NSA XKeyscore targeted Tor Directory Authority servers

The German broadcaster ARD published a report that reveals that NSA XKeyscore has targeted two Germany-based Tor Directory Authority servers.

The NSA surveillance program XKeyscore, according to a report published by German public broadcaster ARD, two Germany-based Tor Directory Authority servers have been targeted by the US intelligence. According to the report, the two cases are not isolated, in the past documents leaked by Edward Snowden reveled the secret project Stinks to track user in Tor anonymizing network.

The broadcaster published for the first time the source code from XKeystore has been revealed, but ARD didn’t provide information on how it has received it.

XKeyscore gives ‘widest-reaching’ collection of online data, analyzing the content of emails, social media and browsing history. On August 2014 The Guardian journal has published an exclusive report on the NSA surveillance program providing several NSA training slides from the secret program.

Facebook chats and private messages become accessible to the intelligence agents simply providing the Facebook user name and a date range for the investigation, XKeyscore in fact provides instruments necessary for the analysis that are conducted also without any legal authorization or a warrant.

“A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.” The NSA boasts in training materials that the program, called XKeyscore, is its “widest-reaching” system for developing intelligence from the internet.

The NSA slides show that since 2008 the X-Keyscore platform was used to track activities related to 300 alleged terrorists around the world studying their habits and participations to various Internet forums.

“Analysts are warned that searching the full database for content will yield too many results to sift through. Instead they are advised to use themetadata also stored in the databases to narrow down what to review. A slide entitled “plug-ins” in a December 2012 document describes the various fields of information that can be searched. It includes “every email address seen in a session by both username and domain”, “every phone number seen in a session (egaddress book entries or signature block)” and user activity – “the webmail and chat activity to include username, buddylist, machine specific cookies etc“.”

The documents revealed that in 2012 more than 41 billion records were collected and stored in a single 30-day period by XKeyscore that analyzes real time more than 20 terabytes of information (e.g. Emails, chats, social media operations and browsing histories) every day.

The source code published by the ARD demonstrates that the NSA track people who are believed to live outside the US and who request Tor bridge information via e-mail or who search for or download Tor or the TAILS live operating system. The NSA tracked IP addresses of Internet users who were engaged in the mentioned activities.

In the XKeyStore code includes IP addresses of the Tor Directory Authority, part of the backbone of the Tor Network. These authorities are updated every our with information related to new Tor relays.

The post explains that also the authors, including the popular expert Jacob Appelbaum, were targeted by the XKeyscore.

“Their research in this story is wholly independent from the Tor Project and does not reflect the views of the Tor Project in any way,” “During the course of the investigation, it was further discovered that an additional computer system run by Jacob Appelbaum for his volunteer work with helping to run part of the Tor network was targeted by the NSA. Moreover, all members of this team are Tor users and appear to be have been targets of the mass surveillance described in the investigation.” ARD stated.

Going deep in the source code it is possible to verify that the NSA is also targeting users of an anonymous remailer MixMinion.

/**
 * Placeholder fingerprint for Tor hidden service addresses.
 * Real fingerpritns will be fired by the plugins
 *   'anonymizer/tor/plugin/onion/*'
 */fingerprint('anonymizer/tor/hiddenservice/address') = nil;
// END_DEFINITION


// START_DEFINITION
appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
        http_host('mixminion') or
        ip('128.31.0.34');
// END_DEFINITION

I’m not surprised by the revelation of the NSA surveillance program, but for the disclosure of the source code of a secret architecture … this is probably the greatest failure for US Intelligence.

Pierluigi Paganini

(Security Affairs – XKeyScore, surveillance)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.