NSA Trawls Crash Data For App Vulnerabilities – Report

The National Security Agency (NSA) is reportedly using a key tool in hunting down and fixing application bugs.

The spy agency supposedly uses crash data in order to remotely find vulnerable software within the companies and organisations it is monitoring.

Crash Data

The tool, known as Dr. Watson and developed by Microsoft, records information about the state of a Windows system when an application crashes. The service sends the crash information to Microsoft and has helped the software maker and third-party application developers eradicate many flaws that caused program instability.

Yet, the data has also been secretly collected by the National Security Agency using a distributed system of network taps as a way to remotely detect software vulnerabilities, according to a report published in Der Spiegel on 29 December.

By combining its ability to sift through large amounts of data and the fact that the crash reports are unencrypted, it’s entirely possible that the National Security Agency could collect information on the software vulnerabilities inside specific networks or companies, Alex Watson, director of research for security firm Websense, told eWEEK.

“Your typical organisation generates enough reports that over a period of time you can create a blueprint of what the vulnerable applications are on the network,” he said.

The NSA’s capability to dig into the application crashes of organisations worldwide comes out of a report in Der Spiegel documenting the NSA’s Office of Tailored Access Operations, a cyber operations group inside the agency which finds ways to get at the hard-to-reach information that the spy agency deems essential to its mission.

The report, co-authored by digital rights activist and security researcher Jacob Appelbaum, outlined the catalogue of capabilities offered by the TAO, including so-called “implants” – hardware devices and software programs designed to be secreted in computer systems or networks for surveillance purposes.

The ability to collect information produced by the crash reporting tool known as Dr. Watson gives the NSA and other potential attackers the ability to collect information on systems to which they have no access, Websense’s Watson said. In a detailed analysis of what information is provided by the tool, Websense warned that the data, while valuable, present a very real potential of data leakage because much of the information is uploaded without encryption.

Valuable Insight

“Applications that report this information without encrypting data risk leaking information at multiple points,” Watson wrote in the analysis. “This includes any upstream proxies, firewalls, and ISPs that are in between the corporate network and the destination as well as the application developer and their partner organisations.”

Microsoft is not the only company to collect crash dumps. Apple’s Mac OS X has a similar facility for sending information back to the company to improve the quality of software.

While companies may be threatened by the risk of data leakage presented by the spy agency’s alleged collection of crash dumps, the information can be valuable in detecting advanced attackers, says Websense’s Watson. Attempts at exploiting software flaws often lead to program crashes. This enables target organisations to determine whether a crash was caused by suspicious activities and allows them to set up defences against attackers, he said.

“These reports have been used to date to understand application crashes, but I think there is tremendous opportunity to use them to find indicators of attack activity,” he said.

What do you know about whistleblowers and their tech? Take our quiz!

Originally published on eWeek.