An example of the information contained in a Windows Error Report.

Agents with the U.S. National Security Agency are able to intercept crash reports from specific Microsoft Windows-based machines to better understand how to exploit a computer with spyware, according to the latest revelations about the U.S. government’s electronic surveillance program, published this weekend by Der Spiegel newsmagazine.

The system is the one encountered by users after a program crashes, asking if they want to send information to Microsoft about the problem. The NSA tactic, revealed in a presentation viewed by Der Spiegel, reportedly uses the agency’s high-tech spying tools to access a machine being used by someone targeted in an NSA investigation. The tools allow NSA agents to receive notifications when the target’s computer crashes.

Here is Der Spiegel’s explanation of how the information is used:

The automated crash reports are a “neat way” to gain “passive access” to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer.

Although the method appears to have little importance in practical terms, the NSA’s agents still seem to enjoy it because it allows them to have a bit of a laugh at the expense of the Seattle-based software giant. In one internal graphic, they replaced the text of Microsoft’s original error message with one of their own reading, “This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine.” (“Sigint” stands for “signals intelligence.”)

In a statement issued over the weekend, the Redmond company said, “Microsoft does not provide any Government with direct or unfettered access to our customers’ data. We would have significant concerns if the allegations about Government actions are true.” The company notes that the information sent by the error reporting system is “limited.”

The same Der Spiegel report said that a special NSA unit can also intercept computer shipments to plant malware on a machine being sent to someone they want to spy on.

Microsoft has been taking steps to encrypt its server traffic, among other tactics to thwart NSA spying, which the company has labeled an “advanced persistent threat” that it intends to battle like malware and online attacks. Microsoft and Google have both filed suit against the government seeking the ability to be more transparent about the data they hand over in response to Foreign Intelligence Surveillance Act (FISA) orders.

Update, 9:41 a.m.: Here is Microsoft’s full statement.

Secure Socket Layer (SSL) connections are regularly established to communicate details contained in Windows error reports. Customers who choose to use error reports send limited information about, for example, the process, application, or device driver, that may have encountered a problem.  Reports are then reviewed and used to improve customer experiences. Microsoft does not provide any Government with direct or unfettered access to our customer’s data. We would have significant concerns if the allegations about Government actions are true.  Regardless, we continue to review our encryption technologies and practices and have commented on the multiple investments we continue to make, on our Microsoft on the Issues blog.

Comments

  • http://NuAngel.net NuAngel

    So it is important to understand what they are saying. They aren’t using crash reports themselves to spy on individual users submitting the reports… they are using the contents of the crash reports to understand faults within Windows and exploit them to create their own 0-Day malware and spyware which could be deployed however they wish.

    • tsupasat

      It seems like they are doing both. They can see crash reports for targeted individuals, which helps them craft malware specifically for those machines.

  • Lauren Glenn

    Isn’t decrypting copyrighted material without consent of the people or owner a violation of the DMCA?

  • hungryHippo

    Since Win 7 64 I really haven’t had any crashes….no, seriously, and I’m running VBox with three different OS’s on top of Win 8.1 and driving pointers to the ether zone. So…they aint gettin any crash reports from me.
