Der Spiegel makes light of an incredible tidbit they extracted from a 50-page catalog of exploit technology apparently developed by the NSA’s Tailored Access Operations (TAO).  The German newspaper describes, and dismisses as not very threatening the ability of an analyst using XKeyscore to identify a target’s machine, probably by IP address.

Then, if that machine ever files a crash report with Microsoft (or presumably any application such as Mozilla’s Firefox) the vast store of data that the NSA has collected is investigated with XKeyscore to recover a copy of that crash report –which was captured, along with everything else, by the NSA’s taps into most network traffic.

Wait, what? Crash reports are not encrypted when sent to Microsoft or Mozilla? Apparently, not. Microsoft’s documentation states that Personally Identifiable Information (PII) is encrypted via HTTPS but not the rest of the information.

As if we needed it, here is yet another reminder that software developers can be woefully ignorant of the need for security. Crash reports often contain a snapshot of memory at the time of the crash. An attacker could use that information to understand the processes running on the target machine. Even passwords, or at least hashes of passwords, can be revealed in crash reports. This is a process vulnerability that Microsoft will have to address immediately.

But take a moment to contemplate the power of XKeyscore. We first learned of XKeyscore in July, 2013 when Glenn Greenwald reported on Snowden documents that described the program:  “The NSA boasts in training materials that … XKeyscore, is its “widest-reaching” system for developing intelligence from the Internet.”

XKeyscore exploits a loophole in the restrictions on NSA surveillance of US persons. The NSA claims that collecting the data is not surveillance. They just collect all the data and make it available for future data mining. Any legal restrictions against surveillance must be enforced at the analysis end of the process.

But look what they apparently can do with that analysis. They can query XKeyscore for all crash reports sent from a particular IP address. That is impressive. What else could they possibly extract?

  • Every time a target connects to a VPN proxy, a common way to prevent at least your ISP from knowing where you are browsing.
  • Every SSL negotiation your browser makes. SSL is pretty good but all cryptanalysis is helped along by access to lots of negotiated connections.
  • Every comment posted to blogs/news sites. You can profile someone’s political leanings pretty quickly from seeing their comments posted on Reddit, HN, etc.
  • Every legal document, business plan, financial statement, tax return, and communication with another target (say a journalist).

We already knew about XKeyscore. But now we know more about the ingenuity of the apparent hackers at the NSA’s Tailored Access Operations.

Leave a Reply