
Archive for the ‘Internet’ Category

Deep Web – Silk Road/Ross Ulbricht Documentary (2015)

In Archive, Drugs, Internet, Silk Road, Ulbricht on June 11, 2015 at 12:41 AM


06/01/2015

via EPIX:

Extending far beyond the confines of Google and Facebook, there is a vast section of the World Wide Web that is a hidden alternate internet. Appropriately named the Deep Web, this mysterious and complex cyberspace serves as an outlet for anonymous communication and was home to Silk Road, the online black market notorious for drug trafficking. The intricacies of this concealed cyber realm caught the attention of the general public with the October 2013 arrest of Ross William Ulbricht – the convicted 30-year-old entrepreneur accused of being ‘Dread Pirate Roberts,’ the online pseudonym of the Silk Road leader. Making its World Television Premiere this spring, Deep Web – an EPIX Original Documentary written, directed and produced by Alex Winter – seeks to unravel this tangled web of secrecy, accusations, and criminal activity, and explores how the outcome of Ulbricht’s trial will set a critical precedent for the future of technological freedom around the world.



Related Links:

The Rise & Fall of Silk Road (Part 1) (Part 2)

Court Docs Detail How FBI Located Silk Road Servers/Surveillance of Ross Ulbricht

Silk Road Creator Ross Ulbricht Sentenced to Life in Prison

Feds Shut Down Silk Road 2.0, Alleged Operator Blake Benthall aka Defcon Arrested, “Silk Road Reloaded” Appears Within Hours

Net Neutrality Passes in Landmark FCC Ruling to Keep Internet “Fast, Fair, and Open”

In Archive, FCC, Internet, Net Neutrality on February 27, 2015 at 7:16 AM

02/26/2015

EFF:

Today the FCC voted three to two to reclassify broadband Internet access as a common carrier service under Title II of the Communications Act, and forbear from the parts of the Act that aren’t necessary for net neutrality rules. This reclassification gives the FCC the authority to enact (and enforce) narrow, clear rules which will help keep the Internet the open platform it is today.

As expected, the FCC’s new rules forbid ISPs from charging Internet users for special treatment on their networks. It will also reach interconnection between ISPs and transit providers or edge services, allowing the FCC to ensure that ISPs don’t abuse their gatekeeper authority to favor some services over others.

That’s great for making sure websites and services can reach ISP customers, but what about making sure customers can choose for themselves how to use their Internet connections without interference from their ISPs? To accomplish this, the FCC has banned ISPs from blocking or throttling their customers’ traffic based on content, applications or services—which means users, hackers, tinkerers, artists, and knowledge seekers can continue to innovate and experiment on the Internet, using any app or service they please, without having to get their ISP’s permission first.

Even better, the rules will apply to wireless and wired broadband in the same way, so you don’t have to worry that your phone switching from Wi-Fi to a 4G network will suddenly cause apps not to work or websites to become inaccessible. Lots of people use mobile devices as their primary way of accessing the Internet, so applying net neutrality rules to both equally will help make sure there is “one Internet” for all.

So congratulations, Team Internet. We put the FCC on the right path at last. Reclassification under Title II was a necessary step in order to give the FCC the authority it needed to enact net neutrality rules. But now we face the really hard part: making sure the FCC doesn’t abuse its authority.

For example, the new rules include a “general conduct rule” that will let the FCC take action against ISP practices that don’t count as blocking, throttling, or paid prioritization. As we said last week and last year, vague rules are a problem. The FCC wants to be, in Chairman Wheeler’s words, “a referee on the field” who can stop any ISP action that it thinks “hurts consumers, competition, or innovation.” The problem with a rule this vague is that neither ISPs nor Internet users can know in advance what kinds of practices will run afoul of the rule. Only companies with significant legal staff and expertise may be able to use the rule effectively. And a vague rule gives the FCC an awful lot of discretion, potentially giving an unfair advantage to parties with insider influence. That means our work is not yet done. We must stay vigilant, and call out FCC overreach.

The actual order is over 300 pages long, and it’s not widely available yet. Details matter. Watch this space for further analysis when the FCC releases the final order.

PDF

Karl Bode/TechDirt:

While the net neutrality rules are incredibly important, the FCC’s decision on municipal broadband may actually wind up being more meaningful over the long run. As we’ve noted for years, neutrality violations are really just a symptom of a lack of competition. Around twenty states now have laws in place — usually based entirely on ISP/ALEC model legislation — that prohibit towns and cities from improving their own broadband infrastructure — even in instances where nobody else will. In some cases these rules even go so far as to prohibit towns and cities from striking public/private partnerships to improve broadband service.

Specifically, the FCC voted 3-2 to approve petitions by EPB Broadband in Chattanooga, Tennessee, and Greenlight in Wilson, North Carolina. Those petitions requested that the FCC use its authority to ensure timely broadband deployment using “measures that promote competition in the local telecommunications market, or other regulating methods that remove barriers to infrastructure investment.” While some politicians have lamented the FCC’s move as a trampling of states’ rights, these individuals ironically have had no problem with ISPs writing state telecom law that tramples those same rights. The justifications for these restrictions have never been coherently supported, and Wheeler was quick to highlight the hypocrisy of the position:

“You can’t say you’re for broadband and then turn around and endorse limits on who can offer it. You can’t say, ‘I want to follow the explicit instructions of Congress to remove barriers to infrastructure investment,’ but endorse barriers on infrastructure investment. You can’t say you’re for competition but deny local elected officials the right to offer competitive choices.”

Needless to say, this is likely only a new chapter in the debate over both issues, the precise wording of the neutrality rules will be debated for months if not years, and you can expect ISP legal action on both fronts aimed at protecting the uncompetitive status quo. It also probably goes without saying that opponents of net neutrality and those who like it when AT&T, Verizon and Comcast are allowed to write protectionist telecom law aren’t taking the day’s events very well. One of the best freakouts of the day belonged to Hal Singer, author of that misleading study we’ve previously debunked claiming that you’d face $15 billion in new taxes under Title II:

While some grieve the death of imaginary “innovation angels,” thousands of others are celebrating a rare instance where Internet activism was able to overcome lobbying cash and push a government mountain toward doing the right thing.

Full Video of FCC Net Neutrality Ruling and Press Conference


World Wide Web Inventor Tim Berners-Lee Statement @ FCC Net Neutrality Ruling

Apple Co-Founder Steve Wozniak Remarks

EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance on February 25, 2015 at 10:34 PM

02/11/2015

Matthew Braga/Motherboard:

You might not think Canada’s digital spies are on par with those in the US and UK—but rest assured, America’s northern neighbour is just as capable of perpetuating mass surveillance on a global scale. Case in point: at over 200 locations around the world, spies from Canada’s cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet’s core.

From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents (1) (2) leaked by whistleblower Edward Snowden, and published by Der Spiegel last month, the program is designed to “track known threats,” “discover unknown threats,” and provide “defence at the core of the Internet.”

[Image: cse-eonblue-1]

And while it may be tempting to dismiss this as yet another in a long line of revelations of mass surveillance, it is one of the clearest examples yet that Canada plays no small part in its Five Eyes partnership with intelligence agencies from Australia, New Zealand, the UK, and the US.

The meaning of threats, in this case, is two-fold: cyber attacks on network infrastructure and data, certainly, but also the online activities of terrorists believed to be plotting attacks against the physical world. The EONBLUE program is part of CSE’s Global Network Detection operations, which specialize in collecting signals intelligence from the movement of traffic online.

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet’s “core” and describes EONBLUE’s ability to “scale to backbone internet speeds”—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all, of the data travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad, it is hard to fathom how such data could be exempt.

As of November 2010, when the document was dated, EONBLUE had already been under development for over eight years. However, it isn’t clear from the slides for how long EONBLUE has been used, or whether it is still in use today.

According to network security researchers consulted by Motherboard, EONBLUE is likely a global-scale implementation of a technology known as Deep Packet Inspection (DPI).

[Image: cse-eonblue-2]

Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more. Internet service providers have been known to use DPI technology to identify subscribers using peer-to-peer filesharing protocols such as BitTorrent on their networks, for example. But such devices, generally speaking, can do much, much more.

Depending on how the system is configured, DPI hardware can: log the IP addresses of all users connecting to a website or webpage; log all activity from a certain IP, or blocks of IPs; identify applications being used on the network; look for cookies, email addresses, phone numbers, and other identifiers; identify encrypted traffic, and also the type of encryption used; identify the type of protocol a connection is using (for example, FTP or HTTP); locate the port that network traffic is connecting to or from; and, perhaps most concerning of all, modify certain types of traffic in real-time, in such a way that neither the sender nor the receiver would know any such tampering took place.

In other words, such a device can be instructed to lay bare your activities online.

It’s not clear what, exactly, EONBLUE is configured to monitor, but descriptions of other Canadian intelligence operations that rely on the program do offer some indication. For example, one document says that, thanks to EONBLUE, Canadian intelligence analysts identified a new type of malware, codenamed SNOWGLOBE, that they suspected was the work of French intelligence.

Because EONBLUE monitors network traffic, CSE was able to watch someone log into one of the remote computers, or listening posts, with which SNOWGLOBE communicated, and retrace the malware operator’s steps. This enabled Canadian intelligence to log into the listening post themselves, and see the data SNOWGLOBE had transmitted from the computers it had infected.

Another document outlining a roadmap for EONBLUE development references a Canadian version of the infamous US intelligence database XKEYSCORE. At the NSA, XKEYSCORE allowed analysts to query such information as the content of emails, browsing history, telephone numbers and online chats between Facebook users that, until July 2013, were not encrypted by default.

[Image: cse-eonblue-3]

While it’s not clear how CSE’s XKEYSCORE functioned in practice, it’s clear Canadian spies were at least planning to develop a powerful database on par with that of its partner agencies in the US and UK—but using data that had been flagged by EONBLUE.

While the documents make it clear that EONBLUE relies on access to the internet’s core infrastructure—the physical cables and connection points across which most data in a geographic region travels—it’s not clear where, exactly, that access occurs.

“It’s difficult to understand how they’re doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad,” said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC).

One slide suggests that EONBLUE sits on top of existing collection programs, such as SPECIALSOURCE, sometimes referred to as Special Source Operations (SSO)—a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.

[Image: cse-eonblue-4]

In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

Curiously, one slide within the document hints at the existence of an Australian extension of EONBLUE operated by Australian Signals Directorate. Another refers to a Canadian special source. Whether that data source is located in Canada, or is a Canadian operator of infrastructure abroad, remains unclear.

According to documents jointly published by The Intercept and CBC, a CSE program codenamed LEVITATION tracked users downloading certain files from popular filesharing networks worldwide to identify extremists, while another program codenamed PONY EXPRESS sifts through millions of emails sent from Canadians to government agencies in a bid to detect potential cyber threats.

While there is no explicit link between the programs in any of the documents that have been publicly released, CSE could have instructed EONBLUE to flag the IP addresses of every user who attempted to access a bomb-making guide, for example, and send that information to a database for later analysis by LEVITATION.

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection technology. DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

It’s hard not to overstate the importance of what’s happening here. There are more eyes than we realize watching our data as it travels around the world. And it’s programs such as EONBLUE that prove the Canadian government is playing a much larger role in monitoring the internet than most might think—with a prowess that rivals both NSA and GCHQ.
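The Motherboard piece above describes DPI as matching each packet against a library of signatures and then pulling out identifiers, protocol, encryption status and destination. The following is an added example, not code from the article or from any CSE/EONBLUE material: a minimal Python signature engine run over a handful of constructed packets. It shows what even a trivial DPI stage can learn from a single packet (application protocol, whether the session is encrypted and which TLS record version it announces, a plaintext Host header or email address) and why only the unencrypted flows leak identifiers. All addresses, hostnames and payloads are constructed for the example (documentation IP ranges, names under .test).

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """One captured segment (constructed for this example, not real traffic)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature library: a DPI engine matches payload bytes, not just IP/TCP headers.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")
FTP_BANNER = re.compile(rb"^220[ -]")
SSH_BANNER = re.compile(rb"^SSH-\d\.\d-")
BITTORRENT = re.compile(rb"^\x13BitTorrent protocol")
HOST_HDR = re.compile(rb"\r\nHost: ([^\r\n]+)")
EMAIL = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Record-layer version bytes; the negotiated version may differ, but this is
# what a passive observer sees in the clear.
TLS_RECORD_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify(pkt):
    """Return what a signature-based DPI stage can say about one packet."""
    p = pkt.payload
    info = {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
            "app": "unknown", "encrypted": False, "identifiers": []}
    # TLS record header: content type 0x16 (handshake), major version 3,
    # 2-byte length, then the handshake type; 0x01 is ClientHello.
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 3 and p[5] == 0x01:
        info["app"] = "TLS ClientHello"
        info["encrypted"] = True
        info["tls_version"] = TLS_RECORD_VERSIONS.get((p[1], p[2]), "unknown")
        return info
    if HTTP_REQ.match(p):
        info["app"] = "HTTP"
        m = HOST_HDR.search(p)
        if m:
            info["identifiers"].append("host=" + m.group(1).decode("ascii", "replace"))
    elif FTP_BANNER.match(p):
        info["app"] = "FTP"
    elif SSH_BANNER.match(p):
        info["app"] = "SSH"
        info["encrypted"] = True
    elif BITTORRENT.match(p):
        info["app"] = "BitTorrent"
    # Identifier extraction only works on plaintext; encrypted flows give none.
    if not info["encrypted"]:
        for m in EMAIL.finditer(p):
            info["identifiers"].append("email=" + m.group(0).decode("ascii", "replace"))
    return info


def connections_to(results, dst):
    """The 'log every IP that connected to this site' mode from the article."""
    return sorted({r["src"] for r in results if r["dst"] == dst})


# Constructed sample traffic (documentation IP ranges, .test hostnames).
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.20", 80,
           b"POST /login HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
           b"user=alice@example.test&pw=hunter2"),
    Packet("192.0.2.11", "203.0.113.20", 443,
           b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)),
    Packet("203.0.113.30", "192.0.2.12", 51234,  # server banner towards a client
           b"220 ftp.example.test FTP server ready\r\n"),
    Packet("192.0.2.13", "198.51.100.7", 6881, b"\x13BitTorrent protocol" + bytes(8)),
    Packet("192.0.2.14", "198.51.100.8", 9999, b"\x00\x01\x02\x03"),
]


def run_samples():
    return [classify(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    results = run_samples()
    for r in results:
        print(r)
    print("sources seen talking to 203.0.113.20:", connections_to(results, "203.0.113.20"))
```

The HTTP login packet yields both the site name and the user's email address; the TLS packet yields only the fact that a handshake happened and its record version. That asymmetry is the practical reason the Intercept article further down notes that RapidShare and SendSpace encrypting their connections "may have thwarted" this kind of collection.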

LEVITATION: CSE Tracking Millions of Downloads Daily from 102 File-Sharing Sites

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance, Terrorism on February 22, 2015 at 6:26 PM

01/27-28/2015

Ryan Gallagher/Glenn Greenwald/TheIntercept/CBC:

Canada’s leading surveillance agency is monitoring millions of Internet users’ file downloads in a dragnet search to identify extremists, according to top-secret documents.

The covert operation, revealed Wednesday by CBC News in collaboration with The Intercept, taps into Internet cables and analyzes records of up to 15 million downloads daily from popular websites commonly used to share videos, photographs, music, and other files.

The revelations about the spying initiative, codenamed LEVITATION, are the first from the trove of files provided by National Security Agency whistleblower Edward Snowden to show that the Canadian government has launched its own globe-spanning Internet mass surveillance system.

According to the documents, the LEVITATION program can monitor downloads in several countries across Europe, the Middle East, North Africa, and North America. It is led by the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA. (The Canadian agency was formerly known as “CSEC” until a recent name change.)

The latest disclosure sheds light on Canada’s broad existing surveillance capabilities at a time when the country’s government is pushing for a further expansion of security powers following attacks in Ottawa and Quebec last year.

Ron Deibert, director of University of Toronto-based Internet security think tank Citizen Lab, said LEVITATION illustrates the “giant X-ray machine over all our digital lives.”

“Every single thing that you do – in this case uploading/downloading files to these sites – that act is being archived, collected and analyzed,” Deibert said, after reviewing documents about the online spying operation for CBC News.


The ostensible aim of the surveillance is to sift through vast amounts of data to identify people uploading or downloading content that could be connected to terrorism – such as bomb-making guides and hostage videos.

In the process, however, CSE combs through huge volumes of data showing uploads and downloads initiated by Internet users not suspected of any wrongdoing.

In a top-secret PowerPoint presentation, dated from mid-2012, an analyst from the agency jokes about how, while hunting for extremists, the LEVITATION system gets clogged with information on innocuous downloads of the musical TV series Glee.

PDF

CSE finds some 350 “interesting” downloads each month, the presentation notes, a number that amounts to less than 0.0001 per cent of the total collected data.

The agency stores details about downloads and uploads to and from 102 different popular file-sharing websites, according to the 2012 document, which describes the collected records as “free file upload,” or FFU, “events.” Only three of the websites are named: RapidShare, SendSpace, and the now defunct MegaUpload.

SendSpace said in a statement that “no organization has the ability/permission to trawl/search Sendspace for data,” adding that its policy is not to disclose user identities unless legally compelled. Representatives from RapidShare and MegaUpload had not responded to a request for comment at time of publication.

LEVITATION does not rely on cooperation from any of the file-sharing companies. A separate secret CSE operation codenamed ATOMIC BANJO obtains the data directly from internet cables that it has tapped into, which can be viewed through the agency’s OLYMPIA program. CSE then sifts out the unique IP address of each computer that downloaded files from the targeted websites.

The IP addresses are valuable pieces of information to CSE’s analysts, helping to identify people whose downloads have been flagged as suspicious. The analysts use the IP addresses as a kind of search term, entering them into other surveillance databases that they have access to, such as the vast repositories of intercepted Internet data shared with the Canadian agency by the NSA and its British counterpart Government Communications Headquarters.

Once a suspicious file-downloader is identified, analysts can plug that IP address into MUTANT BROTH, a database run by the British electronic spy agency Government Communications Headquarters (GCHQ), to see five hours of that computer’s online traffic before and after the download occurred, opening the door for further surveillance of their activities.

That can sometimes lead them to a Facebook profile page and to a string of Google and other cookies used to track online users’ activities for advertising purposes. This can help identify an individual.

In one example in the top-secret document, analysts also used the U.S. National Security Agency’s powerful MARINA database, which keeps online metadata on people for up to a year, to search for further information about a target’s Facebook profile. It helped them find an email address.

After doing its research, the Levitation team then passes on a list of suspects to CSE’s Office of Counter Terrorism.

Since the secret 2012 presentation about LEVITATION was authored, both RapidShare and SendSpace have toughened security by encrypting users’ connections to their websites, which may have thwarted CSE’s ability to target them for surveillance. But many other popular file-sharing sites have still not adopted encryption, meaning they remain vulnerable to the snooping.

As of mid-2012, CSE was maintaining a list of 2,200 particular download links that it regarded as connected to suspicious “documents of interest.” Anyone clicking on those links could have found themselves subject to extra scrutiny from the spies.

The file-sharing surveillance also raises questions about the number of Canadians whose downloading habits could have been swept up as part of LEVITATION’s dragnet.

By law, CSE isn’t allowed to target Canadians. Canada’s commissioner charged with reviewing the secretive group found it unintentionally swept up private communications of 66 Canadians while monitoring signals intelligence abroad, but concluded there was no sign of unlawful practice.

In the LEVITATION presentation, however, two Canadian IP addresses that trace back to a web server in Montreal appear on a list of suspicious downloads found across the world. The same list includes downloads that CSE monitored in closely allied countries, including the United Kingdom, United States, Spain, Brazil, Germany and Portugal.

It is unclear from the document whether LEVITATION has ever prevented any terrorist attacks. The agency cites only two successes of the program in the 2012 presentation: the discovery of a hostage video through a previously unknown target, and an uploaded document that contained the hostage strategy of a terrorist organization. The hostage in the discovered video was ultimately killed, according to public reports.

A CSE spokesman declined to comment to The Intercept on whether LEVITATION remained active, and would not provide examples of useful intelligence gleaned from the spying, or explain how long data swept up under the operation is retained.

[Image: CSE response to CBC re: LEVITATION]

Related Link: EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

01/29/2015

Marcy Wheeler/Emptywheel:

I’ve argued the NSA does similar analysis using known codes tied to Inspire (not the URL, necessarily, but possibly the encryption code included in each Inspire edition) on upstream collection, which would basically identify the people within the US who had downloaded AQAP’s propaganda magazine. One reason I’m so confident NSA does this is because of the high number of FBI sting operations that seem to arise from some 20-year-old downloading Inspire, which then appears to get sent out to a local FBI office for further research into online activities and ultimately approaches by a paid informant or undercover officer.

In other words, this kind of analysis seems to lie at the heart of a lot of the stings FBI initiates.

[Image: CSE LEVITATION “Scoreboard” slide]

But as the “Scoreboard” slide in this presentation makes clear, what this process gives you is not validated IDs, but rather probabilistic matches (which FISC appears to deal with using minimization procedures, suggesting they let NSA collect on these probabilistic matches with the understanding they have to treat the data in some certain way if it ends up being a false positive).

That’s important not just for the young men whom FBI decides might make worthwhile targets (even if they’re being targeted, largely, on their First Amendment activities).

It’s important, too, for the false negatives, by far the most important of which I believe to be the Tsarnaev brothers, both of whom reportedly had downloaded multiple episodes of Inspire, as well as other similar jihadist material, and on whom NSA had collected data it never accessed until after the attack, but neither of whom got targeted off this correlation process before they attacked the Boston Marathon.

That is, this really important possible false negative, just as much as the dubious positives that end up getting unbalanced young men targeted by the FBI, may say as much about the reliability of this process as anything else.

This CSE PPT is not yet proof that my suspicions are entirely accurate (though my claims here about correlations are based on officially released documents). But they strongly suggest my suspicions have been correct.

And — particularly given ODNI’s refusal to release what appears to be a key opinion describing the terms on which FISC permits the use of these correlations — this ought to elicit far more conversations about how NSA and its Five Eye partners “correlate” identities and how those correlations get used.

MORECOWBELL: NSA’s Covert DNS Monitoring System

In Archive, ICANN, Internet, NSA, NSA Files, Surveillance on February 15, 2015 at 7:01 PM

PDF / JPEG

01/24/2015

LeMonde (Rough Translation via Google) h/t Jacob Appelbaum/Laura Poitras:

A year and a half after the start of Edward Snowden’s revelations, we thought we knew everything about massive Internet surveillance by the US intelligence agency, the famous National Security Agency (NSA). Yet the discoveries continue.

Le Monde and the German website Heise have been able to see a new batch of confidential documents showing that the NSA attacks, in a massive and systematic way, the DNS (Domain Name System), which manages the global directories of names.

On the Internet, almost everything begins with a request for a domain name. DNS servers, indispensable “switching stations”, receive connection requests in the form of addresses written in a language a human can understand (e.g. “lemonde.fr”) and then find the corresponding machine-readable Internet (IP) number (195.154.120.129).

ISPs and large organizations have their own internal DNS servers, but to make sure the names are valid, these must remain in constant contact with the great “root servers” at the top of the pyramid, which centralize the directories for the whole world. There are now thirteen groups of root servers. They are managed by twelve organizations, nine of them American (the Department of Defense, NASA, private companies, universities, etc.).

Furthermore, the allocation and sale of domain names are overseen by the Internet Corporation for Assigned Names and Numbers (ICANN), an association established in California and under the supervision of the US Department of Commerce.

The IP numbers “in figures” that correspond to the addresses “in words” are managed by the Internet Assigned Numbers Authority (IANA), an organization linked to ICANN that works in conjunction with the federal agency NTIA (National Telecommunications and Information Administration). Note that the NSA officially works with NTIA on cryptography.

The Government of the United States has announced that it wants to reduce its role in ICANN before the end of 2015, but the terms of the transfer of power remain to be defined.

Finally, for organizations that do not want, or cannot afford, their own internal DNS server, there are free, openly accessible intermediary servers on the Internet.

Here again, the main ones belong to US companies such as Google, which thereby collect information on the origin and destination of masses of Internet connections worldwide. Systematic monitoring of the DNS, an open system, therefore poses no complex theoretical problem, but it does require human and material resources.

To this already very American landscape, add the NSA. The documents found by the German website Heise and Le Monde describe a comprehensive program specifically devoted to spying on the domain name system, called “MORECOWBELL”.

Originally, “More Cowbell” is the title of a musical sketch from 2000 by the weekly satirical show “Saturday Night Live”, aired on the US television network NBC. The sketch later became a cult classic, especially on the Web. By choosing this name, NSA officials may have wanted to show that they had a sense of humor and appreciated young, trendy pop culture.

MORECOWBELL has several functions. It is primarily a tool for “passive surveillance”. In this context, it is used to map the internal networks of large companies, government agencies and other organizations.

To spy on DNS servers, the NSA sends continuous bursts of connection requests. It uses an advanced tool called “PACKAGEDGOODS”, an international network of clandestine computers that apparently have no connection with the US government. Machines designed specifically to query large DNS servers are installed in countries including Malaysia, Germany and Denmark. In total, they send several thousand queries per hour, around the clock. The results are sent to NSA headquarters every fifteen to thirty minutes.

The connection requests are made with fictitious but plausible addresses. These are built from lists of keywords that frequently appear in the internal addresses of web servers, email servers, databases, etc. – usually barbarous names, impossible to guess outright, that are not published anywhere.

Thus, step by step, MORECOWBELL manages to reconstruct a fairly comprehensive directory of the valid addresses of a corporate or government network. Then, for each address, it looks up the corresponding IP number. Some servers also unintentionally make the NSA’s task easier: when they receive a request for an address that does not exist, they return an error message with two suggestions – the two closest valid addresses, in alphabetical order. Building the “directory” becomes rather easy. Contacted by Heise, the NSA replied that it would “not comment on specific activities alleged in intelligence abroad”.

Furthermore, the documents revealed by Edward Snowden in 2013 showed that the NSA directly intercepts Internet traffic flowing over some international cables, and is secretly involved in the management of communication nodes in the private sector. In the flood of trivial DNS queries to a business (www.companyX.com), MORECOWBELL is able to identify those that seem most intriguing (e.g. “deepstorage.internal.companyX.com”) and store them for later exploitation.

According to the new documents consulted by Le Monde, MORECOWBELL is used primarily to monitor, in near real time, “websites of foreign governments, terrorists and extremist forums, malware download sites …”

It even monitors US sites “in the context of a request for assistance from the Department of Homeland Security.” The aim is to defend against attacks from abroad. More generally, the NSA thus holds a mass of technical “metadata” on overall Internet traffic, which it can cross-reference with other types of metadata collected by its other monitoring programs: who communicates with whom, when, how often, etc.

MORECOWBELL is also used to prepare NSA offensive operations to penetrate or disrupt a foreign server or network. For example, it will detect a service created by a company for the exclusive use of its employees but that is actually accessible from the outside because it was poorly configured: for an experienced hacker equipped with attack software, the service becomes a gateway to the entire corporate network, which can then be hacked in various ways.

Finally, when an attack is launched, querying the DNS servers makes it possible to evaluate its effectiveness in real time. With MORECOWBELL, the NSA knows whether the targeted service continues to run or has been cut off. If it has been moved to another server as a protective measure, MORECOWBELL will spot it again, and the attack can resume.
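The Le Monde article above describes the MORECOWBELL collection pattern from the collector's side: thousands of guessed names per hour, most of which do not exist, sent at an organization's DNS servers so that the valid ones can be catalogued. From the defender's side the same pattern is visible in the DNS server's own query log as a client whose queries are dominated by NXDOMAIN answers for many different names. The following is an added example, not code from the article or from any NSA document: a small Python detector that slides a time window over a constructed query log and flags clients fitting that profile. The log format, client addresses and names (under companyx.example) are all constructed for the example; the detection thresholds are assumptions to be tuned per zone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed query log (not from the page), one query per line:
# "<ISO timestamp> <client IP> <queried name> <response code>"
SAMPLE_LOG = """\
2015-01-24T10:00:01 198.51.100.7 www.companyx.example NOERROR
2015-01-24T10:00:02 198.51.100.7 mail.companyx.example NOERROR
2015-01-24T10:00:03 203.0.113.5 admin.companyx.example NXDOMAIN
2015-01-24T10:00:04 203.0.113.5 backup.companyx.example NXDOMAIN
2015-01-24T10:00:05 203.0.113.5 dev.companyx.example NXDOMAIN
2015-01-24T10:00:06 203.0.113.5 vpn.companyx.example NXDOMAIN
2015-01-24T10:00:07 203.0.113.5 intranet.companyx.example NXDOMAIN
2015-01-24T10:00:08 203.0.113.5 staging.companyx.example NXDOMAIN
2015-01-24T10:00:09 203.0.113.5 deepstorage.companyx.example NXDOMAIN
2015-01-24T10:00:10 203.0.113.5 db.companyx.example NXDOMAIN
2015-01-24T10:00:11 203.0.113.5 www.companyx.example NOERROR
2015-01-24T10:01:10 198.51.100.7 www.companyx.example NOERROR
2015-01-24T10:01:11 198.51.100.7 wwww.companyx.example NXDOMAIN
2015-01-24T10:02:00 198.51.100.7 mail.companyx.example NOERROR
"""


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode


def detect_enumeration(lines, window=timedelta(minutes=5), min_queries=5,
                       nx_ratio=0.8, min_distinct=5):
    """Per client, slide a time window over its queries and alert when the window
    is dominated by NXDOMAIN answers for many *different* names.

    The distinct-name floor keeps a misconfigured host that retries one missing
    name (or a user's single typo, as 198.51.100.7 does here) from alerting.
    Thresholds are example values, not recommendations."""
    per_client = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, qname, rcode = parse_line(line)
            per_client[client].append((ts, qname, rcode))

    alerts = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the window fits the time limit
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            missing = {q for _, q, rc in win if rc == "NXDOMAIN"}
            nx = sum(1 for _, _, rc in win if rc == "NXDOMAIN")
            if (len(win) >= min_queries and nx / len(win) >= nx_ratio
                    and len(missing) >= min_distinct):
                # keep the latest qualifying window for this client
                alerts[client] = {"queries": len(win), "nxdomain": nx,
                                  "distinct_missing": len(missing),
                                  "sample_names": sorted(missing)[:3]}
    return alerts


def analyze_sample():
    return detect_enumeration(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, a in analyze_sample().items():
        print(f"possible name enumeration from {client}: {a}")
```

On the constructed log only 203.0.113.5 is flagged: nine queries, eight of them NXDOMAIN for eight different names. The "two closest valid addresses" behaviour the article mentions is what DNSSEC NSEC records provide for a signed zone, so the other defensive lever, beyond watching for this query pattern, is signing with NSEC3 (or NSEC3 opt-out variants) rather than plain NSEC so that a denial of existence does not hand back the neighbouring real names.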
