NSA's XKeyscore is a global dragnet for vulnerable systems

Filed Under: Featured, Law & order, Privacy, Vulnerability

XKeyscoreXKeyscore doesn't just turn somebody's internet life inside out. It's also a bloodhound for sniffing out vulnerable systems.

A training slide on page 24 of the National Security Agency's 2008 presentation on the program, as revealed on Wednesday by The Guardian (via Edward Snowden), states it quite baldly:

  • Show me all the exploitable machines in country X
    • Fingerprints from TAO [Ed. Note: Tailored Access Operations, the NSA organisation that hacks the networks of foreign governments and organizations] are loaded into XKEYSCORE'S application/fingerprintID engine
    • Data is tagged and databased
    • No strong-selector
    • Complex boolean tasking and regular expressions required

According to Ars Technica's Sean Gallagher, the vulnerability "fingerprints" are added to serve as a filtering criteria for XKeyscore's application engines, comprised of "a worldwide distributed cluster of Linux servers attached to the NSA's Internet backbone tap points."

This turns XKeyscore into a passive port scanner, Gallagher writes, which can be used to search for network behavior on systems that match the NSA TAO's profiles for exploits or for systems already exploited by malware that the TAO can then take advantage of.

He explains how this could give the NSA a toehold of surveillance in countries such as Iran or China:

This could allow the NSA to search broadly for systems within countries such as China or Iran by watching for the network traffic that comes from them through national firewalls, at which point the NSA could exploit those machines to have a presence within those networks.

The slides also explain how XKeyscore can track encrypted VPN (Virtual Private Network) sessions and their participants, can capture metadata on who's using PGP encryption in email or who's encrypting Word documents, which can later be decrypted.

XKeyscore keeps all trapped Internet traffic for three days, but metadata is kept for up to 30 days.

That month gives the NSA time to trace the identity of those who created the documents its analysts intercept.

As the slides imply, this enables XKeyscore the unique ability of scouring traffic that hasn't yet been targeted for monitoring.

"No other system performs this on raw unselected bulk traffic," they state.

XKeyscore's nature was disputed when it was first revealed.

What is XKeyscore, exactly?

Is it a tool that can scour all things internet for surveillance purposes, or is it merely a database search tool plunked on top of databases full of already-captured data from other surveillance sources, as maintained by US journalist Marc Ambinder?

It sure does sound like a surveillance tool, going by the NSA's own description.

According to the slides published by The Guardian, XKeyscore is:

  1. DNI [ed.: Digital Network Intelligence] Exploitation System/Analytic Framework
  2. Performs strong (e.g. email) and soft (content) selection
  3. Provides real-time target activity (tipping)
  4. "Rolling Buffer" of ~3 days of ALL unfiltered data seen by XKEYSCORE:
    • Stores full-take data at the collection site—indexed by meta-data
    • Provides a series of viewers for common data types
  5. Federated Query system—one query scans all sites
    • Performing full-take allows analysts to find targets that were previously unknown by mining the meta-data

Has The Guardian mischaracterized XKeyscore as a top-secret, extraordinarily powerful surveillance tool?

I'm trying to keep my mind open, but it's hard to dismiss The Guardian's reporting, and it's hard to deem Edward Snowden's depiction of the NSA's activities as "hyperbolic," as some have deemed them, given the descriptions in these slides.

I'm no programmer, but when somebody calls a program an "exploitation system" that can be used "to find targets that were previously unknown by mining the meta-data," that sure does sound like a surveillance tool to me.

A frighteningly powerful one, at that.

, , , , ,

You might like

5 Responses to NSA's XKeyscore is a global dragnet for vulnerable systems

  1. outside the marginals · 382 days ago

    How long until the Chinese manage to hack Xkeyscore?

  2. Mark · 382 days ago

    I'm beginning to be more worried about the Americans as bad guys over the Chinese...

    • And how are the Chinese "bad guys"? Because they are a threat to America's small penis syndrome? China isnt your enemy champ...

  3. Anon · 381 days ago

    If we want privacy, we need to unplug... and perhaps wear a foil hat.

  4. AlphaCentauri · 380 days ago

    Frighteningly powerful, yes -- but are they mining any data that all the private companies like Facebook and Google aren't already collecting? If you set up your own Tor exit node or DNS server, would you have access to this same data? We are getting services without paying for them, so we know we're the product and not the customer. The only people who don't seem to have access to this data are the internet users themselves.

    You can't stop the collection of data over public connections, whether your government is collecting it directly or buying it from someone else. But you can insist that we proles have access to our own data once it has been collected.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.