NSA's Surveillance of the Internet


NSA’s surveillance of the internet
Can open-source help?
KLID presentation, May 21, 2015
Luke Herbert
Keld Simonsen
Professionelle Linux-Interessenter i Danmark

Contents
1 Introduction
2 Tailored Access Operations
3 Data Collection
4 Analysis
5 Hacking (Malware)
6 Cryptography
7 Using the Data
8 Open-Source Possibilities
9 Conclusion

Introduction → NSA
National Security Agency (NSA)
"The National Security Agency/Central Security Service (NSA/CSS) leads the U.S. Government in cryptology that encompasses both Signals Intelligence (SIGINT) and Information Assurance (IA) products and services, and enables Computer Network Operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances."

Introduction → 5 Eyes
The 5 Eyes alliance (FVEY)
UKUSA Agreement
• Great Britain
• New Zealand
• Canada
• Australia
Founded August 1941
Backbone STONEGHOST Intel Network

Introduction → Partners
Partners as of 2013
Glenn Greenwald: No Place To Hide, May-2014.

Introduction → Edward Snowden
Edward Snowden
• Born: 21 June, 1983
• 2006: CIA System admin.
• 2009: Dell Consultant at NSA
• One of approx. 1000 NSA admins authorised to access almost all systems.
• 2010: NSA allows USB sticks to be used in secure areas.
• 2013: Charged with Theft of government property, unauthorized communication of national defense information, and ...

Introduction → Publication
Edward Snowden (ES)
• ES stationed at the NSA’s Remote Operations Center facility in Hawaii.
• Raytheon’s Sureview Insider Threat Management not installed due to “bandwidth issues”
• Contacted Glenn Greenwald (GG), a journalist at The Guardian, in late 2012
• Problems setting up GnuPG led GG to abandon contact
• Contacted Laura Poitras (LP) in January 2013
• May/June 2013: Travels to Hong Kong, hands over documents to GG and LP
• All distribution and analysis of documents by GG and LP

Introduction → Other Leakers
At least 3 US intelligence community leakers
1 Edward Snowden
2 A person who is passing secrets to Jake Appelbaum, Laura Poitras and others in Germany:
  • Angela Merkel surveillance story
  • TAO catalog
  • X-KEYSCORE rules (Not in Snowden documents)
  Likely an NSA employee/contractor working in Germany, or someone from German intelligence
3 New leaker, with access to a different stream of information (National Counterterrorism Center), whom the Intercept calls "a source in the intelligence community."

Tailored Access Operations

Tailored Access Operations → Tailored Access Operations
Tailored Access Operations (TAO)
A cyber-warfare intelligence-gathering unit of the NSA
• Active since at least 1998
• More than 1,000 engineers
• In 2010 TAO undertook 279 operations against 258 targets in 89 countries
• Responsible for a “toolbox” of attacks known as the ANT (Access Network Technology) catalogue
• Slogan: "Getting the ungettable"

Tailored Access Operations → ANT - Cottonmouth-I
Cottonmouth-I: Computer hidden in a USB cable with a radio transmitter
50 units for $1 million in 2008.

Tailored Access Operations → For example Cottonmouth-III
Cottonmouth-III: Same idea, just in an RJ45 or USB port
50 units for $1.2 million in 2008.

Tailored Access Operations → Monitors & Keyboard
Monitors $30
Keyboards $30

Tailored Access Operations → ANT: Nightstand
Nightstand: Portable system which wirelessly attacks MS Windows systems from up to 8 miles.

Tailored Access Operations → ANT: Other Products
Other ANT Selected Products
• DROPOUTJEEP: Attack software for Apple iPhone. Modular design which allows reading/writing files, SMS, contacts, voicemail, geolocation, and microphone/camera monitoring etc. C&C and data exfiltration possible via SMS, data or voice. All communication hidden and encrypted.
• IRATEMONK: Malware aimed at HDD firmware, compatible with Maxtor, Samsung, Seagate, and Western Digital drives.
• CANDYGRAM: A $40,000 suitcase which simulates a GSM base-station.
• GINSU: Technology which exploits the PCI bus in a computer. Allows for reinstall of malware on system restart.
• DEITYBOUNCE: Technology which installs arbitrary software on Dell PowerEdge servers via their BIOS.
• FEEDTROUGH: Attack software for Juniper Networks firewalls with similar capabilities.
• HEADWATER: Same idea for Huawei routers.
• JETPLOW: Same idea for Cisco PIX and ASA firewalls.

Data Collection

Data Collection → Collect it all

Data Collection → TURBULENCE
TURBULENCE: Goal to collect “the vast majority of worldwide communications”
• Project started in 2005, to collect data world-wide
• Denotes a family of mass-surveillance programs
• Provides input to a range of analysis tools

Data Collection → Collect it all
The world's data

Data Collection → Collect it all
NSA Bases Worldwide

Data Collection → MYSTIC
MYSTIC: Telephone call interception program
• Started in 2012
• Collects all of a test country’s telephone calls
• Targets call content by means of speech-to-text software
• Those calls are stored in a database codenamed NUCLEON, and can be retrieved at a later date using a tool codenamed RETRO.
• Calls collected number in the billions (30 day cache).
• Expanded to at least one more test country in 2013

Data Collection → Undersea cables
OAKSTAR, STORMBREW, BLARNEY & FAIRVIEW: Monitor Undersea cables

Data Collection → Undersea cables
USS Jimmy Carter (SSN-23)

Data Collection → Undersea cables
GlimmerGlass

Data Collection → PRISM
PRISM: Largest Source of Raw Intelligence
Extracts information from the servers of nine major American internet companies
• Microsoft
• Yahoo
• Google
• Facebook
• PalTalk
• AOL
• Skype
• YouTube
• Apple

Analysis

Analysis → What is collected
What is collected?
• Online purchases/auctions
• Internet searches
• Credit/debit card transactions
• Websites visited
• Financial information SWIFT
• Emails sent/received
• Legal documents
• Social media activity (Facebook, Twitter, etc)
• Travel documents
• Health records
• Blogging activity including posts read, written, commented (Patent)
• IP television shows watched/recorded
• Videos watched and/or uploaded online
• Commuter toll records
• Photos viewed and/or uploaded online
• Electronic bus/subway passes
• Facial recognition data from surveillance cameras
• Mobile phone GPS-location data
• Mobile phone apps downloaded
• Educational records
• Phone call records (Patent)
• Arrest records
• Driver license information
• Text messages sent and received
• Skype video calls

Analysis → Analysis
The analysis hierarchy

Analysis → XKeyScore
XKeyScore

Analysis → TRAFFICTHIEF
TRAFFICTHIEF: Long term metadata storage
Data: Imagine you hired a detective to eavesdrop on someone. He might plant a bug in their office. He might tap their phone. He might open their mail. The result would be the details of that person’s communications.
Metadata: Imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased – how he spent his day.
Metadata = Surveillance

Hacking (Malware)

Hacking (Malware) → Implants
Implants: NSA term for spyware/malware
• CAPTIVATEDAUDIENCE takes over a targeted computer’s microphone and records conversations taking place near the device.
• GUMFISH covertly takes over a computer’s webcam and snaps photographs.
• FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts.
• GROK is used to log keystrokes.
• SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

Hacking (Malware) → TURBINE
TURBINE
• Designed to make deploying malware easier by reducing the overseeing of implant functions.
• The system would “relieve the user from needing to know/care about the details”
“One of the greatest challenges for active SIGINT/attack is scale,” explains the
