PRISM, The Guardian, slide #2.

Purpose:

PRISM is an NSA programme that exploits data collected by the FBI’s Data Intercept Technology Unit (DITU) from nine major US corporations including Facebook, Google and Apple. There is no single PRISM database. Rather, when the data arrives at the NSA, it is sorted and distributed to the following systems:

• MARINA: Internet metadata
• MAINWAY: telephone metadata
• NUCLEON: voice content
• PINWALE: selected email and other content

MARINA is the counterpart of PRISM, where MARINA stores metadata and PRISM provides access to content. The telephone counterparts are MAINWAY (metadata) and NUCLEON (content) (MOJ01).

Mother Jones Magazine, Four programmes.

According to the leaked slides, PRISM is the biggest single contributor to the NSA’s intelligence reporting (GUA01).

Capabilities:

• Access to content and metadata from service providers via the FBI

Data sources:

• Content and metadata from nine major US companies:
  • Google
  • Skype
  • Facebook
  • Yahoo
  • Microsoft
  • Apple
  • YouTube
  • AOL
  • PalTalk

Related programmes:

MARINA – NSA repository for Internet metadata.

PINWALE – NSA content repository.

Layers of operation:

• Application layer: Collection of content and metadata through interfaces created by service providers.
• Social layer: Aggregation of content and metadata from multiple applications.

Background:

PRISM is considered a downstream programme as it collects information from service providers. It is used in conjunction with upstream programmes that collect communications from fibre-optic cables and other infrastructure.

Although PRISM is an NSA programme, GCHQ is a key partner and has full access to the database (GUA02). In 2013, a UK parliamentary committee deemed GCHQ’s activity legal (BBC01). However, in 2015 the Investigatory Powers Tribunal deemed the activity unlawful (GUA03).

Company partners:

• Google
• Skype
• Facebook
• Yahoo
• Microsoft
• Apple
• YouTube
• AOL
• PalTalk

Sources:

BBC News (BBC)
1) http://www.bbc.co.uk/news/uk-23341597

Guardian (GUA)
1) http://www.theguardian.com/world/interactive/2013/nov/01/prism-slides-nsa-document
2) http://www.theguardian.com/technology/2013/jun/07/uk-gathering-secret-intelligence-nsa-prism
3) http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa

Mother Jones Magazine (MOJ)
1) http://www.motherjones.com/kevin-drum/2013/06/washington-post-provides-new-history-nsa-surveillance-programs

XKEYSCORE, ACLU document archive, slide #11.

Purpose:

XKEYSCORE is an NSA search and analysis system for data collected by other surveillance programmes. The system is described by Snowden as a search engine that provides a “one-stop shop” for access to content, metadata and real-time tracking and monitoring of user activities (COU01). Access to XKEYSCORE is shared with a number of other intelligence agencies including GCHQ (COU01, GUA01). In 2012, GCHQ’s TEMPORA programme was the largest source of XKEYSCORE data (EFF01).

The system incorporates user interfaces, databases and algorithms to select specific types of content and metadata that have already been collected by other surveillance programmes. Data can be retrieved using “strong selectors” such as email addresses and “soft selectors” such as keywords (ACU01). Rules for identifying particular kinds of data can be created and stored in the system. For example, analysts can target Tor users through rules that select web searches related to Tor and connections to the Tor network (NDR01). XKEYSCORE also has the ability to alert analysts to the activities of specific email and IP addresses (GUA02).

In 2008, the system included over 700 servers at approximately 150 locations around the world (ACU01). Content remains in the XKEYSCORE environment for three to five days, while metadata is stored for 30 days.

Capabilities (ACU01, EFF01):

• Ingestion of “full take” from NSA and partner agency bulk collection programmes.
• Federated query mechanism allows analysts to search multiple databases with a single query.
• Content and metadata can be searched using “strong selectors” and “soft selectors”.
• Rules for matching particular kinds of data can be created and stored in the system.
• Computer systems that are vulnerable to attack can be identified by monitoring network traffic.
• Documents can be traced back to their authors.
• Pattern-of-life analysis can develop profiles of individuals or find individuals matching a profile.

Data sources (ACU01, ELE01, SES01, WEE01):

• CIA/NSA Special Collection Service (F6).
• NSA Special Source Operations (such as PRISM, MUSCULAR and INCENSER).
• Foreign satellite data (FORNSAT).
• MARINA metadata repository.
• TRAFFICTHIEF metadata repository.

Related programmes (ACU01, EFF01, ELE01, SES01):

PRISM – NSA programme for content and metadata collection from service providers via the FBI.

MUSCULAR – GCHQ programme for bulk data collection from service provider data centres.

INCENSER – GCHQ programme for bulk data collection from fibre-optic cables.

TEMPORA – GCHQ programme for bulk data collection and buffering.

TRAFFICTHIEF – NSA repository for metadata about selected targets.

MARINA – NSA repository for bulk Internet metadata.

PINWALE – NSA repository for selected content.

Layers of operation:

• Network layer, transport layer and application layer: Matching content and metadata against rules defined by analysts.
• Social layer: Aggregation of content and metadata from multiple sources, pattern-of-life analysis.

Background:

XKEYSCORE training materials detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search (GUA02). Requests are not reviewed by a court or any NSA personnel before being processed. The programme covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata (GUA02). The programme also allows for on-going “real-time” interception of an individual’s Internet activity (GUA02).

Data storage is an issue. According to leaked documents, “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours” (GUA02). In response, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named PINWALE, which can store material for up to five years (GUA02).

Sources:

American Civil Liberties Union (ACU)
1) https://www.aclu.org/files/natsec/nsa/NSA%20XKeyscore%20Powerpoint.pdf

Courage Foundation (COU)
1) https://edwardsnowden.com/2014/01/27/video-ard-interview-with-edward-snowden

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/files/2014/06/23/report_on_the_nsas_access_to_tempora.pdf

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection
2) http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

NDR Panorama (NDR)
1) http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html

Robert Sesek (SES)
1) https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html

The Week (WEE)
1) http://theweek.com/articles/461482/4-nsa-terms-should-know

OPTIC NERVE, The Guardian, 28 February 2014.

Purpose:

OPTIC NERVE is a GCHQ programme that collects still images of Yahoo webcam chats in bulk and saves them to agency databases, whether or not an individual is an intelligence target (GUA01). The programme uses automated facial recognition technology to match existing targets and to discover potential new targets. Searching a facial recognition database allows for the identification of people who might use multiple online identities. The programme saves one image every five minutes from users’ feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ’s servers (GUA01).

Capabilities:

• Facial recognition

Data sources:

• Yahoo webcam application

Related programmes:

MUSCULAR – GCHQ programme collecting bulk data from Google and Yahoo data centres.

TEMPORA – GCHQ programme for bulk data collection and buffering.

XKEYSCORE – NSA system for searching and analysing Internet data.

MARINA – NSA repository for Internet metadata.

Layers of operation:

• Application layer: Extraction of content and metadata.

Background:

In a six-month period in 2008, OPTIC NERVE collected webcam images from over 1.8 million Yahoo user accounts worldwide (GUA01). The programme collects images from “unselected” people, meaning it is used for bulk rather than targeted collection. Yahoo has denied any prior knowledge of the program, and has since expanded encryption across its services.

Sources:

Guardian (GUA)
1) http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo

ANT Catalogue, NSA, https://nsa.gov1.info/dni/nsa-ant-catalog

Purpose:

ANT is a division of the NSA that provides software and hardware surveillance products to members of the ‘Five Eyes’ alliance, including the NSA and GCHQ. The ANT catalogue is a 50-page classified document from 2008 listing available technology, with summaries of hardware and software surveillance in eleven areas, including [SPI03]:

1. Room surveillance
CTX4000 – radar unit that can reveal the signals emitted by devices such as laser printers.
LOUDAUTO – audio-based radio frequency listening device capable of picking up conversations.
NIGHTWATCH – portable computer used to reconstruct and display video data from nearby computer monitors.
PHOTOANGLO – enables signals of passive bugging devices to be received from a considerable distance.
TAWDRYYARD – radio frequency position locator used to locate RAGEMASTER devices implanted in physical locations.

2. Computer monitor surveillance
RAGEMASTER – concealed device implanted into a computer’s video cable that intercepts image signals from a computer’s monitor.

3. Computers
GINSU – uses a hardware implant to restore a software implant that has been removed during an operating system upgrade or reinstall.
IRATEMONK – infiltration of hard drive firmware manufactured by Maxtor, Samsung, Seagate, and Western Digital. It replaces the Master Boot Record.
SWAP – enables remote control of a variety of operating systems including FreeBSD, Linux, Solaris and Windows.
WISTFULTOLL – harvests and returns forensic data from the Windows operating system.
HOWLERMONKEY – hardware implant used to extract data from systems or allow them to be controlled remotely.
JUNIORMINT – hardware chip implant configurable for a number of uses.
MAESTRO-II – multi-chip module approximately the size of a 20p coin with multiple uses.
SOMBERKNAVE – allows a Windows XP system to be controlled remotely using unused wireless interfaces that provide covert Internet connectivity.
TRINITY – configurable multi-chip module, smaller than a penny and implanted for a variety of uses.

4. Keyboards
SURLYSPAWN – hardware implant that enables keystroke monitoring remotely using a radar signal emitter, even if computers are not connected to the Internet.

5. USB
COTTONMOUTH-I – USB hardware implant that intercepts communication as well as having the capability of injecting Trojans.
COTTONMOUTH-II – USB socket implant that enables covert communication with the target system.
COTTONMOUTH-III – stacked Ethernet and USB plug that provides a wireless bridge allowing covert communication.
FIREWALK – hardware implant in the form of an Ethernet and USB connector that enables data extraction as well as injection of exploits through radio frequency communication.

6. Wireless LAN
NIGHTSTAND – mobile system that wirelessly installs Windows exploits from a distance of up to eight miles.
SPARROW II – small computer used to detect and map wireless networks from a drone or other capability.

7. Mobile phones
DROPOUTJEEP – used on first generation iPhones enabling remote access and control through SMS or data service, allowing for upload and download of files, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
GOPHERSET – GSM software that uses a phone’s SIM card API (SIM Toolkit or STK) to access the contacts list, SMS and logs of incoming and outgoing calls.
MONKEYCALENDAR – transmits a mobile phone’s geolocation using covert SMS texts.
TOTECHASER – Windows CE implant targeting the Thuraya 2520 satellite/GSM phone using hidden SMS texts.
TOTEGHOSTLY – implant that allows full remote control of Windows mobile phones, including upload and download of data, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
PICASSO – modified GMS handsets that enable location tracking and audio bugging.

8. Mobile phone networks
CROSSBEAM – GSM communications module that allows for interception of communication and covert remote access.
CANDYGRAM – mobile phone tower simulator that verifies locations through silent SMS.
CYCLONE-HX9 – GSM network simulator that enables eavesdropping on GSM 900 phones, which may have been used to eavesdrop on Chancellor Merkel’s phone.
EBSR – GSM base transceiver station with the ability to attack mobile phones on the GSM 900/1800/1900 frequency range.
ENTOURAGE – hardware receiver for direction finding that can detect the GPS coordinates of mobile phones.
GENESIS – modified mobile phone used to covertly perform network surveys as well as locate other mobile phones.
NEBULA – “network in a box” base station router for 2G and 3G networks.
TYPON HX – “network in a box” GSM base station simulator capable of tapping into mobile phones.
WATERWITCH – allows the operator to find the geolocation of specific mobile phones.

9. Firewalls
JETPLOW – firmware implant to create a permanent backdoor in Cisco PIX series and ASA firewalls.
HALLUXWATER – backdoor exploit for Huawei Eudemon firewalls, hidden in the boot ROM, enabling covert access to read and write memory, execute an address or execute a packet.
FEEDTROUGH – software implant that exploits Juniper Networks firewalls allowing remote access.
GOURMETTROUGH – configurable persistence implant for certain Juniper Networks firewalls.
SOUFFLETROUGH – BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls, installing a persistent backdoor.

10. Routers
HEADWATER – persistent backdoor technology enabling covert remote execution of code within Huawei routers.
SCHOOLMONTANA – implant that modifies the BIOS on Juniper JUNOS-based J-series routers.
SIERRAMONTANA – persistent software implant placed onto JUNOS-based M-series routers.
STUCCOMONTANA – persistent software implant that modifies the BIOS on JUNOS-based T-series routers.

11. Servers
IRONCHEF – exploits a computer’s motherboard BIOS to communicate with hidden hardware implants that provides two-way radio frequency (RF) communication on HP Proliant servers.
DEITYBOUNCE – software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s) that enables code execution while the operating system powers on.

Capabilities:

• Hardware implants across a variety of devices
• Software implants across a variety of devices

Exploitation of:

• Servers:
  • Dell PowerEdge
  • HP Proliant

• Firewalls:
  • Juniper Networks J & M series
  • Huawei Eudemon
  • Cisco PIX series and ASA

• Routers:
  • Huawei
  • Juniper J, M and T series

• Operating system:
  • Juniper JUNOS
  • Windows
  • FreeBSD
  • Linux
  • Solaris

• Hard drives:
  • Maxtor
  • Samsung
  • Seagate
  • Western Digital

Data extraction sources:

• Placing implants into physical devices manufactured by US companies
• Computers
• Mobile phones
• Physical locations

Combined with other state surveillance tools:

ANT tools combined with each other

Layers of operation:

• Physical Layer
• Link Layer
• Network Layer
• Transport Layer
• Application Layer
• Social Layer

Background:

The ANT product catalogue has been associated with the monitoring of Chancellor Merkel’s mobile phone [SPI02] as well as broader surveillance on US allies more broadly [GUA01], including the GCHQ programme Operation Socialist [SPI04]. Over 100,000 computers have received implants across the globe and use a covert radio frequency channel to exchange data [NYT01].

Company partners:

• Digital Network Technologies (NSA contractor)

Sources:

American Civil Liberties Union, ACLU (ACU)
1) https://www.aclu.org/files/natsec/nsa/20140130/NSA%27s%20Spy%20Catalogue.pdf

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/30/nsa-leaks-us-bugging-european-allies

New York Times (NYT)
1) http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0

Spiegel (SPI)
1) http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
2) http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html
3) http://www.spiegel.de/international/world/a-941262.html
4) http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html

SQUEAKY DOLPHIN, NBC news, slide #27.

Purpose:

SQUEAKY DOLPHIN is a GCHQ pilot programme demonstrating the ability to monitor social media in real time (NBC01). The programme monitors the following information extracted from GCHQ’s bulk collection programmes:

• Facebook ‘likes’
• YouTube video views
• Blogger visits
• Specific Twitter accounts

The programme uses off-the-shelf analytics and visualisation software (Splunk, Fire Ant and Distillery).

SQUEAKY DOLPHIN uses sentiment analysis to predict future events based on online behaviour patterns and demographic and geographic information.

Service providers have encrypted some of the content analysed by SQUEAKY DOLPHIN since the programme’s existence was revealed.

Capabilities:

• Real-time monitoring and analysis of online activity

Data sources:

• Digital content from major social media companies:
  • Facebook
  • Google
  • YouTube
  • Blogger
  • Twitter
  • Flickr

Related programmes:

TEMPORA – GCHQ programme for bulk data collection and buffering.

AIRWOLF – GCHQ programme for collecting YouTube profiles, comments and videos.

Layers of operation:

• Social layer: Analysis of patterns and trends in online activity.

Background:

The GCHQ presentation is titled “Psychology: A New Kind of SIGDEV: Establishing the Human Science Operation Cell”. The aim of the programme is to discover trends within given populations, and to extract personal information about specific users (NBC01). The programme also aims to ‘disrupt and strategically influence’ (NBC02).

The programme is operated by the GCHQ division known as Global Telecoms Exploitation (GTE), which collects Internet traffic that passes through UK territory. It is estimated that roughly 11% of global Internet traffic passes through the UK (NBC01). The programme’s aim is to understand human behaviour and sentiments across different social and cultural layers from individual, group and socio-cultural perspectives (NBC02).

SQUEAKY DOLPHIN, NBC news, slide #15.

Both Facebook and Google deny giving GCHQ access to their systems (BBC01). Facebook and Twitter have since encrypted their services, which could prevent governments from collecting data. Google has not encrypted YouTube or Blogger data.

Sources:

BBC News (BBC)
1) http://www.bbc.co.uk/news/technology-25927844

NBC News (NBC)
1) http://investigations.nbcnews.com/_news/2014/01/27/22469304-snowden-docs-reveal-british-spies-snooped-on-youtube-and-facebook
2) http://msnbcmedia.msn.com/i/msnbc/Sections/NEWS/snowden_youtube_nbc_document.pdf