NSA's Word Problem

By Nicholas Weaver
Friday, June 10, 2016, 4:23 PM

There is an interesting exchange in the new Snowden FOIA release (h/t Marcy Wheeler) that has me concerned as a technologist. In it, Snowden provides some technical support from NSA Hawaii to NSA headquarters.

NSA analysts fill out lots of paperwork. That paperwork is a core protection against NSA abuse. It constrains their activities, and facilitates legal and compliance review. Justice Sotomayor noted, in her famous Jones concurrence, the importance of costs as a constraint on surveillance. Some costs are monetary, but some costs are time. And when presented with things that require time or money, there is a natural inclination to find efficiencies.

Back in 2012, faced with the need to write the identical thing—language regarding FISA minimization procedures—many, many times, NSA tried to develop some efficiency by automating a portion of their Word templates. This worked fine until, for whatever reason, NSA Hawaii redesigned its network to block external access from other parts of the NSA. There are plenty of good security reasons for this kind of compartmentalization, and I’d suspect NSA has moved towards even more compartmentalized systems post-Snowden. This caused some collateral damage: when someone tried to open documents prepared in Hawaii at Fort Meade, Word would stall.

The cause is a mind-blowing combination of Microsoft mal-features and NSA workflow problems. The Word documents contained macros and templates which referred to separate resources on the local Hawaii network. When opened outside this network, Word would stall for 5 minutes as it tried repeatedly to access local data. The easy workaround of saving in Rich Text Format (RTF) didn’t work because Word still tried to open links that it included in the RTF document. An interim solution required Fort Meade personnel to use WordPad to open the RTF files, and a better long-term solution was promised.
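An added example, not from the original post or the released documents: a triage script that lists what a Word file will reach for when opened, meaning externally targeted relationships (such as an attached template) and embedded VBA in an OOXML package, and the template destination or INCLUDEPICTURE/INCLUDETEXT fields in RTF. The post does not say which constructs the Hawaii documents used, so those checks, the host name `fs.example.internal` and both samples are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}")
RTF_FIELD = re.compile(rb'\\fldinst[^}]*?\b(INCLUDEPICTURE|INCLUDETEXT)\s+"?([^"{}\s]+)')

def scan_ooxml(data):
    """List (kind, target) for VBA parts and external relationships in a .docx/.docm."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                hits.append(("vba-macros", name))
            elif name.endswith(".rels"):
                # On untrusted files, swap in a hardened XML parser such as defusedxml.
                for rel in ET.fromstring(z.read(name)).iter(REL):
                    if rel.get("TargetMode") == "External":
                        hits.append((rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target")))
    return hits

def scan_rtf(data):
    """List (kind, target) for the template destination and content-fetching fields."""
    hits = [(b"template", m.group(1)) for m in RTF_TEMPLATE.finditer(data)]
    hits += [(m.group(1).lower(), m.group(2)) for m in RTF_FIELD.finditer(data)]
    # RTF doubles backslashes in text; undo that so UNC paths read normally.
    return [(k.decode(), v.replace(b"\\\\", b"\\").decode("latin-1").strip()) for k, v in hits]

def scan(data):
    """Dispatch on magic bytes: ZIP container (OOXML) or RTF header; anything else is skipped."""
    if data[:4] == b"PK\x03\x04":
        return scan_ooxml(data)
    return scan_rtf(data) if data[:5] == b"{\\rtf" else []

def sample_docx():
    """Constructed sample: a minimal package whose settings part attaches a remote template."""
    ns = "http://schemas.openxmlformats.org"
    rels = (f'<Relationships xmlns="{ns}/package/2006/relationships"><Relationship Id="rId1" '
            f'Type="{ns}/officeDocument/2006/relationships/attachedTemplate" TargetMode="External" '
            'Target="file:///\\\\fs.example.internal\\templates\\report.dotm"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

# Constructed sample RTF carrying the same template path (backslashes doubled, as RTF requires).
SAMPLE_RTF = rb"{\rtf1\ansi{\*\template \\\\fs.example.internal\\templates\\report.dotm}Body text}"
```

Any hit that points at a UNC path or URL outside the reader's own network segment marks a file that will stall, or call out, when Word opens it.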

I have a few thoughts on the implications of this exchange.

1. Oh God, the Insecurity!

Word Macros are a plague. A Word Macro, unlike, say, JavaScript in a web page, doesn’t exist in a “Sandbox” that limits everything it might do to the current document. Instead, macros are able to do anything that the person running Word can do—including install malcode. I’d argue that Microsoft is criminally negligent for not sandboxing macros after the "Melissa" mail worm a decade and a half ago. Today, malicious macros are commonly used for everything from ransomware to nation-state attacks. It’s a crude analogy, but enabling Word Macros in a corporate environment is akin to infecting a brothel with herpes—in short, it’s a bad, bad idea.

It is difficult to overstate how much of a threat Word macros posed to the NSA’s internal network. If a single bad insider managed to get one malicious macro-infected Word document onto this network, it could be designed to self-propagate and spread through the network before shifting to steal secrets for eventual exfiltration by an insider. It could even be used to conduct bulk sabotage by shutting down the entire NSA analyst network at some specified time.

2. Too Much Freedom in FOIA?

The documents are four years old, so presumably this problem has been resolved. But this could be evidence of why it is critical for engineers, and not only lawyers, to review documents prior to release. I’m delighted at NSA’s transparency, but the Chinese probably are too. In fact, right now they may be wondering if they could bait an analyst into reading or including a Word document collected “on the wire.”

3. Dude, you’re supported by Dell?

Turns out the wake of Snowden doesn’t just damage the reputation of Booz Allen. Apparently it took Dell—Snowden’s employer at the time—a full week to address a high-priority ticket, which was seriously impacting NSA headquarters’ ability to conduct mandatory oversight. Apparently it took additional nagging and high-profile action to get Dell to do its job. Attach this email as Exhibit 10275215 on “How Government Contractors Earn Their Bad Reputation.”

4. (Fail To) Workflow?

The eventual solution required analysts to write their reports in Word, then copy-paste them into WordPad before saving as RTF. Annoying, but maybe civil libertarians should applaud. If I had to go through such a painful process I’d never spy on anyone.

5. If you Got Macros, Use Em!

This is also Exhibit 10275216 on “How Government Contractors Earn Their Bad Reputation.” Macros are an abomination, but they are specifically designed to do things like reduce a “ten click” process for dissociating all templates to a single click on a big “Export” button embedded in the document. If you are going to run the risk of using Macros, at least use them productively!

6. NIT Anyone?

Rumors suggest contractors charge a fortune for NIT beacons—documents that call back when opened. I’ve heard of other beacons that exist in Word document (.doc and .docx) formats. But I didn’t know you could have a beacon in RTF documents. Someone should package this up and sell it to the FBI for a small fortune, stat!


Correction: I wrongly misidentified the old Macro worm as ILOVEYOU. Thanks to @VessOnSecurity for pointing out my error.