How NSA access was built into Windows



NSA Built Back Door In All Windows Software by 1999

 

Government Built Spy-Access Into Most Popular Consumer Program Before 9/11

 

In researching the stunning pervasiveness of spying by the government (it's much more widespread than you've heard even now), we ran across the fact that the FBI wants software programmers to install a backdoor in all software.

 

Digging a little further, we found a 1999 article by leading European computer publication Heise which noted that the NSA had already built a backdoor into all Windows software:

 
 
Duncan Campbell 04.09.1999

 

A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

 

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

 

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

 

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do.

 

Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVAPI driver. He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

 

A second key

 

Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandes, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY".

 

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

 

A third key?!

 

But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code.

 

Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

 

Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors".

 

According to Fernandes of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.

 

"For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US.

 

That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers".

 

"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked.

 

Can the loophole be turned round against the snoopers?

 

Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy", he said.

 

Fernandes believes that NSA's built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.

 

According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPUs with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."

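The quoted article says the third key was located with search methods that "test and report on the entropy" of code. As an added illustration (not code from the article, the researchers, or anyone in this thread), the sketch below shows the general idea: key material looks statistically random, so a sliding-window Shannon-entropy scan makes it stand out from the repetitive bytes around it. The window size, threshold and the constructed sample image are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter

WINDOW, STEP = 64, 16   # bytes per window, slide distance
THRESHOLD = 5.2         # bits/byte; a 64-byte window cannot exceed log2(64) = 6
KEY_OFFSET, KEY_LEN, IMAGE_LEN = 1024, 128, 2048  # constructed sample layout


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of the byte distribution in chunk, in bits per byte."""
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())


def high_entropy_regions(data: bytes, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Slide a window over data and merge overlapping windows above threshold."""
    regions = []
    for start in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[start:start + window]) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # extend the open region
        else:
            regions.append((start, end))
    return regions


def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for key material: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def build_sample() -> bytes:
    """Constructed image: repetitive filler with a 128-byte blob embedded."""
    filler = bytes([0x55, 0x8B, 0xEC, 0x83, 0xC4, 0x5D, 0xC3, 0x90])
    image = bytearray(filler * (IMAGE_LEN // len(filler)))
    image[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = pseudo_random(b"constructed", KEY_LEN)
    return bytes(image)


if __name__ == "__main__":
    for start, end in high_entropy_regions(build_sample()):
        print(f"candidate key material at 0x{start:04x}-0x{end:04x}")
```

Real binaries also contain compressed or packed data that scores just as high, so a hit is a candidate for manual inspection, not proof that a key is present.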

zip link is dead, well, only the 'special' are permitted to view... http://www.cryptonym.com/ Would sure love to change my key and become the NSA of my friends... Bravo MS!

 

Any reports on how OSX or any versions of BSD or linux are bugged? I can only presume Apple and Ubuntu are also targets.


Look.  I don't like the secrecy around the NSA and GCHQ's processes either but this story is sensationalist claptrap.  This story reads as if the NSA and some other organisation has the ability to remotely access Windows PCs!

 

Yes, there are alternative keys for loading cryptographic modules into Windows but they are not backdoors.  You still need to install them with administrative privileges.  At the point this happens, you've already given access to your computer away no matter how the software persists.  There are plenty of places in Windows that you could install something to snoop on or modify the experience for users: the driver system being the most obvious to me.  If you're worried about HTTPS snooping in particular then you should realise that tools like Fiddler 2 can do this without magic crypto modules.

 

As for somehow turning this "backdoor" around, you should note that if you're in a position to change the NSAKEY or the third key then you're also in a position to change the first key.  At this point you could re-sign the typical cryptographic modules as well as foreign code with your own private key.  You gain nothing from the existence of the NSAKEY or the third.

 

The fact that the keys are separate tells me that Microsoft were unwilling to let the NSA have access to their private key.


Despite the recent revelations I just don't buy that this was ever the case, with all the governments, with all the users, and especially with all the people that hate windows, if any of them found that in the software they would be screaming it from their lungs and posting the proof everywhere.  Microsoft also would have had far too much to lose (as they were basically the only OS provider, no one else was getting roped in with them unlike the current matter) not to mention there was and still is no legal basis for such a move and notwithstanding that such a backdoor would likely break laws in some of the countries MS Windows is sold in.

 

Yes, that is different to now because the target of the current issue is around their carriage services - not the product - just about all our countries have laws surrounding the lawful use of carriage services (no I am not defending the invasion of our privacy but rather just because that is happening doesn't mean this happened).


Oh good gawd, this isn't what you think it is...... btw.. if you have RSA encryption, you know this was developed by the NSA right?..... let's start a trapdoor thing about that also!!!!! oh wait we already have....


If the NSA was getting into your machine since '98 I'm pretty sure someone would have picked it up on the many years of constant wiresharking.

 

/thread


You guys do know if they were to put a hidden key.... they wouldn't call it NSAKEY! you know NSA does not stand for national security agency...... it was at the time meaning Name Space Assembly Key... had a completely different purpose than the tin foil hatters want you to think.... but let's just ignore all the development documentation on windows back in the 90's and name it some big conspiracy


Well that was a whole bunch of misunderstandings, conspiracy theories and conjecture wrapped around something that was already widely known and moreover publicly stated.

 

Still, makes for a nice headline...


Don't forget process monitor and network firewalls. And what about all those people on slow WAN links, wouldn't they notice it?


You can actually hide stuff from process monitor. Good malware writers know this.

Any articles from last decade? Or, better yet, this decade?

 

Forget about encryption, if they wanted a real backdoor to any system and it was built from the lab into all RTM and retail copies that left MS, no one except those developers would ever know it was there. It would lie dormant until activated over the net or locally by an NSA agent. If it's ever needed it's activated and then loses much of its stealth, but unless you know what you're looking for and how to look for it, it would be almost impossible to detect because it would use the OS's internal mechanisms legitimately to disguise its activity. It wouldn't be "malware", or a rootkit, it would be a kernel level legitimate function of the system, designed to work with the system as any other legitimate mechanism does. It might even be wrapped by a legitimate and benign piece of the standard system.

 

It would probably also communicate through a protocol that is hidden intentionally on the network, by other additions by the NSA into software, such as routers. You'd probably have to write special code to even have a chance of finding it, and you'd have to know what you're looking for to write the code. Chicken and the egg. Then you'd still have to get the NSA to activate the backdoor on a system you're testing. By the time even someone educated and paranoid (or curious) enough found what they were looking for, it'd be too late, at least for them.


How's the tin foil hat?


 

yeah it's not like the NSA has been caught accessing information from all major cloud providers... oh wait

 

It's pretty obvious that Windows has had a back door for use by government organisations, I wouldn't be surprised if MacOSX had it too. Of course they are not going to be using it all the time, however I can imagine some kind of remote execution ability. Linux and Open source in general I would be more surprised about as it would be a lot easier to discover this through open source.

 

However it's worth taking stock, we know that government agencies have had access to cloud services, a few years ago it was proven that BlackBerry has done the same for its messaging systems

 

http://www.guardian.co.uk/technology/2010/nov/17/india-blackberry-monitored-emails

 

It's the way of the world, it would be nice if governments were a little more transparent and I hope people continue to fight for freedoms of information, but this kind of stuff has been going on for centuries with governments intercepting phone calls, letters, telegrams etc. The only difference is that with each passing year it's getting easier and easier to collect more and more information.


To protect National Security? Do you condone events like Boston or a possible terrorist threat on the Olympics? 

 

The people who create these programs are normal people, they're doing it to protect national security not to see what porn people are watching. If there was a backdoor to any software system, it would have been found by now. You'd be able to spot it a mile off. Another point is, whose computer here actually has a public IP address? If not, you're sitting behind a NAT which will not let any unprompted connections incoming unless the client initialized it. So a backdoor wouldn't even work in today's Internet.

 

So once again, how's the tinfoil hat?


Oh dear.  You just threw your entire argument out of the window with that one ridiculous yet (hopefully) rhetorical question.

Condoning a system which supports national security is indirectly related to events like this. Stop being so up-tight.


A possible terrorist threat on the Olympics?

 

Oh my gosh, you're so paranoid. How's the tin foil flak jacket? (That game can be played both ways. Don't dismiss what I said as if I'm paranoid. I was just stating what is possible, as you just did).

 

If there was a backdoor to any software system, it would have been found by now. You'd be able to spot it a mile off. Another point is, whose computer here actually has a public IP address? If not, you're sitting behind a NAT which will not let any unprompted connections incoming unless the client initialized it. So a backdoor wouldn't even work in today's Internet.

 

So once again, how's the tinfoil hat?

 

You don't know what you're talking about, by the way.


This topic is now closed to further replies.