The Enemy is the Network

Name: Marcel Sütterlin
Supervisor: Benjamin Hof

Lehrstuhl für Netzwerkarchitektur und Netzdienste - TUM Informatik, 19.01.2015

Overview

. The NSA in 2013-2014
. and Passive Attacks
. An Overview of known Mass Surveillance Programs
. How the NSA Programs work together
. Conclusion

NSA Leakage in 2013-2014

. purloined a massive file portfolio of disclosed files from the NSA
. Published by Laura Poitras and
. Well-known terms:
  . PRISM
  . NSA Files

Figure 1. Edward Snowden

An Overview of known NSA Mass Surveillance Programs
Overview

. Interaction between all programs

. Name of whole process: TURBULENCE

. TURMOIL: passive apparatus

. TURBINE: active apparatus

Figure 2. How the NSA programs interact with each other

An Overview of known NSA Mass Surveillance Programs
PRISM

. Passive data collection from selected providers
. Goal: E-Mail, Chat, Media Files, VoIP, Video Conferences
. Legal access
. Data access upon request

→ Request must be for an individual person!

Figure 3. Dates when PRISM collection began for each Provider

An Overview of known NSA Mass Surveillance Programs
TUMULT & TURMOIL

. TUMULT: Hardware device to mirror fiber-optic traffic

→ Forwards traffic to TURMOIL

. TURMOIL: Passive collection apparatus
. Distributed network of TURMOIL programs
. Located at ISP backbones, international gateways, ...
. Operates on packet level, allows for efficient scanning
. Includes fiber-cables of ISPs (RAMPART-A), undersea cables (RAMPART-M), land-based cables (RAMPART-T)

→ Tips TURBINE if suspicious data found

An Overview of known NSA Mass Surveillance Programs
WINDSTOP & TURBINE

. GCHQ WINDSTOP: accesses Yahoo’s and Google’s datacenters
  Contains MUSCULAR & INCENSER

. TURBINE: Active decision-making apparatus
. Triggered by TURMOIL
. Contains QUANTUM and QUANTUMTHEORY techniques
. A set of exploits to attack a target
. Officer can influence further proceedings

→ Responsible for analysis and decision-making

An Overview of known NSA Mass Surveillance Programs
X-KEYSCORE & TRAFFICTHIEF & TAO

. X-KEYSCORE: A dynamic database to temporarily store relevant internet traffic
. Data is collected by TURMOIL
. Capable of saving five days of full-take internet traffic
. Meta-data is stored 30 days

. TRAFFICTHIEF: The metadata database in X-KEYSCORE
. TURBINE and the TAO unit use it for decision-making

. TAO: Targeted Access Operations Unit
  Network Specialists, responsible for accessing difficult targets
  TAO Server contains QUANTUM(THEORY) implants

How the NSA Programs Work Together
The TURBULENCE Apparatus: Passive Data Collection

. TUMULT mirrors fiber-optic traffic
. WINDSTOP contributes data from GCHQ
. Access to Google & Yahoo datacenters
. RAMPART programs contribute data with the help of sub-programs

Figure 4. How TURBULENCE works

How the NSA Programs Work Together
The TURBULENCE Apparatus: Passive Data Collection

. HAMMERSTEIN: Exploits & accesses VPN traffic
. HAMMERCHANT: Exploits & accesses VoIP traffic
. TURMOIL analyses data
. Saves it to X-KEYSCORE
. Metadata to TRAFFICTHIEF
. If suspicious data found, triggers TURBINE

Figure 4. How TURBULENCE works

How the NSA Programs Work Together
The TURBULENCE Apparatus: Automated Active Attack

. TURBINE gets data from X-KEYSCORE and TRAFFICTHIEF
. If desired, officer can influence decision
. Implant is selected from TAO servers (QUANTUM & QUANTUMTHEORY implants)

→ Automated injection process

Figure 4. How TURBULENCE works

How the NSA Programs Work Together
The TURBULENCE Apparatus: Automated Active Attack

. Data from databases X-KEYSCORE & TRAFFICTHIEF sent via TURBINE to officer

. Data from target sent via TURBINE to officer

→ Officer is presented a portfolio of target

Figure 4. How TURBULENCE works

Conclusion

. NSA has a distributed portfolio of programs
  All shown modules are working together

. All traffic, including VoIP and VPN, gets analyzed
  NSA has access to many major ISPs

Thank you for your attention!

Questions?

References

Figure 1: http://time.com/3010649/nsa-sexually-explicit-photographs-snowden/, last accessed: 12.01.2014.
