A key tool in hunting down and fixing application bugs has reportedly been used by the National Security Agency as a way to remotely find vulnerable software within companies and organizations targeted by the U.S. spy agency.
The tool, known as Dr. Watson and developed by Microsoft, records information about the state of a Windows system when an application crashes. The service sends the crash information to Microsoft and has helped the software maker and third-party application developers eradicate many flaws that caused program instability.
Yet the data has also been secretly collected by the National Security Agency using a distributed system of network taps as a way to remotely detect software vulnerabilities, according to a report published in Der Spiegel on Dec. 29.
By combining its ability to sift through large amounts of data and the fact that the crash reports are unencrypted, it’s entirely possible that the National Security Agency could collect information on the software vulnerabilities inside specific networks or companies, Alex Watson, director of research for security firm Websense, told eWEEK.
“Your typical organization generates enough reports that over a period of time you can create a blueprint of what the vulnerable applications are on the network,” he said.
The NSA’s capability to dig into the application crashes of organizations worldwide comes out of a report in Der Spiegel documenting the NSA’s Office of Tailored Access Operations, a cyber-operations group inside the agency which finds ways to get at the hard-to-reach information that the spy agency deems essential to its mission.
The report, co-authored by digital rights activist and security researcher Jacob Appelbaum, outlined the catalog of capabilities offered by the TAO, including so-called “implants”—hardware devices and software programs designed to be secreted in computer systems or networks for surveillance purposes.
The ability to collect information produced by the crash-reporting tool known as Dr. Watson gives the NSA and other potential attackers the ability to collect information on systems to which they have no access, Websense’s Watson said. In a detailed analysis of what information is provided by the tool, Websense warned that the data, while valuable, present a very real potential of data leakage because much of the information is uploaded without encryption.
“Applications that report this information without encrypting data risk leaking information at multiple points,” Watson wrote in the analysis. “This includes any upstream proxies, firewalls and ISPs that are in between the corporate network and the destination as well as the application developer and their partner organizations.”
Microsoft is not the only company to collect crash dumps. Apple’s Mac OS X has a similar facility for sending information back to the company to improve the quality of software.
While companies may be threatened by the risk of data leakage presented by the spy agency’s alleged collection of crash dumps, the information can be valuable in detecting advanced attackers, says Websense’s Watson. Attempts at exploiting software flaws often lead to program crashes. This enables target organizations to determine whether a crash was caused by suspicious activities and allows them to set up defenses against attackers, he said.
“These reports have been used to date to understand application crashes, but I think there is tremendous opportunity to use them to find indicators of attack activity,” he said.