Retrospective monitoring – Digital Citizenship and Surveillance Society
https://dcssproject.net
UK State-Media-Citizen Relations after the Snowden Leaks
Wed, 03 Jun 2020 16:15:15 +0000

PRISM
https://dcssproject.net/prism/
Wed, 22 Jul 2015 11:25:10 +0000

PRISM, The Guardian, slide #2.

Purpose:

PRISM is an NSA programme that exploits data collected by the FBI’s Data Intercept Technology Unit (DITU) from nine major US corporations including Facebook, Google and Apple. There is no single PRISM database. Rather, when the data arrives at the NSA, it is sorted and distributed to the following systems:

  • MARINA: Internet metadata
  • MAINWAY: telephone metadata
  • NUCLEON: voice content
  • PINWALE: selected email and other content

MARINA is the counterpart of PRISM, where MARINA stores metadata and PRISM provides access to content. The telephone counterparts are MAINWAY (metadata) and NUCLEON (content) (MOJ01).

Mother Jones Magazine, Four programmes.


According to the leaked slides, PRISM is the biggest single contributor to the NSA’s intelligence reporting (GUA01).

Capabilities:

  • Access to content and metadata from service providers via the FBI

Data sources:

  • Content and metadata from nine major US companies:
    • Google
    • Skype
    • Facebook
    • Yahoo
    • Microsoft
    • Apple
    • YouTube
    • AOL
    • PalTalk

Related programmes:

MARINA – NSA repository for Internet metadata.

PINWALE – NSA content repository.

Layers of operation:

  • Application layer: Collection of content and metadata through interfaces created by service providers.
  • Social layer: Aggregation of content and metadata from multiple applications.

Background:

PRISM is considered a downstream programme as it collects information from service providers. It is used in conjunction with upstream programmes that collect communications from fibre-optic cables and other infrastructure.

Although PRISM is an NSA programme, GCHQ is a key partner and has full access to the database (GUA02). In 2013, a UK parliamentary committee deemed GCHQ’s activity legal (BBC01). However, in 2015 the Investigatory Powers Tribunal deemed the activity unlawful (GUA03).

Company partners:

  • Google
  • Skype
  • Facebook
  • Yahoo
  • Microsoft
  • Apple
  • YouTube
  • AOL
  • PalTalk

Sources:

BBC News (BBC)
1) http://www.bbc.co.uk/news/uk-23341597

Guardian (GUA)
1) http://www.theguardian.com/world/interactive/2013/nov/01/prism-slides-nsa-document
2) http://www.theguardian.com/technology/2013/jun/07/uk-gathering-secret-intelligence-nsa-prism
3) http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa

Mother Jones Magazine (MOJ)
1) http://www.motherjones.com/kevin-drum/2013/06/washington-post-provides-new-history-nsa-surveillance-programs

XKEYSCORE
https://dcssproject.net/xkeyscore/
Wed, 22 Jul 2015 11:24:35 +0000

XKEYSCORE, ACLU document archive, slide #11.

Purpose:

XKEYSCORE is an NSA search and analysis system for data collected by other surveillance programmes. The system is described by Snowden as a search engine that provides a “one-stop shop” for access to content, metadata and real-time tracking and monitoring of user activities (COU01). Access to XKEYSCORE is shared with a number of other intelligence agencies including GCHQ (COU01, GUA01). In 2012, GCHQ’s TEMPORA programme was the largest source of XKEYSCORE data (EFF01).

The system incorporates user interfaces, databases and algorithms to select specific types of content and metadata that have already been collected by other surveillance programmes. Data can be retrieved using “strong selectors” such as email addresses and “soft selectors” such as keywords (ACU01). Rules for identifying particular kinds of data can be created and stored in the system. For example, analysts can target Tor users through rules that select web searches related to Tor and connections to the Tor network (NDR01). XKEYSCORE also has the ability to alert analysts to the activities of specific email and IP addresses (GUA02).

In 2008, the system included over 700 servers at approximately 150 locations around the world (ACU01). Content remains in the XKEYSCORE environment for three to five days, while metadata is stored for 30 days.

Capabilities (ACU01, EFF01):

  • Ingestion of “full take” from NSA and partner agency bulk collection programmes.
  • Federated query mechanism allows analysts to search multiple databases with a single query.
  • Content and metadata can be searched using “strong selectors” and “soft selectors”.
  • Rules for matching particular kinds of data can be created and stored in the system.
  • Computer systems that are vulnerable to attack can be identified by monitoring network traffic.
  • Documents can be traced back to their authors.
  • Pattern-of-life analysis can develop profiles of individuals or find individuals matching a profile.

Data sources (ACU01, ELE01, SES01, WEE01):

  • CIA/NSA Special Collection Service (F6).
  • NSA Special Source Operations (such as PRISM, MUSCULAR and INCENSER).
  • Foreign satellite data (FORNSAT).
  • MARINA metadata repository.
  • TRAFFICTHIEF metadata repository.

Related programmes (ACU01, EFF01, ELE01, SES01):

PRISM – NSA programme for content and metadata collection from service providers via the FBI.

MUSCULAR – GCHQ programme for bulk data collection from service provider data centres.

INCENSER – GCHQ programme for bulk data collection from fibre-optic cables.

TEMPORA – GCHQ programme for bulk data collection and buffering.

TRAFFICTHIEF – NSA repository for metadata about selected targets.

MARINA – NSA repository for bulk Internet metadata.

PINWALE – NSA repository for selected content.

Layers of operation:

  • Network layer, transport layer and application layer: Matching content and metadata against rules defined by analysts.
  • Social layer: Aggregation of content and metadata from multiple sources, pattern-of-life analysis.

Background:

XKEYSCORE training materials detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search (GUA02). Requests are not reviewed by a court or any NSA personnel before being processed. The programme covers “nearly everything a typical user does on the internet”, including the content of emails, websites visited and searches, as well as their metadata (GUA02). The programme also allows for on-going “real-time” interception of an individual’s Internet activity (GUA02).

Data storage is an issue. According to leaked documents, “At some sites, the amount of data we receive per day (20+ terabytes) can only be stored for as little as 24 hours” (GUA02). In response, the NSA has created a multi-tiered system that allows analysts to store “interesting” content in other databases, such as one named PINWALE, which can store material for up to five years (GUA02).

Sources:

American Civil Liberties Union (ACU)
1) https://www.aclu.org/files/natsec/nsa/NSA%20XKeyscore%20Powerpoint.pdf

Courage Foundation (COU)
1) https://edwardsnowden.com/2014/01/27/video-ard-interview-with-edward-snowden

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/files/2014/06/23/report_on_the_nsas_access_to_tempora.pdf

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/27/nsa-online-metadata-collection
2) http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data

NDR Panorama (NDR)
1) http://daserste.ndr.de/panorama/aktuell/NSA-targets-the-privacy-conscious,nsa230.html

Robert Sesek (SES)
1) https://robert.sesek.com/2014/9/unraveling_nsa_s_turbulence_programs.html

The Week (WEE)
1) http://theweek.com/articles/461482/4-nsa-terms-should-know

MUSCULAR
https://dcssproject.net/muscular/
Wed, 22 Jul 2015 11:23:57 +0000

MUSCULAR, Washington Post, “Google Cloud Exploitation” slide.

Purpose:

MUSCULAR is a joint GCHQ and NSA programme that collects data travelling between internal data centres owned by Google and Yahoo. It achieves this by accessing the cables through which the companies’ internal network traffic passes. The programme is used to collect emails, documents, pictures, search queries and other data.

The programme relies on the telecommunications provider Level 3 to offer secret access to a fibre-optic cable at a point where Google and Yahoo traffic passes (NYT01). The access point, known as DS-200B, is located somewhere in the UK (WAH01).

MUSCULAR stores data for a three to five day period, during which GCHQ and NSA decode the proprietary data formats used by each company and extract information they want to keep (WAH02).

Capabilities:

  • Bulk collection from private networks
  • Bypassing encryption used on public networks
  • Decoding proprietary data formats

Data sources:

  • DS-200B, cable location owned by Level 3
  • Digital content from two major US companies

Related programmes:

WINDSTOP – NSA umbrella programme for bulk collection in partnership with “trusted second party” countries (UK, Canada, Australia and New Zealand). The programme targets “communications into and out of Europe and the Middle East” (ELE01).

Layers of operation:

  • Physical layer: Tapping of fibre-optic cables.
  • Link layer, network layer and transport layer: Reconstruction of communication sessions.
  • Application layer: Extraction of content and metadata.

Background:

MUSCULAR is one of at least four similar “trusted second party programs” which together are known as WINDSTOP within the NSA (ELE01). This programme taps into the private leased fibre-optic cables that are used to connect the companies’ data centres across the globe (WAH02). These corporate internal networks have historically been unencrypted; however, both companies are beginning to encrypt their networks as a result of the MUSCULAR leak.

Company partners (NYT01):

  • Level 3: Provider of fibre-optic cables for Google

Sources:

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

New York Times (NYT)
1) http://www.nytimes.com/2013/10/31/technology/nsa-is-mining-google-and-yahoo-abroad.html

Washington Post (WAH)
1) http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/04/how-we-know-the-nsa-had-access-to-internal-google-and-yahoo-cloud-data
2) http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

OPTIC NERVE
https://dcssproject.net/optic-nerve/
Wed, 22 Jul 2015 11:23:23 +0000

OPTIC NERVE, The Guardian, 28 February 2014.

Purpose:

OPTIC NERVE is a GCHQ programme that collects still images of Yahoo webcam chats in bulk and saves them to agency databases, whether or not an individual is an intelligence target (GUA01). The programme uses automated facial recognition technology to match existing targets and to discover potential new targets. Searching a facial recognition database allows for the identification of people who might use multiple online identities. The programme saves one image every five minutes from users’ feeds, partly to comply with human rights legislation, and also to avoid overloading GCHQ’s servers (GUA01).

Capabilities:

  • Facial recognition

Data sources:

  • Yahoo webcam application

Related programmes:

MUSCULAR – GCHQ programme collecting bulk data from Google and Yahoo data centres.

TEMPORA – GCHQ programme for bulk data collection and buffering.

XKEYSCORE – NSA system for searching and analysing Internet data.

MARINA – NSA repository for Internet metadata.

Layers of operation:

  • Application layer: Extraction of content and metadata.

Background:

In a six-month period in 2008, OPTIC NERVE collected webcam images from over 1.8 million Yahoo user accounts worldwide (GUA01). The programme collects images from “unselected” people, meaning it is used for bulk rather than targeted collection. Yahoo has denied any prior knowledge of the programme, and has since expanded encryption across its services.

Sources:

Guardian (GUA)
1) http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo

ANT Catalogue
https://dcssproject.net/ant-catalogue/
Wed, 22 Jul 2015 11:21:24 +0000

ANT Catalogue, NSA, https://nsa.gov1.info/dni/nsa-ant-catalog

Purpose:

ANT is a division of the NSA that provides software and hardware surveillance products to members of the ‘Five Eyes’ alliance, including the NSA and GCHQ. The ANT catalogue is a 50-page classified document from 2008 listing available technology, with summaries of hardware and software surveillance in eleven areas, including [SPI03]:

1. Room surveillance
CTX4000 – radar unit that can reveal the signals emitted by devices such as laser printers.
LOUDAUTO – audio-based radio frequency listening device capable of picking up conversations.
NIGHTWATCH – portable computer used to reconstruct and display video data from nearby computer monitors.
PHOTOANGLO – enables signals of passive bugging devices to be received from a considerable distance.
TAWDRYYARD – radio frequency position locator used to locate RAGEMASTER devices implanted in physical locations.

2. Computer monitor surveillance
RAGEMASTER – concealed device implanted into a computer’s video cable that intercepts image signals from a computer’s monitor.

3. Computers
GINSU – uses a hardware implant to restore a software implant that has been removed during an operating system upgrade or reinstall.
IRATEMONK – infiltration of hard drive firmware manufactured by Maxtor, Samsung, Seagate, and Western Digital. It replaces the Master Boot Record.
SWAP – enables remote control of a variety of operating systems including FreeBSD, Linux, Solaris and Windows.
WISTFULTOLL – harvests and returns forensic data from the Windows operating system.
HOWLERMONKEY – hardware implant used to extract data from systems or allow them to be controlled remotely.
JUNIORMINT – hardware chip implant configurable for a number of uses.
MAESTRO-II – multi-chip module approximately the size of a 20p coin with multiple uses.
SOMBERKNAVE – allows a Windows XP system to be controlled remotely using unused wireless interfaces that provide covert Internet connectivity.
TRINITY – configurable multi-chip module, smaller than a penny and implanted for a variety of uses.

4. Keyboards
SURLYSPAWN – hardware implant that enables keystroke monitoring remotely using a radar signal emitter, even if computers are not connected to the Internet.

5. USB
COTTONMOUTH-I – USB hardware implant that intercepts communication as well as having the capability of injecting Trojans.
COTTONMOUTH-II – USB socket implant that enables covert communication with the target system.
COTTONMOUTH-III – stacked Ethernet and USB plug that provides a wireless bridge allowing covert communication.
FIREWALK – hardware implant in the form of an Ethernet and USB connector that enables data extraction as well as injection of exploits through radio frequency communication.

6. Wireless LAN
NIGHTSTAND – mobile system that wirelessly installs Windows exploits from a distance of up to eight miles.
SPARROW II – small computer used to detect and map wireless networks from a drone or other capability.

7. Mobile phones
DROPOUTJEEP – used on first generation iPhones enabling remote access and control through SMS or data service, allowing for upload and download of files, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
GOPHERSET – GSM software that uses a phone’s SIM card API (SIM Toolkit or STK) to access the contacts list, SMS and logs of incoming and outgoing calls.
MONKEYCALENDAR – transmits a mobile phone’s geolocation using covert SMS texts.
TOTECHASER – Windows CE implant targeting the Thuraya 2520 satellite/GSM phone using hidden SMS texts.
TOTEGHOSTLY – implant that allows full remote control of Windows mobile phones, including upload and download of data, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
PICASSO – modified GSM handsets that enable location tracking and audio bugging.

8. Mobile phone networks
CROSSBEAM – GSM communications module that allows for interception of communication and covert remote access.
CANDYGRAM – mobile phone tower simulator that verifies locations through silent SMS.
CYCLONE-HX9 – GSM network simulator that enables eavesdropping on GSM 900 phones, which may have been used to eavesdrop on Chancellor Merkel’s phone.
EBSR – GSM base transceiver station with the ability to attack mobile phones on the GSM 900/1800/1900 frequency range.
ENTOURAGE – hardware receiver for direction finding that can detect the GPS coordinates of mobile phones.
GENESIS – modified mobile phone used to covertly perform network surveys as well as locate other mobile phones.
NEBULA – “network in a box” base station router for 2G and 3G networks.
TYPHON HX – “network in a box” GSM base station simulator capable of tapping into mobile phones.
WATERWITCH – allows the operator to find the geolocation of specific mobile phones.

9. Firewalls
JETPLOW – firmware implant to create a permanent backdoor in Cisco PIX series and ASA firewalls.
HALLUXWATER – backdoor exploit for Huawei Eudemon firewalls, hidden in the boot ROM, enabling covert access to read and write memory, execute an address or execute a packet.
FEEDTROUGH – software implant that exploits Juniper Networks firewalls allowing remote access.
GOURMETTROUGH – configurable persistence implant for certain Juniper Networks firewalls.
SOUFFLETROUGH – BIOS injection software that can compromise Juniper Networks SSG300 and SSG500 series firewalls, installing a persistent backdoor.

10. Routers
HEADWATER – persistent backdoor technology enabling covert remote execution of code within Huawei routers.
SCHOOLMONTANA – implant that modifies the BIOS on Juniper JUNOS-based J-series routers.
SIERRAMONTANA – persistent software implant placed onto JUNOS-based M-series routers.
STUCCOMONTANA – persistent software implant that modifies the BIOS on JUNOS-based T-series routers.

11. Servers
IRONCHEF – exploits a computer’s motherboard BIOS to communicate with hidden hardware implants that provide two-way radio frequency (RF) communication on HP Proliant servers.
DEITYBOUNCE – software implant on Dell PowerEdge servers via the motherboard BIOS and RAID controller(s) that enables code execution while the operating system powers on.

Capabilities:

  • Hardware implants across a variety of devices
  • Software implants across a variety of devices

Exploitation of:

  • Servers:
    • Dell PowerEdge
    • HP Proliant
  • Firewalls:
    • Juniper Networks J & M series
    • Huawei Eudemon
    • Cisco PIX series and ASA
  • Routers:
    • Huawei
    • Juniper J, M and T series
  • Operating system:
    • Juniper JUNOS
    • Windows
    • FreeBSD
    • Linux
    • Solaris
  • Hard drives:
    • Maxtor
    • Samsung
    • Seagate
    • Western Digital

Data extraction sources:

  • Placing implants into physical devices manufactured by US companies
  • Computers
  • Mobile phones
  • Physical locations

Combined with other state surveillance tools:

ANT tools combined with each other

Layers of operation:

  • Physical Layer
  • Link Layer
  • Network Layer
  • Transport Layer
  • Application Layer
  • Social Layer

Background:

The ANT product catalogue has been associated with the monitoring of Chancellor Merkel’s mobile phone [SPI02] as well as surveillance of US allies more broadly [GUA01], including the GCHQ programme Operation Socialist [SPI04]. Over 100,000 computers have received implants across the globe and use a covert radio frequency channel to exchange data [NYT01].

Company partners:

  • Digital Network Technologies (NSA contractor)

Sources:

American Civil Liberties Union, ACLU (ACU)
1) https://www.aclu.org/files/natsec/nsa/20140130/NSA%27s%20Spy%20Catalogue.pdf

Guardian (GUA)
1) http://www.theguardian.com/world/2013/jun/30/nsa-leaks-us-bugging-european-allies

New York Times (NYT)
1) http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0

Spiegel (SPI)
1) http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
2) http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html
3) http://www.spiegel.de/international/world/a-941262.html
4) http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html

MARINA
https://dcssproject.net/marina/
Thu, 21 May 2015 10:49:05 +0000

Purpose:

MARINA is an NSA repository for metadata. It stores information about millions of Internet users for up to a year (GUA01). The repository contains contact information, browsing history and other metadata. It also has the ability to export data in a variety of formats, including charts that assist in pattern-of-life analysis (GUA01).

MARINA aggregates metadata from a variety of sources, including online social networks, billing records, bank transactions, insurance information, passenger manifests, voter registration rolls, GPS location information, property records, and unspecified tax data (NYT01).

MAINWAY is the counterpart programme for storing telephone metadata (MOJ01).

Capabilities:

  • Metadata storage and analysis
  • Pattern-of-life analysis

Data sources:

  • Internet traffic
  • Commercial and financial transactions
  • Travel records
  • Government records

Related programmes:

XKEYSCORE – NSA system for searching and analysing data from a wide range of sources.

PRISM – NSA programme for collecting content and metadata from service providers via the FBI.

TEMPORA – GCHQ programme for bulk data collection and buffering.

MAINWAY – NSA repository for telephone metadata.

Layers of operation:

  • Social layer: Aggregation of metadata from multiple sources, pattern-of-life analysis.

Background:

MARINA exploits a trend known as convergence, referred to in an NSA slide as “The gradual ‘blurring’ of telecommunications, computers, and the Internet” (ACU01).

This convergence of computerised data makes it easier to combine data from various sources, thus developing an understanding of both the social networks and the activities of people. MARINA is part of the Target Knowledge Database (TKB), a repository of data about targeted individuals including German Chancellor Angela Merkel (SPI01).

Sources:

American Civil Liberties Union (ACU)
1) https://www.aclu.org/sites/default/files/assets/social_convergence.pdf

Guardian (GUA)
1) http://www.theguardian.com/world/2013/sep/30/nsa-americans-metadata-year-documents

Mother Jones Magazine (MOJ)
1) http://www.motherjones.com/kevin-drum/2013/06/washington-post-provides-new-history-nsa-surveillance-programs

New York Times (NYT)
1) http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html

Spiegel (SPI)
1) http://www.spiegel.de/international/germany/gchq-and-nsa-targeted-private-german-companies-a-961444.html

TEMPORA
https://dcssproject.net/tempora/
Wed, 06 May 2015 09:42:23 +0000

Submarine Cable Map (submarinecablemap.com)

Purpose:

TEMPORA is a GCHQ programme for physically tapping fibre-optic cables to collect data in bulk. The programme collects content and metadata that travels over fibre-optic cables around the world, including cables entering and exiting the UK (GUA01). The programme taps at least 200 cables at various locations (GUA01).

TEMPORA stores the collected data in a buffer to enable retrospective analysis. Content is stored for three days, and metadata for 30 days (GUA01).

The TEMPORA programme incorporates bulk data from the INCENSER programme (ORG01). Data collected by TEMPORA is shared with the NSA through the WINDSTOP programme, and can be analysed using the XKEYSCORE search interface and a search language called GENESIS (ORG01, EFF01).

Capabilities:

  • Fibre-optic cable tapping
  • Temporary storage of content and metadata

Data sources:

  • Cable taps installed at the following locations (EFF01):
    • 16 x 10 gigabit/second cables at the CPC processing center
    • 7 x 10 gigabit/second cables at the OPC processing center
    • 23 x 10 gigabit/second cables at the RPC1 processing center
  • The centres above have been associated with the following locations (ESP01):
    • Benhall, Cheltenham (GCHQ headquarters)
    • Bude station (Cornwall)
    • Ayios Nikolaos station (Cyprus)

Related programmes:

POKERFACE – GCHQ programme using MVR (Massive Volume Reduction) for high-speed filtering and selection, including removal of high-volume, low-value traffic such as peer-to-peer downloads. Also searches by ‘trigger’ words, email addresses and phone numbers.

XKEYSCORE – NSA system for searching and analysing Internet data.

INCENSER – GCHQ bulk collection programme that provides access to a cable system codenamed NIGELLA, which is the intersection of two fibre-optic cables connecting the Atlantic with Europe and Asia (ORG01, ELE01).

WINDSTOP – NSA umbrella programme for bulk collection in partnership with “trusted second party” countries (UK, Canada, Australia and New Zealand). The programme targets “communications into and out of Europe and the Middle East” (ELE01).

Layers of operation:

  • Physical layer: Tapping of fibre-optic cables.
  • Link layer, network layer and transport layer: Reconstruction of communication sessions.
  • Application layer: Extraction of content and metadata.

Background:

The GCHQ cable-tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data between Western Europe, Asia and North America. This was done under secret agreements with commercial companies, described in one document as “intercept partners” (GUA01).

In 2015, GCHQ was censured for conducting bulk collection activities and sharing this information with the NSA (GUA02).

Company partners (GUA03, ORG01):

  • BT (codenamed REMEDY)
  • Vodafone Cable (GERONTIC)
  • Verizon Business (DACRON)
  • Global Crossing (PINNAGE)
  • Level 3 (LITTLE)
  • Viatel (VITREOUS)
  • Interoute (STREETCAR)

Sources:

Electronic Frontier Foundation (EFF)
1) https://www.eff.org/files/2014/06/23/gchq_report_on_the_technical_abilities_of_tempora.pdf

Electrospaces (ELE)
1) http://electrospaces.blogspot.co.uk/2014/11/incenser-or-how-nsa-and-gchq-are.html

Espresso (ESP)
1) http://espresso.repubblica.it/inchieste/2013/11/04/news/the-history-of-british-intelligence-operations-in-cyprus-1.139978

Guardian (GUA)
1) http://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa
2) http://www.theguardian.com/business/2013/aug/02/telecoms-bt-vodafone-cables-gchq
3) http://www.theguardian.com/uk-news/2015/feb/06/gchq-mass-internet-surveillance-unlawful-court-nsa

Open Rights Group (ORG)
1) https://www.openrightsgroup.org/assets/files/pdfs/reports/gchq/01-Part_One_Chapter_One-Passive_Collection.pdf
