Windows' error- and crash-reporting system sends a wealth of data in the
clear, without encryption, information that eavesdropping hackers or state
security agencies can use to refine and pinpoint their attacks, a researcher
said today.
Not coincidentally, over the weekend the popular German newsmagazine Der Spiegel reported that the U.S. National Security Agency (NSA) collects Windows crash reports
from its global wiretaps to sniff out details of targeted PCs,
including the installed software and operating systems, down to the
version numbers and whether the programs or OSes have been patched;
application and operating system crashes that signal vulnerabilities
that could be exploited with malware; and even the devices and
peripherals that have been plugged into the computers.
"This information would definitely give an attacker a significant
advantage. It would give them a blueprint of the [targeted] network,"
said Alex Watson, director of threat research at Websense, which on
Sunday published preliminary findings
of its Windows error-reporting investigation. Watson will present
Websense's discovery in more detail at the RSA Conference in San
Francisco on Feb. 24.
Sniffing crash reports using low-volume "man-in-the-middle" methods
-- the classic is a rogue Wi-Fi hotspot in a public place -- wouldn't
deliver enough information to be valuable, said Watson, but a wiretap at
the ISP level, the kind the NSA is alleged to have in place around the
world, would.
"At the [intelligence] agency level, where they can spend the time to
collect information on billions of PCs, this is an incredible tool,"
said Watson.
And it's not difficult to obtain the information.
Microsoft does not encrypt the initial crash reports, said Watson, whether
they are the kind that prompt the user before being sent or the kind that go
out automatically. Instead, they're transmitted to Microsoft's servers "in
the clear," over standard HTTP connections rather than HTTPS.
If a hacker or intelligence agency can insert themselves into the
traffic stream, they can pluck out the crash reports for analysis
without worrying about having to crack encryption.
And the reports from what Microsoft calls "Windows Error Reporting"
(WER), the component that older Windows versions called "Dr. Watson,"
contain a wealth of information on the specific PC.
When a device is plugged into a Windows PC's USB port, for example --
say an iPhone to sync it with iTunes -- an automatic report is sent to
Microsoft that contains the device identifier and manufacturer, the
Windows version, the maker and model of the PC, the version of the
system's BIOS and a unique machine identifier.
By comparing the data with publicly available databases of device and
PC IDs, Websense was able to establish that an iPhone 5 had been
plugged into a Sony Vaio notebook, and even to recover the notebook's
unique machine ID.
If hackers are looking for systems running outdated, and thus vulnerable,
versions of Windows (XP SP2, for example), the in-the-clear reports will
show which ones have not been updated.
Windows Error Reporting is installed and activated by default on all
PCs running Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1,
Watson said, confirming that the Websense techniques for deciphering the
reports worked on all those versions.
Watson characterized the chore of turning the cryptic reports into
easily understandable terms as "trivial" for accomplished attackers.