Cyber Surveillance and Espionage An assessment and background information of the NSA activities May 7th, 2014

Upload: martiniano-mallavibarrena

Post on 18-Aug-2015

Excerpt of published information about PRISM
Assessment and background information regarding the NSA

Scenarios of strategic electronic surveillance: telecommunication can be surveyed globally

Satellite communication
Until the 1990s the major part of inter-continental telecommunication traffic went over satellites. The NSA set up and maintained a globally spanning network of eavesdropping terminals. In Germany, the Bavarian town of Bad Aibling, south of Munich, became one such base. Details can be found in the ECHELON investigation report of the European Parliament 2001/2002.
Advantage: recording of the uplinks and downlinks of data streams to satellites can easily be realized, without any direct link to the actual sender of the data.
Disadvantage: satellites no longer play an important role in current telecommunication technology.

Current distribution of global surveillance presences

Resource situation of intelligence services in the US (numbers in billions of US dollars)

Agency / Program                          Management / Support  Data Collection  Data Processing and Exploitation  Data Analysis  Total Budget
Central Intelligence Agency               1.8                   11.5             0.387                             1.1            14.787
National Security Agency                  5.2                   2.5              1.6                               1.5            10.8
National Reconnaissance Program           1.8                   6.0              2.5                               -              10.3
National Geospatial-Intelligence Program  2.0                   0.537            1.4                               0.973          4.91
Defense Intelligence Program              1.7                   1.3              0.228                             1.2            4.428
Total                                     12.5                  21.837           6.115                             4.773          45.225

Submarine cable
Since the beginning of this millennium world-wide telecommunication is almost completely realized via fiber optics. Cable landing points are easy to compromise by attacks. If there is no physical access to them, a listening device under the sea can be used instead.
This is generally installed via specialized submarines. The USA is said to have an accordingly equipped nuclear submarine named USS Jimmy Carter. The picture at the bottom on the left-hand side displays an eavesdropping set-up for submarine copper cables.
Advantage: eavesdropping operations are almost invisible / not identifiable.
Disadvantage: eavesdropping on undersea cables requires extremely high technical effort.

Scenarios of electronic surveillance: surveillance of copper cable (1/2)

Coupler
Eavesdropping on fiber optics is possible via the so-called coupler technique: fibers are strongly bent, and detectors collect and assess the leaking light. Thus a 1:1 copy of all contents (one wavelength) of one fiber is obtained. Access points are generally junctions in the fiber course, since only there is sufficient length for bending the fibers. The technique can also be applied at metrological installations by welding fibers together.
Advantage: non-disruptive realization possible.
Disadvantage: not feasible along the whole fiber course. An additional fiber is required for transport of the captured information, and electronics for analysis are required as well.
[Figure: coupler on a fiber optic line; laser beam, stray light, detector; passive coupler vs. active coupler.]

Scenarios of electronic surveillance: surveillance of copper cable (2/2)

Fiber optic splitter
Eavesdropping on optic fibers is possible via radiation at the splice (connection end point of fibers). Here, fiber optic splitters are used, which provide a 1:1 copy of all contents (one wavelength) of one fiber. Access points are distributing elements or interfaces of active network components. Splitters can also be non-disruptively integrated into existing transmission routes (thermal conduction).
Advantage: easy to implement via plug-in connections; standard technology.
Disadvantage: splitters reduce light performance. An additional fiber is required for transport of the captured information, and electronics for analysis are required as well. Non-disruptive realization requires special technology.
[Figure: end point, cut-off fibers.]

Scenarios of electronic surveillance: re-routing via Internet peering

Internet peering
Different network operators connect their Internet infrastructures via peering. Not all national providers are directly coupled; to some extent national traffic is routed via global backbones. By means of the peering agreements, data traffic can be specifically re-routed between two sub-areas of the Internet. Among the top 10 Internet backbone operators (Tier 1) are mainly US companies, such as Google, Verizon, Level 3, Cogent, Akamai, etc. The biggest German Internet provider ranks below the top 10 in world-wide comparison. Data can be captured remotely, since backbone operators have access to the data traffic of the provider networks that depend on them. Re-routing of data traffic via manipulation of the BGP routing protocol is hard to detect due to the high dynamics of changes in Internet routing.
[Figure: autonomous systems in countries A, B and C connected via peering. Image: wikipedia.de. AS = Autonomous System (collection of connected IP operator networks).]

Scenarios of electronic surveillance: collection of meta data

Call data records (meta data)
Data traffic is routed in telco networks via different network distribution boxes, which generate meta data for billing purposes. Meta data contains calling information: who called, when, from where, with whom, and for how long. Many network operators have outsourced the processing of meta data to companies such as Amdocs, which operate data centers globally (e.g. in the US).
The amount of data is considerably reduced, since the content of the connections does not have to be stored. Data can easily be indexed and searched. Intelligence services can very easily mirror (copy) data in data centers, especially when the data is already processed inside the US. In Germany, more than 200 billion such data records are registered per month. For calls in fixed and mobile networks, 15-25 billion data records per month are estimated.

Scenarios of electronic surveillance: is encryption still safe?

Media reports suggest that the NSA works together with providers of crypto software and is thereby able to read encrypted data in clear text. The following threat scenarios against encryption are possible:
- Trying all kinds of keys (brute force attack) in order to decrypt. The longer the key, the bigger the calculation time needed for decryption.
- Manipulation of keys (certificates) during creation. Parts of the keys are predictable and reduce the calculation effort for trying many key combinations.
- Manipulation of encryption software. Additional keys are used, or crypto algorithms are implemented in a manipulated way, whereby encryption quality decreases.

Rules for secure encryption
- Use of sufficiently long keys, plus frequent changes of keys, driving decryption efforts into immeasurable numbers.
- Use of keys (certificates) created in trusted (e.g. national) trust centers. This reduces the risk of unpredictable and / or manipulated key material.
- Use of encryption software from trusted sources. Open source software offers a verifiable security level and reduces the risk of targeted implementation errors.
PRISM background information: based on press reports, peering and OTT data are the main attack points for the NSA

Picture 1: By means of certain pricing strategies and by taking advantage of peering agreements, data traffic can easily be re-routed into the US and then surveyed on US territory. Providing evidence of surveillance is hardly possible, since the routing course of data in the Internet changes continuously (many updates in BGP tables).
Picture 2: This picture shows schematically that fiber optics landing in the US (Upstream) serve as data sources. Data from OTTs (Over the Top service providers, e.g. Google, Facebook, ...) serve as additional sources.
Evaluation: all in all, the whole Internet communication is clearly key for surveillance. This is mainly due to the fact that the Internet can be leveraged as a hiding place for criminals, since communication connections can easily be concealed.

Analysis of data with XKeyScore
XKeyScore is an analysis software for captured telecommunication data (Echelon, ...). At first, the data gained via surveillance is the raw data collection. Recorded data is preserved for approx. 3 days (time limitation due to the amount of data). Data is read into a database from globally distributed servers and is full-text indexed for later processing. XKeyScore allows full-text search in the indexed data, also using different search criteria. A similar approach is used for DSL telecommunication surveillance on behalf of a judicial order from a police authority. The distribution of data collection points (servers) suggests that there are data sources close to the respective countries / locations. On the PowerPoint charts there is a confidentiality note for the countries (USA, AUS, CAN, GBR, NZL) which work together on the Echelon system.
Assessment: this suggests that it is an analysis software for Echelon or its successor system. Bad Aibling is a location of the Echelon system in Germany. The XKeyScore presentation cover sheet refers to 2007/2008.

Heatmap of NSA data collection
Based on press releases (Spiegel.de, theGuardian.com, etc.) the NSA collects approx. 500 million datasets from Germany. 500 million datasets represent approx. 0.25% of the total of all call data records (meta data). In Germany, per month approx. 3.3 billion mobile phone calls and 4.2 billion fixed-line calls take place, in total about 7.5 billion. Each call generates at least two meta datasets (start, end); depending on the duration, more datasets are generated. A projection of this to Germany results in an estimated 15-25 billion meta datasets from mobile and fixed-line networks. Messaging services (SMS, MMS, Joyn, iMessage, WhatsApp, ...) create further meta data amounting to two-digit to three-digit billions. Internet services (website access, search requests, ...) and Voice over IP (Skype, ...) generate further datasets amounting to an estimated three-digit billions. The total of meta data per month in Germany is clearly above 200 billion. The 500 million datasets which the NSA is said to analyze would correspond to a percentage of less than 0.25%. At the moment there is speculation that the 500 million datasets from Germany belong to data that the BND* registered during its activities abroad and passed on to the NSA, after having cleaned them of data of German citizens.
*BND: Federal Intelligence Service in Germany

Assessment: surveillance in Germany is very easy to do using data available abroad; data from fiber optics and services are combined
By means of the PRISM surveillance program, telecommunication surveillance is complemented by data from Over the Top (OTT) providers, social networks and Voice-over-IP services. E-mail services play a major role. Data is generally also accessible on US territory (via servers of OTT providers). Data communication to OTT services can be eavesdropped via surveillance of inter-continental fiber optics. It would also be reasonable that the discussed number of 500 million datasets from Germany is obtained by those means. A comprehensive surveillance of German communication is, due to the remote access capabilities, not even necessary and therefore not really probable. The search for relevant data is presumably performed e.g. via XKeyScore; the further processing is done using visual analysis systems for graphic processing of data (cf. continuation page).
[Figure: example of an analysis of phone and Internet data in the aftermath of the terror attack in NY/2001. Source: https://www.visualanalysis.com/]

Surveillance of SMS: NSA Dishfire program
In April 2011, the NSA collected daily around 194 million SMS messages and analyzed them with the Dishfire system. Extrapolated, this means 70.8 billion messages per year were collected and analyzed. Based on the NSA documents, in 2010 globally approx. 200,000 text messages were sent per second, extrapolated to 17.2 billion per day. For comparison: in Germany, considering all four mobile networks, approx. 100 million SMS are sent per day. Those SMS also include notifications about missed calls, tariff information, messages about new voice mails etc.
Assessment: thus, in 2011, the NSA collected in one year approx. the total number of all SMS that are sent in Germany during 2 days.

Surveillance by computer network exploitation: TAO (Tailored Access Operations), technical eavesdropping installations
Press reports revealed that the NSA operates a TAO office, developing and providing a catalogue of several attack tools (ANT) for internal usage (2008):
- 48 products are listed in the catalogue: 20 software programs, 26 hardware systems, and 2 tools combining hardware and software.
- Distribution of tools on Juniper Netscreen firewalls, Cisco PIX and the ASA series is probably high; vendors are presumably not involved.
- Installation is resistant to changes in BIOS or firmware (exploitation of unknown backdoors?).
- As of today, the catalogue might be more extensive (new exploits, affected systems/devices, degree of distribution).
Recommendation: (1) Revision/adjustments/supplements of security requirements for network products (firewalls/routers) and services, e.g. diagnosis and configuration ports shall not be reachable from the Internet. (2) Port verification with Huawei, Juniper and Cisco on accessibility from the Internet.

The additional risk of industrial espionage: in many countries a mandate of intelligence services
Governmental / legal assignment of intelligence services in selected countries
USA: CIA and NSA are legally allowed to perform industrial espionage against foreign companies as part of the reconnaissance of possibly unfair behavior in international competition.
UK: Industrial espionage against foreign companies for the welfare of the British economy is part of the legal mandate of intelligence services.
France: The legislative basis for industrial espionage by intelligence services is unclear. Press interviews with (former) officials indicate that this happens to a comprehensive extent.
Russia: Industrial espionage for the welfare of the Russian economy and research is part of the legal mandate of intelligence services.
China: The 5-year plan of the Communist Party results in the mandate of intelligence services to make up leeway in research and development by industrial espionage. The aim is to reach and continuously ensure global leadership in key technologies (including information and communication technology).

Scenarios of strategic electronic surveillance: comparison of scenarios

Scenario         Communication circumstances   Communication contents   Technical effort   Amount of data   Benefit from perspective of
                 available (who, when, ...)    available (what)                                             strategic reconnaissance
Coupler          yes                           yes                      very high          very high        high
Optic splitter   yes                           yes                      high               very high        high
Peering          partially                     partially                very low           high             very high
Meta data        yes                           no                       low                low              very high

Protective measures against surveillance of national voice and data traffic

Legal solutions
- Only allow the processing of meta data inside national borders. Service providers have to appoint staff with security clearance for this purpose.
- Establish the principle that national traffic may only be routed nationally (comparable to US regulation), especially relevant for Internet peering and future network generations (NGN).
- Enforced usage of encryption, e.g. encryption of communication between e-mail servers of national providers.

Technical solutions
- Integrate security gateways at Internet peering points that allow shielding of national parts of the Internet, without limiting functionality inside the country.
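The "national traffic is routed nationally" principle above, and the hard-to-detect BGP re-routing described in the peering slide, can both be monitored from a provider's own BGP view by comparing incoming updates against a learned baseline. The following Python is an added example, not part of the original slide deck: the AS numbers, the AS-to-country mapping, the prefixes and the update records are constructed placeholders from the documentation ranges, and the baseline path per prefix is assumed to have been learned during a quiet period.

```python
"""Flag national prefixes whose BGP path newly transits foreign ASes.
Added example (not from the original slide deck). AS numbers, prefixes and
the AS-to-country map are constructed placeholders (RFC 5398 / RFC 5737)."""
from dataclasses import dataclass

# Constructed mapping of AS number -> operating country (placeholder values).
AS_COUNTRY = {64500: "DE", 64501: "DE", 64502: "DE", 64510: "US", 64511: "US"}


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple  # leftmost = nearest neighbour, rightmost = origin AS


def foreign_transit(as_path, home="DE"):
    """Return the ASes in the path that are not operated from the home country."""
    return [asn for asn in as_path if AS_COUNTRY.get(asn) != home]


def check_updates(baseline, updates, home="DE"):
    """Compare each update with the baseline path learned for its prefix.
    Path churn among domestic ASes is normal and is not reported; only a
    changed origin or newly appearing foreign transit raises a finding,
    which keeps alert volume low despite frequent BGP table updates."""
    findings = []
    for u in updates:
        base = baseline.get(u.prefix)
        if base is None:
            findings.append((u.prefix, "no baseline for prefix"))
            continue
        if u.as_path[-1] != base[-1]:
            findings.append((u.prefix, f"origin changed {base[-1]} -> {u.as_path[-1]}"))
        new_foreign = set(foreign_transit(u.as_path, home)) - set(foreign_transit(base, home))
        if new_foreign:
            findings.append((u.prefix, f"new foreign transit via {sorted(new_foreign)}"))
    return findings


# Constructed sample data: domestic baseline paths, then a batch of updates.
BASELINE = {"192.0.2.0/24": (64500, 64501), "198.51.100.0/24": (64500, 64502)}
UPDATES = [
    Update("192.0.2.0/24", (64500, 64502, 64501)),            # domestic churn only
    Update("198.51.100.0/24", (64500, 64510, 64511, 64502)),  # now transits US ASes
    Update("203.0.113.0/24", (64510, 64511)),                 # prefix never seen before
    Update("192.0.2.0/24", (64500, 64510)),                   # origin moved abroad
]

if __name__ == "__main__":
    for prefix, reason in check_updates(BASELINE, UPDATES):
        print(prefix, reason)
```

In production the AS-to-country map would come from RIR delegation data and the updates from a route collector feed; the comparison logic stays the same.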