Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata
from the 'just-metadata'-strikes-again dept
The latest batch of Snowden docs published at The Intercept cover a lot of ground. The internal informational sheets from the Signals Intelligence Directorate include info on a host of surveillance programs that haven’t been revealed by previous document dumps. Nor do they discuss the programs in full. As such, some of the information is limited.
One of those published last week mentions the NSA’s targeting of internet cafes in Iraq and other Middle Eastern countries using a program called MASTERSHAKE. Using MASTERSHAKE, analysts were apparently able to drill down location info to which target was sitting in which chair at the cafes under surveillance.
Further down the page [PDF], past this brief mention of a program discussed more fully elsewhere, there’s another interesting tidbit. Apparently, the NSA can suss out electronic dead drops using harvested metadata. (h/t Electrospaces)
[REDACTED] will be briefing on THERAPYCHEATER. This is a system that uses metadata analysis to detect and exploit the communication patterns of targets about whom the SIGINT system has no specific a priori knowledge. By identifying suspicious patterns in the access to draft folders of webmail accounts, THERAPYCHEATER will identify email addresses potentially being used in a form of covert communication known as a cyber dead drop. There are numerous examples in both SIGINT and collateral of terrorists using cyber dead drops to communicate operational information and plans.
Apparently, the tried-and-true surveillance workaround is no longer a secure option. One way to avoid surveillance of communications was to simply not communicate. Composing drafts in a shared email account was one to talk to others without risking interception.
As the paragraph states, this draft folder metadata is used to acquire new surveillance targets, based almost solely on the analyst’s impression of account activity. Presumably from here, the NSA can move on to seeking access to the actual account to see what’s hiding inside that’s never been sent. Or, at the very least, keep an eye on traffic to and from the email account.
This was written in 2005 so access to email account metadata may be more limited, thanks to routine encryption. However, the metadata here refers to activity taking place within an account, suggesting the NSA does (or at least did) have access to certain types of account activity, rather than simply gathering metadata related to web-traversing communications.
Filed Under: dead drops, email, mastershake, metadata, nsa, surveillance
Comments on “Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata”
“the tried-and-true surveillance workaround is no longer a secure option.”
Was it ever?
sounds familiar
Isn’t this how U.S. General Petraeus and Paula Broadwell traded messages…(yep, checked wikipedia)
I wonder if the NSA generated that piece of intel?
Technically ignorant?
https://www.youtube.com/watch?v=PG6Z27KL6PE
Unless you mean an online file sharing network, by definition an offline file sharing network cannot be compromised using online methodologies.
It’s an entirely different context.
You should specify would kind of dead drop you mean.
Re: Technically ignorant?
I thought the definition given in the leaked document was pretty clear with the quote and expanded commentary.
This is like suggesting the linked video is technically ignorant by saying the title implies only USB-connected devices or all devices with USB connectors can be used for a dead drop.
Re: Technically ignorant?
Compromising an online endpoint of an offline network could be said to compromise the network too. E.g., if you’re moving files between 1 offline and 1 internet-connected computer via a USB stick, someone who compromises the internet-connected one has compromised the "network"; it no longer offers secrecy.
But...
Wasn’t it the case that in 2005 and earlier, using plain text SMTP commands or HTTP web browsing was how much of the mail traffic operated?
“metadata may be more limited, thanks to routine encryption”
Do you _really_ think for a millisecond that they don’t have the master certificates to decrypt all SSL traffic? Really?
If it was a problem for them they’d be shutting it down; pronto.
Re: Re:
Yes, because that’s not how TLS works. If they had all the Certificate Authority private keys, they could forge any certificate, but decrypting a session requires knowing the private key of the certificate for that session, not the private key of the root CA certificate that signed the intermediate CA certificate that signed the endpoint certificate. Some stupidly implemented CAs know the private keys of the certificates that they endorse, but the better ones never receive the endpoint’s private key, so they can’t disclose it even under duress.
Remember when MyNameHere/Whatever was loudly claiming that metadata wasn’t significant so we didn’t have to worry about the NSA vacuuming it all up? Bah! Humbug!
...?
Well, isn’t that interesting!
I’m in the UK. The last time I was unemployed for any length of time, a fair while ago now, I was sent to a place called Reed Employment in Partnership, a company contracted by the government to help the unemployed get back into work.
Due to past security issues, customers weren’t allowed to attach their own storage devices to Reed’s computers. Instead, we were all required to use the draft folders in webmail accounts for storing our CVs (or résumés, in American), etc, in similar fashion to the counter-surveillance method described in the article.
It’s a certainty that at least some extremists were making use of Reed’s services. Presumably, everyone using the same branch who subsequently accessed their email from another location would also be flagged up as a potential terrorist – particularly the ones who mainly spoke Arabic and weren’t fluent in written English.
Did Reed unintentionally push hundreds of thousands of customers onto anti-terrorism watch-lists? I wonder how many other government service providers did the same thing…?
Dead drops were a very common concept a number of years ago, as it was a very simple way to pass a message without actually sending anything. That was back before anyone realized that pretty much everything you every do in a free mail account (like hotmail) is backed up and kept for a long time.
It’s interesting that the feds were onto it and looking for ways to handle it.
The names they choose… MASTERSHAKE sounds like those body-building products and THERAPYCHEATER.. And people say they don’t have a sense of humor.
Re: Re:
Someone should check to see if there are also programs called “MEATWAD” & “FRYLOCK”.
Re: Re: Re:
WHAT HAPPENED TO MY FREAKIN’ SURVEILLANCE SYSTEM?!
Is it just me, or does anyone else have that spooky feeling that all these Snowden data drips are only released ‘after’ the 3 letter agency has either abandoned the program or replaced it with something better.
Just wonderin’