Half-Baked: The Opportunity To Secure Cookie-Based Identifiers From Passive Surveillance

August 13, 2015August 18, 2022 / Christopher Parsons

rkBJB0J-300x225 Andrew Hilts and I have released a new paper that is titled “Half-Baked: The Opportunity To Secure Cookie-Based Identifiers From Passive Surveillance.” Cookie-based identifiers are used by websites to deliver advertisements as well as collect analytics information about website visitors. Incidentally, intelligence agencies such as the NSA, GCHQ, CSE, and other Western signals intelligence bodies use the same identifiers to track the activities of individuals and their devices as they access, and use, the Internet. The paper respond to a series of basic questions: To what extent do major online properties encrypt the advertising, cookie, and other digital identifiers used by the NSA and other intelligence agencies to track users and their devices around the globe? Since the Snowden revelations began have providers actually encrypted more, or less, of these identifiers?

Full Abstract

Documents released by Edward Snowden have revealed that the National Security Agency, and its Australian, British, Canadian, and New Zealand equivalents, routinely monitor the Internet for the identifiers that are contained in advertising and tracking cookies. Once collected, the identifiers are stored in government databases and used to develop patterns of life, or the chains of activities that individuals engage in when they use Internet-capable devices. This paper investigates the extent to which contemporary advertising and analytics identifiers that are used in establishing such patterns continue to be transmitted in plaintext following Snowden’s revelations. We look at variations in the secure transmission of cookie-based identifiers across different website categories, and identify practical steps for both website operators and ad tracking companies to take to better secure their audiences and readers from passive surveillance.

Download the Paper

This post first appeared on the Telecom Transparency Project website.

New Update to the SIGINT Summaries

June 2, 2015August 18, 2022 / Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚n I have added one new item to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information.¹ CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD),² and Government Communications Security Bureau (GCSB)).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

The new contribution comes from documents released by CBC and covers how Five Eyes intelligence analysts correlated telephony and mobile Internet communications information. For the first time I have noted, in the summary block, all of the codenames that were mentioned in the redacted document.

Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT)

Summary: This slide deck showcases some of the activities, and successes, of the Network Tradecraft Advancement Team (NTAT). The slides focus on how to develop and document tradecraft which is used to correlate telephony and Internet data. Two separate workshops are discussed, one in 2011 and another in 2012. Workshop outcomes included identifying potentially converged data (between telephony and Internet data) as well as geolocating mobile phone application servers. A common mobile gateway identification analytic was adopted by three agencies, including DSD. NTAT had also adopted the CRAFTY SHACK tradecraft documentation system over the courses of these workshops.

In an experiment, codenamed IRRITANT HORN, analysts explored whether they could identify connections between a potentially ‘revolutionary’ country and mobile applications servers. They successfully correlated connections with application servers which opened up the potential to conduct Man in the Middle attacks or effect operations towards the mobile devices, as well as the potential to harvest data in transit and at rest from the devices. In the profiling of mobile applications servers it appears that EONBLUE was used to collect information about a company named Poynt; that company’s application was being used by Blackberry users, and the servers profiled were located in Calgary, Alberta (Canada).

The agencies successfully found vulnerabilities in UCWeb, which was found to leak IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target and it was determined that the vulnerabilities might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”)

Document Published: May 21, 2015 Document Dated: 2012 or later Document Length: 52 pages (slides plus notes) Associated Article: Spy agencies target mobile phones, app stores to implant spyware Download Document: Synergising Network Analysis Tradecraft: Network Tradecraft Advancement Team (NTAT) Codenames mentioned: ATLAS, ATHENA, BLAZING SADDLES, CRAFTY SHACK, DANAUS, EONBLUE, FRETTING YETI, HYPERION, IRRITANT HORN, MASTERSHAKE, PEITHO, PLINK, SCORPIOFORE

Footnotes

Formally known as the Communications Security Establishment Canada (CSEC). ↩
The ASD was formerly known as the Defence Signals Directorate (DSD). ↩

Five New Additions to the SIGINT Summaries

March 27, 2015August 18, 2022 / Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚n I have added five new items to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment(CSE) documents, along with summary, publication, and original source information.¹ CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

The new contributions come from documents released by CBC. They cover a range of topics, including extended discussions of the CSE’s domestic and international sensor networks, overviews of challenges facing Information Technology Security (ITS), which is itself responsible for defending government systems and networks, as well as overviews of the cyber threats CSE believed faced the Government of Canada.
Continue reading →

Six New Additions to the SIGINT Summaries

February 6, 2015August 18, 2022 / Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚n I have added six new items to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment(CSE) documents, along with summary, publication, and original source information.¹ CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

The new contributions come from documents released by Der Spiegel, The Intercept, and CBC. They cover a range of topics, including activities undertaken by the Counter Computer Network Exploitation (CCNE) groups at the Communications Security Establishment (CSE), the mass monitoring of file downloads from free file upload sites (e.g. Rapidshare, MegaUpload), as well as enriching UK and Canadian databases using data that foreign nations’ hackers are exfiltrating from targets of interest to the NSA, UK, and Canadians.

Continue reading →

New Additions to the Canadian SIGINT Summaries

January 8, 2015August 18, 2022 / Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚n

I’ve added three new items to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment(CSE) documents, along with summary, publication, and original source information.¹ CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

The Canadian SIGINT Summaries

December 30, 2014August 18, 2022 / Christopher Parsons

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Fryslân Journalists with access to leaked documents have reported on the partnerships and activities undertaken by Canada’s foreign signals intelligence (SIGINT) agency, the Communications Security Establishment (CSE), since October 2013. As a result of their stories we know that the Canadian government hosts collection facilities in its diplomatic outposts for American SIGINT operations, has co-ordinated with the NSA to monitor for threats to international summits that took place in Canada, and shares a cooperative relationship with the National Security Agency (NSA) to protect North America from foreign threats. CSE, itself, was found to be conducting signals intelligence and development operations against the Brazilian government, running experiments using domestically collected metadata to track Canadians’ devices, and automating both the discovery of vulnerable computer devices on the Internet for later exploitation and identifying network administrators’ Internet traffic.

The aforementioned revelations are just a sample of what Canadians have learned as journalists have reported on documents leaked to them by Edward Snowden and other whistleblowers. But it has been challenging for even experts to keep track of the Canadian discoveries amongst the tidal wave of information concerning American and British SIGINT agencies. I have created and published a resource to help researchers and members of the public alike track mentions of CSE in documents that have been reported on by professional journalists.

The Canadian SIGINT Summaries page of this website currently includes downloadable copies, along with summary, publication, and original source information, of leaked CSE documents. The page will be updated as new whistleblower documents are released and as I parse and add information about CSE’s operational guides that have been released to the public under Access to Information and Privacy (ATIP) laws. I plan to also include copies of the CSE Commissioner’s reports. While I will try to exhaustively collate documents it is entirely possible that I have, or will, miss some; if you believe I have failed to include a primary document and would like me to add it to the SIGINT Summaries page please contact me with the document and a link to the journalistic source which reported on it.

The Canadian SIGINT Summaries are not meant to replace the detailed reporting of documents nor the exhaustive examination of them by other researchers, scholars, or other analysts. And I expect to write more extensive analyses based upon the documents that extend beyond my summarizations of them. The Canadian SIGINT Summaries are meant as a public resource, listing all of the relevant public documents, briefly describing their contents and publication data, and letting readers download them to draw their own conclusions.

As I update the page with new items or sections I will publish blog posts which either include the item (if just one or two are added) or short summaries when larger updates are published. I hope that you find the Canadian SIGINT Summaries helpful and, for international visitors, encourage you to replicate this model to summarize information about your own domestic SIGINT agency.

Technology, Thoughts & Trinkets

Touring the Digital Though Type

Intelligence