Released Snowden Doc Shows NSA Thwarting Electronic Dead Drops By Using Email Metadata

from the 'just-metadata'-strikes-again dept

The latest batch of Snowden docs published at The Intercept covers a lot of ground. The internal informational sheets from the Signals Intelligence Directorate include info on a host of surveillance programs that haven't been revealed by previous document dumps, but they don't discuss those programs in full, so some of the information is limited.

One of those published last week mentions the NSA's targeting of internet cafes in Iraq and other Middle Eastern countries using a program called MASTERSHAKE. Using MASTERSHAKE, analysts were apparently able to narrow location info down to which target was sitting in which chair at the cafes under surveillance.

Further down the page [PDF], past this brief mention of a program discussed more fully elsewhere, there's another interesting tidbit. Apparently, the NSA can suss out electronic dead drops using harvested metadata. (h/t Electrospaces)

[REDACTED] will be briefing on THERAPYCHEATER. This is a system that uses metadata analysis to detect and exploit the communication patterns of targets about whom the SIGINT system has no specific a priori knowledge. By identifying suspicious patterns in the access to draft folders of webmail accounts, THERAPYCHEATER will identify email addresses potentially being used in a form of covert communication known as a cyber dead drop. There are numerous examples in both SIGINT and collateral of terrorists using cyber dead drops to communicate operational information and plans.

Apparently, the tried-and-true surveillance workaround is no longer a secure option. One way to avoid surveillance of communications was to simply not communicate: composing drafts in a shared email account was one way to talk to others without risking interception in transit.

As the paragraph states, this draft folder metadata is used to acquire new surveillance targets, based almost solely on the analyst's impression of account activity. Presumably from here, the NSA can move on to seeking access to the actual account to see what's hiding inside that's never been sent. Or, at the very least, keep an eye on traffic to and from the email account.

This was written in 2005, so access to email account metadata may now be more limited, thanks to routine encryption. However, the metadata here refers to activity taking place within an account, suggesting the NSA does (or at least did) have access to certain types of account activity, rather than simply gathering metadata related to web-traversing communications.
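To make the detection idea in the quoted paragraph concrete, here is an added Python sketch (not from the leaked document, The Intercept, or this article) of the kind of metadata heuristic it describes: it scores webmail accounts on how many unrelated network locations touch the draft folder versus how often anything is actually sent. The log format, the action names, the use of a /24 prefix as a "location", and every threshold are assumptions made for this example, and the log lines are constructed rather than taken from any real provider.

```python
import ipaddress
from collections import defaultdict

# Constructed sample webmail activity log (not from any real provider or from
# the leaked document). Assumed format: timestamp, account, action, client IP.
SAMPLE_LOG = """\
2005-03-01T10:02:11Z acct-a draft_save 203.0.113.10
2005-03-01T18:45:03Z acct-a draft_read 198.51.100.7
2005-03-01T18:47:30Z acct-a draft_save 198.51.100.7
2005-03-02T09:12:44Z acct-a draft_read 203.0.113.12
2005-03-02T09:20:01Z acct-a draft_save 203.0.113.12
2005-03-03T21:05:59Z acct-a draft_read 198.51.100.9
2005-03-01T08:00:00Z acct-b draft_save 192.0.2.5
2005-03-01T08:05:00Z acct-b send 192.0.2.5
2005-03-02T08:10:00Z acct-b draft_save 192.0.2.5
2005-03-02T08:12:00Z acct-b send 192.0.2.5
2005-03-01T12:00:00Z acct-c draft_save 192.0.2.40
2005-03-01T12:03:00Z acct-c send 192.0.2.40
2005-03-02T12:00:00Z acct-c draft_save 203.0.113.77
2005-03-02T12:04:00Z acct-c send 203.0.113.77
2005-03-01T11:00:00Z acct-d draft_save 192.0.2.200
2005-03-01T20:30:00Z acct-d draft_read 203.0.113.150
2005-03-02T11:05:00Z acct-d draft_save 192.0.2.200
2005-03-02T20:35:00Z acct-d draft_read 203.0.113.150
"""

# Assumed action names; only the draft folder and outbound sends matter here.
DRAFT_ACTIONS = {"draft_save", "draft_read"}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, ip = line.split()
        events.append({"ts": ts, "account": account, "action": action, "ip": ip})
    return events


def location_key(ip):
    """Collapse a client IP to its /24 so nearby addresses count as one place (assumption)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def score_accounts(events, min_locations=2, min_draft_events=4, max_send_ratio=0.1):
    """Flag accounts whose drafts are touched from several locations but rarely sent from.

    Thresholds are illustrative defaults, not values from the document.
    """
    stats = defaultdict(lambda: {"draft_events": 0, "sends": 0, "locations": set()})
    for ev in events:
        s = stats[ev["account"]]
        if ev["action"] in DRAFT_ACTIONS:
            s["draft_events"] += 1
            s["locations"].add(location_key(ev["ip"]))
        elif ev["action"] == "send":
            s["sends"] += 1

    result = {}
    for account, s in stats.items():
        total = s["draft_events"] + s["sends"]
        send_ratio = s["sends"] / total if total else 0.0
        flagged = (
            len(s["locations"]) >= min_locations
            and s["draft_events"] >= min_draft_events
            and send_ratio <= max_send_ratio
        )
        result[account] = {
            "draft_events": s["draft_events"],
            "sends": s["sends"],
            "locations": len(s["locations"]),
            "send_ratio": round(send_ratio, 3),
            "flagged": flagged,
        }
    return result


def flagged_accounts(text=SAMPLE_LOG, **thresholds):
    """Convenience wrapper: sorted list of account names the heuristic flags."""
    scores = score_accounts(parse_log(text), **thresholds)
    return sorted(a for a, r in scores.items() if r["flagged"])


if __name__ == "__main__":
    for account, r in score_accounts(parse_log(SAMPLE_LOG)).items():
        print(account, r)
```

On this constructed data the heuristic flags acct-a (drafts read and written from two unrelated networks, nothing ever sent) and ignores acct-b (one location, normal send pattern) and acct-c (two locations, but every draft is followed by a send). It also flags acct-d, which was constructed as a benign case: someone saving a file in their drafts at a public terminal and reading it back from home. That is exactly the false-positive problem the draft-folder heuristic carries, and it is why a flag like this can only be a lead for review rather than a verdict about an account.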


Reader Comments


  • Anonymous Coward, 21 Sep 2017 @ 2:24pm

    "the tried-and-true surveillance workaround is no longer a secure option."

    Was it ever?


  • stine, 21 Sep 2017 @ 2:28pm

    sounds familiar

    Isn't this how U.S. General Petraeus and Paula Broadwell traded messages... (yep, checked Wikipedia)

    I wonder if the NSA generated that piece of intel?


  • Sarah, 21 Sep 2017 @ 2:51pm

    Technically ignorant?

    https://www.youtube.com/watch?v=PG6Z27KL6PE

    Unless you mean an online file sharing network, by definition an offline file sharing network cannot be compromised using online methodologies.

    It's an entirely different context.

    You should specify what kind of dead drop you mean.


    • orbitalinsertion (profile), 21 Sep 2017 @ 3:32pm

      Re: Technically ignorant?

      I thought the definition given in the leaked document was pretty clear with the quote and expanded commentary.

      This is like suggesting the linked video is technically ignorant by saying the title implies only USB-connected devices or all devices with USB connectors can be used for a dead drop.


    • Anonymous Coward, 22 Sep 2017 @ 11:51am

      Re: Technically ignorant?

      by definition an offline file sharing network cannot be compromised using online methodologies

      Compromising an online endpoint of an offline network could be said to compromise the network too. E.g., if you're moving files between 1 offline and 1 internet-connected computer via a USB stick, someone who compromises the internet-connected one has compromised the "network"; it no longer offers secrecy.


  • ANON, 21 Sep 2017 @ 3:04pm

    But...

    Wasn't it the case that in 2005 and earlier, using plain text SMTP commands or HTTP web browsing was how much of the mail traffic operated?


  • Anonymous Coward, 21 Sep 2017 @ 3:37pm

    "metadata may be more limited, thanks to routine encryption"

    Do you _really_ think for a millisecond that they don't have the master certificates to decrypt all SSL traffic? Really?

    If it was a problem for them they'd be shutting it down; pronto.


    • Anonymous Coward, 21 Sep 2017 @ 6:23pm

      Re:

      Do you really think for a millisecond that they don't have the master certificates to decrypt all SSL traffic? Really?

      Yes, because that's not how TLS works. If they had all the Certificate Authority private keys, they could forge any certificate, but decrypting a session requires knowing the private key of the certificate for that session, not the private key of the root CA certificate that signed the intermediate CA certificate that signed the endpoint certificate. Some stupidly implemented CAs know the private keys of the certificates that they endorse, but the better ones never receive the endpoint's private key, so they can't disclose it even under duress.


  • Anonymous Coward, 21 Sep 2017 @ 6:34pm

    Remember when MyNameHere/Whatever was loudly claiming that metadata wasn't significant so we didn't have to worry about the NSA vacuuming it all up? Bah! Humbug!


  • DocGerbil100 (profile), 21 Sep 2017 @ 8:05pm

    ...?

    Well, isn't that interesting!

    I'm in the UK. The last time I was unemployed for any length of time, a fair while ago now, I was sent to a place called Reed Employment in Partnership, a company contracted by the government to help the unemployed get back into work.

    Due to past security issues, customers weren't allowed to attach their own storage devices to Reed's computers. Instead, we were all required to use the draft folders in webmail accounts for storing our CVs (or résumés, in American), etc, in similar fashion to the counter-surveillance method described in the article.

    It's a certainty that at least some extremists were making use of Reed's services. Presumably, everyone using the same branch who subsequently accessed their email from another location would also be flagged up as a potential terrorist - particularly the ones who mainly spoke Arabic and weren't fluent in written English.

    Did Reed unintentionally push hundreds of thousands of customers onto anti-terrorism watch-lists? I wonder how many other government service providers did the same thing...?


  • MyNameHere (profile), 22 Sep 2017 @ 12:38am

    Dead drops were a very common concept a number of years ago, as it was a very simple way to pass a message without actually sending anything. That was back before anyone realized that pretty much everything you ever do in a free mail account (like Hotmail) is backed up and kept for a long time.

    It's interesting that the feds were onto it and looking for ways to handle it.


  • Ninja (profile), 22 Sep 2017 @ 5:54am

    The names they choose... MASTERSHAKE sounds like those body-building products, and THERAPYCHEATER... And people say they don't have a sense of humor.


  • Anonymous Coward, 22 Sep 2017 @ 9:18am

    Is it just me, or does anyone else have that spooky feeling that all these Snowden data drips are only released 'after' the 3 letter agency has either abandoned the program or replaced it with something better?

    Just wonderin'


