During the early days of the Snowden revelations, one of the more extraordinary facts to emerge was that Microsoft was making information about zero-day vulnerabilities available to the NSA so that the latter could use them to gain entry to governments' and companies' networks. Of course, since then we’ve learned that many other companies are involved in the betrayal of their customers' trust. But a new report in the German news magazine Der Spiegel shows that Microsoft remains central to the NSA’s systems of surveillance and attack. Here’s what we’ve just discovered:
One example of the sheer creativity with which the TAO [NSA’s Tailored Access Operations] spies approach their work can be seen in a hacking method they use that exploits the error-proneness of Microsoft’s Windows. Every user of the operating system is familiar with the annoying window that occasionally pops up on screen when an internal problem is detected, an automatic message that prompts the user to report the bug to the manufacturer and to restart the program. These crash reports offer TAO specialists a welcome opportunity to spy on computers.
When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA’s powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.
The automated crash reports are a “neat way” to gain “passive access” to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer.
Again, it would seem that the many flaws in Microsoft’s products are key here, and provide gateways for deeper exploits – placing spyware or malware on the system. That’s not to say that other manufacturers aren’t hijacked by the NSA in various ways. Another article that appeared in Der Spiegel this weekend reveals how the NSA is subverting not just Microsoft products – a pretty easy task – but even the most unlikely elements of a computing system:
The ANT [NSA’s Advanced or Access Network Technology] developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.
Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.
And if you’re wondering how they manage to infect such systems, the main Der Spiegel article provides a chilling explanation:
If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called “load stations,” agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.
These minor disruptions in the parcel shipping business rank among the “most productive operations” conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks “around the world.”
What’s not clear from this is whether the interception is only possible with computer equipment originating in the US and sent overseas, or whether the NSA can also add malware or spyware in other parts of the world. The latter seems quite likely – especially in places like the UK, where the government and its spies are happy to carry out the NSA’s bidding without a second thought for law or morality.
Over the last six months it has become quite clear that real computer security is currently a near-impossibility, thanks to the efforts of the NSA and GCHQ to break every system put in place to protect us and our data. At the moment, the best we can do is to minimise our exposure, and to increase the cost of attack. The simplest way to do that is to stop using all Microsoft products, and to switch to open source, where at least there’s a chance people might spot backdoors.