Surveillance Programmes – Digital Citizenship and Surveillance Society
https://dcssproject.net
UK State-Media-Citizen Relations after the Snowden Leaks
Feed generated Wed, 03 Jun 2020 16:15:15 +0000

KARMA POLICE
https://dcssproject.net/karma-police/
Fri, 04 Mar 2016 09:09:57 +0000

KARMA POLICE, The Intercept

Purpose:

KARMA POLICE is a mass surveillance programme that collects web-browsing habits from “every visible user on the Internet”. It is used to create profiles showing the web browsing histories of people who browse the Internet unencrypted (e.g. without a Virtual Private Network or services such as TOR). The programme keeps a record of all websites visited, including social media and news websites, search engines, chat forums, and blogs (INT01). The programme requires the interception of data from the fibre-optic cables that transport Internet data and communications across the globe. The system then analyses metadata that reveals people’s behaviours and activities online.

Capabilities (INT01):

  • Creates profiles of web-browsing habits
  • Analyses instant messenger communications, emails, Skype calls, text messages, cell phone locations, and social media interactions.
  • Watches for “suspicious” Google searches and use of Google Maps.

Exploitation of:

  • Metadata

Data extraction sources:

  • Unencrypted Internet traffic such as HyperText Transfer Protocol (HTTP) activity; HTTP is an insecure, cleartext protocol used to send and receive data from the web.

Combined with other state surveillance tools:

TEMPORA – fibre-optic cable tapping

Layers of operation:

  • Application layer
  • Social Layer

Background:

KARMA POLICE was created by Government Communications Headquarters (GCHQ) approximately seven years before it was publicly reported. The programme collects data in bulk and is not targeted at specific individuals. Its data repository, Black Hole, stores metadata for between 30 days and six months.

Sources:

The Intercept (INT)
1) PROFILED: From Radio to Porn, British Spies Track Web Users’ Online Identities
https://theintercept.com/2015/09/25/gchq-radio-porn-spies-track-web-users-online-identities/

 

 

PRISM
https://dcssproject.net/prism/
Wed, 22 Jul 2015 11:25:10 +0000

PRISM, The Guardian, slide #2.

Purpose:

PRISM is an NSA programme that exploits data collected by the FBI’s Data Intercept Technology Unit (DITU) from nine major US corporations including Facebook, Google and Apple. There is no single PRISM database. Rather, when the data arrives at the NSA, it is sorted and distributed to the following systems:

  • MARINA: Internet metadata
  • MAINWAY: telephone metadata
  • NUCLEON: voice content
  • PINWALE: selected email and other content

MARINA is the counterpart of PRISM, where MARINA stores metadata and PRISM provides access to content. The telephone counterparts are MAINWAY (metadata) and NUCLEON (content) (MOJ01).

Mother Jones Magazine, Four programmes.

According to the leaked slides, PRISM is the biggest single contributor to the NSA’s intelligence reporting (GUA01).

Capabilities:

  • Access to content and metadata from service providers via the FBI

Data sources:

  • Content and metadata from nine major US companies:
    • Google
    • Skype
    • Facebook
    • Yahoo
    • Microsoft
    • Apple
    • YouTube
    • AOL
    • PalTalk

Related programmes:

MARINA – NSA repository for Internet metadata.

PINWALE – NSA content repository.

Layers of operation:

  • Application layer: Collection of content and metadata through interfaces created by service providers.
  • Social layer: Aggregation of content and metadata from multiple applications.

Background:

PRISM is considered a downstream programme as it collects information from service providers. It is used in conjunction with upstream programmes that collect communications from fibre-optic cables and other infrastructure.

Although PRISM is an NSA programme, GCHQ is a key partner and has full access to the database (GUA02). In 2013, a UK parliamentary committee deemed GCHQ’s activity legal (BBC01). However, in 2015 the Investigatory Powers Tribunal deemed the activity unlawful (GUA03).

Company partners:

  • Google
  • Skype
  • Facebook
  • Yahoo
  • Microsoft
  • Apple
  • YouTube
  • AOL
  • PalTalk

Sources:

BBC News (BBC)
1) http://www.bbc.co.uk/news/uk-23341597

Guardian (GUA)
1) http://www.theguardian.com/world/interactive/2013/nov/01/prism-slides-nsa-document
2) http://www.theguardian.com/technology/2013/jun/07/uk-gathering-secret-intelligence-nsa-prism
3) http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa

Mother Jones Magazine (MOJ)
1) http://www.motherjones.com/kevin-drum/2013/06/washington-post-provides-new-history-nsa-surveillance-programs

XKEYSCORE
https://dcssproject.net/xkeyscore/
Wed, 22 Jul 2015 11:24:35 +0000

XKEYSCORE, ACLU document archive, slide #11.

Purpose:

XKEYSCORE is an NSA search and analysis system for data collected by other surveillance programmes. The system is described by Snowden as a search engine that provides a “one-stop shop” for access to content, metadata and real-time tracking and monitoring of user activities (COU01). Access to XKEYSCORE is shared with a number of other intelligence agencies including GCHQ (COU01, GUA01). In 2012, GCHQ’s TEMPORA programme was the largest source of XKEYSCORE data (EFF01).

The system incorporates user interfaces, databases and algorithms to select specific types of content and metadata that have already been collected by other surveillance programmes. Data can be retrieved using “strong selectors” such as email addresses and “soft selectors” such as keywords (ACU01). Rules for identifying particular kinds of data can be created and stored in the system. For example, analysts can target Tor users through rules that select web searches related to Tor and connections to the Tor network (NDR01). XKEYSCORE also has the ability to alert analysts to the activities of specific email and IP addresses (GUA02).

In 2008, the system included over 700 servers at approximately 150 locations around the world (ACU01). Content remains in the XKEYSCORE environment for three to five days, while metadata is stored for 30 days.

Capabilities (ACU01, EFF01):

  • Ingestion of “full take” from NSA and partner agency bulk collection programmes.
  • Federated query mechanism allows analysts to search multiple databases with a single query.
  • Content and metadata can be searched using “strong selectors” and “soft selectors”.
  • Rules for matching particular kinds of data can be created and stored in the system.
  • Computer systems that are vulnerable to attack can be identified by monitoring network traffic.
  • Documents can be traced back to their authors.
  • Pattern-of-life analysis can develop profiles of individuals or find individuals matching a profile.

Data sources (ACU01, ELE01, SES01, WEE01):

  • CIA/NSA Special Collection Service (F6).
  • NSA Special Source Operations (such as PRISM, MUSCULAR and INCENSER).
  • Foreign satellite data (FORNSAT).
  • MARINA metadata repository.
  • TRAFFICTHIEF metadata repository.

Related programmes (ACU01, EFF01, ELE01, SES01):

PRISM – NSA programme for content and metadata collection from service providers via the FBI.

MUSCULAR – GCHQ programme for bulk data collection from service provider data centres.

INCENSER – GCHQ programme for bulk data collection from fibre-optic cables.

TEMPORA – GCHQ programme for bulk data collection and buffering.

TRAFFICTHIEF – NSA repository for metadata about selected targets.

MARINA – NSA repository for bulk Internet metadata.

PINWALE – NSA repository for selected content.

Layers of operation:

  • Network layer, transport layer and application layer: Matching content and metadata against rules defined by analysts.
  • Social layer: Aggregation of content and metadata from multiple sources, pattern-of-life analysis.

Background:

XKEYSCORE training materials detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search (GUA02). Requests are not reviewed by a court or any NSA personnel before being processed. The programme covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata (GUA02). The programme also allows for ongoing “real-time” interception of an individual’s Internet activity (GUA02).

Data storage is an issue. According to leaked documents, “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours” (GUA02). In response, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named PINWALE, which can store material for up to five years (GUA02).

Sources:

American Civil Liberties Union (ACU)
1) https://www.aclu.org/files/natsec/nsa/NSA%20XKeyscore%20Powerpoint.pdf

Courage Foundation (COU)
1) https://edwardsnowden.com/2014/01/27/video-ard-interview-with-edward-snowden

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/files/2014/06/23/report_on_the_nsas_access_to_tempora.pdf

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection
2) http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

NDR Panorama (NDR)
1) http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html

Robert Sesek (SES)
1) https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html

The Week (WEE)
1) http://theweek.com/articles/461482/4-nsa-terms-should-know

MUSCULAR
https://dcssproject.net/muscular/
Wed, 22 Jul 2015 11:23:57 +0000

MUSCULAR, Washington Post, “Google Cloud Exploitation” slide.

Purpose:

MUSCULAR is a joint GCHQ and NSA programme that collects data travelling between internal data centres owned by Google and Yahoo. It achieves this by accessing the cables through which the companies’ internal network traffic passes. The programme is used to collect emails, documents, pictures, search queries and other data.

The programme relies on the telecommunications provider Level 3 to offer secret access to a fibre-optic cable at a point where Google and Yahoo traffic passes (NYT01). The access point, known as DS-200B, is located somewhere in the UK (WAH01).

MUSCULAR stores data for a three to five day period, during which GCHQ and NSA decode the proprietary data formats used by each company and extract information they want to keep (WAH02).

Capabilities:

  • Bulk collection from private networks
  • Bypassing encryption used on public networks
  • Decoding proprietary data formats

Data sources:

  • DS-200B, cable location owned by Level 3
  • Digital content from two major US companies

Related programmes:

WINDSTOP – NSA umbrella programme for bulk collection in partnership with “trusted second party” countries (UK, Canada, Australia and New Zealand). The programme targets “communications into and out of Europe and the Middle East” (ELE01).

Layers of operation:

  • Physical layer: Tapping of fibre-optic cables.
  • Link layer, network layer and transport layer: Reconstruction of communication sessions.
  • Application layer: Extraction of content and metadata.

Background:

MUSCULAR is one of at least four similar “trusted second party programs” which together are known as WINDSTOP within the NSA (ELE01). This programme taps into the private leased fibre-optic cables that are used to connect the companies’ data centres across the globe (WAH02). These corporate internal networks have historically been unencrypted; however, both companies are beginning to encrypt their networks as a result of the MUSCULAR leak.

Company partners (NYT01):

  • Level 3: Provider of fibre-optic cables for Google

Sources:

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

New York Times (NYT)
1) http://www.nytimes.com/2013/10/31/technology/nsa-is-mining-google-and-yahoo-abroad.html

Washington Post (WAH)
1) http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/04/how-we-know-the-nsa-had-access-to-internal-google-and-yahoo-cloud-data
2) http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

OPTIC NERVE
https://dcssproject.net/optic-nerve/
Wed, 22 Jul 2015 11:23:23 +0000

OPTIC NERVE, The Guardian, 28 February 2014.

Purpose:

OPTIC NERVE is a GCHQ programme that collects still images of Yahoo webcam chats in bulk and saves them to agency databases, whether or not an individual is an intelligence target (GUA01). The programme uses automated facial recognition technology to match existing targets and to discover potential new targets. Searching a facial recognition database allows for the identification of people who might use multiple online identities. The programme saves one image every five minutes from users’ feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ’s servers (GUA01).

Capabilities:

  • Facial recognition

Data sources:

  • Yahoo webcam application

Related programmes:

MUSCULAR – GCHQ programme collecting bulk data from Google and Yahoo data centres.

TEMPORA – GCHQ programme for bulk data collection and buffering.

XKEYSCORE – NSA system for searching and analysing Internet data.

MARINA – NSA repository for Internet metadata.

Layers of operation:

  • Application layer: Extraction of content and metadata.

Background:

In a six-month period in 2008, OPTIC NERVE collected webcam images from over 1.8 million Yahoo user accounts worldwide (GUA01). The programme collects images from “unselected” people, meaning it is used for bulk rather than targeted collection. Yahoo has denied any prior knowledge of the programme, and has since expanded encryption across its services.

Sources:

Guardian (GUA)
1) http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo

QUANTUM THEORY
https://dcssproject.net/quantum-theory/
Wed, 22 Jul 2015 11:22:45 +0000

QUANTUM THEORY, The Intercept, slide #3.

Purpose:

QUANTUM THEORY is a programme that capitalises on vulnerabilities within applications and networks using a number of hacking techniques. It includes a variety of sub-programmes such as [ELE01, INT02]:

  • QUANTUMBOT – IRC botnet hijacking
  • QUANTUMBISQUIT – targets that are behind large proxies
  • QUANTUMCOOKIE – forces cookies onto target browsers
  • QUANTUMINSERT – HTML web page redirection to spy agency servers known as FOXACID.
  • QUANTUMSQUEEL – for injection of MySQL databases
  • QUANTUMSPIM – instant messaging hijacking
  • QUANTUMDNS – domain name server (DNS) injection and redirection
  • QUANTUMHAND – exploits the computer of a person who logs into Facebook
  • QUANTUMPHANTOM – hijacks an IP address to redirect to a covert infrastructure
  • QUANTUMSKY – denies access to a webpage using RST packet spoofing
  • QUANTUMCOPPER – file upload/download disruption and corruption
  • QUANTUMSMACKDOWN – prevents downloading implants to DoD computers

In the case of QUANTUMINSERT, for example, the programme relies upon the placement of secret servers across key areas of the Internet backbone [SCH01]. This is done so that requests to visit web sites can be intercepted before the legitimate server is contacted, which tricks a web browser into visiting a bogus web site on a government server. It uses a well-known hacking technique, the “man-in-the-middle” attack. However, the government agencies have the added capacity to conduct “man-on-the-side” attacks, which require access to the Internet backbone. Once a web browser is redirected, malware can be inserted directly into the user’s computer.

Capabilities:

  • HTTP injection
  • DNS injection allowing bogus certificates, breaking SSL and redirection of traffic to NSA servers
  • Packet-injection to block attacks on government servers by terminating a requested connection
  • Plug-in to inject into MySQL connections

Exploitation of:

  • Vulnerabilities in network standards
  • Vulnerabilities in software, e.g. persistent “push” connections from Facebook, where a user’s browser would leave an idle connection open, waiting for a command from the server [WIR01]

Data extraction sources:

  • IRC and other botnets
  • Web services (e.g. Yahoo, Facebook, Gmail, LinkedIn)
  • Peer-to-peer networks (e.g. TOR)

Combined with other state surveillance tools:

TURBINE – Internet traffic sifting that shifts data to a variety of databases.
FOXACID – Spy agency web servers used to redirect Internet traffic (e.g. TOR users) [GUA01].
XKEYSCORE – search engine for access to content, metadata and real-time tracking and monitoring of website traffic and user activities.
MUSCULAR – intercepts data going into and out of Google and Yahoo services.
MARINA – metadata repository for Internet traffic.

Layers of operation:

  • Network Layer
  • Application Layer

Background:

QUANTUM made headlines when it was uncovered that GCHQ was behind the Belgacom cyber attack conducted under the codename “Operation Socialist” [SPI01]. The company provides telecommunications access to the European Commission, the European Council and the European Parliament. GCHQ used QUANTUMINSERT to target Belgacom employees, redirecting them to websites that implanted malware onto their computers, which could then be used to manipulate those machines. The technique was also used by GCHQ to compromise users of LinkedIn [SPI02].

Spy agencies maintain a library of exploits, each based on a different vulnerability in a system [GUA01].

Sources:

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/search?q=quantum

Guardian (GUA)
1) http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity

Intercept (INT)
1) https://firstlook.org/theintercept/document/2014/03/12/nsa-gchqs-quantumtheory-hacking-tactics
2) https://firstlook.org/theintercept/document/2014/03/12/one-way-quantum

Schneier (SCH)
1) https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

Spiegel (SPI)
1) http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html
2) http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html

Wired (WIR)
1) http://www.wired.com/2014/03/quantum

BULLRUN
https://dcssproject.net/bullrun/
Wed, 22 Jul 2015 11:22:08 +0000

BULLRUN, EFF document archive, slide #2.

Purpose:

BULLRUN is an NSA programme aimed at decrypting encrypted network traffic [GUA01]. Its decryption capabilities include inserting vulnerabilities into commercial encryption tools and IT systems, collaboration with other intelligence agencies, and “advanced mathematical techniques” [NYT01, GUA02]. The programme is able to decrypt data flowing through major communications providers and peer-to-peer tools such as Skype [NYT02].

Encryption keys are harvested from servers and held in a Key Provisioning Service, which can automatically decrypt traffic if a key is available, or otherwise ask a Key Recovery Service to obtain the key [NYT02].

The programme also seeks to “influence policies, standards and specifications for commercial public key technologies” [NYT02]. The NSA is believed to have inserted a cryptographic backdoor into a standard published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), and to have paid a U.S. software company to implement the flawed standard [REU01].

GCHQ has a similar programme named EDGEHILL [GUA01]. GCHQ has been working to develop methods to decrypt the traffic of Hotmail, Google, Yahoo and Facebook, and proposed a system to decrypt data from fibre-optic cable tapping programmes such as TEMPORA in “near-real time” [GUA01].

Capabilities:

  • Decryption of:
    • Transport Layer Security/Secure Sockets Layer (TLS/SSL)
    • Encrypted web traffic (HTTPS)
    • Secure Shell (SSH)
    • Virtual Private Networks (VPNs)
    • Voice over Internet Protocol (VoIP)
    • 4G mobile networks

Exploitation of:

  • Service provider internal networks and cloud storage
  • Commercial encryption software
  • Standards for encryption systems

Data extraction sources:

  • Fibre-optic cables
  • Commercial encryption software
  • Web services (e.g. Hotmail)

Combined with other state surveillance tools:

TEMPORA – fibre-optic cable tapping

Layers of operation:

  • Transport Layer

Background:

The BULLRUN programme partners with technology companies to insert vulnerabilities, and also uses covert activities to manipulate the development of international encryption standards [GUA01]. However, some companies state that they were coerced into handing over their master encryption keys or creating security holes [NYT01].

The programme can be compared with the Clipper Chip proposal of the 1990s, which aimed to mandate weakened encryption in order to facilitate surveillance [NYT02]. The EFF, the U.S. Congress and others thwarted that earlier proposal, arguing that it was contrary to the Fourth Amendment of the U.S. Constitution.

Company partners:

  • Unnamed commercial software companies
  • RSA encryption [REU01]
  • Standards organisations

Sources:

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/document/20141228-spiegel-gchq-presentation-bullrun-programs-decryption-capabilities

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/search?q=bullrun

Guardian (GUA)
1) http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
2) http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide

New York Times (NYT)
1) http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
2) http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html

Reuters (REU)
1) http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

ANT Catalogue
https://dcssproject.net/ant-catalogue/
Wed, 22 Jul 2015 11:21:24 +0000

ANT Catalogue, NSA, https://nsa.gov1.info/dni/nsa-ant-catalog

Purpose:

ANT is a division of the NSA that provides software and hardware surveillance products to members of the ‘Five Eyes’ alliance, including the NSA and GCHQ. The ANT catalogue is a 50-page classified document from 2008 listing available technology, with summaries of hardware and software surveillance in eleven areas, including [SPI03]:

1. Room surveillance
CTX4000 – radar unit that can reveal the signals emitted by devices such as laser printers.
LOUDAUTO – audio-based radio frequency listening device capable of picking up conversations.
NIGHTWATCH – portable computer used to reconstruct and display video data from nearby computer monitors.
PHOTOANGLO – enables signals of passive bugging devices to be received from a considerable distance.
TAWDRYYARD – radio frequency position locator used to locate RAGEMASTER devices implanted in physical locations.

2. Computer monitor surveillance
RAGEMASTER – concealed device implanted into a computer’s video cable that intercepts image signals from a computer’s monitor.

3. Computers
GINSU – uses a hardware implant to restore a software implant that has been removed during an operating system upgrade or reinstall.
IRATEMONK – infiltration of hard drive firmware manufactured by Maxtor, Samsung, Seagate, and Western Digital. It replaces the Master Boot Record.
SWAP – enables remote control of a variety of operating systems including FreeBSD, Linux, Solaris and Windows.
WISTFULTOLL – harvests and returns forensic data from the Windows operating system.
HOWLERMONKEY – hardware implant used to extract data from systems or allow them to be controlled remotely.
JUNIORMINT – hardware chip implant configurable for a number of uses.
MAESTRO-II – multi-chip module approximately the size of a 20p coin with multiple uses.
SOMBERKNAVE – allows a Windows XP system to be controlled remotely using unused wireless interfaces that provide covert Internet connectivity.
TRINITY – configurable multi-chip module, smaller than a penny and implanted for a variety of uses.

4. Keyboards
SURLYSPAWN – hardware implant that enables keystroke monitoring remotely using a radar signal emitter, even if computers are not connected to the Internet.

5. USB
COTTONMOUTH-I – USB hardware implant that intercepts communication as well as having the capability of injecting Trojans.
COTTONMOUTH-II – USB socket implant that enables covert communication with the target system.
COTTONMOUTH-III – stacked Ethernet and USB plug that provides a wireless bridge allowing covert communication.
FIREWALK – hardware implant in the form of an Ethernet and USB connector that enables data extraction as well as injection of exploits through radio frequency communication.

6. Wireless LAN
NIGHTSTAND – mobile system that wirelessly installs Windows exploits from a distance of up to eight miles.
SPARROW II – small computer used to detect and map wireless networks from a drone or other capability.

7. Mobile phones
DROPOUTJEEP – used on first generation iPhones enabling remote access and control through SMS or data service, allowing for upload and download of files, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
GOPHERSET – GSM software that uses a phone’s SIM card API (SIM Toolkit or STK) to access the contacts list, SMS and logs of incoming and outgoing calls.
MONKEYCALENDAR – transmits a mobile phone’s geolocation using covert SMS texts.
TOTECHASER – Windows CE implant targeting the Thuraya 2520 satellite/GSM phone using hidden SMS texts.
TOTEGHOSTLY – implant that allows full remote control of Windows mobile phones, including upload and download of data, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
PICASSO – modified GSM handsets that enable location tracking and audio bugging.

8. Mobile phone networks
CROSSBEAM – GSM communications module that allows for interception of communication and covert remote access.
CANDYGRAM – mobile phone tower simulator that verifies locations through silent SMS.
CYCLONE-HX9 – GSM network simulator that enables eavesdropping on GSM 900 phones, which may have been used to eavesdrop on Chancellor Merkel’s phone.
EBSR – GSM base transceiver station with the ability to attack mobile phones on the GSM 900/1800/1900 frequency range.
ENTOURAGE – hardware receiver for direction finding that can detect the GPS coordinates of mobile phones.
GENESIS – modified mobile phone used to covertly perform network surveys as well as locate other mobile phones.
NEBULA – “network in a box” base station router for 2G and 3G networks.
TYPHON HX – “network in a box” GSM base station simulator capable of tapping into mobile phones.
WATERWITCH – allows the operator to find the geolocation of specific mobile phones.

9. Firewalls
JETPLOW – firmware implant to create a permanent backdoor in Cisco PIX series and ASA firewalls.
HALLUXWATER – backdoor exploit for Huawei Eudemon firewalls, hidden in the boot ROM, enabling covert access to read and write memory, execute an address or execute a packet.
FEEDTROUGH – software implant that exploits Juniper Networks firewalls allowing remote access.
GOURMETTROUGH – configurable persistence implant for certain Juniper Networks firewalls.
SOUFFLETROUGH – BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls, installing a persistent backdoor.

10. Routers
HEADWATER – persistent backdoor technology enabling covert remote execution of code within Huawei routers.
SCHOOLMONTANA – implant that modifies the BIOS on Juniper JUNOS-based J-series routers.
SIERRAMONTANA – persistent software implant placed onto JUNOS-based M-series routers.
STUCCOMONTANA – persistent software implant that modifies the BIOS on JUNOS-based T-series routers.

11. Servers
IRONCHEF – exploits a computer’s motherboard BIOS to communicate with hidden hardware implants that provide two-way radio frequency (RF) communication on HP Proliant servers.
DEITYBOUNCE – software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s) that enables code execution while the operating system powers on.

Capabilities:

  • Hardware implants across a variety of devices
  • Software implants across a variety of devices

Exploitation of:

  • Servers:
    • Dell PowerEdge
    • HP Proliant
  • Firewalls:
    • Juniper Networks J & M series
    • Huawei Eudemon
    • Cisco PIX series and ASA
  • Routers:
    • Huawei
    • Juniper J, M and T series
  • Operating system:
    • Juniper JUNOS
    • Windows
    • FreeBSD
    • Linux
    • Solaris
  • Hard drives:
    • Maxtor
    • Samsung
    • Seagate
    • Western Digital

Data extraction sources:

  • Placing implants into physical devices manufactured by US companies
  • Computers
  • Mobile phones
  • Physical locations

Combined with other state surveillance tools:

ANT tools combined with each other

Layers of operation:

  • Physical Layer
  • Link Layer
  • Network Layer
  • Transport Layer
  • Application Layer
  • Social Layer

Background:

The ANT product catalogue has been associated with the monitoring of Chancellor Merkel’s mobile phone [SPI02] as well as with broader surveillance of US allies [GUA01], including the GCHQ programme Operation Socialist [SPI04]. Over 100,000 computers around the globe have received implants that use a covert radio frequency channel to exchange data [NYT01].

Company partners:

  • Digital Network Technologies (NSA contractor)

Sources:

American Civil Liberties Union (ACU)
1) https://www.aclu.org/files/natsec/nsa/20140130/NSA%27s%20Spy%20Catalogue.pdf

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/30/nsa-leaks-us-bugging-european-allies

New York Times (NYT)
1) http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0

Spiegel (SPI)
1) http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
2) http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html
3) http://www.spiegel.de/international/world/a-941262.html
4) http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html

FASCIA
https://dcssproject.net/fascia/
Wed, 22 Jul 2015 11:20:31 +0000

FASCIA, Washington Post, slide 1.

Purpose:

FASCIA is the US National Security Agency’s (NSA) data storage and analysis programme focused on mobile phone location metadata. Approximately 5 billion records per day are collected [WAH01]. The programme exploits the SS7 (Signaling System No. 7) signalling protocol, which links mobile network providers together.

Two kinds of data are collected from mobile devices [WAH01].

  • Information from telephones, both mobile devices and landlines, including information held in these networks such as location – known as Dialed Number Recognition (DNR) data.
  • Information collected from the Internet – this includes personal data communications, known as Digital Network Intelligence (DNI).

Additionally, it can analyse communication security (COMSEC) behaviours such as “frequent power-down, handset swapping, SMS behaviour” [NSA01].

The leaked documents show that GCHQ works in partnership with the NSA in DNI collection, specifically to track location using the Google tracking cookie PREFID, which is gathered together with personal data communications. This cookie can be used to hack into devices [WAH02].

The FASCIA programme uses a variety of data analysis techniques to locate and track individuals using these two sources of data (DNR and DNI) including [WAH01; NSA01]:

  • CHALKFUN: This is a ‘co-travel analytics’ tool that analyses “date, time, and network location of a mobile phone over a given time period, and then looks for other mobile phones that were seen in the same network locations around a one hour time window” [NSA01].
  • DSD Co-Travel Analytic: Examines mobile Call Detail Records (CDRs) to predict “target locations and co-travelers by calculating time-based travel trajectories. Probable travel routes are calculated using observed locations and determining the most likely paths and travel times similar to that used in turn-by-turn navigation systems” [NSA01]. “The analytic predicts the approximate time that the target would theoretically arrive at each segment waypoint based on projected travel times between known locations.” It also “discovers candidate co-travellers that intersect locations along the buffered travel path.” The NSA whitepaper states that the “system has shown that more candidate co-travellers were discovered by analyzing the travel paths than by considering common meeting locations alone”. Future plans for the system include identifying “targets based on COMSEC behaviors such as identifying mobiles that are turned off right before convergence between two travel paths occurs”.
  • TMI Co-Traveler Analytic: “The analytic is oriented to work on 7 to 30 days worth of regional collection.” It computes “target ‘closeness’ based on latitude and longitude information” [NSA01].
  • PACT NGA-NSA GATC Analytic: To identify Thuraya satellite phones.
  • RT-RG Sidekicks: “compares average travel velocity between pairs of selectors to infer whether or not co-travel would practically be possible. Locations are defined by CELL IDs (for GSM) or GEO-Hashes.”
  • Scalable Analytics Tradecraft Center (SATC) Geospatial Lifelines Co-Travel QFD: This “applies the concept of “dwell times” to identify DNR co-travelers. Dwell times describe the time period spent at the beginning or ending destination. A location is considered a beginning or ending location if the dwell time at that location is greater than 2 hours.”
  • SSG Common IMSIs Analytic: “Finds SIM card activity seen on cell tower panels in multiple areas (e.g.- border crossings commonly used by traffickers) … The analyst inputs areas of interest and time range. The analytic returns an excel file with a list of IMSIs seen in those areas at that time.”
  • The Café project: “This analytic uses IP geolocation of active user/presence events as travel indication.” It focuses on targets who have travelled between two countries within a period of up to 30 days. It is also searchable by travel within “countries of interest” and “the days on which the countries were visited”.
  • Other Data Sources: this includes information from other databases such as “air travelers on the same reservation number”, “users sharing a MAC address” and “similarities between IP addresses may indicate proximity on the same LAN” [NSA01].
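A toy version of the co-travel logic described above, added here as an illustration of how little location metadata the inference needs; it is not code from the NSA documents. It applies CHALKFUN’s one-hour same-location window, discards pairs that share only a single tower (the false-positive case), and applies a Sidekicks-style velocity check; the cell IDs, coordinates and sightings are constructed, and MAX_KMH and MIN_SHARED_CELLS are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

WINDOW = timedelta(hours=1)    # CHALKFUN: same network location within ~1 hour
MAX_KMH = 150.0                # assumed ceiling for plausible ground travel speed
MIN_SHARED_CELLS = 2           # assumed: one shared tower is coincidence, not co-travel
# Constructed tower coordinates (lat, lon) for hypothetical cell IDs C1..C3.
CELLS = {"C1": (33.69, 73.05), "C2": (31.52, 74.36), "C3": (24.86, 67.01)}
# Constructed sightings (subscriber, cell, time): A/B travel together, X shares one tower,
# E/F appear to cover C1->C3 (~1,100 km) in one hour, which no ground journey allows.
SIGHTINGS = [
    ("A", "C1", "2013-12-01 08:00"), ("B", "C1", "2013-12-01 08:20"), ("X", "C1", "2013-12-01 08:10"),
    ("A", "C2", "2013-12-01 14:00"), ("B", "C2", "2013-12-01 14:30"),
    ("E", "C1", "2013-12-01 08:00"), ("F", "C1", "2013-12-01 08:10"),
    ("E", "C3", "2013-12-01 09:00"), ("F", "C3", "2013-12-01 09:10"),
]

def _km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def co_locations(sightings):
    """Map each subscriber pair to the (cell, time) events where both were seen
    at that cell within WINDOW of each other (time = the later sighting)."""
    by_cell = defaultdict(list)
    for sub, cell, ts in sightings:
        by_cell[cell].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), sub))
    pairs = defaultdict(list)
    for cell, seen in by_cell.items():
        for (t1, s1), (t2, s2) in combinations(sorted(seen), 2):
            if s1 != s2 and t2 - t1 <= WINDOW:
                pairs[tuple(sorted((s1, s2)))].append((cell, t2))
    return pairs

def plausible(events):
    """Sidekicks-style check: moving between consecutive shared cells faster than
    MAX_KMH is not credible co-travel (think cell-ID reuse or clock errors)."""
    events = sorted(events, key=lambda e: e[1])
    for (c1, t1), (c2, t2) in zip(events, events[1:]):
        hours = (t2 - t1).total_seconds() / 3600
        if c1 != c2 and hours > 0 and _km(CELLS[c1], CELLS[c2]) / hours > MAX_KMH:
            return False
    return True

def co_travellers(sightings):
    """Pairs seen together at MIN_SHARED_CELLS+ distinct cells with plausible movement."""
    return sorted(pair for pair, ev in co_locations(sightings).items()
                  if len({c for c, _ in ev}) >= MIN_SHARED_CELLS and plausible(ev))
```

On the constructed data only the pair (A, B) survives: X shares one busy tower with them and is dropped, and E/F fail the velocity check despite two shared cells.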

Capabilities:

  • Mobile phone network and internet analysis
  • Pattern-of-life analysis

Data sources:

  • Mobile networks
    • GCID: Global Cell-Tower ID – This is the unique number associated with any given tower. It acts as a proxy for location since
    • CELLID – mobile base station coordinates
    • VLR (Visitor Location Register) – databases that track current associations between cellular users and towers, which can be used to infer a user’s location
    • IMSI (International Mobile Subscriber Identity)
    • MSISDN – the telephone number associated with a SIM card indicating the country it was activated in and the service provider
  • Internet data transfer
    • Mobile phone apps
    • IP address

Related programmes:

R6 SORTINGLEAD – Cloud-based version of CHALKFUN that includes additional features such as search by countries or locations of interest [NSA01].

HAPPY FOOT – Analytic tool that aggregates leaked location-based service data to map the physical locations of IP addresses [WAH01].

TAPERLAY – The NSA’s tool for looking up the registered location of a mobile device — the provider and country where a phone was originally activated — in the Global Numbering Database [WAH01].

TUSKATTIRE – System used for metadata processing [WAH01].

JUGGERNAUT – A signals processing system that can process raw feeds between mobile carriers through the SS7 protocol [WAH01].

GHOSTMACHINE – The NSA’s cloud analytics platform [WAH03].

Layers of operation:

  • Social layer: Aggregation of metadata from multiple sources, pattern-of-life analysis.
  • Link layer – How devices connected to a physical layer share access to the physical medium and exchange data.
  • Network layer – How data is routed between devices that may be connected to different link layers.
  • Application layer – How applications provide services and exchange information over a transport layer.

Background:

FASCIA is the National Security Agency’s enormous database containing trillions of device-location records collected from a variety of sources. The leaked documents show the volume and types of device-location data collected. Mobile phone metadata analysis can reveal a high level of detail about people’s movements.

When mobile devices are turned on and begin searching for wireless signals, they reveal their locations to any radio receivers in the vicinity. When a mobile phone connects to a network, it registers its location with one or more signalling towers; this information is stored in databases (known as Home Location Registers and Visitor Location Registers) maintained by telephone providers and clearing houses so that calls can be made and received.

These registers store a device’s approximate location, which the service provider derives by triangulating its distance from multiple towers in the vicinity. This can reveal a person’s country, town and even street. In addition, some mobile devices use WiFi and GPS signals to fix their locations, which provides geolocation data. Smartphones can also reveal their location through mobile apps, built-in location-based services and IP addresses [WAH01].

Sources:

National Security Agency (NSA) document, provided by the Washington Post

1) National Security Agency white paper: Summary of DNR and DNI Co-Travel Analytics
https://s3.amazonaws.com/s3.documentcloud.org/documents/888734/cotraveler-tracking-redacted.pdf

Washington Post (WAH)

1) http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/new-documents-show-how-the-nsa-infers-relationships-based-on-mobile-location-data

2) http://apps.washingtonpost.com/g/page/world/nsa-signal-surveillance-success-stories/647

3) http://apps.washingtonpost.com/g/page/world/ghostmachine-the-nsas-cloud-analytics-platform/644/#document/p2/a135353

4) http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html

SKYNET https://dcssproject.net/skynet/ Wed, 22 Jul 2015 11:19:37 +0000 http://sites.cardiff.ac.uk/dcssproject/?p=1020

SKYNET
Purpose:

SKYNET is a behaviour profiling programme that attempts to identify “interesting travel patterns”, including how often a person travels and to where [SKYNET-02, Slide13]. Specifically, the programme aims to identify “courier-like travel patterns” [SKYNET-02, Slide20].

It achieves this by analysing mobile phone metadata that reveals both location and communication data from bulk call records [INT01]. Using this metadata SKYNET looks for patterns amongst different people who use phones in similar ways [SKYNET-02, Slide2].

For this programme “call data is acquired from major Pakistani telecom providers”, but the technical means of obtaining the data is not divulged in the slides [INT01]. It uses cloud computing to store and analyse Call Data Records (CDRs) from Pakistani telecoms uploaded to an NSA cloud [SKYNET-01, Slide6]. Analysis of the data examines [SKYNET-02, Slide3]:

  • Pattern of life
  • Social network
  • Travel behaviour

This is done using geospatial, geotemporal, pattern-of-life and travel analytics [SKYNET-01, Slide3], specifically by identifying a mobile phone’s IMSI, or International Mobile Subscriber Identity [SKYNET-01, Slide13]. This number is a unique identifier associated with all mobile phones on a cellular network. It is stored as a 64-bit field and is sent by the phone to the network [TFA01].

Behaviours SKYNET attempts to identify include [INT01]:

  • “Who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month?”
  • “Who does the traveler call when he arrives?”
  • “Excessive SIM or handset swapping”
  • “Incoming calls only”
  • “Visits to airports”
  • “Overnight trips”

Capabilities:

  • Mobile phone metadata storage and analysis
  • Pattern-of-life analysis
  • Travel analysis
  • Social network analysis

Data sources:

  • Mobile phone metadata
  • Global System for Mobile Communications (GSM)
  • International Mobile Subscriber Identity (IMSI)

Related programmes:

DEMONSPIT – dataflow of Call Data Records (CDRs) from Pakistan [SKYNET-01, Slide6]

MAINWAY – collection of telephone metadata

Layers of operation:

  • Social layer: Aggregation of metadata from multiple sources, pattern-of-life analysis.

Background:

The SKYNET programme collected 55 million cell phone records from Pakistan to identify ‘interesting’ or ‘suspect’ behaviours [INT01].

Questions are being raised about the “method of identifying terrorist targets based on metadata” [INT01] because it may produce false positives, especially for journalists whose work requires them to contact terrorists. In particular, the Al Jazeera journalist Ahmad Muaffaq Zaidan was singled out as someone whose “movements and calls mirrored those of known Al Qaeda couriers” [INT01].

Partners:

Sources:

Intercept (INT)
1) https://firstlook.org/theintercept/2015/05/08/u-s-government-designated-prominent-al-jazeera-journalist-al-qaeda-member-put-watch-list/
2) SKYNET-01 – https://firstlook.org/theintercept/document/2015/05/08/skynet-applying-advanced-cloud-based-behavior-analytics/
3) SKYNET-02 – https://firstlook.org/theintercept/document/2015/05/08/skynet-courier/

Tech Faq (TFA)
1) http://www.tech-faq.com/imsi.html
