAP|Hesiod) with or without Kerberos are not worse in many ways than (AD/LDAP) + Kerberos. Its just the AD is the standard and most often I see UNIX land being made to talk to AD rather than and Windows infra being made to speak anything UNIXy.

My thesis here is that when your authentication/authorization infrastructure itself is the biggest liability and has been for nearly a decade something is terribly terribly wrong. Windows/Windows networking really is the way in and why that remains "acceptably" is beyond me. Sure you can harden it a lot, but that is a real challenge for anyone who isn't an expert and does not have $$$ to eliminate every old client, many of which are part of integrated solutions like controllers etc.

What M$ really needs to do is make the next windows server upgrade move the hardened configurations OOB. No NTLMv1, no LLMNR, no NetBIOS, no null sessions, password complexity enabled, and some others. They then need to provide a "Gateway" for legacy systems where the older protocols can be configured to only talk to certain hosts, and only allow the use of specific accounts easily.