The NSA's Weird Interest In File Sharing Programs
from the National-Sharing-Agency dept
Another large Snowden document dump from The Intercept uncovers many more off-brand uses of NSA surveillance tools. The pile of documents come from the NSA’s “SID (Signals Intelligence Directorate) Today” files, of which there are apparently thousands of available pages. The documents released late last week show that if it happened online, the NSA was looking at it.
According to documents provided by NSA whistleblower Edward Snowden, the spy agency formed a research group dedicated to studying peer-to-peer, or P2P, internet traffic. NSA didn’t care about violations of copyright law, according to a 2005 article on one of the agency’s internal news sites, SIDtoday. It was trying to determine if it could find valuable intelligence by monitoring such activity.
But it appears the NSA found very little worth observing.
“By searching our collection databases, it is clear that many targets are using popular file sharing applications,” a researcher from NSA’s File-Sharing Analysis and Vulnerability Assessment Pod wrote in a SIDtoday article. “But if they are merely sharing the latest release of their favorite pop star, this traffic is of dubious value (no offense to Britney Spears intended).”
The info in the SID Today publication [PDF] is a bit dated, as it shows BitTorrent trailing applications like eDonkey and KaZaa. Even though it was mostly popular albums traversing the internet pipes, the NSA still formed a File-sharing Analysis and Vulnerability Assessment (FAVA) “pod” to poke away at the infrastructure and search the shared files for data of national security interest. To do this, it had to strip away the layers of protection lying between the NSA and the contents of the files.
As many of these applications, such as KaZaA for example, encrypt their traffic, we first had to decrypt the traffic before we could begin to parse the messages. We have developed the capability to decrypt and decode both KaZaA and eDonkey traffic to determine which files are being shared, and what queries are being performed.
Breaking the encryption allowed the NSA to peer into users’ computers via their shared folders, as well as harvest email addresses, country codes, user names, and lists of recent searches.
Even so, there was little actual intelligence to be gathered from the most popular file sharing applications of a decade ago. But that laid the groundwork for further examination of file sharing for national security reasons. A program called GRIMPLATE tracked BitTorrent use by Defense Dept. employees, checking to see if any of the swarms travelling in and out of the DoD’s safe spaces was “malicious” — a definition that presumably covers DoD employee exfiltration of sensitive files as well as possibly-harmful programs being downloaded to DoD computers.
Over in the UK, GCHQ was taking much more proactive steps toward turning torrent traffic into both a weapon and a source of intel.
The page describes DIRTY RAT, a GCHQ web application used by analysts that at the time had “the capability to identify users sharing/downloading files of interest on the eMule (Kademlia) and BitTorrent networks. … For example, we can report on who (IP address and user ID) is sharing files with ‘jihad’ in the filename on eMule. If there is a new publication of an extremist magazine then we can report who is sharing that unique file on the eMule and BitTorrent networks.”
The RAT was also tasked with gathering info to be shared with law enforcement. Child porn is name-checked in the document, as are the London Metro Police and FBI. But GCHQ wasn’t interested in merely collecting info on users sharing illicit content. It also wanted to use the sharing platforms for malware delivery.
A tool called PLAGUE RAT “has the capability to alter the search results of eMule and deliver tailored content to a target,” the wiki article states. “This capability has been tested successfully on the Internet against ourselves and testing against a real target is being pursued.”
File sharing hasn’t gone away, so it’s indisputable both agencies are still eyeballing BitTorrent traffic. Considering a number of exfiltrated docs/software have been shared via the service, there are probably files of national security interest circulating along with movies, music, and games.