Secure Mobile Phone


Tuesday, 30 July 2013

Russian Metro to Track Lost / Stolen Phones

Posted on 12:37 by Unknown
(nudge, nudge, wink)

A major Russian newspaper reported that Moscow’s metro system is planning what appears to be a mobile phone tracking device in its metro stations—ostensibly to search for stolen phones.

According to Izvestia (Google Translate), Andrey Mokhov, the operations chief of the Moscow Metro system’s police department, said that the system will have a range of five meters (16 feet). “If the [SIM] card is wanted, the system automatically creates a route of its movement and passes that information to the station attendant,” Mokhov said.

Many outside experts, both in and outside Russia, though, believe that what local authorities are actually deploying is a “stingray,” or “IMSI catcher”—a device that can fool a phone and SIM into reading from a fake mobile phone tower. (IMSI, or an International Mobile Subscriber Identity number, is a 15-digit unique number that sits on every SIM card.) Such devices can be used as a simple way to see what phone numbers are being used in a given area or even to intercept the audio of voice calls. (more)
Posted in cell phone, espionage, government, surveillance, tracking, wiretapping

Monday, 29 July 2013

World's Biggest Data Breaches - Infographic

Posted on 16:21 by Unknown
A beautiful way to get the point across...

Be sure to visit the interactive original HERE.
Posted in computer, data, Hack, IT, statistics

And, the winner of Who's Got the Biggest Electronic Ear is...

Posted on 15:55 by Unknown
"According to the Max Planck Institute, you're 100 times more likely to be surveilled by your own government if you live in the Netherlands or you live in Italy," Baker said. 

"You're 30 to 50 times more likely to be surveilled if you're a French or a German national than in the United States." (more)
Posted in cartoon, government, statistics, surveillance

Israel's Verint to Get Indian Government Contract for Interception Tools

Posted on 15:12 by Unknown
India - Verint's leadership team recently met communications minister Kapil Sibal in Israel and indicated the company's desire to work with the government to intercept all forms of encrypted communications to address India's cyber security needs.

Sibal has also apprised Israel's IT & communications minister Gilad Erdan about engaging Verint to implement an interception solution. "Verint is willing to work with the Indian government to address the issue of intercepting encrypted communications like Gmail, Yahoo-mail and others. It will shortly co-ordinate with DoT's security wing and CERT-In teams to implement a customized interception solution," says an internal telecom department note, a copy of which was reviewed by ET. (more)

But wait! There's more!

India - Worried over increasing tiger deaths each year and many due to poaching and poisoning, India plans to start round-the-clock electronic surveillance of some of the tiger habitats using high definition cameras. (more)
Posted in FutureWatch, government, surveillance

Surveillance Camera Hack to be Revealed at Black Hat

Posted on 15:08 by Unknown
A US security expert says he has identified ways to remotely attack high-end surveillance cameras used by industrial plants, prisons, banks and the military, something that could potentially allow hackers to spy on facilities or gain access to sensitive computer networks.

Craig Heffner, a former software developer with the National Security Agency (NSA) who now works for a private security firm, said he discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco, D-Link and TRENDnet...

He plans to demonstrate techniques for exploiting these bugs at the Black Hat hacking conference, which starts on July 31 in Las Vegas.

ISPs Grossed as Feds Net Passwords

Posted on 15:04 by Unknown
The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused. (more)
Posted in cautionary tale, government, law, password, surveillance

Saturday, 27 July 2013

Wiretap Evidence Included in SAC Capital Case

Posted on 15:04 by Unknown
The evidence of insider trading at SAC Capital Advisors LP includes court-authorized wiretaps, a U.S. prosecutor said at the $14 billion hedge fund’s arraignment in federal court in Manhattan.

“The discovery will be voluminous, including a large number of electronic recordings, including electronic messages, instant messages, court-authorized wiretaps and consensual recordings,” Assistant U.S. Attorney Antonia Apps told U.S. District Judge Laura Taylor Swain yesterday about the pretrial evidence-gathering process. “In short, a tremendous volume.” (more)
Posted in business, cautionary tale, eavesdropping, employee, government, lawsuit, recording, telephone, wiretapping

Friday, 26 July 2013

NSA says there are three different PRISMs

Posted on 14:54 by Unknown
(Updated: July 28, 2013)

Yesterday, German media wrote about an official letter from the NSA, which was sent to the German government to clarify some misconceptions about PRISM. This was because German media and politicians were heavily confused after it became clear that there's more than one program named PRISM.

The NSA letter explains what the PRISM data collection program is about and then confirms that this program is different from a more common military web tool called "Planning tool for Resource Integration, Synchronization and Management" (PRISM).

Surprisingly, the NSA also reveals that there's even a third program called PRISM. In this case the name stands for "Portal for Real-time Information Sharing and Management" and it's apparently an internal NSA information sharing program. It was unknown until now, probably because it's used in the NSA's highly sensitive Information Assurance Directorate (IAD).


Initially: two different PRISMs

Almost immediately after The Guardian and The Washington Post published their disclosure of PRISM on June 6, some people googled and found out there were also a number of other programs called PRISM. Because both papers failed to clarify the precise nature of PRISM, it seemed that the program could have been the same as a more common application called "Planning tool for Resource Integration, Synchronization and Management" (PRISM). We examined this in an earlier article.

However, this option of both PRISMs being one and the same had to be abandoned after The Washington Post published four new slides from the PRISM-presentation on June 29. These slides presented many new details and also proved that the PRISM which collects data from internet companies is different from the PRISM planning tool. The first operates on the national intelligence level, and the latter is used at a tactical level by the various military commands. These new insights were discussed on this weblog in this article and graphically shown in this figure:



Comparing the PRISM data collection program and the PRISM planning tool



Confusion in Germany

On July 17, the German tabloid BILD ran big headlines claiming that troops of the German federal defense forces (Bundeswehr) in Afghanistan already knew about PRISM in 2011. This suggested that the German government was lying, because earlier it had denied all accusations of knowing anything about the PRISM program as unveiled by Edward Snowden.

BILD found "PRISM" mentioned in a confidential e-mail, which the ISAF Joint Command Headquarters in Kabul sent to all Regional Commands (RC) in Afghanistan on September 1, 2011:



Screenshot of the front page of the German tabloid BILD,
as shown on the German television channel ZDF


This publication caused a lot of discussion, so on the very same day, spokesmen from both the German foreign intelligence agency BND and the German defense forces declared that there are two different PRISM programs: the first one being the program unveiled by Edward Snowden, and the second one being a "computer supported US communications system", which is used in Afghanistan "to coordinate US reconnaissance systems and to present collected information", as we can read in this letter from the assistant Defense minister:



Screenshot of a letter from the assistant German Defense minister to the German parliament,
explaining the PRISM confusion, as shown on the German television channel ZDF


Neither official said that the full name of this second PRISM is "Planning tool for Resource Integration, Synchronization and Management", making it harder to prove that both programs are different.

Again this shows severe deficiencies in informing the public and in research by the media. The BILD-article is pure sensationalism. Simply googling key words from sections of the e-mail like "collection management shop", "COMINT nominations [...] must be resubmitted into PRISM" and "SIGINT Operational Tasking Authority" would have rapidly pointed to the PRISM planning tool.

As described earlier, the second PRISM is a so-called tasking tool, which is used to request the intelligence information which is needed for military operations. As such it's the core application of the military intelligence collection management. This PRISM planning tool runs over the intelligence community's JWICS and the military's SIPRNet networks. It was developed by SAIC, first mentioned in 2002 and since then in many job descriptions on the internet.

Only very few media did this kind of research and found out that there are really two different PRISM programs. We can see for example one article at Netzpolitik.org, which connects a bit too many things, and another one at Golem.de, which is based upon research by this weblog.


A letter from the NSA

On July 25, the website of the German newspaper WELT cited a letter which the NSA sent to the German federal government to answer official questions about PRISM. The letter says the media is "confusing two separate and distinct PRISM programs" and continues with explaining what the first program is about:

"The first PRISM pertains to the foreign intelligence collection being conducted under Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA). This is the program that has caught the most attention of our publics, politicians and the media.
This is not bulk collection, and there are restrictions on how long the information can be retained. It is carefully targeted in accordance with a public law and requires court approval and supervision.
A fundamental, protective requirement of FISA is that it restricts the ability of the U.S. Government to obtain the contents of communications from communications service providers by requiring that the court find that the government has an appropriate and documented foreign intelligence purpose, such as the prevention of terrorism, hostile cyber activities or nuclear proliferation."


Screenshot of the letter from the NSA to the German government,
as shown on the German television channel ZDF


According to German media, the NSA letter continues by saying that the second PRISM program is a tool which is used by US troops in Afghanistan to order and search intelligence information. This is the program mentioned in the ISAF e-mail from 2011 and is clearly the Planning tool for Resource Integration, Synchronization and Management (PRISM), although that's not only used in Afghanistan, but also at other US military commands.

Surprisingly and all by itself, the NSA added that there's even a third program called PRISM, which is fully independent from the two PRISM programs mentioned before. In this case the name is also an acronym, which stands for "Portal for Real Time Information Sharing and Management" and the program is apparently used for internal real-time exchange of information.

By now we already have quite some information about the first PRISM program, we know there's a clear distinction from the second PRISM tool and we even learned about a third PRISM. Nonetheless, German opposition leaders said they still hardly know what PRISM is all about, but this seems to be mainly for political ends, as Germany is facing general elections in September.


Now: three different PRISMs

It seems that the NSA revealed the existence of the third PRISM program for the very first time, as it never appeared anywhere online before. If we google its full name, the only results are the recent German news reports. The German magazine Der Spiegel came with another quote, which seems to suggest that this third NSA tool "tracks and queries requests pertaining to our Information Assurance Directorate".

If that's correct, it could explain why we never heard of this program. The NSA's Information Assurance Directorate (IAD) is a very secretive division, because it's responsible for safeguarding US government and military secrets by implementing sophisticated encryption techniques.

Probably the most remarkable thing about the new "Portal for Real-time Information Sharing and Management" is not its function, which seems pretty obvious, but the fact that there are three programs with exactly the same name.

But from what we know by now, it also becomes clear that each program is used for different purposes and in different environments: the PRISM data collecting program is part of NSA's Signals Intelligence division, the PRISM planning tool is used for military intelligence and the PRISM information sharing portal is used in the Information Assurance division of the NSA.

Finally, here's a short summary of all three different PRISM programs:

1. PRISM
This is a codeword for an NSA project of collecting information about foreign targets from data of nine major US internet companies. This program started in 2007 and was unveiled by Edward Snowden in June 2013.

2. Planning tool for Resource Integration, Synchronization and Management (PRISM)
This is a web tool used by US military intelligence to send tasking instructions to data collection platforms deployed to military operations. This program is not very secret and was first mentioned in 2002.

3. Portal for Real-time Information Sharing and Management (PRISM)
This is an internal NSA program for real-time sharing of information, apparently in the NSA's Information Assurance Directorate. Its existence was revealed by the NSA in July 2013.



Posted in NSA, PRISM

Double-Edged Sword Zone - Protect Your Office with iSpy (FREE)

Posted on 10:38 by Unknown
iSpy (64-bit) uses your webcams and microphones to detect and record movement or sound and provides security, surveillance, monitoring and alerting services. You can control cameras with PTZ, one-click or auto upload to YouTube, auto FTP to any servers, listen to and monitor audio live over the network, connect and monitor as many cameras and microphones as you like, import and export object lists to share with colleagues, connect multiple computers in a group and manage over the web. FREE Download. (free warning sticker - download and print)


Of course, you can see how this could be used against you, and there is no free lunch. The software download is free, but there are $ enhancements ~Kevin
Posted in computer, FREE, software, spycam, surveillance

Did You Know... Surprising Spy Facts!

Posted on 08:06 by Unknown
• The new NSA center in Utah is 15 times the size of MetLife Stadium, home to the New York Giants and Jets, and 7 times bigger than the Pentagon. (more) 

• Spy blimps can stay aloft for almost 3 weeks. (more) And, they are coming to Washington, DC (more) (video)

• 1,600 intelligence gatherers working at the Rivanna Station along with NGIC— DIA (Defense Intelligence Agency), NGA (National Geospatial-Intelligence Agency), and the frequently-in-the-news National Security Agency (NSA)— call them the "crown jewels" of the Department of Defense intelligence. (more)
 

• The S&P 500 SPDR (SPY, A) is the oldest and best-known exchange-traded fund. (more) (oops, wrong spy)
 

• Authorities in eastern Turkey have cleared a small bird detained on suspicions of spying for Israel. (more)

• North Korea to put captured US spy ship on display. (more) 

• The real danger the NSA poses can be found here.
Posted in humor, NSA, political, spybot, surveillance

Happy Birthday, CIA

Posted on 07:27 by Unknown
On July 26, 1947, President Truman signed the National Security Act, creating the Department of Defense, the National Security Council, the Central Intelligence Agency and the Joint Chiefs of Staff. (more)
Posted in government

Wednesday, 24 July 2013

Hot Stock Tip...

Posted on 14:23 by Unknown
Invest in SPYs Spies.

The string of revelations about America's surveillance apparatus by former National Security Agency contractor Edward Snowden has cast a spotlight on the growing number of American companies involved in electronic spycraft.

It hasn't visibly damped enthusiasm among Silicon Valley investors and military contractors looking for ways to get into a business many see as one of the few growth areas left as U.S. military spending contracts.

Some of the country's most influential venture capitalists and former spy chiefs are investing in companies now providing the government with the sweeping electronic spy system and evolving cyberwarfare programs exposed by Mr. Snowden. (more)
Posted in advice, business, FutureWatch, government, surveillance

The Other Domestic Spying Scandal

Posted on 14:11 by Unknown
With all the concern about the government spying on us, is it any wonder that couples spy on one another?

Dating site SeekingArrangement.com surveyed over 22,000 Americans and found that 55% admitted to spying on their partners.

In Houston, at least according to the survey, it isn’t that bad. Only 48.8% of the people admitted to spying, which ranks us as the 10th most trusting city in the county. (more)
Posted in amateur, mores, surveillance

Business Secrets Leak via Personal Devices

Posted on 13:51 by Unknown
The smartphone revolution opened the floodgates to the BYOD (bring your own device) trend among workers... 

More than half of information workers own the devices they use for work, according to Forrester Research, which surveyed almost 10,000 people in 17 countries, and that proportion is likely to increase, says David Johnson, a senior analyst at Forrester.

The groundswell caused many IT directors to simply throw up their hands.
A study published last November by Kaspersky Lab, a digital-security firm, found that one in three organizations allowed personal cellphones unrestricted access to corporate resources—with troubling consequences. One in five companies in the same survey admitted losing business data after personal devices were lost or stolen. (more)


The pressure is on manufacturers to come up with better security features. 
"Certified for Business Use" has a nice value-added ring to it.
Posted in BYOD, cautionary tale, cell phone, data, statistics, survey

Android Phones - The New Corporate Espionage Tool

Posted on 08:43 by Unknown
Alcatel-Lucent’s Kindsight subsidiary has released figures that show an increase in malicious software (malware) used by hackers to gain access to devices for corporate espionage, spying on individuals, theft of personal information, generating spam, denial of service attacks on business and governments and millions of dollars in fraudulent banking and advertising scams.

“Malware and cybersecurity threats continue to be a growing problem for home networks and mobile devices, particularly for Android smartphones and tablets which are increasingly targeted,” said Kevin McNamee, security architect and director of Alcatel-Lucent’s Kindsight Security Labs.

“A third of the top 15 security threats are now spyware related, up from only two spyware instances the last quarter,” said McNamee. “MobileSpy and FlexiSpy were already in the top 15 list, but SpyBubble moved up to take the 4th spot, while SpyMob and PhoneRecon appeared for the first time, ranking 5th and 7th respectively.

“Mobile spyware in the BYOD context poses a threat to enterprises because it can be installed surreptitiously on an employee’s phone and used for industrial or corporate espionage.”

McNamee said it is “surprisingly easy” to add a command and control interface to allow the attacker to control the device remotely, activating the phone’s camera and microphone without the user’s knowledge.

“This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device – all without the user’s knowledge.

“The mobile phone is a fully functional network device. When connected to the company’s Wi-Fi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets. (more)

Posted in cautionary tale, cell phone, espionage, malware, spyware, statistics, survey

Monday, 22 July 2013

SIM Card Flaw Could Allow Eavesdropping on Phone Conversations

Posted on 08:49 by Unknown
Vulnerability in the security key that protects the card could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, a security researcher warns.

Karsten Nohl, founder of Security Research Labs in Berlin, told The New York Times that he has identified a flaw in SIM encryption technology that could allow an attacker to obtain a SIM card's digital key, the 56-digit sequence that allows modification of the card. The flaw, which may affect as many as 750 million mobile phones, could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, Nohl warned. 

Can you decode the code?
"We can remotely install software on a handset that operates completely independently from your phone," warned Nohl, who said he managed the entire operation in less than two minutes using a standard PC. "We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account." (more)


The U.N.'s Geneva-based International Telecommunications Union, which has reviewed the research, described it as "hugely significant."

Cracking SIM cards has long been the Holy Grail of hackers because the tiny devices are located in phones and allow operators to identify and authenticate subscribers as they use networks. (more)
 
Posted in cautionary tale, cell phone, eavesdropping, espionage, Hack, software, surveillance, tracking, wiretapping

You’ve Nicked Hackers... Now Expose the Buggers

Posted on 08:00 by Unknown
UK - Phone hacking is a crude but preventable means of invading someone’s privacy.

You can go to jail for it — and many journalists face this risk as they await trial.

By comparison, breaking into a telecoms substation, plugging into a landline and intercepting private phone calls and computer traffic is a really serious crime.

Yet while those journalists were arrested at dawn and charged after long periods on police bail, nobody has been arraigned for bugging despite evidence over many years.

The difference between the two offences is important.

Hacking is opportunistic eavesdropping. Bugging is nothing less than espionage.

Once a bug is attached by stealth, it can monitor every spoken word and keystroke without the subscriber ever knowing. 
(more)
Posted in advice, amateur, business, detection, eavesdropping, espionage, Hack, wiretapping

Saturday, 20 July 2013

The Wild Wild West - Town to Issue Drone Hunting Permits

Posted on 08:23 by Unknown
Deer Trail, a small Colorado town, is considering a measure that would allow its residents to hunt for federal drones and shoot them down.

“Is it illegal? Of course it is. But it’s also illegal to spy on American citizens,” resident Phillip Steel told CNN in a phone interview. “If they fly in town, we will shoot them down.”

Steel said he wrote the ordinance after he learned the Federal Aviation Administration “loosened regulations that would allow the flight of drones in domestic airspace.” (more)
Posted in cautionary tale, drone, government, humor, law, political, privacy, spybot, surveillance, weird

Bug Found in Office of Berlusconi's Judge

Posted on 07:01 by Unknown
An electronic bug was found in the offices of the Italian judges due to hear a final appeal this month by former premier Silvio Berlusconi against a tax fraud conviction, news reports said Friday.

An employee of the Court of Cassation discovered a device used to record or intercept conversations and alerted police Thursday afternoon, the Rome-based Il Tempo newspaper said.

The bug, which was removed by police, did not have any batteries, the daily said. (more)
Posted in eavesdropping, find, government, lawsuit, political

Friday, 19 July 2013

If You Can Pee, You Can Make a Phone Call

Posted on 12:42 by Unknown
If asked what would be a great power source for mobile phones, it’s a fair bet that most people wouldn't make urine their first choice. But that's exactly what a group of scientists at Bristol Robotics Laboratory in the UK have done. As part of a project to find new ways to provide electricity for small devices in emergency situations and developing countries they have created a new fuel cell system powered by pee.

The key to this rather unorthodox way of powering a phone is a microbial fuel cell (MFC) that converts organic matter directly into electricity. Inside the MFC, there is a mixture of ordinary anaerobic microorganisms that release electrons as they feed – in this case, on the urine. (more)

Thus giving a whole new meaning to streaming media. (rimshot!) Gee whiz.
Posted in cell phone, FutureWatch, humor

Mobile Security Apps Perform Dismally Against Spyware

Posted on 12:29 by Unknown
via Josh Kirschner at Techlicious...
Mobile spyware can have a devastating effect on your life; the constant fear that a spouse, significant other or even employer is following your every move, knows everything about your life and has completely removed any vestige of privacy...

And spyware is not as rare as you may think. According to mobile security company Lookout, .24% of Android phones they scanned in the U.S. had surveillance-ware installed intended to target a specific individual. Sophos reports a similar .2% infection rate from spyware. If those numbers hold true for Android users in general, that would mean tens of thousands could be infected.

I set out to test the leading Android anti-malware vendors to see how they fared at protecting us against the threat of spyware...

The results, generally speaking, were dismal. Of twelve products I tested, none was able to detect more than two-thirds of the samples. Many missed half or more of the spyware apps. And, surprisingly, the potential spyware apps least likely to be detected were those widely available in Google Play. (more)

Josh did an excellent job researching this topic and we thank him for publicly exposing the flaws. 

Now, what can be done about really detecting spyware?

Murray Associates was approached by two clients several years ago who had come to the same conclusion as Josh via their own research. They asked us to develop a solution – based on the following conditions:
  1. The solution must make quick and reasonable spyware evaluations. 
  2. No special forensic tools should be required. 
  3. No special skills should be necessary.
  4. No assistance should be necessary once the initial training is over. The phone owner must be able to conduct the test him- or herself—anytime, anyplace.
  5. Advancements in spyware software and cell phone hardware should not render the test ineffective.

The results of this project are published in the book, "Is My Cell Phone Bugged?", and are used in SpyWarn, a unique Android spyware detection app.
Posted in advice, Android, App, cell phone, detection, eavesdropping, malware, spyware, statistics, survey, wiretapping

Android Malware that Gives Hackers Remote Control is Rising (Technical but important news.)

Posted on 08:05 by Unknown
via... Sean Gallagher - Ars Technica 
Remote access tools have long been a major part of targeted hacker attacks on individuals and corporate networks. RATs* have been used for everything from hacking the e-mail boxes of New York Times reporters to capturing video and audio of victims over their webcams. Recently, wireless broadband and the power of smartphones and tablets have extended hackers’ reach beyond the desktop. In a blog post yesterday, Symantec Senior Software Engineer Andrea Lelli described the rise of an underground market for malware tools based on Androrat, a remote administration tool that can give an attacker complete control over devices running the Android OS.

Androrat was published on GitHub in November 2012 as an open source tool for remote administration of Android devices. Packaged as a standard Android application (in an APK file), Androrat can be installed as a service on the device that launches at start-up or as a standard “activity” application. Once it’s installed, the user doesn’t need to interact with the application at all—it can be activated remotely by an SMS message or a call from a specific phone number.

The app can grab call logs, contact data, and all SMS messages on the device, as well as capture messages as they come in. It can provide live monitoring of call activity, take pictures with the phone’s camera, and stream audio from the phone’s microphone back to its server. It can also post “toasts” (application messages) on the screen, place phone calls, send text messages, and open websites in the phone’s browser. If it is launched as an application (or “activity”), it can even stream video from the camera back to the server.

Hackers have taken Androrat’s code and run with it. Recently, underground marketplaces for malware have begun to offer Androrat “binder” tools, which can attach the RAT to the APK files of other legitimate applications. When a user downloads what appears to be a harmless app that has been bound to Androrat, the RAT gets installed along with the app without requiring additional user input, sneaking past Android’s security model. Symantec reports that analysts have found 23 instances of legitimate apps that have been turned into carriers for Androrat. The code has also been incorporated into other “commercial” malware, such as Adwind—a Java-based RAT that can be used against multiple operating systems.

Lelli said that Symantec has detected “several hundred” cases of Androrat-based malware infections on Android devices, mostly in the US and Turkey. But now that binders are available to anyone willing to pay for them, the potential for infection to spread is growing rapidly. (more)


*Spybusters Countermeasure: Android app SpyWarn detects RAT spyware activity. (http://tinyurl.com/SpyWarnApp)
Posted in advice, App, cautionary tale, cell phone, detection, Hack, spyware, SpyWarn | No comments

New Jersey Supreme Court Restricts Police Searches of Phone Data

Posted on 07:45 by Unknown
Staking out new ground in the noisy debate about technology and privacy in law enforcement, the New Jersey Supreme Court on Thursday ordered that the police will now have to get a search warrant before obtaining tracking information from cellphone providers.

The ruling puts the state at the forefront of efforts to define the boundaries around a law enforcement practice that a national survey last year showed was routine, and typically done without court oversight or public awareness. With lower courts divided on the use of cellphone tracking data, legal experts say, the issue is likely to end up before the United States Supreme Court. (more)
Posted in cell phone, government, law, police, privacy | No comments

Thursday, 18 July 2013

If You Think The NSA Is Bad, Wait Till You See South Korea’s Surveillance State

Posted on 15:13 by Unknown
SEOUL, South Korea — Americans are apparently blasé about government eavesdropping.

In the days after former National Security Agency contractor Edward Snowden revealed that Washington spies extensively on its own citizens, polls found that about half of Americans have no problem with such snooping, as long as it protects them from terrorism.

But a scandal unfolding here in South Korea illustrates how such domestic snooping can easily harm a democracy. The imbroglio has sparked student protests and candlelight vigils around Seoul... (more)
Posted in cautionary tale, espionage, government, mores | No comments

NSA Leak Highlights the Power of Spying - Irish Eyes Aren't Smiling

Posted on 12:13 by Unknown
Ireland - Entrepreneurs are worried. Not because they have something to hide from US authorities, but for fear of breaking contractual liability. 

"I'm currently setting up two businesses here," said Jude Braden, who employs 12 people in Dublin-based data-related businesses. "My problem is that under Irish and EU law, I have a duty to protect the data of my clients. I can potentially be sued if my clients' data gets out into the public domain. But the events of recent weeks and months puts me in a position where I may not be able to fulfill the terms of that obligation."
Espionage and industrial skullduggery have long been connected, said Conor Flynn, founder of Isas, a Dublin-based IT security firm... "There has always been suspicions among American industrialists when they travel to China that they would be monitored for espionage purposes."

Dublin-based IT security expert Brian Honan agrees. "You don't bug German embassy offices if you're looking for Al-Qai'da," said Honan. "When the US plants bugs in EU embassies it is clearly targeted at trade talks and industrial interests."


Conor and Brian are correct. Industrial skullduggery, and bugging, are key espionage tactics – and, they are not the tools of governments alone. Tried and true spy methods still work in the business world.  (more)
Posted in business, espionage, NSA | No comments

Tuesday, 16 July 2013

New slides about NSA collection programs

Posted on 14:42 by Unknown
(Updated: November 12, 2013)

Over the last month, the publication of various slides of a powerpoint presentation about the top secret NSA collection program PRISM caused almost worldwide media attention. Less known is that a number of new slides about other NSA collection programs were published on July 6 by the Brazilian newspaper O Globo.

These and a few other slides were also shown on Brazilian television, combined with an interview with Guardian-columnist Glenn Greenwald, who lives in Rio de Janeiro. Screenshots of some of the slides shown on Brazilian television became available on Flickr (see Links and Sources). On July 21, the German magazine Der Spiegel published some extra details about the XKEYSCORE program.

UPDATE:
On July 31, The Guardian published a full presentation about XKEYSCORE, but this shows that the program is not for data collection, but for data analysis.


- FAIRVIEW-slides - FORNSAT-slide - PRISM-slides - XKEYSCORE-slides -


FAIRVIEW-slides

Brazilian television and the O Globo website presented a whole new series of four slides from what seems to be a presentation about the FAIRVIEW program or maybe the broader "collection of communications on fiber cables and infrastructure as data flows past", which was called "Upstream" in one of the PRISM-slides.

The first slide (below) shows the logos of the NSA and its Special Source Operations (SSO) unit, and a map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment". As DNI stands for Digital Network Intelligence, this map apparently shows internet traffic to North Korea, as traced by the FAIRVIEW program.


According to O Globo, these maps show the amount of exchanged messages and phone calls (although DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran. Below we see DNI traffic to Pakistan on March 4 and 5, 2012:


A third slide shows a list of "Top 20 Pakistani domains (.pk)" which were apparently tracked between February 15, 2012 and March 11, 2012:


A fourth slide shows some lines with names of collection managers of OAKSTAR, BLARNEY and what appears to be the STORMBREW and (the hitherto unknown) OCELOT programs (Update: newly disclosed slides show that the latter word is actually MADCAPOCELOT). Brazilian television showed this slide uncensored with the names visible, but here we blacked them out:


According to former NSA official Thomas Drake, FAIRVIEW is a highly classified program for tapping into the world’s intercontinental fiber-optic cables. It acts as an "umbrella program" with other programs underneath it. One of them is BLARNEY, which is a program to access internet data at key junctions and is facilitated by arrangements with commercial cable companies and internet service providers.

According to Drake, "BLARNEY is to the international Internet space as PRISM is to the domestic". FAIRVIEW is apparently also the method through which the NSA receives the information it has collected, essentially co-opting the fiber optic cables to transmit the data back to the agency to be analyzed by data mining programs.


FORNSAT-slide

The Brazilian television also showed one slide from a presentation which wasn't mentioned or seen earlier. The only information we have, is the slide itself and what the O Globo website tells about it:


The slide is titled PRIMARY FORNSAT COLLECTION OPERATIONS, and the O Globo website says it shows a network of 16 facilities for intercepting transmissions from foreign satellites. The slide shows markings in blue and green, where blue represents "US Sites" and green "2nd Party" for intercepting locations run by partner signals intelligence agencies of the UKUSA Agreement.

US Sites:
- JACKKNIFE, Yakima (US)
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabana Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)

2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Cyprus
- SNICK, Oman
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, New Zealand

Most of these locations were part of the ECHELON satellite intercept program. The NSA station at Bad Aibling in Germany was closed down in 2004, but at the same time, the German foreign intelligence agency BND opened a listening station at the nearby Mangfall barracks, also near Bad Aibling.

According to Snowden, there are also NSA personnel at this station, maintaining their own communications hub connected to the NSA headquarters. This cooperation between NSA and BND is based on a Memorandum of Agreement dated April 28, 2002. As the slide has no date, it's unclear whether the marking on the map is for the former NSA station, or the current NSA/BND post.

The SCS sites in Brasilia and New Delhi are units of the Special Collection Service, a joint CIA/NSA program to collect information through covert listening posts based in US embassies in foreign capitals.

Update: An article showing a better version of the map says that it's from 2002, which explains why it shows the stations at Bad Aibling and Sabana Seca, both of which have since closed.


PRISM-slides

Already nine slides from the presentation about the PRISM data collection program were published on the websites of The Guardian and The Washington Post. On this weblog we also discussed the first five slides and the following four slides, which were additionally published by the Post.

The Brazilian television showed two new pictures, the first is the fifth slide published by The Guardian, but only showing the world map with fiber optic cables, and without the text balloons about "Upstream" and "PRISM" collection methods, which apparently show up after clicking the original powerpoint presentation:


The slide which is below was not published earlier. Just like the previous slide, this one is also about "FAA702 Operations", which means operations under section 702 of the FISA Amendments Act (FAA) of 2008. The slide shows the same world map with fiber-optic cables and is hardly readable, but according to Wikipedia, the subheader reads "Collection only possible under FAA702 Authority" and the program name FAIRVIEW is the central cyan colored box. Maybe the codenames of other programs are in the yellow box at the right side:


An eleventh slide of the PRISM presentation appeared on the website of O Globo, some days after the previous slides were shown on television. This slide is titled "A Week in the Life of PRISM Reporting" and shows some samples of reporting topics from early February 2013:


It seems the bottom part of this slide was blacked out by Brazilian media, as the Indian paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as topics under the header "India", and also information from Asian and African countries is contributing to a total of "589 End product Reports".

These lists show that PRISM is used for collecting data about the usual strategical and tactical targets and not about ordinary people, as most of the media reports suggest.



XKEYSCORE-slides

Brazilian television showed a whole new set of slides about the XKEYSCORE program. According to O Globo, XKEYSCORE detects the nationality of foreigners by analysing the language used within intercepted emails, which the paper claims has been applied to Latin America and specifically to Colombia, Ecuador, Venezuela and Mexico.

In total, O Globo showed four slides about the XKEYSCORE program, which are classified as TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. This means this information can be shared with signals intelligence agencies from Australia, Canada, Great Britain and New Zealand, which are cooperating under the so called UKUSA Agreement.

XKEYSCORE collects data with the help of over 700 servers based in "US and allied military and other facilities as well as US embassies and consulates" in several dozen countries. These locations are shown on the slide below:


The next slide shows how the collected data of so-called sessions are processed by separating them into different communication information, which are stored in various databases:


According to O Globo the XKEYSCORE can also track people by localities when they are using Google Maps:


This slide is followed by one showing a map of Afghanistan and surrounding countries with a lot of coloured marking points, without any clarification of what they represent:


According to new information published by the German magazine Der Spiegel (pdf) on July 21, the slides about X-KEYSCORE are from a presentation dated February 25, 2008. It's said that, starting with the metadata, the program is able to retroactively reveal any terms a targeted person has typed into a search engine like Google or Google Maps. Furthermore, there's a buffer storage capable of storing a "full take" of intercepted raw data for several days. X-KEYSCORE can also monitor user activity in near real time, as well as show "anomalies" in internet traffic.

In December 2012, XKEYSCORE gathered around 180 million data sets from Germany alone. Apparently the German federal security service BfV was equipped with XKEYSCORE to "expand their ability to support NSA as we jointly prosecute CT [counterterrorism] targets" and the German foreign intelligence agency BND was tasked with instructing the BfV on how to use the program.

On July 25, the directors of the German intelligence agencies briefed members of the German parliamentary intelligence oversight committee about the various NSA programs. They said that XKEYSCORE has been used by the BND since 2007, that BfV has used a test version since 2012, and that this program is not for collecting data, but only for analysing them. The director of the BfV even gave a partial demonstration of the test version of XKEYSCORE.

UPDATE:
On July 31, The Guardian published a full presentation about XKEYSCORE, which confirms that this program is not for data collection, but for data analysis.

(Updated on September 22 with the eleventh PRISM slide and on October 23 with a better FornSat slide)



Links and Sources
- Brazilian television report: La CIA y la NSA espiaron mediante satélites desde Brasil & Slides
- O Globo slides: Mapa mostra volume de rastreamento do governo americano
- Cryptome translations: NSA Email and Phone Tracking Programs
- Screenshots on Flickr: NSA Hawaii in USB Made in China
- DailyDot.com: Forget PRISM: FAIRVIEW is the NSA's project to "own the Internet"
- Der Spiegel-article: 'Prolific Partner': German Intelligence Used NSA Spy Program

See also: Boundless Informant NSA data-mining tool – four key slides

Posted in NSA, PRISM | No comments

Bremont Codebreaker Crypto Watch Turns Position of Earth into a Usable Measurement

Posted on 09:21 by Unknown
The Bremont Codebreaker is a limited edition chronograph that uses original artifacts from the famous cryptographic facility to commemorate British code breaking efforts during the Second World War.

Bletchley Park was one of the best kept secrets of the Second World War and remained so for decades after until the story was made public in 1974. The ancient estate with its Victorian mansion was the headquarters for the Government Code and Cipher School (GC&CS), where 9,000 scientists, mathematicians and others were tasked with decrypting enemy ciphers from the German Enigma and Lorenz machines. It was where Alan Turing laid the foundations for modern computer science and artificial intelligence and was the birthplace of Colossus, the world’s first programmable electronic computer.

The efforts of the team at Bletchley Park were perhaps the greatest single strategic advantage of the Allies and may have shortened the war by two years. The Codebreaker is meant to not only act as a commemoration piece, but also a physical container of some of that story. According to Bremont, the Codebreaker was inspired by a classic 1940’s officers watch and 240 steel Codebreaker watches will be created along with 50 rose gold watches. Each numbered watch has a flyback Chronograph GMT automatic movement and is made from materials directly related to the code breaking efforts. (more)
Posted in computer, encryption, historical, product | No comments

Keeping the NSA in Perspective

Posted on 07:17 by Unknown
by George Friedman, Stratfor
In June 1942, the bulk of the Japanese fleet sailed to seize the Island of Midway. Had Midway fallen, Pearl Harbor would have been at risk and U.S. submarines, unable to refuel at Midway, would have been much less effective. Most of all, the Japanese wanted to surprise the Americans and draw them into a naval battle they couldn't win.

The Japanese fleet was vast. The Americans had two carriers intact in addition to one that was badly damaged. The United States had only one advantage: It had broken Japan's naval code and thus knew a great deal of the country's battle plan. In large part because of this cryptologic advantage, a handful of American ships devastated the Japanese fleet and changed the balance of power in the Pacific permanently. (more)
 

George Friedman is the Chairman of Stratfor, a company he founded in 1996 that is now a leader in the field of global intelligence.
Posted in advice, cautionary tale, counterespionage, encryption, espionage, government, historical, NSA | No comments

Hackers Turn Verizon Box into Spy Tool

Posted on 07:08 by Unknown
Researchers at iSec hacked into a Verizon network extender, which anyone can buy online, and turned it into a cell phone tower small enough to fit inside a backpack capable of capturing and intercepting all calls, text messages and data sent by mobile devices within range...

"The level of technical skill that you need to break into one of these, people are learning in college.

A malicious person could put one of these, with a battery, in a backpack, and go downtown - to a place like Times Square or Wall Street...

Frankly, these devices scare us. It is not the NSA tapping ordinary people. It is about ordinary people attacking ordinary people." (more)

Note: Verizon says they fixed this particular issue.

Warning: Femtocells in general, however, offer a new playground to hackers and criminals alike. Cut back on your confidential transmissions in densely populated areas.
Posted in amateur, cell phone, eavesdropping, espionage, FutureWatch, Hack | No comments

Saturday, 13 July 2013

Attack of the Cyber Mercenaries

Posted on 08:18 by Unknown
A British intelligence report says that other nations are hiring hackers to launch attacks against their enemies, a trend it described as particularly worrying.

Have board, will travel. ~K3y5LingR
The warning over cyber mercenaries came in an annual report published by Britain's Intelligence and Security Committee, a watchdog body of senior lawmakers that oversees Britain's spy agencies. (more)
Posted in computer, FutureWatch, government, Hack, mores | No comments

Friday, 12 July 2013

Watergate Redux

Posted on 12:23 by Unknown
The Dallas, Texas offices of law firm Schulman & Mathias were broken into two weeks ago by two burglars caught on surveillance camera. The two stole three computers. Damon Mathias, a partner at the firm, said

Attorneys said the burglars may have been hired to steal documents related to State Department whistleblower Aurelia Fedenisn, who is represented by the firm...


In early June, Fedenisn gave CBS News a draft State Department Inspector General report which offered the details of allegations that alleged sex crimes involving diplomats — including one U.S. ambassador who allegedly visited prostitutes — were ignored by State Department top officials. (more)

Time to sweep the office.
Posted in computer, espionage, Watergate | No comments

Monday, 8 July 2013

Free Webinar - Corporate Espionage via Mobile Device

Posted on 05:14 by Unknown
Corporate Espionage via Mobile Device
Wednesday, July 10, 2013
02:00 PM Eastern DT (11:00 AM Pacific)
Duration: 45 Min

We discuss the topic of mobile risk and espionage via compromised mobile device. viaForensics' Director of R&D Thomas Cannon recently demonstrated "Corporate Espionage via a Mobile Device" as a proof of concept attack. In this demonstration, an innocent application is leveraged to harbor malware and exfiltrate data from a mobile device. The attacker is able to remotely activate phone features such as the camera and microphone, and the device can be used to bypass corporate defenses and infiltrate a corporate network. (Register)
Posted in cell phone, FREE, Hack, privacy, spyware, surveillance, wiretapping | No comments

Saturday, 6 July 2013

New insights into the PRISM program

Posted on 16:18 by Unknown
(Updated: October 1, 2013)

Last Saturday, June 29, the Washington Post unexpectedly disclosed four new slides from the powerpoint presentation about the PRISM data collection program.

This disclosure came as a surprise, because earlier, Guardian-journalist Glenn Greenwald said that no more slides would be published because they contain very specific technical NSA means for collection, for which The Guardian would probably be prosecuted.

That The Washington Post now disclosed them, is even more surprising, not only because it's an American paper, but also because it's said that Edward Snowden initially went to The Post asking to publish all 41 slides of the PRISM presentation. But The Washington Post refused to do so and therefore Snowden gave the scoop to The Guardian, which published the first four slides.

It's not clear who exactly released the four new slides, whether it was Snowden himself or editors of The Washington Post, and what the reason was for doing it. Although these new slides show some of the same oddities we already saw in the first series, these new ones have very specific and detailed content. This makes them look far more genuine and, more importantly, they show much better how PRISM actually works.

We now learn that PRISM is not one single technical system or computer application, but a data collecting project which combines a number of different tools, computer systems and databases, some existing, some maybe new. This also means that this PRISM program is not the same thing as the Planning tool for Resource Integration, Synchronization and Management (PRISM), a theory which was examined in our previous posting.


- The PRISM tasking process - Different tasking tools - The actual data collection -

- Storage of collected PRISM data - Analysing collected data - PRISM case notations -

- Searching the collected data - Links and Sources -


The PRISM tasking process

In this first new slide (below) we see details of the PRISM Tasking Process, which is how instructions for gathering the requested data are sent and reviewed. This process starts with an NSA analyst typing one or more search terms, or "selectors" as NSA calls them, into the Unified Targeting Tool (UTT). Selectors may refer to people (by name, e-mail address, phone number or some other digital signature), organizations or subjects such as terrorism or uranium related terms.


Along with the selectors, the analyst must fill out an electronic form that specifies the foreign-intelligence purpose of the search and the basis for the analyst’s reasonable belief that the search will not return results for US citizens or foreign nationals who are within the US at the time of data collection.

The slide shows that it's possible to search existing communications that are already stored ("Stored Comms") and also to initiate a search for new, future communications of selected targets. The latter option is called "Surveillance", which by a number of media was erroneously interpreted as the possibility of real-time monitoring of for example an internet chat.

Every request made by a target analyst must be approved twice. For new surveillance requests, an FAA Adjudicator (S2) does the first review and validation of the target. The slide says that there are such adjudicators in every so-called Product Line, which are the NSA departments for specific issues like counter terrorism and counter proliferation. A second and final review of the analysts' determination is done by NSA unit S343 for Targeting and Mission Management, which then releases the tasking request through the Unified Targeting Tool. Then it's apparently a computer system called PRINTAURA which distributes the requests to the different collection sites.

For searching stored communications, the first check is done by the Special FISA Oversight and Processing unit (SV4). According to The Washington Post this seems to refer to the federal judges of the secret Foreign Intelligence Surveillance Court (FISC), but according to national security reporter Marc Ambinder, the "FISA Oversight and Processing" is an internal NSA unit. The second and final review is once again done by unit S343 for Targeting and Mission Management. After the request is released to PRINTAURA, the Electronic Communications Surveillance Unit (ECSU) of the FBI checks against its own database to filter out known Americans.


Different tasking tools

In another source the Unified Targeting Tool (UTT) is described as a DNR tasking tool, which means it's a software program used to send so called tasking instructions to dedicated devices, telling them which data should be collected. As DNR stands for Dial Number Recognition, this sounds like the targeting tool is aimed at finding out who is behind a certain phone number, but as NSA sources often mention DNR equal to DNI (Digital Network Intelligence or internet content), it seems DNR stands for information derived from telephone networks in general.

According to one of the earlier slides, NSA analysts should also use other sources, like data which can be gathered through access points that tap into the internet’s main gateway switches ("Upstream"). This is done through collection programs codenamed FAIRVIEW, STORMBREW, BLARNEY and OAKSTAR. Although by its name the Unified Targeting Tool (UTT) seems to be of a generic nature, it's not clear whether it can also be used for tasking these other sources, or whether they need other tasking tools.



Screenshot of the Unified Targeting Tool (UTT) showing how to select a "Foreigness Factor"
(note the URL in the address bar starting with "gamut")


From a number of job descriptions we learn that this Unified Targeting Tool is often mentioned in connection to GAMUT and sometimes also to CADENCE. We see this written like "GAMUT-UNIFIED TARGETING TOOL", "GAMUT/UTT" or "CADENCE/UTT". Both GAMUT and CADENCE are nicknames for what is said to be a "collection mission system for tasking" and probably refer to databases which store the tasking requests from the Unified Targeting Tool.

An interesting coincidence is that the word gamut means a range of colors that can be reproduced by a certain technique - like a prism can break light up into its constituent spectral colors.

More important is that the new slide shows that for PRISM the Unified Targeting Tool (UTT) is used for tasking, which means that this PRISM program is different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which itself is a tasking tool. Before the new slides were released, The Guardian and The Washington Post failed to explain whether PRISM was a single application or a project-like program.



Infographic comparing the PRISM data collection program and the PRISM planning tool


Now that we know that the PRISM planning tool isn't the application used for tasking the data collection from the internet companies, it's also clear that the PRISM planning tool is used primarily for requesting information needed for military operations and therefore tasks various intelligence sources deployed to those operations. By contrast, the Unified Targeting Tool used under the PRISM program is for requesting information on the national level.


The actual data collection

The actual collecting of the internet data under the PRISM program is not done by the NSA, but by the Data Intercept Technology Unit (DITU) of the FBI. This makes sense, as the FBI is the agency which is primarily responsible for investigating US companies and citizens.

From one source it seems that the Data Intercept Technology Unit was set up in 2011 or 2012 to monitor new and emerging technology with court-authorized intercepts, but this source (pdf) says that it already existed in 1997. There's a challenge coin of DITU (right) dating from after 9/11, as it shows pictures of the World Trade Center and the Pentagon.

In its comments on this slide, The Washington Post says this FBI "interception unit [is] on the premises of private companies", which isn't the case as DITU is an FBI unit based at Quantico, Virginia. They can have equipment installed at sites of the internet companies, but no evidence is presented for that, leading one author to question whether there is such equipment at all.

Initially the DITU managed the FBI's internet monitoring programs Omnivore and Carnivore, tapping into the internet at ISP locations. The raw data were decoded by using the Packeteer and Coolminer tools, as can be read in this document (pdf) from 2010, but according to the PRISM-reporting, the unit can now also order data from companies like Google, Yahoo, Microsoft, Apple and others directly.

A new report by Declan McCullagh says that internet companies don't want the FBI to install listening devices on their networks. In order to prevent that, they are willing to cooperate with the FBI by adding their own monitoring capabilities to their network and server equipment, which makes it easier for them to comply with government information requests. This would mean that there's no need for dedicated FBI data collecting devices at the companies' premises.

Earlier, Google said that when it receives a valid FISA court order, it delivers the information to the US government through secure FTP transfers or in person. Another option is doing this by using an encrypted dropbox, where an internet company can drop the requested data. Facebook and Microsoft said they will only hand over data or information about specific individuals upon receiving a legally binding order or subpoena.

Depending on the company, a PRISM-tasking may return e-mails, attachments, address books, calendars, files stored in the cloud, text or audio or video chats and metadata that identify the locations, devices used and other information about a target. After collecting, the FBI's Data Intercept Technology Unit passes this information to one or more so called customers at the NSA, the CIA or the FBI itself.


Storage of collected PRISM data

A second slide (below) shows how collected data flows into the various NSA servers. It's the Data Intercept Technology Unit (DITU) of the FBI which collects raw data from the internet companies, and sends them to the NSA. At NSA the data first go to a system called PRINTAURA, which, according to the Washington Post, automates the traffic flow.

As PRINTAURA also distributes the tasking requests, it seems this system is the technical heart of the PRISM program, which may also be indicated by the fact that both nicknames/codewords start with the same three letters. As we learn from the slide, PRINTAURA is managed by NSA unit S3532.

All NSA offices, operations, units and cells have their own designation, consisting of a letter, followed by some numbers. We remember that the first slide of the PRISM presentation has a line which says "[...] PRISM Collection Manager, S35333". This means the author of the slides was a collection manager attached to unit S35333, which, just like the PRINTAURA unit S3532, is part of the S35 or Special Source Operations (SSO) division according to this NSA orgchart.


From PRINTAURA data go to a database called TRAFFICTHIEF, which according to this article was set up as part of the TURBULENCE program to detect threats in cyberspace. From a slide about the XKeyscore tool, published by The Guardian on July 29, we learn that TRAFFICTHIEF is a database for metadata about specifically selected e-mail addresses.

Data to be processed are sent to a system called SCISSORS, which is managed by unit T132, and from there onto unit S3132 for "Protocol Exploitation". This does the processing of something which is blacked out - probably the specific classified codeword used for these internet data.

This processing sorts the data into different types and protocols and dispatches them to the various NSA databases for storage. But before that, metadata and voice content have to pass FALLOUT and CONVEYANCE. According to the Washington Post, these systems appear to be a final layer of filtering to reduce the intake of information about Americans, but an internal NSA document describes FALLOUT as a "DNI ingest processor". All other data once again pass the SCISSORS system.

Finally, the collected data are stored in the following databases:
- MARINA: for internet metadata
- MAINWAY: for phone call metadata
- NUCLEON: for voice content
- PINWALE: contrary to what many other media say, this database is not only for video content, but also for "FAA partitions" and "DNI content". DNI stands for Digital Network Intelligence, which is intelligence derived from digital networks, or simply: internet content, like forum postings and e-mail and chat messages. The word PINWALE is often combined with the abbreviation UIS, which stands for User Interface Services, apparently an interface tool for accessing and searching databases.


Analysing collected data

There are no slides available saying what happens with these data after being stored, but The Washington Post says that "After processing, [collected data] are automatically sent to the analyst who made the original tasking. The time elapsed from tasking to response is thought to range from minutes to hours. A senior intelligence official would say only, 'Much though we might wish otherwise, the latency is not zero.'"

At the moment it's not clear which tool or application is used to analyse the data gathered from the US internet companies. National security reporter Marc Ambinder says that PRISM itself might be "a kick-ass GUI [graphic user interface] that allows an analyst to look at, collate, monitor, and cross-check different data types". However, until now there's no evidence for PRISM being such a tool for analysis.

Most tools used by NSA employees are listed in job descriptions and the PRISM we see there is always the Planning tool for Resource Integration, Synchronization and Management, that we talked about in our previous posting.

Therefore, it's likely that data gathered under the PRISM program are analysed using other common NSA analysing tools, like the XKEYSCORE indexing and analysing tool, which The Guardian erroneously presented as a collection program, or a more specific tool called DNI Presenter, which is used to read the content of stored e-mails and chats or private messages from Facebook and other social networks.

Based upon what such analysis presents, NSA analysts use other tools, like CPE (Content Preparation Environment), to write a report. Such reports are then stored in databases for finished NSA intelligence products, like ANCHORY. Finally, these intelligence reports are available to end users through the Top Secret section of INTELINK, which is the intranet of the US intelligence community.


PRISM case notations

A third slide (below) shows how each target gets a unique PRISM case notation and what the components of these notations are.


Abbreviations: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?);
RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking; CASN = Case Notation


The first position is the designation for each of the providers from which internet data are collected. Some people noticed the numbers jumped from P8 for AOL to PA for Apple, but someone suggests that P9 was maybe assigned to a company that fell out, and that the numbers may be hexadecimal, so the next provider will be PB, followed by PC, etc., as B = 11, C = 12, etc.

The next position of the case notation is a single letter, designating the content type, like e-mail and chat messages, social network postings, but also so-called real-time notifications (RTN) for e-mail and chat events. The Washington Post and other media apparently misinterpreted this by saying that NSA officials "may receive live notifications when a target logs on or sends an e-mail, or may monitor a voice, text or voice chat as it happens".

(Update: compare this to the data analysing tool TAC, which is used by the Defense Intelligence Agency and offers "real-time analysis of data" by alerting "analysts immediately when fresh intelligence is detected".)

In the slide, the real-time notifications are clearly listed as being "Content Type" and most of us will know them as the messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client. These notification messages are also available for NSA analysts, but only after being collected and stored, just like all other types of internet content.


Searching the collected data

The fourth new slide (below) is presented by The Washington Post as being about "Searching the PRISM database", but as we just learned from the dataflow slide, there is no single PRISM-database. Data collected from the internet companies go into separate databases, according to the type of data. Some of these databases already existed before the PRISM program was started in 2007.


The slide shows a screenshot of a web-based application called REPRISMFISA, which is probably accessible through the web address which is blacked out by the Post. Unfortunately there's no further explanation of what application we see here, but if we look at the word REPRISMFISA we can imagine the application is for going "back to data collected under the PRISM program according to the Foreign Intelligence Surveillance Act (FISA)". Remember also that in one of the earlier slides it's said: "Complete list and details on PRISM web page: Go PRISMFAA".

Above the olive green bar, there is a line saying: "DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // [blacked out] / SI / TK // ORCON // NOFORN". This means that, depending on the generated content of the page, it has to be classified as TOP SECRET, additionally with one or several of the following Sensitive Compartmented Information control systems:
- TALENT KEYHOLE (TK - for data collected by space-based collection platforms)
- Special Intelligence (SI - for data from communications intercepts)
- an undisclosed control system marked by a classified codeword, which is blacked out by The Washington Post. Probably this is the codeword used for information which is based upon data derived from the internet companies. As said earlier, "PRISM" is not a codeword used for content, but rather the (unclassified) nickname of the program for collecting certain internet data.

In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This seems to confirm that this application is used to search data collected under the Foreign Intelligence Surveillance Act (FISA), specified for use by NSA, FBI and the Department of Justice (DOJ).

Below these icons there is a search field, to get a partial list of records. The search options seem rather limited, as only two keywords can be entered, with an additional "and/or" option. At the left there's a column presenting a number of options for showing totals of PRISM entries. For checking the record status, one can click the following options:
- See Entire List (Current)
- See Entire List (Expired)
- See Entire List (Current and Expired)
- See NSA List
- See New Records
- Ownership count

Below this list, the text says: "If the total count is much less than this, REPRISMFISA is having issues, E-MAIL the REPRISMFISA HELP DESK AT [address blacked out] AND INFORM THEM"

The numbers below that text are hardly readable, but the Washington Post says that on "April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database". This sounds like a huge number, but without any further details about these targets it's almost impossible to give some meaningful opinion about it.

(Updated with minor additions and corrections based upon recently disclosed documents)


Links and Sources

- ForeignPolicy.com: Meet the Spies Doing the NSA's Dirty Work
- TheWeek.com: Solving the mystery of PRISM
- ForeignPolicy.com: Evil in a Haystack
- WashingtonPost.com: Inner workings of a top-secret spy program
- TechDirt.com: Newly Leaked NSA Slides On PRISM Add To Confusion, Rather Than Clear It Up
- Technovia.co.uk: Something doesn’t add up in the lastest Washington Post PRISM story
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”
- CNet.com: FBI: We need wiretap-ready Web sites - now (2012)
- CNet.com: How the U.S. forces Net firms to cooperate on surveillance

Posted in NSA, PRISM