March 25, 2015

New Zealand and XKEYSCORE: not much evidence for mass surveillance



Since March 5, The New Zealand Herald and the website The Intercept published a number of stories based on top secret documents regarding New Zealand. These stories followed last year's claims by Edward Snowden saying that the New Zealand signals intelligence agency GCSB is involved in indiscriminate and illegal mass surveillance of ordinary citizens.

Here we will take a close look at the original documentes that accompanied these reportings and put them in a broader context in order to see whether they support these claims or not. Attention will also be paid to the notorious XKEYSCORE system.




The listening station at Waihopai (SIGAD: NZC-333) in New Zealand
after activists deflated one of the kevlar radomes in April 2008
(Source: GCSB presentation - Click to enlarge)
 

GCSB satellite collection

In the first story from March 5, it was claimed that New Zealand's signals intelligence agency GCSB conducted "mass spying on friendly nations" in the South Pacific on behalf of the Five Eyes partnership, which consists of the United States, the United Kingdom, Canada, Australia and New Zealand.

The allegation of "mass spying" seems to be based upon an excerpt from an GCHQ wiki page from about 2011, which talks about "full-take collection" at New Zealand's satellite intercept station in Waihopai (codenamed IRONSAND):



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)


A GCSB report from July 2009 says that GCSB users were trained by NSA XKEYSCORE trainers "in anticipation of full-take collection and 2nd party sharing" with the full-take collection expected to be running by October 2009.


"Full-take" collection

The New Zealand Herald explained that "full-take collection means the base now collects and retains everything it intercepts: both the content of all the messages and the metadata". If that would be true, then one could probably speak of "mass surveillance".

But later on, the report quotes the German magazine Der Spiegel, which reported already in 2013 that XKEYSCORE "enables 'full-take' of all unfiltered data over a period of several days". The latter is an important detail, but neither The New Zealand Herald, nor The Intercept paid any further attention to it.

When New Zealand's prime minister John Key was asked about the "full-take" at a press conference, he told a reporter: "With the greatest of respect, I don't actually think you understand the technical term and it's not my job to explain it to you". This is the standard response governments give in these matters, rather letting citizens think they are under massive surveillance than explaining what really happens...
 

XKEYSCORE

In the GCHQ wiki entry we also see two check boxes with next to them the Waihopai station mentioned as "GCSB_IRONSAND_WC2_FULL_TAKE". The abbreviation WC2 stands for WEALTHYCLUSTER 2, which is apparently the second generation of a system that is used to process low data rate signals: it sessionizes all of them and then forwards them to XKEYSCORE.

Using WEALTHYCLUSTER processing is called the traditional version of XKEYSCORE, which is used for satellite and terrestrial radio signals. For higher data rates, like on fiber-optic cables, it was/is not possible to forward all data to XKEYSCORE.

These yet unfiltered internet communication sessions forwarded to XKEYSCORE are called the 'full-take'. They are only stored for a short period of time: content is buffered for 3 to 5 days (sometimes shorter or sometimes longer, depending on the amount of traffic), and metadata for up to 30 days. In other words, XKEYSCORE creates a rolling buffer which is continually being rewritten:



Slide with some main characteristisc of the XKEYSCORE system
See also another, similar NSA presentation about XKEYSCORE


This buffering enables analysts to perform federated queries using so-called "soft selectors", like keywords, against the body texts of e-mail and chat messages, digital documents, spreadsheets in English, as well as in Arabic and Chinese. XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPN or the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace target's internet activities that are performed anonymous, and therefore cannot be found by just filtering out known e-mail addresses of a target. When such content has been found, the analyst might be able to find new intelligence or new "strong selectors", which can then be used for starting a traditional search.


XKEYSCORE Fingerprints

To use XKEYSCORE more efficient, analysts can create so-called 'fingerprints', which are rules that contain search terms (especially all the correlated identities of a certain target) that are automatically executed by the system. Some examples of XKEYSCORE fingerprints were disclosed by German regional television on July 3, 2014, who presented them as excerpts of XKEYSCORE's source code.

Until now, The New Zealand Herald has published two XKEYSCORE fingerprints that define GCSB targets: one related to candidates for the job of director-general of the World Trade Organisation (WTO), and another one related to the Solomon Islands, for which the fingerprints show that GCSB (and/or NSA) was interested in documents from the government of this island state, as well as in the Truth and Reconciliation Commission and former militia groups.


GCSB targets

Another document disclosed by The New Zealand Herald and The Intercept shows that GCSB also spies on China, Pakistan, India, Iran, South Pacific Island nations (like Tuvalu, Nauru, Kiribati and Samoa, Vanuatu, New Caledonia, Fiji, Tonga and French Polynesia), the diplomatic communications of Japan, North Korea, Vietnam, and South America, as well as French police and nuclear testing activities in New Caledonia, and even on Antarctica.

A number of these targets, and some others, were already listed in a 1985-86 annual report of GCSB (classified as TOP SECRET UMBRA), which was accidently released in 2006. So although it might be embarrassing for the New Zealand government that the spying on nearby friendly island states was exposed, it is nothing new and nothing what is very far out of the range of what intelligence agencies usually do.


"Collect it All"

In a GCSB presentation (pdf) about the Waihopai satellite station from April 2010 we read: "To brief IS on the MHS ‘Collect It All’ initiative" - with IS being the abbreviation for IRONSAND, the codename for Waihopai; and MHS for Menwith Hill Station, NSA's large satellite facility in England.

This seems to confirm that "Collect It All" was initially a project for the Menwith Hill Station, maybe meant to be extended to other satellite collection facilities, but not the primary aspiration for NSA's collection efforts in general, as Glenn Greenwald claimed in his book No Place To Hide.*

As evidence, Greenwald presented a slide from a 2011 presentation for the annual Five Eyes conference, but that shows that "Collect it All" actually refers to just one particular stage of the collection process for satellite traffic:




- On top of the diagram, the process starts with receiving the satellite signals ("Sniff it All") and this is followed by "Know it All", which is about detecting (survey) what kind of traffic certain communication channels contain.

- The stage for which they aim "Collect it All" is when signals are processed into usable data by conversion, demodulation and demultiplexing. This is done through systems codenamed ASPHALT and ASPHALT PLUS, but no further information on these system has been published. Apparently "Collect it All" is about increasing the capability to process signals.

- The next stage is "Process it All" where, after a Massive Volume Reduction (MVR) to get rid of useless data, XKEYSCORE (XKS) is used to search for things that are of interest. The last two stages are about analysing data at a large scale and share them with GCHQ and NSA's satellite intercept station in Misawa, Japan.



Photo of what might be XKEYSCORE equipment at the NSA's
European Cryptologic Center (ECC) in Griesheim, Germany
(Source: ECC presentation (pdf) - Click to enlarge)


Targeted collection

Combining the earlier disclosed information about XKEYSCORE shows that neither "full-take", nor "Collect it All" means that "everything" ends up in some NSA database (typically PINWALE for content and MARINA for metadata). This only happens with data that is extracted based upon 'strong selectors', 'fingerprints', or manual searches by analysts when they think it contains valuable foreign intelligence information.

A 2012 NSA document about a training course for XKEYSCORE, published by Der Spiegel in June 2014, says that this system helps analysts to "downsize their gigantic shrimping nets [of traditional collection methods] to tiny goldfish-sized nets and merely dip them into the oceans of data, working smarter and scooping out exactly what they want".

This suggests that XKEYSCORE is able to sort out data in a way that is even more targeted than the traditional method, in which communications are filtered out by internet addresses. This would make XKEYSCORE even less the "mass surveillance tool" as it is called by Snowden.
 


GCSB cable access

Besides the satellite station in Waihopai and the High-Frequency radio intercept facility near Tangimoana, some snippets disclosed in September 2014, show that GCSB also started a cable access program codenamed SPEARGUN, for which the first metadata probe was expected mid-2013. According to The Intercept, this program might be about tapping the Southern Cross cable, which carries "the vast majority of internet traffic between New Zealand and the rest of the world".

A bit confusing is that in a 2012 GCSB presentation (pdf), project SPEARGUN is listed among topics related to the "IRONSAND Mission", but maybe this means that the mission of this satellite intercept station in Waihopai was extended to include cable operations too.

IRONSAND is in the north east of the South Island of New Zealand, while the landing points for the Southern Cross cable are in the north of the North Island, a distance of more than 500 kilometers. It's possible that from the Waihopai station the actual cable intercept facilities are remotely controlled, maybe through a secure Virtual Private Network (VPN) connection over the domestic Aqualink cable:




The access points to the Southern Cross cable could then be identical with the "NSA facilities" in Auckland and "in the north" of the country, which Edward Snowden hinted to in his speech on the "Moment of Truth" meeting in Auckland on September 15, 2014.


Snowden's claims

The Intercept presented this cable access as a "mass metadata surveillance system" capable of "illegal domestic spying" on the communications of New Zealanders. These claims seem to be based upon a rather pathetic statement from Edward Snowden himself:

"If you live in New Zealand, you are being watched. At the NSA I routinely came across the communications of New Zealanders in my work with a mass surveillance tool we share with GCSB, called “XKEYSCORE.” It allows total, granular access to the database of communications collected in the course of mass surveillance. It is not limited to or even used largely for the purposes of cybersecurity, as has been claimed, but is instead used primarily for reading individuals’ private email, text messages, and internet traffic".

Snowden pretends that XKEYSCORE is primarily used to snoop on the communications of private citizens, as if GCSB, NSA and the other partner agencies don't have way too many other targets (see for example the long list of countries targeted by GCSB) and waste their time on ordinary civilians. Snowden however continues:

"The GCSB provides mass surveillance data into XKEYSCORE. They also provide access to the communications of millions of New Zealanders to the NSA at facilities such as the GCSB station at Waihopai"
"It means they have the ability see every website you visit, every text message you send, every call you make, every ticket you purchase, every donation you make, and every book you order online
"

This is also misleading, because, as we have already seen, GCSB isn't very much interested in "your" private communications. In his "Moment of Truth" speech, Snowden claimed that he would have been able to enter for example the e-mail address of prime minister John Key in XKEYSCORE to get access to all content and metadata of his internet activities.

What Snowden briefly acknowledged in this speech, but left out in his statement for The Intercept, is that such searches are constrained by policy restrictions. Indeed, every analyst who works with XKEYSCORE and wants to query data collected in New Zealand, has to do a training on the New Zealand Signals Intelligence Directive 7 (NZSID7), which contains the rules about what GCSB is allowed to do.

As GCSB is not allowed to collect communications of New Zealanders (except for when there's a warrant to assist domestic agencies), this means that the other Five Eyes agencies aren't allowed to do that either. Snowden would therefore not have been allowed to look at the communications of prime minister Key.


Not only must all queries against data from New Zealand sources be compliant with both the NZSID7 and the Human Rights Act (HRA), they will also be audited by GCSB:



Excerpt from a GCHQ wiki page from about 2011 about XKEYSCORE (XKS)
access at the Waihopai satellite station, codenamed IRONSAND
(Click to enlarge)

Snowden however considers these policy restrictions not sufficient because analysts "aren't really overseen". For GCSB, a 2013 review report found that there were indeed problems with oversight, but the new GCSB law, which is opposed by many people because it would supposedly enable "mass surveillance", actually also strengthens oversight. NSA noticed this too.


The government's response

New Zealand's prime minister John Key rejected the reportings by The New Zealand Herald, saying that "Some of the information was incorrect, some of the information was out of date, some of the assumptions made were just plain wrong". He strongly denied that GCSB collects mass metadata on New Zealanders, but he acknowledged that the agency had tapped into the cable, but only for the purposes of a cybersecurity program codenamed CORTEX.

As a proof, several secret government documents were declassified, but from them it doesn't become clear whether CORTEX really is the same program as the cable access which is codenamed SPEARGUN in the NSA and GCSB documents. According to Key, the CORTEX cybersecurity system was eventually scaled back and now only protects specific entities in the public sector and some private companies.

A snippet from an NSA document says that the implementation of the cable access project SPEARGUN was awaiting the new 2013 GCSB Act. It was said this was because the new law would enable "mass surveillance", but the proposed law also authorizes GCSB to ensure cybersecurity, which would support the statement of the government.

 

Conclusion

As the disclosed documents only contain a few lines and no further details about the cable acces codenamed SPEARGUN, it is not possible to say for sure whether this is about intercepting communications from the Southern Cross cable, like the Snowden-related media claim, or that it is actually a cybersecurity program, like the government says.

What did become clear is that XKEYSCORE isn't really a "mass surveillance tool", but is actually used to collect data in a way that is at least just as targeted as traditional methods. Many of GCSB's targets came out as legitimate, some are more questionable, but none of them included the bulk collection of communications from ordinary citizens, whether domestic or abroad.

Snowden also said that there are "large amounts of indiscriminate metadata about the communication and other online events of citizens" from all Five Eyes countries. But apart from the domestic phone records collected by the NSA, no evidence has yet been presented for such collection in the other countries.



Links and Sources
- EmptyWheel.net: What an XKeyscore Fingerprint Looks Like
- The New Zealand Herald: Bryce Edwards: The ramifications of the spying scandal
- The Press: We're snooping on the Pacific...so what?
- Report: Review of Compliance at the Government Communications Security Bureau (pdf) (2013)
- ArsTechnica.com: Building a panopticon: The evolution of the NSA’s XKeyscore

March 11, 2015

US military and intelligence computer networks



From the Snowden revelations we learned not only about NSA data collection projects, but also about many software tools that are used to analyze and search those data. These programs run on secure computer networks, isolated from the public internet. Here we will provide an overview of these networks that are used by the US military and US intelligence agencies.

Besides computer networks, they also use a number of dedicated telephone networks, but gradually these are transferred from traditional circuit-switched networks to Voice over IP (VoIP). This makes it possible to have only one IP packet-switched network for both computer and phone services. It seems that for example NSA's NSTS phone system is now fully IP-based.



An old NSTS telephone and a KVM-switch which enables switching between physically
separated networks, in this case two Unclassified (green labels), one Secret
(red label) and one Top Secret/SCI (orange and yellow label) network
(National Security Operations Center, 2006 - Click to enlarge)


US national networks

The main US military and intelligence computer networks are (of course) only accessible for authorized personnel from the United States. Special security measures are in place to prevent interception by foreign intelligence agencies. Most of the tools and programs used by NSA run on JWICS and NSANet, but here we only mention them when this is confirmed by documents.


DNI-U (Director National Intelligence-Unclassified)
- Until 2006: Open Source Information System (OSIS)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Access: US intelligence users
- Controlled by: DNI-CIO Intelligence Community Enterprise Services office (ICES)
- Purpose: Providing open source information; consists of a group of secure intranets used by the US Intelligence Community (IC)
- Computer applications: Intelink-U, Intellipedia, etc.



Page of the Unclassified version of Intellipedia
This one from the CIA's AIN network
(Click to enlarge)


NIPRNet (Non-secure Internet Protocol Router Network)
- Classification level: Sensitive But Unclassified (SBU, color code: green)
- Secured by: Network traffic monitored by the TUTELAGE program and QUANTUM-DNS at gateways
- Address format: http://subdomains.domain.mil
- Access: US military users, via Common Access Card smart card *
- Number of users: ca. 4,000,000
- Purpose: Combat support applications for the US Department of Defense (DoD), Joint Chiefs of Staff (JCS), Military Departments (MILDEPS), Combatant Commands (COCOM), and senior leadership; composed of the unclassified networks of the DoD; provides protected access to the public internet.
- Computer applications: E-mail, file transfer and web services like the Joint Deployable Intelligence Support System (JDISS)
- Video Teleconferencing (VTC)



Cyber security officers in an operations center room at Barksdale Air Force Base
There are screens connected to NIPRNet (green background/border)
and SIPRNet (red background/border)
(Photo: U.S. Air Force/Tech. Sgt. Cecilio Ricardo - Click to enlarge)
More about this photo on SecurityCritics.org



SIPRNet (Secret Internet Protocol Router Network)
- Classification level: SECRET (color code: red)
- Secured by: TACLANE (KG-175A/D) network encryptors
- Address format: http://subdomains.domain.smil.mil
- Access: US (and some foreign partners)* military and intelligence users, via SIPRNet Token smart card
- Number of users: ca. 500,000 *
- Controlled by: JCS, NSA, DIA and DISA *
- Purpose: Supporting the Global Command and Control System (GCCS), the Defense Message System (DMS), collaborative planning and numerous other classified warfighter applications, and as such DoD's largest interoperable command and control data network.
- Computer applications: Intelink-S, Intellipedia, TREASUREMAP, Joint Deployable Intelligence Support System (JDISS), Defense Knowledge Online, Army Knowledge Online, etc.
- Phone service: VoSIP (Voice over Secure IP) as an adjunct to the DRSN for users that do not require the full command and control and conferencing capabilities.
- Secure Video Teleconferencing (VTC)



Computers in the White House Situation Room, with a yellow screensaver,
indicating they are connected to a TOP SECRET/SCI computer network
(Screenshot from a White House video)


JWICS (Joint Worldwide Intelligence Communications System)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE (KG-175A/D) network encryptors *
- Address format: http://subdomains.domain.ic.gov
- Access: US intelligence users
- Controlled by: DIA, with management delegated to AFISR
- Purpose: Collaboration and sharing of intelligence data within the US Intelligence Community (IC)
- Computer applications: ICE-mail, Intelink-TS, Intellipedia, GHOSTMACHINE, ROYALNET, TREASUREMAP, ICREACH, Joint Deployable Intelligence Support System (JDISS), etc.
- Phone Service: DoD Intelligence Information System (DoDIIS) VoIP telephone system
- Secure Video Teleconferencing (VTC)



Web-browser with a JWICS address for the ROYALNET tool


These various military and intelligence networks run on a world-wide physical infrastructure that is called the Defense Information Systems Network (DISN), which is maintained by the Defense Information Systems Agency (DISA) and consists of landline, mobile, radio and satellite communication links

Most of these communication links are not connected to the public internet, but because radio and satellite transmissions can easily be intercepted by foreign countries, the security of these networks is assured by encryption. This encryption can also be used to run higher classified traffic over communication links with a lower classification level through Virtual Private Network (VPN) tunnels.

Classified communications have to be protected by Suite A Cryptography, which contains very strong and classified encryption algorithms. On most networks this is implemented by using Type 1 certified TACLANE (KG-175A/D) in-line network encryptors made by General Dynamics:



(Diagram: General Dynamics)


As long there's the appropriate strong link encryption, only the end points with the computer terminals (where data are processed before they are encrypted) need strict physical and digital security requirements in order to prevent any kind of eavesdropping or interception by foreign adversaries.

Most American military bases are connected to the SIPRNET backbone, but for tactical users in the field, the SIPRNet and JWICS networks can extend to mobile sites through Satellite Communications (SATCOM) links, like for example TROJAN SPIRIT and TROJAN SPIRIT LITE, which consist of a satellite terminal that can be on a pallet, in a shelter, on a trailer or even connected to a transit case.


Other US goverment departments and intelligenc agencies also have their own computer networks at different classification levels:

FBI
- LEO (Law Enforcement Online; Unclassified, for law enforcement communications)
- FBINet (Federal Bureau of Investigation Network; Secret)
- SCION (Sensitive Compartmented Information Operational Network; Top Secret/SCI)


DHS
- HSIN (Homeland Security Information Network; Unclassified)
- HSDN (Homeland Secure Data Network; Secret)


State Department
- OpenNet (Unclassified)
- ClassNet (Secret; address format: http://subdomain.state.sgov.gov)
- INRISS (INR Intelligence Support System; Top Secret/SCI)


CIA
- AIN (Agency InterNet; Unclassified)
- ADN (Agency Data Network?; Top Secret/SCI)


NRO
- GWAN (Government Wide Area Network, also known as NRO Management Information System (NMIS); Top Secret)
- CWAN (Contractor Wide Area Network; Top Secret)


NGA
- NGANet (National Geospational intelligence Agency Network; Top Secret/SCI)


Finally, there's the Capitol Network (CapNet, formerly known as Intelink-P), which provides Congressional intelligence consumers with connectivity to Intelink-TS and CIASource, the latter being the CIA's primary dissemination vehicle for both finished and unfinished intelligence reports.



US multinational networks

Besides the aforementioned networks that are only accessible for authorized military and intelligence personnel from the United States, there are also computer networks set up by the US for multinational coalitions, and which therefore can also be used by officials from partner countries.

The group of countries that have access to such coalition networks is often denoted by a number of "Eyes" corresponding with the number of countries that participate.


NSANet (National Security Agency Network)
- Classification level: TOP SECRET/SCI (color code: yellow)
- Secured by: TACLANE network encryptors *
- Address format: http://subdomain.domain.nsa
- Access: US, UK, CAN, AUS, NZL signals intelligence users
- Controlled by: NSA, with management delegated to CSS Texas
- Purpose: Sharing intelligence data among the 5 Eyes partners
- Computer applications: SIDToday (newsletter), TREASUREMAP, MAILORDER, MARINA, TURBINE, PRESSUREWAVE, INTERQUAKE, World Cellular Information Service (WCIS), GATC Opportunity Volume Analytic, etc.
- Phone service: NSTS (National Secure Telephone System)



Web-browser with NSANet address for the INTERQUAKE tool, used by NSA's
Special Collection Service (SCS, organizational code: F6) units
(Click for the full presentation)


Besides NSANet as its general purpose intranet, NSA also operates several other computer networks, for example for hacking operations conducted by the TAO-division. We can see some of these networks in the following diagram, which shows how data go (counter-clockwise) from a bot in a victim's computer on the internet, through a network codenamed WAITAUTO to TAONet and from there through a TAONet/NSANet DeMilitarized Zone (DMZ) to data repositories and analysing tools on NSANet:



Diagram showing the data flow for TAO botnet hacking operations
(Source: NSA presentation - Click to enlarge)


PEGASUS
- Until 2010: GRIFFIN (Globally Reaching Interconnected Fully Functional Information Network)
- Classification level: SECRET//REL FVEY
- Access: US, UK, CAN, AUS, NZL military users
- Controlled by: DIA(?)
- Purpose: Information sharing and supporting command and control systems
- Applications: Secure e-mail, chat and VoSIP communications


STONEGHOST (Quad-Link or Q-Lat)
- Classification level: TOP SECRET//SCI
- Access: US, UK, CAN, AUS, NZL(?) military intelligence users
- Controlled by: DIA
- Purpose: Sharing of military intelligence information
- Applications: Intelink-C, etc.


CFBLNet (Combined Federated Battle Laboratories Network)
- Classification level: Unclassified and SECRET
- Access: US, UK, CAN, AUS, NZL, and at least nine European countries Research & Development institutions
- Controlled by: MultiNational Information Sharing (MNIS) Program Management Office
- Purpose: Supporting research, development and testing on command, control, communication, computer, intelligence, surveillance and reconnaissance (C4ISR) systems.
- Applications: Communications, analytic tools, and other applications



The CFBLNet countries in 2009, with three of the Five Eyes countries (yellow line),
six European NATO countries and the NATO organization (black line),
six NATO guest nations (dotted line) and two non-NATO countries.
(source: NATO Education and Training Network (pdf), 2012)


For communications among the members of multinational coalitions, the United States provides computer networks called Combined Enterprise Regional Information eXchange System (CENTRIXS). These are secure wide area network (WAN) architectures which are established according to the specific demands of a particular coalition exercise or operation.

CENTRIXS enables the secure sharing of intelligence and operational information at the level of "SECRET REL TO [country/coalition designator]" and also provides selected centralized services, like Active Directory/DNS Roots, VoIP telephony, Windows Server Update Services (WSUS) and Anti-Virus Definitions.

There are more than 40 CENTRIXS networks and communities of interest (COIs) in which the 28 NATO members and some 80 other countries participate. The best-known CENTRIXS networks are:


CENTRIXS Four Eyes (CFE or X-Net)
- Classification level: TOP SECRET//ACGU
- Address format: http://subdomains.domain.xnet.mnf
- Access: US, UK, CAN, AUS military users
- Controlled by: DIA
- Purpose: Operational coordination through sharing and exchange of intelligence products
- Applications: Various services


CENTRIXS-ISAF (CX-I)
- Classification level: TOP SECRET//ISAF
- Access: ca. 50 coalition partners
- Controlled by: ?
- Purpose: Sharing critical battlefield information; US component of the Afghan Mission Network (AMN).
- Computer applications: Web services, instant messaging, Common Operational Picture (COP), etc.
- Voice over IP


CENTRIXS-M (Maritime)
- Classification level: TOP SECRET ?
- Purpose: Supporting multinational information exchange among the ships of coalition partners of the US Navy to provide access to critical, time-sensitive planning and support data necessary to carry out the mission
- Computer applications: E-mail, Chat messaging, Webpages, etc.


Some other CENTRIXS networks are:

CENTRIXS-GCTF
- For the ca. 80 Troop Contributing Nations of the Global Counter-Terrorism Force (GCTF)

CENTRIXS-CMFC
- For the Combined Maritime Forces, Central Command (CMFC)

CENTRIXS-CMFP
- For the Combined Maritime Forces, Pacific (CMFP)

CENTRIXS-J
- For the United States and Japan

CENTRIXS-K
- For the United States and South-Korea



Links and Sources
- US National Intelligence: A Consumer's Guide (pdf) (2009)
- Paper about How to Use FASTLANEs to Protect IP Networks (pdf) (2006)

February 23, 2015

NSA and GCHQ stealing SIM card keys: a few things you should know

(Updated: February 27, 2015)

Last Thursday, February 19, the website The Intercept broke a big story about how NSA and GCHQ hacked the security company Gemalto in order to acquire large numbers of keys used in the SIM cards of mobile phones.

The story has quite some background information about how these keys are used and how NSA and GCHQ conducted this operation. But as we have often seen with revelations based upon the Snowden-documents, media once again came with headlines like "Sim card database hack gave US and UK spies access to billions of cellphones", which is so exaggerated that it is almost a scandal in itself.

Instead, analysing The Intercept's article and the original documents leads to the conclusion that the goals of this operation were most likely limited to tactical military operations - something that was completely ignored in most press reports. Also there is no evidence that Gemalto was more involved in this than other SIM card suppliers.



To what extent was Gemalto involved?

According to The Intercept, NSA and GCHQ planned hacking several large SIM card manufacturers, but in the documents we find only one for which this was apparently successful: Gemalto. Other documents merely show that GCHQ wanted to "investigate Gemalto" "for access to Gemalto employees" "to get presence for when they would be needed".

An internal GCHQ wiki page from May 2011 lists Gemalto facilites in more than a dozen countries, like Germany, Maxico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore, but also without explicitly saying whether or not these were successfully hacked.

One report and a few slides from a presentation that was not fully disclosed mention large numbers of SIM card keys that had been collected, but this is not specifically linked to Gemalto. Although Gemalto is the largest manufacturer, it seems likely these data were also collected from other companies, like Bluefish, Giesecke & Devrient, Oberthur, Oasis, Infineon, STMicroelectronics, and Morpho.

Therefore, we actually don't know to what extent NSA and GCHQ used the access they apparently had to Gemalto's network, and it is definitely not correct to say that all 2 billion SIM cards that Gemalto produces every year were compromised by this hack.

And given the fact that other SIM card suppliers were targeted and/or hacked too, one wonders why The Intercept didn't left out the name of Gemalto. Because now its competitors profit from not being named, while Gemalto shares already had a huge drop on the stock market.

Update:
On February 25, Gemalto came with a press release in which results of its investigation into the alleged hack were presented. Gemalto concluded that NSA and GCHQ probably "only breached its office networks and could not have resulted in a massive theft of SIM encryption keys". The report also says Gemalto never sold SIM cards to four of the twelve operators listed in the GCHQ documents, in particular to the Somali carrier, and that in 2010-2011, most operators in the targeted countries were using the vulnarable 2G networks, mostly with prepaid cards which have a very short life cycle, typically between 3 and 6 months.

The Netherlands

Gemalto is a digital security company providing software applications, secure smart cards and tokens and is also the world’s biggest manufacturer of SIM cards. It's essentially a French company, but it has some 12.000 employees in 44 countries all over the world.

The Gemalto headquarters are officially in Amsterdam in the Netherlands, which made Dutch media claiming that "NSA hacked a company in the Netherlands". This was rather premature, since the two Dutch locations of Gemalto seem not to be likely targets in this case.

The Amsterdam headquarters is very small, consisting of only some 30 people. The reason they are in Amsterdam is apparently mainly because the Dutch capital was already the seat of Axalto, one of Gemalto's predecessors, and because the company wanted access to the Amsterdam stock exchange.

Unnoticed by Dutch national media is the fact that Gemalto also has a plant in the city of Breda, where, according to an unrelated press report from last year, (only) bank cards are personalised. This plant also has a customer service team, but strangely enough Breda isn't in the list of locations on Gemalto's website.



The plant of Gemalto in the southern Dutch city Breda
(photo: Tom van der Put/MaRicMedia)


Also interesting is that last month, Gemalto acquired the US manufacturer of security products SafeNet. This company, founded in the late 1980s by former NSA officials, not only makes encryption devices used by commercial companies and banks all over the world, but also the KIV-7 link encryptor, which is used by the US Army, as well as the Enhanced Crypto Card (KSV-21), which provides the encryption functions for the US government's STE secure telephone.



How does the SIM card key work?

SIM cards, produced by companies like Gemalto, have a microchip which among other data includes a unique 128 bit Authentication Key, also known as "Ki". A copy of this key is given to the phone provider, so when a phone call is made, this key number can be used to make sure the handset connects to a valid provider, and the provider knows it connects to a handset that belongs to a known customer.

The Intercept's report suggests that this Ki number is also used as the encryption key to protect the subsequent communications, but in reality this is a bit more complex. Here's how it works for 3rd Generation (UMTS) networks:

1. After a handset connects to the base station, the latter sends the handset a 128 bit random number, a 48 bit sequence number and an authentication token.

2. The chip in the SIM card combines the Ki number with the random number and the sequence number to also calculate an authentication token and a response number, which are used to authenticate the network and the handset, respectively.

3. By combining the Ki number with the random number, the SIM card chip also calculates the:
- 128 bit Confidentiality Key (CK) for encrypting messages
- 128 bit Integrity Key (IK) for checking the integrity of messages
4. The actual (voice) data are then encrypted through the f8 algorithm (which is based upon the KASUMI block cipher) using the Confidentiality Key.

5. For additional security, both the Confidentiality Key and the Integrity Key have a limited lifetime. The expiration time is variable and send to the handset after establishing a connection.

Although for the actual encryption key CK, the Ki number from the SIM card is mixed with a random number, this provides no extra security: the base station sends this random number to the handset over the air unencrypted, so it can be intercepted easily by anyone.

Eavesdroppers would therefore only need the SIM card Ki to recreate the encryption key and use that to decrypt the conversation (see also this US Patent for a "Method of lawful interception for UMTS").



Why were these SIM card keys collected?

The press reports, speaking in general terms of "unfettered access to billions of cellphones around the globe", suggest that everyone's mobile phone could now be at risk of being intercepted by NSA or GCHQ.

One important thing they forgot, is that one only needs to steal SIM card keys when you are trying to intercept mobile phone traffic when it travels by radio between the handset and the cell tower. Only that path is encrypted.

Once the communications arrive at the provider's network, they are decrypted and sent over telephone backbone networks to the cell tower near the receiving end as plain text. It's then encrypted again for the radio transmission between the cell tower and the receiving handset.





As we know from previous Snowden-leaks, NSA and GCHQ have vast capabilities of filtering fiber-optic backbone cables that are likely to contain communications that are of interest for military or foreign intelligence purposes. The big advantage here is that on those backbone cables there's no encryption (although people can use end-to-end encryption methods themselves).

Therefore, the SIM card keys are only needed when NSA and GCHQ want to listen in or read traffic that is or has been intercepted from the wireless transmission between a handset and a cell tower. This narrows down the field where these keys can be useful substantially.


Tactical military operations

Intercepting the radio signal of mobile phones needs to be done from rather close proximity. To do this, the NSA uses StingRay and DRT devices, which are highly sophisticated boxes that in a passive mode are capable of detecting and intercepting the radio transmissions of multiple cell phones. In an active mode they can mimic a cell tower in order to catch individual phone calls and as such they are better known as IMSI-catchers.

These devices are widely used by the NSA and the US military in tactical ground operations, like in Afghanistan and previously in Iraq, as well as in other crisis regions. StingRays and DRT boxes can be used as a manpack, in military vehicles, but also aboard small signals intelligence aircraft like the C-12 Huron. Surveillance drones also have similar capabilities.




A Prophet Spiral Humvee which uses DRT devices
for collecting radio and cell phone signals


This military, or at least anti-terrorism purpose is confirmed by a disclosed slide which shows that Kis for mobile networks from Somalia, Kuwait, Saudi Arabia, Afghanistan, Iran and Bahrain were found among collected data.

A GCHQ report that was also published as part of The Intercept's story says that key files from "Somali providers are not on GCHQ's list of interest, [...] however this was usefully shared with NSA", which clearly shows that both agencies were looking for keys from specific countries.

The report also says that during a three month trial in the first quarter of 2010, significant numbers of Kis were found for cell phone providers from Serbia, Iceland, India, Afghanistan, Yemen, Iran, Tajikistan and Somalia, which is shown in this chart:



According to the report, this chart reflects "a steady rate of activity from several networks of interest", which again indicates that GCHQ is specifically looking for keys for countries where the US and the UK are involved in military operations.

The same reports says that Iceland appearing in this list was unexpected, but Dutch newspapers guessed this could be explained by the fact that in 2010, Julian Assange and other people related to WikiLeaks were staying there.

One also wonders why The Intercept didn't trace the companies that in 2010 and 2011 provided the SIM cards to the countries mentioned in the GCHQ report. The fact that SIM keys for those countries were collected, seems a strong indication that the security of those suppliers was apparently weak.


Eavesdropping in foreign capitals

Remarkably, the use of SIM card keys for tactical military operations is completely ignored by The Intercept, even though this is probably the main purpose (which was also expressed by at least two security experts). The Intercept does however claims that such keys would be useful to eavesdrop on mobile phone traffic somewhere else:

The joint NSA/CIA Special Collection Service (SCS) has eavesdropping installations in many US embassies, and because these are often situated in the city center and therefore near a parliament or government agencies, they could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials.

With the current UMTS (3G) and LTE (4G) mobile networks using encryption that is much harder to crack than that of the older GSM network, having the SIM card keys would make it easy to decrypt already collected mobile communications, as well as listing in to them in real-time.



A 16 port IMSI catcher from the Chinese manufacturer Ejoin Technology


As easy it may be to decrypt conversations when having the key, the more difficult it seems to get hold of keys that are useful for this purpose. SIM cards are shipped in large batches of up to several hundred thousand cards and while it is known to which provider in which country they go, one cannot predict in whose phone the individual cards will eventually end up.

So when NSA and GCHQ are stealing large numbers of keys, they have to wait for some of them ending up by people that are on their target lists - which really seems a very small chance. This method is also useless against people using an old SIM card, which could be the case for German chancellor Merkel, who has a phone number that was already used in 1999. For these kind of targets it would be much more efficient to hack or tap into local telephone switches.

The way to make it work would be to "collect them all" and create a database of keys that will eventually cover every newly assigned phone number. But in one of the documents, GCHQ notices that large SIM suppliers increasingly use strong encryption for their key files, which will make it hard to achieve such a full coverage.

This is another reason, why stealing SIM card keys is most likely focussed on war zones: over there, very large amounts of phone calls and metadata are collected, which, given the large number of suspects and targets over there too, makes much better chances of finding keys that are actually useful. But still, stealing these keys looks not like a very efficient method.



Could these hacking operations be justified?

This brings us to the question of how justified this method of stealing SIM card keys could be. The fact that NSA and GCHQ are hacking commercial telecommunication and security companies is seen as one of the biggest scandals that have been revealed during the Snowden-revelations.

It's not only because of breaking into their networks, but also because for this, the communications of specific employees like system administrators are intercepted to acquire the passwords and usernames for their Facebook-accounts, despite the fact that they themselves aren't a threat to the US or the UK.

They are targeted not as an end, but as means in order to get access to the communications of other targets elsewhere. These ultimate targets could maybe justify these means, but without knowing what the actual goals are, it's difficult to come with a final judgement.

Although this kind of hacking affects innocent civilians, it's still very focussed. According to The Intercept, "In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization" - which is a rather small number given that Gemalto alone has some 12.000 employees.

Targeting companies and organizations like Swift, Belgacom and Gemalto should not have come as a complete surprise. Nowadays internet and telecommunication providers have become similar of interest for national security as military contractors and top technological research institutions have always been.

This is also reflected by the last of the 16 Topical Missions in the NSA's Strategic Mission List from 2007:

"Global Signals Cognizance: The core communications infrastructure and global network information needed to achieve and maintain baseline knowledge.
Capture knowledge of location, characterization, use, and status of military and civil communications infrastructure, including command, control, communications and computer networks: intelligence, surveillance, reconnaissance and targeting systems; and associated structures incidental to pursuing Strategic Mission List priorities.
Focus of mission is creating knowledge databases that enable SIGINT efforts against future unanticipated threats and allow continuity on economy of force targets not currently included on the Strategic Mission List."



Links and Sources
- Motherboard.vice.com: Did the NSA Hack Other Sim Card Makers, Too?
- NRC.nl: Simkaartsleutels vooral van belang bij afluisteren in Midden-Oosten
- Tweakers.net: Gemalto: geen sim-sleutels buitgemaakt bij aanval geheime diensten
- Reuters.com: Hack gave U.S. and British spies access to billions of phones: Intercept
- Crypto.com: How Law Enforcement Tracks Cellular Phones
- Presentation about Network Security: GSM and 3G Security (pdf)
- Matthew Green: On cellular encryption
- GCHQ's aspirations for mobile phone interception: 4 slides + 2 slides
- This article appeared also on the weblog of Matthew Aid

February 12, 2015

Snowden would not have been able to legally "wiretap anyone"

(UPDATED February 19, 2015)

During his very first interview, former NSA contractor Edward Snowden pretended that he, sitting behind his desk "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".

Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden, or other analysts could have done that in a legitimate way.



Targeting US citizens under FISA authority

The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:



Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(Click to enlarge)


In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.

If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.


Acquiring an individual FISA warrant

So, when Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.

For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.

Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.*



Collection under section 702 FAA

Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program, under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?

The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and easier. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.

But what many people don't realize, is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.

The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, the so-called Upstream collection.




Section 702 FAA certifications

What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.

For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.

These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like hiding names and addresses of US citizens when their communications come in unintended. The court then issues an order that approves the certification.

Until now, we know of section 702 FAA certifications for three topics:
- Foreign Governments (FG, Certification 2008-A, including cyber threats?)
- Counter-Terrorism (CT, Certification 2008-B)
- Counter-Proliferation (CP, Certification 2009-C)

These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are always allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.


Dual authorities

In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which reportedly refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).

Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.

So, when Snowden apparently had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators, in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC is needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge’s or a senator’s e-mail", which sounds more like pulling such an e-mail from a database.

This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that already have been collected in one way or another, particularly at access points outside the US. The common way to start new surveillances (tasking) is through the Unified Targeting Tool (UTT, see below).


Back door searches

Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:


This became known as "back-door searches". These queries might be questionable, but unlike the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data in this way.

In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and for persons considered to be agents of a foreign power.


Approval for back door searches

Clapper explained that "back door" queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.

The PCLOB report (pdf) about 702 FAA operations from July 2014 says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".

For example, the NSA has approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.


The details Snowden told to the Post and the framework for "back-door" searches, confirm that he wasn't authorized to target US persons, but apparently did had the authority to use US persons identifiers for querying already collected PRISM data.

But contrary to what Snowden said, the NSA's Minimization Procedures from October 2011 say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333). That again makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President would make it through.

But even without a prior approval, querying US persons without the intention of retreiving foreign intelligence information is illegal, which brings us to the next chapter.


Circumventing official procedures

In an interview, Glenn Greenwald was also asked about this issue and he explained that the "authority" Snowden was talking about, was not an authority in a legal sense.

According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".

So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.

In that interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, although somewhat earlier in the interview he was speaking about the whole agency that "targets the communications of everyone" and ingests, filters, analyses and stores them.


Unified Targeting Tool

Circumventing official procedures and legal authorities could be done by manipulating targeting instructions given through the Unified Targeting Tool (UTT), which is a webbased tool that is used to start the actual collection of data.

A rogue analyst could for example confirm that there's a FISA warrant, when there's no warrant present, or provide a fake foreigness indicator, so someone could be targeted under the authority of Executive Order 12333, which doesn't require the procedure of acquiring a FISA court approval.



A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the
fields that have to be filled in. We see that data about a "FAA Foreign
Governments Cert." is missing and therefore not valid to task (see below),
and also a drop down menu with various Foreigness Factors.


Unfortunately no manual for this tool has been disclosed so far, although that would have been useful to learn more about such internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.


Targeting procedures

We have no details about the procedure for targeting US citizens, but we do know about the process for collection under the PRISM program. As PRISM is used for gathering data about foreigners, it can be considered to be less sensitive than collecting data about US persons, for which there are maybe some extra safeguards and checks. The PRISM tasking process is shown in this slide:



Slide that shows the PRISM tasking process
(Click to enlarge)


We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.

A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then the selectors are released to be "tasked" on the various collection systems.

For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are less restrictions, but also this is still not completely at the will of individual analysts. At least every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List and other policy documents.


Incidents

Nonetheless, recently declassified NSA reports to the president's Intelligence Oversight Board (IOB) show that there have been cases in which there was an abuse of the collection system, either wilfully or accidentally. The majority of incidents both under FISA and EO 12333 authority occured because of human error.

It shows that despite the safeguards, some unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected them afterwards, with the selectors involved being detasked, the non-compliant data being deleted and the analysts being counseled.

(Edited after adding Greenwald's interpretation of Snowden's words and adding something about the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a report by The Washington Post, and added some explanation about the back-door searches)


Links and Sources
- Privacy and Civil Liberties Oversight Board: Section 702 Program Report (pdf)
- Stanford Law Review: Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?
- The Guardian: The top secret rules that allow NSA to use US data without a warrant
- EmptyWheel.net: Postings about section 702 FAA
- Robert S. Litt, ODNI General Counsel: An Overview of Intelligence Collection
- Related documents:
  - President Policy Direction (PPD) 28 Section 4 Procedures (pdf) (2015)
  - Foreign Intelligence Surveillance Act - Summary Document (2008)

January 26, 2015

How GCHQ prepares for interception of phone calls from satellite links

(Updated: March 17, 2015)

Most of the Snowden-revelations are about spying on the internet, but NSA and GCHQ are also conducting the more traditional collection of telephone communications that go through satellite links.

What needs to be done before phone calls can be collected, can be learned from two highly detailed technical reports from the GCHQ listening station near Bude in the UK.

These reports were published on August 31 last year by the German magazine Der Spiegel and the website The Intercept as part of a story about how Turkey is both a partner and a target for US intelligence.

Here we will analyse what's in these reports, which give an interesting impression of the techniques used to transmit telephone communications over satellite links.



Satellite dishes at the GCHQ intercept station near Bude, Cornwall, UK


Officially, such technical reports are called "informal reports", as opposed to the "serialized reports" that contain finished intelligence information for end users outside the SIGINT community.

Until now, only two of such technical reports have been disclosed, but according to an article by Der Spiegel from December 20, 2013, they are from "a bundle of documents filled with international telephone numbers and corresponding annotations" from Sigint Development (SD), which is a unit that identifies and develops new targets.

The technical reports are about test runs for new, previously unmonitored communication paths intended to "highlight the possible intelligence value" and whether certain satellite links could be "of potential interest for tasking". The reports give no indication about whether the listed numbers were eventually tasked for collection and neither about the intensity and length of any such surveillance.


Der Spiegel says these documents show that GCHQ "at least intermittently, kept tabs on entire country-to-country satellite communication links, like Germany-Georgia and Germany-Turkey, for example, of certain providers", which sounds rather indiscriminate.

However, the fact that GCHQ analysts are sampling these satellite links on whether they contain target's phone numbers, shows they are looking for the most productive links to be eventually intercepted. During the parliamentary investigation in Germany, officials from BND explained a similar way of selecting specific channels of specific satellites.




Technical report nr. 35

The first technical report is number 35 from October 15, 2008. It is about four satellite links between the United Kingdom and Iraq, which were given the following case notations, starting with G2, which is NSA's identifier for the Intelsat 902 communications satellite:
- G2BCR (UK - Iraq)
- G2BBU (UK - Iraq)
- G2BCS (Iraq - UK)
- G2BBV (Iraq - UK)

The physical gateways (the satellite ground stations) for these satellite links are in the UK and in Iraq, with the UK station providing logical gateways to the Rest-of-the-World (ROW), mainly Turkey, Syria, Saudi Arabia, UAE and Egypt.





Multiplexing and compression

By analysing the C7 channel (see below), it was confirmed that the two links from the UK to Iraq were load-sharing traffic between the Rest-of-the-World and Iraq, as was the case for the link originating in Iraq.

For an efficient transmission, the links are equipped with the DTX-600 Compression Gateway device, made by Dialogic. This is a high-capacity, multi-service, multi-rate voice and data compression system, which is able to simultaneously compress toll quality voice, fax, Voice Band Data (VBD), native data (for example, V.35), and signaling information:




This kind of voice compression equipment is installed at either end of long-distance links, like from communications satellites or submarine fiber-optic cables. Telecommunication companies try to pack as much capacity into as little physical space as possible, making it also more difficult for intelligence engineers to unpack it.


Signaling System No. 7

Most of the information in the report is derived from the so-called C7 channel. C7 is the British term for the Signaling System No. 7 as specified by ITU-T recommendations. In the US it is referred to as SS7 or CCSS7 (for Common Channel Signalling System 7).

SS7 is a set of protocols for setting up and routing telephone calls. In the SS6 and SS7 versions of this protocol, this signalling information is "out-of-band", which means it is carried in a separate signaling channel, in order to keep it apart from the end-user's audio path.

In other words, SS7 contains the metadata for telephone conversations, like the calling and the called phone numbers and a range of switching instructions. This makes the SS7 or C7 channel the first stop for intelligence agencies.


Analysis of the link

In order to see whether these four satellite links could contain traffic that is useful for foreign intelligence purposes, the analyst took some phone numbers from Iraq (country code 964), Iran (98), Syria (963) and the UK (44) and looked whether these appeared in the data of the C7 channel.

All four links had hits, both for the called and the calling number. These numbers were redacted by The Intercept, except for the terms "Non Op Kurdish Extremism" and [Kurdish] "Leadership". The report continues with a more detailed analysis of the links. As an example we look at the one between the UK and Iraq, which has the case notation G2BCR and was paired with G2BCS:

On this link, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 2-153-1 in the UK, and the Destination Point Code (DPC) 4-036-4 in Iraq. The switching device at the originating end is a Nokia DX220 ABS and at the destination end a Unid Exch.

The DTX-600 contains 11 active trunks for digital voice data that are compressed into packets of 10 milliseconds duration by using the audio data compression algorithm g.729. There is also one WC1A channel.

After decompression by a tool named SWORDFISH it came out that the location of the C7 channel is the "3rd Trunk BS19". Protocols used on this link were Cisco, IPv4, ICMP, TCP, UDP, GRE, ESP and PPTP. Similar analysis was done for the other three satellite links.



Intelsat communications satellite from the 900-series,
nine of which were launched in June 2001.


The report then has a small list of Technical Details, saying that the traffic goes via the Intelsat 902 communications satellite, but the exact frequencies of the four links are redacted, just like the Symbol Rate and the FEC Rate. FEC probably stands for Forward Error Correction, to mitigate for packet losses.

There is also a FEC RASIN number: TPC2D78R005. RASIN stands for RAdio-SIgnal Notation, which is a comprehensive, originally 10-volume NSA manual that lists the physical parameters of every known signal, all known communication links and how they are collected. It seems strange that this internal RASIN code is visible, while the FEC rate, which is common technology, is redacted.


Conclusion

The conclusion on whether these satellite links can be tasked on the collection system is: "Due to limited patching there is currently no spare tasking availability on Lopers". LOPERS is one of the main systems used by NSA for collecting telephone communications. According to Der Spiegel, some other reports concluded about tasking: "Not currently due to the data rate of the carriers."

Finally, this technical report gives the (redacted) contact details at OPA-BUDE, with OPA being the abbreviation of a yet unknown unit at the GCHQ Bude listening station in Cornwall. The last section of the report is fully blacked out by The Intercept, but the next report will show what is apparently covered there.



Technical report nr. 44

The second technical report is from December 1, 2008 and is about a satellite link between Jordan and Belgium. It has the case notation 8BBAC, with 8B being the identifier of a yet unknown communications satellite. The frequency of the link is redacted. The physical gateways are in Jordan and Belgium, with the Belgian station also providing a logical gateway to the Rest-of-the-World (ROW).





The link is an E1 carrier, which means it runs 2048 Megabit/second and has 32 timeslots (channels), which are numbered TS0 to TS31 (another widely used carrier is E3, which has an overall capacity of 34.368 Megabit/second and has 512 timeslots). Each timeslot can carry one phone call, so one E1 link can transmit up to 30 calls simultaneously. The remaining two timeslots are used for the signaling information.

The analyst found that in this case timeslots 30 and 31 were used to relay the C7 signaling information and that compression was achieved by the DTX-360B Digital Circuit Multiplication Equipment (DCME). Using this technique, one Intelsat communications satellite can relay up to 112.500 voice circuits (telephone calls) simultaneously.

The report also says that the "RLE to this link is believed to be 8BBNH. Currently in view at Sounder". RLE stands for Return Link End, which in this case would be the link back from Belgium to Jordan. SOUNDER is the covername for the GCHQ listening station at Ayios Nikolaos in Cyprus, which is apparently able to intercept the Intelsat downlink to Jordan.



The GCHQ intercept station Ayios Nikolaos (SIGAD: UKM-257) in Cyprus


Analysis of the link's metadata

The technical report says that on timeslot 30, the C7 channel runs between end points that are designated with the Originating Point Code (OPC) 4-032-5 at FAST Link GSM (now Zain) in Jordan, and the Destination Point Code (DPC) 2-014-7 at F Belgacom in Brussels, Belgium.

It's interesting to see Belgacom here, as from 2009, GCHQ got access to the cell phone roaming branch of this company by using the highly sophisticated Regin spyware suite.

From OPC 4-032-5 in Jordan, there were also transit calls via DPC 2-012-2 to some fourty countries all over the world. In addition to this, there were also transit calls to Mauritius, Finland, Bulgaria, Switzerland, Sweden, Syria and Iran via DPC 2-012-1.

On timeslot 31, the C7 channel runs between the end points 4-032-0 at FAST Link in Jordan, and 2-013-1 at F Belgacom in Brussels, Belgium. For this timeslot there were also two links with transit calls, via DPC 2-012-2 and DPC 2-012-1.

For these transit calls, the report also mentions an eight digit Circuit Identification Code (CIC). This code is used to connect the metadata in the C7 channel to the trunk and the timeslot which carry the voice part of the call. In this way, each of the 30 channels of an E1 link has a CIC associated with.

GCHQ has to know the CIC, in order to pick the right voice part from one of the content channels, after having found the target's phone number in the signaling channel.



Interface of an NSA tool with a page titled "SS7 Summary" which lists and visualizes
the number of OPC/DPC pairs accessible by various NSA fiber-optic cable
interception programs, identified by their SIGAD number.
(Screenshot from an NSA presentation
published in December 2013 - Click to enlarge)


Mapping the link

The analyst used the DEPTHGAUGE tool to map the 8BBAC satellite link. He reports that the resultant map was not fully conclusive, but that it supported the previously listed mapping. What follows is a list which seems to relate Circuit Identification Codes (CIC) to the specific TimeSlots (TS). Not all of them had yet been mapped.

The 8BBAC link was sampled for telephony data (DNR) for approximately 94 hours during the period from November 26 to December 1, 2008, by using a tool or system codenamed DRUMKIT.

Phone numbers listed in CORINTH, which could be GCHQ's telephony tasking database, were found 607 times in timeslot 30. This included both tasked and de-tasked numbers, which means numbers that were under surveillance as well as numbers for which the surveillance had been terminated. 26 numbers that were tasked at the time of the analysis had 86 hits.

In timeslot 31, there were 349 hits, 40 of which were from 14 phone numbers that were under surveillance. These hits could be viewed in DRUMROLL under the filenames 8BBAC0030 for timeslot 30 and 8BBAC0031 for timeslot 31.


DRUMROLL hits

The report lists all the hits of tasked, and a selection of the non-tasked phone numbers that were found in timeslot 30 and timeslot 31. These lists are completely blacked out, except for the terms "Turkish MFA" (= Ministry of Foreign Affairs) and "Kurdish Leadership".

According to The Intercept's reporting, NSA was regularly providing its Turkish partners with the mobile phone location data of PKK leaders, but was at the same time spying on the Turkish government.

DRUMROLL was first seen in snippets from a GCHQ document published by Der Spiegel in December 2013. It gave the hits for a satellite link with case notation 1ABCT. According to the Spiegel article, this was a communication path between Belgium and Africa.

For each of the entries there are codes or numbers under TNDEntry, TNDOffice, TNDtask and TNDzip. It is not known what TND stands for, but it could be something like Target Number Database.

Among the hits are European Union Commissioner Joaquin Almunia, the French oil and gas company Total E & P, the French transport company Thales Freight and Logistics and the UN Institute for Disarmament Research. As such lists can show both tasked and de-tasked numbers, it's not clear whether these ones were still under surveillance; the N under TNDtask could stand for "Not Active":




The technical report nr. 44 from 2008 may have similar information in the lists that were redacted.

That report then continues with a small list of Technical Details of satellite link 8BBAC, with the Symbol Rate and the FEC Rate not being redacted, like in the first report. The conclusion of the report is that "this link can be tasked on the system". According to Der Spiegel this was the answer in many of the other reports too.

Finally, also readable unlike in the first report, is the standard disclaimer that is under every document from GCHQ. It says that this "information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK informataion legislation".

Apparently this time the editors from The Intercept forgot to redact the GCHQ's internal (non-secure) phone number and e-mail address for such disclosure requests, which normally appear blacked out in all GHCQ documents that have been disclosed.



Classification

All three technical reports we have seen are classified SECRET STRAP 1 SPOKE. The British marking STRAP 1 means that the dissemination of the document is restricted by measures from a three-level control system codenamed STRAP. Within that system, STRAP 1 is the lowest level.

More interesting is the NSA marking SPOKE, which also denotes a control system to limit access to the document, but is rarely seen. Other British documents marked STRAP 1 often have COMINT as their American equivalent, which is the general marking used for all information related to communications intelligence that hasn't to be more strictly controlled.

SPOKE is one of the codewords that NSA used in the past, but which were presumably abandoned in 1999. But from documents published as part of the Snowden-leaks we know that from these codewords at least SPOKE and UMBRA are still used.

Given what's in the known documents that have the SPOKE classification, it seems to cover technical information about targets, like their phone numbers and the communication links in which these can be found. The higher UMBRA marking is then probably used for the actual content, when this is collected outside the US under EO 12333 authority.

Update:
On March 12, 2015, the Intelligence and Security Committee (ISC) of the British Parliament published an extensive report about interception activities of the UK intelligence agencies, which says that GCHQ only collects data from a small number of fiber-optic cable channels ('bearers'), which are likely to contain traffic that is of intelligence value.


Links and Sources
- Wikipedia: ISDN User Part
- ZDNet.com: Invasive phone tracking: New SS7 research blows the lid off mobile security