Your Source for Leaks Around the World!

Archive for the ‘Canada’ Category

(VIDEO) Edmonton Police Officer Hit By Car & Stabbed in Suspected ISIS Terrorist Attack

In Archive, Canada, ISIS, Terrorism on October 1, 2017 at 5:28 PM

10/01/2017

Global:

A terrorism investigation is underway in Edmonton, where a police officer was stabbed and four pedestrians struck down by a fleeing U-Haul truck Saturday night.

A 30-year-old Edmonton man is in custody and police think he acted alone, but they aren’t ruling out the potential for others to be involved.

“We are urging Edmontonians to be vigilant and aware of their surroundings,” Edmonton Police Service (EPS) Chief Rod Knecht said in a 3 a.m. news conference on the attacks.

The chaos began down the street from Commonwealth Stadium, where the Edmonton Eskimos were hosting the Winnipeg Blue Bombers on Canadian Forces Appreciation Night. Over 30,000 people were at the game.

Police said at around 8:15 p.m., a car rammed a traffic checkpoint on Stadium Road near 92 Street, striking an officer and sending him flying into the air.

“Suddenly and without notice and at a high rate of speed, a male driving a white, Chevrolet Malibu crashed through the traffic barricades that were separating vehicles from pedestrians, the vehicle struck the officer, sending him flying into the air 15 feet before colliding with the officer’s cruiser, again at a high rate of speed,” Knecht explained.

A source has confirmed to Global News the police officer injured in the attack is Const. Mike Chernyk. On Sunday, an EPS source also confirmed Chernyk had been released from hospital.

Knecht said there was an ISIS flag in the car.

Knecht said a man, believed to be 30 years old, then jumped out of his car and “viciously attacked” the Edmonton Police Service member with a knife. “A struggle then ensued, during which the male suspect stabbed the officer several times before fleeing the scene on foot northbound down 92nd Street.”

The officer was taken to hospital and treated for non-life-threatening injuries while a manhunt was launched.

Police say it was just before midnight when a U-Haul truck was pulled over at a checkstop on Wayne Gretzky Drive near 112 Avenue. Knecht said the officer realized the driver’s name was similar to that of the Malibu’s registered owner, and the U-Haul truck took off, pursued by police towards downtown Edmonton.

“Throughout the chase, the truck deliberately tried to hit pedestrians in crosswalks and alleys in two areas along Jasper Avenue.”

One witness said the U-Haul came speeding down 109th Street and careened east into the alley next to a bar, hitting two people.

And at 107 Street and Jasper Avenue, someone else was seen being loaded into an ambulance. In total, four people were injured and taken to hospital.

The U-Haul ended up on its side on 100 Avenue, near 107 Street, near The Matrix hotel.

“The driver was apprehended and taken into police custody,” Knecht said. “It is believed at this time that these two incidents are related.”

“These incidents are being investigated as acts of terrorism,” Knecht explained.

Edmonton police, the RCMP Integrated National Security Enforcement Team (INSET) and its Canadian Public Security Agencies are investigating the incidents as acts of terrorism under Section 83.2 of the Criminal Code of Canada.

“We believe the individual acted alone, but we’re not ruling out that there may be others.”

Police said there was no warning of the event. The name of the man arrested has not been released.

CBC:

Terrorism-related charges are pending against a man accused of stabbing a police officer and deliberately plowing a cube van into pedestrians in Edmonton on Saturday night, the RCMP says.

The suspect was known to both RCMP and police, RCMP K Division Assistant Commissioner Marlin Degrand told a news conference at Edmonton RCMP headquarters on Sunday afternoon. The man is a Somali refugee.

In 2015, after a complaint was made to Edmonton police that the man was displaying signs of extremism, members of the Integrated National Security Enforcement Team (INSET) launched an investigation, Degrand said.

The suspect was interviewed by members of INSET, but there was “insufficient evidence” to make an arrest and the suspect was deemed “not a threat,” Degrand said.

Abdulahi Hasan Sharif is the man accused in the attacks, multiple sources have told CBC News.

Degrand said the suspect has yet to be charged but is under arrest for offences including participation in a terrorist attack, commission of an offence for a terrorist group, five counts of attempted murder, dangerous driving, criminal flight causing bodily harm, and possession of a weapon for a dangerous purpose.

CSE’s Cyberwarfare Toolbox: False Flag Ops/Deception Techniques/Destroying Infrastructure Among 32 Tactics Revealed

In Archive, Canada, CSEC, False Flag, Hacking, NSA, NSA Files, PSYOP, Surveillance on April 2, 2015 at 11:07 AM

03/23/2015

CBC/Ryan Gallagher/TheIntercept:

Top-secret documents obtained by the CBC show Canada’s electronic spy agency Communications Security Establishment (CSE) has developed a vast arsenal of cyberwarfare tools alongside its U.S. and British counterparts to hack into computers and phones in many parts of the world, including in friendly trade countries like Mexico and hotspots like the Middle East.

Details of the CSE’s capabilities are revealed in several top-secret documents analyzed by CBC News in collaboration with The Intercept.

The latest top-secret documents illustrate the development of a large stockpile of Canadian cyber-spy capabilities that go beyond hacking for intelligence, including:

  • destroying infrastructure, which could include electricity, transportation or banking systems
  • “false flag” operations to “create unrest” — i.e. carrying out an attack, but making it look like it was performed by another group — in this case, likely another government or hacker
  • “effects” operations to “alter adversary perception” – i.e. sending out propaganda across social media or disrupting communications services with such techniques as deleting emails, freezing internet connections, blocking websites and redirecting wire money transfers
  • “honeypots” – i.e. some sort of bait posted online that lures in targets so that they can be hacked or monitored

It’s unclear which of the 32 cyber tactics listed in the 2011 document are actively used or in development. CSE wanted to become more aggressive by 2015, the documents also said.

Document: CSEC Cyber Threat Capabilities – SIGINT and ITS: An End-to-End Approach (2011)

Previous Snowden leaks have disclosed that the CSE uses the highly sophisticated WARRIORPRIDE malware to target cellphones, and maintains a network of infected private computers — what’s called a botnet — that it uses to disguise itself when hacking targets.

Other leaked documents revealed back in 2013 that the CSE spied on computers or smartphones connected to Brazil’s mining and energy ministry to get economic intelligence.

Canada’s electronic spy agency and the U.S. National Security Agency “cooperate closely” in “computer network access and exploitation” of certain targets, according to an April 2013 briefing note for the NSA.

Document: NSA Intelligence Relationship with CSEC (April 2013)

Their targets are located in the Middle East, North Africa, Europe and Mexico, plus other unnamed countries connected to the two agencies’ counterterrorism goals, the documents say. Specific techniques used against the targets are not revealed.

Some of the capabilities mirror what CSE’s U.S. counterpart, the NSA, can do under a powerful hacking program called QUANTUM, which was created by the NSA’s elite cyberwarfare unit, Tailored Access Operations.

The apparent involvement of CSE in using the deception tactics suggests it is operating in the same area as a secretive British unit known as JTRIG, a division of the country’s eavesdropping agency, Government Communications Headquarters, or GCHQ. Last year, documents from Snowden revealed that JTRIG uses a range of effects operations to manipulate information online, such as by rigging the outcome of online polls, sending out fake messages on Facebook across entire countries, and posting negative information about targets online to damage their reputations.

According to the documents, the CSE wanted more aggressive powers for use both at home and abroad.

In 2011, the Canadian agency presented its vision for 2015 to the Five Eyes allies at a conference.

“We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates,” the top-secret presentation says.

Document: CASCADE: Joint Cyber Sensor Architecture (2011)

Effects operations refer to manipulating and disrupting computers or devices.

In an increasingly hostile cyberspace, Canada has also turned its attention to figuring out ways to better protect itself against such attacks.

Documents: CSEC Cyber Threat Detection (November 2009); CSEC SIGINT Cyber Discovery (November 2010)

See Also: EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

Back in 2011, CSE envisioned creating a “perimeter around Canada” to better defend the country’s interests from potential threats from other countries and criminals, raising the prospect the agency was preparing a broad surveillance program to target Canadians’ online traffic.

At the time, “full visibility of our national infrastructure” was among its goals, according to a planning document for 2015. Security analysts wanted the means to detect an attack before it hit a target like a government website.

“If we wish to enable defence, we must have intelligence to know when attacks enter our national infrastructure,” the 2011 top-secret CSE presentation says.

The agency would not answer how far it got with the 2015 plan.

Document: CSE Response to CBC Re: Cyberwarfare Revelations

Experts say the Anti-Terrorism Act, Bill C-51, currently being debated, could legalize use of some of the capabilities outlined in these classified documents.

Though the act would give CSIS, Canada’s domestic intelligence agency, the power to disrupt threats to the security of Canada both at home and abroad, the Canadian Security Intelligence Service relies on its sister service, the CSE, for technical help with surveillance and infiltration of cellphones and computers.

NSA Mapping Networks of Major Telecom/Finance/Oil/Manufacturing Companies, Including From US & Five Eyes Countries

In Archive, Canada, Five Eyes, NSA, NSA Files, Surveillance, UK, USA on March 22, 2015 at 6:32 PM

03/17/2015

Colin Freeze/Christine Dobby/Globe&Mail (1)(2)(3):

The U.S. National Security Agency has been trying to map the communications traffic of corporations around the world, and a classified document reveals that at least two of Canada’s largest companies are included.

A 2012 presentation by a U.S. intelligence analyst, a copy of which was obtained by The Globe and Mail, includes a list of corporate networks that names Royal Bank of Canada and Rogers Communications Inc.

The presentation, titled “Private Networks: Analysis, Contextualization and Setting the Vision,” is among the NSA documents taken by former contractor Edward Snowden. It was obtained by The Globe from a confidential source, and has not previously been disseminated or analyzed publicly.

Canada’s biggest bank and its largest wireless carrier are on a list of 15 entities that are visible in a drop-down menu on one of the presentation’s 40 pages. It shows part of an alphabetical list of entries beginning with the letter “R” that also includes two U.K.-headquartered companies – Rolls Royce Marine and Rio Tinto – and U.S.-based RigNet, among other global firms involved in telecom, finance, oil and manufacturing.

The name of Huawei Technologies Co. Ltd. appears in the presentation as well, and the NSA appears to have had a keen interest in isolating the corporation’s data channels. “These links are likely to carry Huawei traffic,” reads one slide.

The document does not say what data the NSA has collected about these firms, or spell out the agency’s objective, but it states that “private networks are important.”

It notes that high-level NSA “targets,” such as foreign countries’ armed forces and diplomats, use private networks. But it also mentions the Brazilian energy firm Petrobras, the Belgium-based SWIFT network of global electronic payments, and even global “Google infrastructure” controlled by the California technology giant.

The presentation obtained by The Globe describes SigDev techniques for finding targets – one is an NSA software program called “ROYALNET”, that can help analysts “identify communicants of private networks” or determine the best “access points for a target’s communications.”

Another technique featured in the presentation involves sorting captured telecommunications traffic into “realms,” which the document says are “a label assigned by the intelligence community.”

A realm appears to be a continually updated list of everything the NSA can gather about how a specific corporation routes communications on the Internet, and any known device on its private networks. One slide in the presentation titled “Realms in Analyst Tools,” shows the drop-down menu listing 15 firms, which is where “RoyalBankOfCanada” and “RogersWireless.ca” are listed.

The list is not visible beyond the letter R entities shown on a screen shot in the presentation, and it is not known whether other Canadian corporations are listed.

Previous leaks show the NSA and its allies indiscriminately capture telecommunications data from Internet routes. In this presentation, the agency appears to be using that “bulk” collected data to map out specific networks. The NSA is not trying at this stage to get at any data inside individual computers, such as specific transactions or customer records.

A comparison of this document with previous Snowden leaks suggests it may be a preliminary step in broad efforts to identify, study and, if deemed necessary, “exploit” organizations’ internal communication networks.

Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab, who reviewed the leaked document with The Globe, said the activity described could help determine useful access points in the future: “This is preparing the battlefield so it could later be used. This is … watching communications come in and out of a network and saying, ‘Okay, these are the places we need to go in.’”

Markings on the document, which is labelled “top secret,” indicate it was shared with the NSA’s Canadian counterpart, the Communications Security Establishment.

“While CSE cannot comment on intelligence capabilities or operations – our own or our allies – there is no evidence in the document in question that intelligence activities have been directed at any Canadian entity, company or individual,” spokesman Ryan Foreman said in an e-mailed statement.

(The Globe did not provide a copy of the document to CSE.)

The Canadian companies named in the document say they have no reason to believe their computer systems or customer records were compromised and insist their networks are secure.

“If such surveillance is taking place, we would find that very troubling,” Rogers spokeswoman Patricia Trott said.

“We have not provided the NSA access to our network,” RBC spokesman Don Blair said.

A spokesman for Huawei Canada declined to comment on Tuesday, as did representatives for Britain-based Rolls Royce Marine and Rio Tinto. U.S.-based RigNet, which was also named, did not respond to requests seeking comment.

When The Globe asked the NSA for comment, agency spokeswoman Vanee Vines urged the newspaper not to publish names of intelligence employees. Asked about the interest in Rogers and RBC, she said the NSA “will not comment on specific, alleged foreign intelligence activities.” Vines added that the spy agency never collects intelligence “to provide a competitive advantage to U.S. companies.”

However, some documents show the U.S. intelligence community has not ruled out such activities in the future. One previously leaked strategy document envisions a future, in 2025, when U.S. companies are falling behind and policy makers push government spies to conduct aggressive economic-espionage campaigns.

Today, under the terms of a 66-year old reciprocal accord, Washington and Ottawa are supposed to refrain from spying on the communications of each other’s citizens and entities.

For decades the NSA and CSE have spied in co-operation with agencies from Britain, Australia and New Zealand, and are together known as the “Five Eyes.” The powerful alliance relies on near complete trust and sharing, as well as general agreements not to spy on each other.

Because of this, any revelations about member nations directly targeting their own or each other’s citizens or corporations are explosive. A previously leaked U.S. guide for keeping intelligence documents under wraps suggests that the NSA would strive to keep any such spying quiet for decades.

Five Eyes partners “are among NSA/CSS’s strongest,” that document says. “Revealing the fact that the NSA/CSS targeted their communications at any time … could cause irreparable damage.” (CSS refers to the NSA’s military adjunct, the Central Security Service.)

The original source document was not published in this article. All screenshots are from a previous video report via Fantástico and Glenn Greenwald’s book “No Place to Hide”.

Related Links:

(NSA Programs) Treasure Map: Near Real-Time Interactive Map of Internet, Any Device, Anywhere, All the Time; Packaged Goods: Tracks Traceroutes, Accessed 13 Servers in Unwitting Data Centers

NSA/GCHQ TREASUREMAP Docs: “Map the Entire Internet” for “Computer Attack/Exploit Planning”

HACIENDA: Five Eyes Program Port Scanning Entire Countries for IT Vulnerabilities

MORECOWBELL: NSA’s Covert DNS Monitoring System

PONY EXPRESS: CSE Spying on Canadians’ Emails to Government

In Archive, Canada, CSEC, NSA Files, Surveillance on February 25, 2015 at 10:42 PM

02/25/2015

Ryan Gallagher/Glenn Greenwald/TheIntercept/CBC:

Canada’s electronic surveillance agency is covertly monitoring vast amounts of Canadians’ emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents.

The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years.

The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada’s equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden.

The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.

Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained.

Now, the Snowden documents shine a light for the first time on the huge scope of the operation — exposing the controversial details the government withheld from the public.

Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.

The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees is being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA. Members of the public routinely communicate with government employees when, for instance, filing tax returns, writing a letter to a member of parliament, applying for employment insurance benefits or submitting a passport application.

In a top-secret CSE document on the security operation, dated from 2010, the agency says it “processes 400,000 emails per day” and admits that it is suffering from “information overload” because it is scooping up “too much data.”

The document outlines how CSE built a system to handle a massive 400 terabytes of data from Internet networks each month — including Canadians’ emails — as part of the cyber operation. (A single terabyte of data can hold about a billion pages of text, or about 250,000 average-sized mp3 files.)

The agency notes in the document that it is storing large amounts of “passively tapped network traffic” for “days to months,” encompassing the contents of emails, attachments and other online activity. It adds that it stores some kinds of metadata — data showing who has contacted whom and when, but not the content of the message — for “months to years.”

CSE, under its cyberdefence mandate, is allowed to hold on to personal information — email addresses, IP addresses and other identifiers — for up to 30 years, then transfer it to Library and Archives Canada, according to the agency’s own description of its databanks in the federal Info Source publication.

Of the masses of emails the agency was scanning and storing using PONY EXPRESS in 2010, however, only about 0.001 percent of them were deemed to contain potentially malicious viruses. According to the documents, the automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat. Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected.

The document says that CSE has “excellent access to full take data” as part of its cyber operations and is receiving policy support on “use of intercepted private communications.” The term “full take” is surveillance-agency jargon that refers to the bulk collection of both content and metadata from Internet traffic.

Another top-secret document on the surveillance dated from 2010 suggests the agency may be obtaining at least some of the data by covertly mining it directly from Canadian Internet cables. CSE notes in the document that it is “processing emails off the wire.”

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection Technology (DPI). Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more.

DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

Since the 2010 documents were authored, it is likely the scale of the domestic data collection has increased. CSE states in the documents that it is working to bolster its capabilities. Under a heading marked “future,” the agency notes: “metadata continues to increase linearly with new access points.”

A CSE spokesman told The Intercept and CBC News in a statement that the agency eventually deletes intercepted Canadians’ emails if they are found to contain no cyberthreat, but would not comment on the amount of emails collected, or discuss the period of time that the messages are retained for.

See: Dreamy, Nosey, Tracker & Paranoid: GCHQ’s Spying Smurfs Can Hide On Phones, Turn Them On, Eavesdrop & Locate

EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance on February 25, 2015 at 10:34 PM

02/11/2015

Matthew Braga/Motherboard:

You might not think Canada’s digital spies are on par with those in the US and UK—but rest assured, America’s northern neighbour is just as capable of perpetuating mass surveillance on a global scale. Case in point: at over 200 locations around the world, spies from Canada’s cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet’s core.

From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents (1) (2) leaked by whistleblower Edward Snowden, and published by Der Spiegel last month, the program is designed to “track known threats,” “discover unknown threats,” and provide “defence at the core of the Internet.”

And while it may be tempting to dismiss this as yet another in a long line of revelations of mass surveillance, it is one of the clearest examples yet that Canada plays no small part in its Five Eyes partnership with intelligence agencies from Australia, New Zealand, the UK, and the US.

The meaning of threats, in this case, is two-fold: cyber attacks on network infrastructure and data, certainly, but also the online activities of terrorists believed to be plotting attacks against the physical world. The EONBLUE program is part of CSE’s Global Network Detection operations, which specialize in collecting signals intelligence from the movement of traffic online.

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet’s “core” and describes EONBLUE’s ability to “scale to backbone internet speeds”—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all, of the data travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad, it is hard to fathom how such data could be exempt.

As of November 2010, when the document was dated, EONBLUE had already been under development for over eight years. However, it isn’t clear from the slides for how long EONBLUE has been used, or whether it is still in use today.

According to network security researchers consulted by Motherboard, EONBLUE is likely a global-scale implementation of a technology known as Deep Packet Inspection (DPI).

Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more. Internet service providers have been known to use DPI technology to identify subscribers using peer-to-peer filesharing protocols such as BitTorrent on their networks, for example. But such devices, generally speaking, can do much, much more.

Depending on how the system is configured, DPI hardware can: log the IP addresses of all users connecting to a website or webpage; log all activity from a certain IP, or blocks of IPs; identify applications being used on the network; look for cookies, email addresses, phone numbers, and other identifiers; identify encrypted traffic, and also the type of encryption used; identify the type of protocol a connection is using (for example, FTP or HTTP); locate the port that network traffic is connecting to or from; and, perhaps most concerning of all, modify certain types of traffic in real-time, in such a way that neither the sender nor receiver would know any such tampering took place.

In other words, such a device can be instructed to lay bare your activities online.

It’s not clear what, exactly, EONBLUE is configured to monitor, but descriptions of other Canadian intelligence operations that rely on the program do offer some indication. For example, one document says that, thanks to EONBLUE, Canadian intelligence analysts identified a new type of malware, codenamed SNOWGLOBE, that they suspected was the work of French intelligence.

Because EONBLUE monitors network traffic, CSE was able to watch someone log into one of the remote computers, or listening posts, with which SNOWGLOBE communicated, and retrace the malware operator’s steps. This enabled Canadian intelligence to log in to the listening post themselves, and see the data SNOWGLOBE had transmitted from the computers it had infected.

Another document outlining a roadmap for EONBLUE development references a Canadian version of the infamous US intelligence database XKEYSCORE. At the NSA, XKEYSCORE allowed analysts to query such information as the content of emails, browsing history, telephone numbers and online chats between Facebook users that, until July 2013, were not encrypted by default.

While it’s not clear how CSE’s XKEYSCORE functioned in practice, it’s clear Canadian spies were at least planning to develop a powerful database on par with that of its partner agencies in the US and UK—but using data that had been flagged by EONBLUE.

While the documents make it clear that EONBLUE relies on access to the internet’s core infrastructure—the physical cables and connection points across which most data in a geographic region travels—it’s not clear where, exactly, that access occurs.

“It’s difficult to understand how they’re doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad,” said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC).

One slide suggests that EONBLUE sits on top of existing collection programs, such as SPECIALSOURCE, sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

Curiously, one slide within the document hints at the existence of an Australian extension of EONBLUE operated by Australian Signals Directorate. Another refers to a Canadian special source. Whether that data source is located in Canada, or is a Canadian operator of infrastructure abroad, remains unclear.

According to documents jointly published by The Intercept and CBC, a CSE program codenamed LEVITATION tracked users downloading certain files from popular filesharing networks worldwide to identify extremists, while another program codenamed PONY EXPRESS sifts through millions of emails sent from Canadians to government agencies in a bid to detect potential cyber threats.

While there is no explicit link between the programs in any of the documents that have been publicly released, CSE could have instructed EONBLUE to flag the IP addresses of every user who attempted to access a bomb-making guide, for example, and send that information to a database for later analysis by LEVITATION.

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection Technology. DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

It’s hard not to overstate the importance of what’s happening here. There are more eyes than we realize watching our data as it travels around the world. And it’s programs such as EONBLUE that prove the Canadian government is playing a much larger role in monitoring the internet than most might think—with a prowess that rivals both NSA and GCHQ.
