The message that prompts ask the user to report the problem to Microsoft followed by the options to Send an error report or Not send. Most of the time Gentle users like you and me used to submit these error reports to aware the Microsoft about the problem. But What if these crash reports can be abused to identify the vulnerabilities of your system for Spying?
NSA is intercepting wide range of Internet Traffic including many Encrypted connections and naturally unencrypted also and surprisingly, by default Microsoft encrypts its reports, but the messages are transmitted unencrypted or over standard HTTP connections to watson.microsoft.com.
The latest revelations from the Snowden document leaks revealed by the German publication Der Spiegel described how the NSA's secret hacking unit called Tailored Access Operations Unit, or TAO Unit, breaking into a windows computer by gaining passive access to machines.
Der Spiegel's explains:
The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, the only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer.
Microsoft has Windows Error Reporting (a.k.a. Dr. Watson) technology from Windows XP to later versions. Windows crash reports give up all kinds of information about your system, allowing them to know what software is installed on your PC, respective versions and whether the programs or OS have been patched.
Websense Security Firm observed the Windows Error Reporting system and find that it sends out its crash logs in the clear text:
This information includes:
Websense Security Firm observed the Windows Error Reporting system and find that it sends out its crash logs in the clear text:
This information includes:
- Date
- USB Device Manufacturer
- USB Device Identifier
- USB Device Revision
- Host computer - default language
- Host computer - Operating system, service pack and update version
- Host computer - Manufacturer, model and name
- Host computer - Bios version and unique machine identifier
Why should we care about this? Because System or application Crashes signal about various possible Zero-day vulnerabilities that could be exploited and this is the exact information that the NSA or anyone else needs when tailoring a specific attack against your system, or when designing some kind of malware to infect it.
Der Spiegel also added:
When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA's powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.A Microsoft spokesperson asked to comment on the reports said, "Microsoft does not provide any government with direct or unfettered access to our customer's data. We would have significant concerns if the allegations about government actions are true."
Websense also recommends that Error report data should be encrypted with SSL at a minimum, ideally using TLS 1.2 in order to prevent it from NSA snooping. Alexander Watson, director of security research, Websense, will be presenting advanced findings related to this research at the 2014 RSA Conference in San Francisco.
How To Disable Error Reporting:
