NSA surveillance tools

From La Quadrature du Net
Revision dated 7 January 2014 at 10:17 by 3a31f49c5462 e29fc581520f (just a copy of https://pad.lqdn.fr/p/nsa_surveillance_tools)

WE NEED TO:

Please attempt to provide for each program the following information in the following format (between ----------) :


Name

""Short Description"" : what it is or does
""Category"" : either program|compartment|attack vector (see Categories note for definition)
""Family"" : either collect | process | database | target | attack (see Families note for definition)
""Related items"" : {list of programs or compartments, space separated, wiki style links}
""Status"" : either active|inactive|unknown (if you have no idea)
""Links"" :


Useful links

General documentation

  • Jacob Appelbaum 30c3 Protect and Infect Slides - http://cryptome.org/2013/12/appelbaum-30c3.pdf
  • Full 50 pages of the NSA ANT Catalog with crisp images in 11 separate files: http://cryptome.org/2013/12/nsa-
  • Crisp QUANTUMTHEORY Images: http://cryptome.org/2013/12/nsa-quantumtheory.pdf
  • Crisp QUANTUM Tasking Images: http://cryptome.org/2013/12/nsa-quantum-tasking.pdf
  • http://www.mindmeister.com/fr/308518551/the-national-security-agency-operates-more-than-500-separate-signals-intelligence-platforms-employs-
  • http://buggedplanet.info/index.php?title=Category:NSA_codewords
  • https://buggedplanet.info/index.php?title=Category:NSA_programs

Reading and understanding the NSA docs (classification and acronyms)


Note : Categories

   Program           A program is a technical solution of some sort (ex: a database, satellite collect, etc.) or a group of programs.
   Compartment       A compartment is a partner of some sort (ex: foreign state, company, etc.) or a group of compartments.
   Attack vector     An attack vector is any kind of attack tool, software (ex: trojan) or hardware (ex: USB bug).

DNI tool : Digital Network Intelligence, the NSA term for the collection of data from the Internet (from https://en.wikipedia.org/wiki/DNI). Corresponds to family:collect.

Note : Families

   For category:programs :
   Collect             A collection program attempts to retrieve signal by any means necessary (either global or local)
   Process           Such a program receives raw data (think packets), attempts to read from it and stores this information in a database
   Database          Stores data for later use
   Target              Once the processed signal is stored, targeting allows the analyst to find new targets
   Attack              Once a target is found, it is attacked in order to collect more information


   For category:attack vector
   software          Any bytecode executed on a target computer (ex: Trojan, keylogger, etc.)
   hardware         Any physical device deployed in the target environment (ex: USB or video cable implant)
   network           Any network operation executed on target network traffic (ex: packet manipulation, stream injection)


Note : Online documentation As with any kind of work, we rely on others' work. You'll find a number of links at the end of this document that will help you to dig / understand in case of need.

NO REF:

   BACONRIDGE (NSA datacenter in St. Antonio, TX) BANANAGLEE (DNT software exploit. Related to TAO, https://www.schneier.com/blog/archives/2013/12/more_about_the.html)   BLACKPEARL  BLINDDATE  BSR  BULLDOZER  Byzantine Anchor (BA)  Byzantine Candor (BC)  Byzantine Hades (BH) BANYAN  BELLTOPPER BELLVIEW BINOCULAR BLACKFOOT BLACKMAGIC BLACKWATCH BULLSEYE
   CANDYGRAM  CDR Diode  CHIMNEYPOOL   CONJECTURE  CONOP  COTS   CROSSBEAM  CRUMPET Covert network (CCN)  CRYPTO ENABLED   CW  CYCLONE Hx9  CADENCE  CANNON LIGHT CARBOY II CARILLION  CASPORT CENTERMASS  CHALKFUN  CHASEFALCON CHEWSTICK CHIPPEWA  CIMBRICINEPLEX CLOUD   COASTLINE  CREDIBLE CREST  CRISSCROSS
   DANDERSPRIT  DANDERSPRITZ  DIETYBOUNCE  DOCKETDICTATE  DOGCOLLAR DANCINGOASIS DANGERMOUSE DECKPIN DELTA  DIKTER DISHFIRE DRAGONFLY DRUID DYNAMO
    EBSR  ENTOURAGE  EPICFAIL EWALK
     FERRETCANNON  FET  FINKDIFFERENT (FIDI)  FIREWALK  FLUXBABBIT  FLYING PIG  FOXSEARCH  FREEFLOW  FREEZEPOST  FRIEZERAMP  FUNNELOUT FACELIFT FALLOUT FASCIA FISHBOWL FOXTRAIL
    GALAXY  GECKO II  GENESIS  GEOFUSION  GINSU  GOPHERSET  GOURMETTROUGH  GREAT EXPECTATIONS GAMUT  GENTE GLOBAL BROKER
    HALLUXWATER  HAMMERMILL  HC12  HEADWATER  HOLLOWPOINT  HOWLERMONKEY (HM)  HOWLERMONKRY  HUSH PUPPY HERCULES  HOMEBASE
    ISLANDTRANSPORT  INTELINK ISHTAR IVY BELLS
    JETPLOW  JUNIORMINT  
    KONGUR  KLONDIKE (KDK)
    LANDSHARK  LEGION (JADE)  LEGION (RUBY)  LFS-2  LHR   LOUDAUTO LITHIUM LONGHAUL
    MAESTRO  MCM  MIDDLEMAN  MJOLNIR  MOCCASIN  MONKEYCALENDAR  MULLENIZE  MUTANT BROTH  MAGIC LANTERN  MAILORDER MAIN CORE MAUI MESSIAH METTLESOME  MORAY 
    NEBULA  NEWTONS CRADLE  NIGHTWATCH 
    OCONUS  OLYMPUS  OMNIGAT  ONIONBREATH  OSMJCM-II  OILSTOCK  OCTAVE OCTSKYWARD ONEROOF OSCAR
    PARCHDUSK  PHOTOANGLO  PICASSO  PPM  PROTOSS  PSP PLUS  PROTON PUZZLECUBE PAWLEYS PITCHFORD PENDLETON PICARESQUE PIEDMONT. PAINTEDEAGLE 
      QIM/JMSQ   QUICKANT   
      REMATION II  Retro reflector  RETURNSPRING  ROCKYKNOB  RONIN
      SDR  SEAGULLFARO  SERUM  SHARPFOCUS (SF2)  SHORTSHEET SLICKERVICAR  SNEAKERNET  SOUFFLETROUGH  SPARROW II  SPECULATION  SSG   STRAITBAZARRE  STRAITBIZARRE (SB)  TRIKEZONE  STRONGMITE    STUXNET  SURPLUSHANGAR  SUTURESAILOR  SWAP SABRE SEMESTER SETTEE  SHARKFIN  SOLIS  SPHINX SPINNERET SPOKE  SPOTBEAM STEELKNIGHT STONE STUMPCURSOR  SURREY SCHOOLMONTANA SIERRAMONTANA SEASONEDMOTH STRAITBAZZARE SSP (Mexican Public Security Secretariat, http://www.spiegel.de/fotostrecke/nsa-dokumente-die-abteilung-tao-der-nsa-fotostrecke-105355-6.html related to TAO)
    TLN  TOTECHASER  TOTEGHOSTLY TRINITY    TUNING FORK    TUROPANDA  TWISTEDKILT TALENT KEYHOLE (TK) TALK QUICK TAPERLAY TAROTCARD TEMPEST TREASUREMAP TRIBUTARY TRINE TUNINGFORK TUSKATTIRE
    UMBRA UNIFORM
    WHITETAMALE  WEALTHYCLUSTER WRANGLER WEBCANDID WHITEBOX
     XCONCORD
   ZESTYLEAK


A

AGILEVIEW

""Short Description"" : NSA internet information tool or database / digital network intelligence tools (DNI tool) ""Category"" : program ""Family"" :collect ""Related items"" : ""Status"" :

AGILITY

""Short Description"" : NSA internet information tool or database / digital network intelligence tools (DNI tool) ""Category"" : program ""Family"" :collect ""Related items"" : ""Status"" :

AIGHANDLER

""Short Description"" : Geolocation analysis (?). ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

AIRGAP/COZEN

""Short Description"" : Priority missions tool used to determine SIGINT gaps ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

AIRSTEED

""Short Description"" : Cell phone tracking program of the Global Access Operations (GAO) ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

ALPHA

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

ALTEREGO

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

AMBULANT

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

ANCHORY

""Short Description"" : NSA software system which provides web access to textual intelligence documents ""Category"" : program ""Family"" : database ""Related items"" : ""Status"" : ""Links"" :


ANGRYNEIGHBOR

""Short Description"" : ""Category"" : attack vector ""Family"" : ""Related items"" : CW SURLYSPAWN RAGEMASTER DROPMIRE LOUDAUTO ""Status"" :

APERIODIC

""Short Description"" : ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

AQUADOR

""Short Description"" : ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

ARGON

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

ARKSTREAM

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

ARTEMIS

""Short Description"" : Geospatial analysis ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

ASSOCIATION

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

AUNTIE

""Short Description"" : ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

AUTOSOURCE

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : ""Status"" :

B

BACONRIDGE

""Short Description"" : Installation of TAO in St. Antonio, TX. 270 personnel, 210 workstations. ""Category"" : ""Family"" : ""Related items"" : Tailored Access Operations ""Links"" :

  • Der Spiegel: Geheimdokumente: Die Spezialabteilung TAO der NSA stellt sich vor (http://www.spiegel.de/fotostrecke/nsa-dokumente-die-abteilung-tao-der-nsa-fotostrecke-105355-14.html)


BEACHHEAD

""Short Description"" :Computer exploit delivered by the system. ""Category"" : attack vector ""Family"" : network ""Related items"" : FERRETCANNON FOXACID ""Links"" :

  • Schneier: The NSA's New Risk Analysis

BLACKHEART

""Short Description"" : collection from FBI implant. ""Category"" : program ""Family"" : collect ""Related items"" : ""Links"" :

BLARNEY

""Short Description"" : BLARNEY (US-984 and US-984X). The collection takes place at top-level telecommunications facilities within the United States, choke points through which most traffic will flow, including wireless. This type of surveillance is referred to as "UPSTREAM Collection". ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

BLUEANCHOR

""Short Description"" :Partner providing a network access point for the YACHTSTOP program ""Category"" : program ""Family"" : ""Related items"" : YACHTSTOP ""Status"" :

BLUEZEPHYR

""Short Description"" : US-3277, subprogram of OAKSTAR ""Category"" : program ""Family"" : ""Related items"" : OAKSTAR ""Status"" :

BOUNDLESSINFORMANT

""Short Description"" : BOUNDLESSINFORMANT is a big data analysis and data visualization system used by the NSA to give managers summaries of the NSA's worldwide data collection activities. According to a Top Secret heat map display also published by The Guardian and produced by the Boundless Informant program, almost 3 billion data elements from inside the United States were captured by the NSA over a 30-day period ending in March 2013. Data analyzed by BOUNDLESSINFORMANT includes electronic surveillance program records (DNI) and telephone call metadata records (DNR) stored in an NSA data archive called GM-PLACE. It does not include FISA data, according to the FAQ memo. PRISM, a government codename for a collection effort known officially as US-984XN, which was revealed at the same time as BOUNDLESSINFORMANT, is one source of DNR data. According to the map, BOUNDLESSINFORMANT summarizes data records from 504 separate DNR and DNI collection sources (SIGADs). In the map, countries that are under surveillance are assigned a color from green, representing least coverage, to red, most intensive. ""Category"" : program ""Family"" : process ""Related items"" : ""Status"" : ""Links"" :

  • Guardian : Boundless Informant: the NSA's secret tool to track global surveillance data

BULLRUN

""Short Description"" : BULLRUN is a clandestine, highly classified decryption program run by the NSA. The British signals intelligence agency Government Communications Headquarters (GCHQ) has a similar program codenamed EDGEHILL. Access to the program is limited to a group of top personnel at the Five Eyes (FVEY), NSA and the signals intelligence agencies of Britain, Canada, Australia, and New Zealand. Signals that cannot be decrypted with current technology may be retained indefinitely while the agencies continue to attempt to decrypt them.

"Documents show that the N.S.A. has been waging a war against encryption using a battery of methods that include working with industry to weaken encryption standards, making design changes to cryptographic software, and pushing international encryption standards it knows it can break." (The New York Times) ""Category"" : program ""Family"" : process ""Related items"" : APERIODIC, AMBULANT, AUNTIE, PAINTEDEAGLE, PAWLEYS, PITCHFORD, PENDLETON, PICARESQUE, PIEDMONT ""Status"" : ""Links"" :

C

CDRDIODE

""Short Description"" : It is the name for a protective device that enables the intercepted data to flow to the NSA without enabling an attacker to use the same path to compromise the NSA or travel further toward identification. The tentative explanation is that when some data comes from the low side (insecure) toward the high side (secure) of the NSA infrastructure so that it can be read by analysts at the NSA Remote Operation Center (ROC), it needs to go through that CDRDIODE. ""Category"" : ""Family"" : ""Related items"" : IRATEMONK WISTFULTOLL ""Status"" : ""Links"" :

COBALTFALCON

""Short Description"" : US-3354, Subprogram of OAKSTAR. ""Category"" : program ""Family"" : ""Related items"" :OAKSTAR ""Status"" :

COMMONDEER

""Short Description"" : ""Category"" : attack vector ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

CONTRAOCTAVE

""Short Description"" : ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

CONVEYANCE

""Short Description"" : CONVEYANCE is a final layer of filtering to reduce the intake of information about Americans. It provides filtering for PRISM and filters the voice content processed by S3132. CONVEYANCE's information is stored in NUCLEON. ""Category"" : program ""Family"" : process ""Related items"" : PRISM NUCLEON ""Status"" : ""Links"" :

  • [7] NSA slides explain the PRISM data-collection program

COTTONMOUTH-1

""Short Description"" : will provide air-gap bridging, software persistence capability, "in-field" reprogrammability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-1 will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-1 will be a GENIE-compliant based on CHIMNEYPOOL. CM-1 conceals digital components (TRINITY), USB 1.1 FS hub, switches, and HOWLERMONKEY (HM) RF Transceiver within the USB Series-A cable connector. MOCCASIN is the version permanently connected to a USB keyboard. Another version can be made with an unmodified USB connector at the other end. CMH-I has the ability to communicate to other CM devices over the RF link using an over-the-air protocol called SPECULATION. ""Category"" : ""Family"" : ""Related items"" : COTTONMOUTH ""Status"" : ""Links"" :

COTTONMOUTH-2

""Short Description"" : will provide air-gap bridging, software persistence capability, "in-field" reprogrammability, and covert communications with a host software implant over the USB. The RF link will enable command and data infiltration and exfiltration. CM-1 will also communicate with Data Network Technologies (DNT) software (STRAITBIZARRE) through a covert channel implemented on the USB, using this communication channel to pass commands and data between hardware and software implants. CM-1 will be a GENIE-compliant based on CHIMNEYPOOL. CM-1 conceals digital components (TRINITY), USB 2.0 HS hub, switches, (...?) ""Category"" : ""Family"" : ""Related items"" : COTTONMOUTH ""Status"" : ""Links"" :

COTTONMOUTH-3

""Short Description"" : ""Category"" : ""Family"" : ""Related items"" : COTTONMOUTH ""Status"" : ""Links"" :

COURIERSKILL

""Short Description"" : Collection mission system. ""Category"" : ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

CRYPTOENABLED

""Short Description"" :collection derived from AO's efforts to enable crypto. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" : [8] La diplomatie Française sur écoute aux États-unis

CUSTOMS

""Short Description"" : customs opportunities (not LIFESAFER) ""Category"" : ""Family"" : ""Related items"" : ""Links"" :

CTX4000

""Short Description"" : the CTX4000 is a portable continuous wave radar unit, it can be used to illuminate a target system to recover different off net information. Primary uses include VAGRANT and DROPMIRE collection. (see also CW) ""Category"" : attack vector ""Family"" : hardware ""Related items"" : VAGRANT DROPMIRE ""Status"" : ""Links"" :

CW

""Short Description"" : Continuous Wave, aka CW, is a continuous radio signal (like the CTX4000) sent toward a target so that the reflected radio wave is modulated by the signal to intercept. It's the default interception mechanism of the NSA for voice, PS2 and USB keyboard keypresses, exfiltrated data, network traffic and any kind of data the NSA is interested in extracting from a target. It's a very advanced attack where a radar sends a CW toward a target covertly equipped with an eavesdropping bug called a RETROREFLECTOR, which modulates the original CW signal and re-radiates this modulated CW so that it can be picked up by the emitting radar. The benefit of this technique is that there is no need for the eavesdropping bug to generate a radio signal, and therefore no need for huge batteries or power. It also means that the bug can be turned on and off remotely, providing an easy way to turn off the bug when a bug sweep detection team is trying to locate it. The downside is that it's dangerous for health, as the radar signal between 1 GHz and 6 GHz can be harmful to humans and cause illness and cancer, as it did numerous times in the past since the first time it was detected in the US Embassy in Moscow, Russia. ""Category"" : attack vector ""Family"" : hardware ""Related items"" : ANGRYNEIGHBOR CTX4000 RAGEMASTER VAGRANT ""Status"" : ""Links"" :

D

DARKTHUNDER

""Short Description"" :SSO Corporate/ TAO (Tailored Access Operations) Shaping A SIGAD used for TAO, and thus QUANTUM, FOXACID. ""Category"" : ""Family"" : ""Related items"" : QUANTUM, FOXACID ""Status"" :

DEITYBOUNCE

""Short Description"" : DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and XP. It currently targets Dell PowerEdge 1850/2850/1950/2950 RAID servers, using BIOS versions A02, A05, A06, 1.1.0, 1.2.0, or 1.3.7. Through remote access or interdiction, ARKSTREAM is used to reflash the BIOS on a target machine to implant DEITYBOUNCE and its payload (the implant installer). Implantation via interdiction may be accomplished by nontechnical operator through use of a USB thumb drive. Once implanted, DEITYBOUNCE's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on. Status: Released / Deployed. Ready for Immediate Delivery ""Category"" : ""Family"" : ""Related items"" : ARKSTREAM ""Status"" : ""Links"" :


DEWSWEEPER

""Short Description"" :USB (Universal Serial Bus) hardware host tap that provides COVERT link over US link into a target network. Operates w/RF relay subsystem to provide wireless Bridge into target network. ""Category"" : ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

  • [12] - Snowden's docs

DROPMIRE

""Short Description"" : Passive collection of emanations using antenna. DROPMIRE aimed at surveillance of foreign embassies and diplomatic staff, including those of NATO allies. NSA leaks show how US is bugging its European allies. The report reveals that at least ""38 foreign embassies"" were under surveillance, some of which as far back as 2007. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

DROPOUTJEEP

""Short Description"" : DROPOUTJEEP is a STRAITBIZARRE-based software implant for the Apple iPhone operating system and uses the CHIMNEYPOOL framework. DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. ""Category"" : program ""Family"" : ""Related items"" : STRAITBIZARRE CHIMNEYPOOL TURBULENCE FREEFLOW ""Status"" : ""Links"" :

DRTBOX

""Short Description"" :Program for intercepting mobile communication networks. France in the NSA's crosshair : phone networks under surveillance.

""Category"" : program ""Family"" : collect ""Related items"" : ""Status"" : ""Links"" :

E

ECI

""Short Description"" : ECI (Extremely Compartmented Intelligence) is an undetermined group of NSA partners ""Category"" : compartment ""Related items"" : BULLRUN PAINTED EAGLE ""Status"" : unknown ""Links"" :


EGOTISTICALGIRAFFE

""Short Description"" : EGOTISTICALGIRAFFE (EGGI) is an NSA program for exploiting the TOR network. ""Category"" : program ""Family"" : attack ""Related items"" : EGOTISTICALGOAT ERRONEOUSINGENUITY ""Status"" : ""Links"" :

EGOTISTICALGOAT

""Short Description"" : EGOTISTICALGOAT (EGGO) is an NSA tool for exploiting the TOR network. ""Category"" : program ""Family"" : attack ""Related items"" : EGOTISTICALGIRAFFE ERRONEOUSINGENUITY ""Status"" : ""Links"" :

ENDUE

""Short Description"" :A COI for sensitive decrypts of the BULLRUN program ""Category"" : ""Family"" : ""Related items"" : BULLRUN ""Status"" : ""Links"" :

ERRONEOUSINGENUITY

""Short Description"" : ERRONEOUSINGENUITY (ERIN) is an NSA tool for exploiting the TOR network. ""Category"" : program ""Family"" : ""Related items"" : EGOTISTICALGIRAFFE EGOTISTICALGOAT ""Status"" :

EVENINGEASEL

""Short Description"" :Program for surveillance of phone and text communications from Mexico's cell phone network. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

  • [18]: NSA Accessed Mexican President's Email

EVILOLIVE

""Short Description"" :Collects internet traffic and data. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

  • [19] - NSA expanded bulk collection of internet data under newly uncovered surveillance programs

F

FAIRVIEW

""Short Description"" : FAIRVIEW (US-990) is a secret mass surveillance programme run by the National Security Agency, aimed at collecting phone, internet and e-mail data in bulk from the computers and mobile telephones of foreign countries' citizens. According to the revelations, the NSA had collected 2.3 billion separate pieces of data from Brazilian users in January 2013 alone. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

FEEDTROUGH

""Short Description"" : FEEDTROUGH is a persistence technique for two software implants, DNT's BANANAGLEE and CES's ZESTYLEAK, used against Juniper Netscreen firewalls. https://www.schneier.com/blog/archives/2014/01/feedtrough_nsa.html ""Category"" : program ""Family"" : ""Related items"" : BANANAGLEE ZESTYLEAK ""Status"" : ""Links"" :

FOXACID

""Short Description"" : FOXACID identifies TOR users on the Internet and then executes an attack against their Firefox web browser.

  1. The NSA finds Tor users via programs codenamed STORMBREW, FAIRVIEW, OAKSTAR and BLARNEY.
  2. The NSA creates "fingerprints" that detect HTTP requests from the Tor network to particular servers.
  3. These fingerprints are loaded into NSA database systems like XKEYSCORE.
  4. Using powerful data analysis tools with codenames such as TURBULENCE, TURMOIL and TUMULT, the NSA automatically looks for Tor connections.
  5. After the identification, the NSA uses its network of secret Internet servers to redirect those users to another set of secret Internet servers, with the codename FOXACID, to infect the user's computer.
  6. Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.

See QUANTUM for the Man-in-the-middle. ""Category"" : program ""Family"" : ""Related items"" :OAKSTAR QUANTUM STORMBREW FAIRVIEW OAKSTAR BLARNEY TURBULENCE TURMOIL TUMULT XKEYSCORE ""Status"" : ""Links"" :

  • Schneier: How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID
  • [20] NSA repeatedly tries to unpeel TOR anonymity and spy on users, memos show
  • [21] How the NSA Is Trying to Sabotage a U.S. Government-Funded Countersurveillance Tool
  • Spiegel.de (http://www.spiegel.de/fotostrecke/qfire-die-vorwaertsverteidigng-der-nsa-fotostrecke-105358.html)

G

GENIE

""Short Description"" : spyware implants

""Category"" : attack vector ""Family"" : network ""Related items"" : ""Status"" : projected ? ""Links"" :


GHOSTMACHINE

""Short Description"" :GHOSTMACHINE is the NSA's SSO (Special Source Operations) cloud analytics platform. ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

GODSURGE

""Short Description"" : runs on the FLUXBABBIT hardware implant and provides software application persistence on Dell PowerEdge servers by exploiting the JTAG debugging interface of the server's processors. ""Family"" : attack vector ""Related items"" : ""Status"" : ""Links"" :

H

HIGHLANDS

""Short Description"" : spyware implants. ""Category"" : attack vector ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

HIGHTIDE/SKYWRITER

""Short Description"" : Desktop dashboard ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

HOWLERMONKEY

""Short Description"" : It takes as little as 30 minutes to install some of the NSA's new wireless bugs (one of which uses a so-called HOWLERMONKEY transmitter to fit into the victim's USB plug, with no visible profile). ""Family"" : attack vector ""Category"" : ""Related items"" : ""Status"" : ""Links"" :

I

IRATEMONK

""Short Description"" : provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution. This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor and Samsung hard drives. Through remote access or interdiction, UNITEDRAKE or STRAITBAZZARE are used in conjunction with SLICKERVICAR to upload the hard drive firmware onto the target machine to implant IRATEMONK and its payload (the implant installer). Once implanted, IRATEMONK's frequency of execution (dropping the payload) is configurable and will occur when the target machine powers on. ""Category"" : attack vector ""Family"" : collect ""Related items"" : UNITEDRAKE STRAITBAZZARE SLICKERVICAR ""Status"" : ""Links"" :

IRONCHEF

""Short Description"" : IRONCHEF provides access persistence to target systems by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to communicate with a hardware implant that provides two-way RF communication. This technique supports the HP Proliant 380DL G5 server, onto which a hardware implant has been installed that communicates over the I2C Interface WAGONBED. Through interdiction, IRONCHEF, a software CNE implant and the hardware implant are installed onto the system. If the software CNE implant is removed from the target machine, IRONCHEF is used to access the machine, determine the reason for removal of the software, and then reinstall the software from a listening post to the target system. ""Family"" : attack vector ""Category"" : attack ""Related items"" : WAGONBED, TAO ""Status"" : ""Links"" :

  • IRONCHEF - ANT product data (http://leaksource.files.wordpress.com/2013/12/nsa-ant-ironchef.jpg)

J

JUGGERNAUT

""Short Description"" :Picks up all signals from mobile networks. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" : [25] Photo Gallery: NSA Documentation of Spying in Germany

L

LIFESAVER

""Short Description"" : Imaging of the Hard Drive. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :


LOPERS

""Short Description"" :LOPERS is a software application for Public Switched Telephone Networks. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

M

MADCAPOCELOT

""Short Description"" :Subprogram (US-3140 (PDDG:TM)) of STORMBREW - DNI and metadata through XKEYSCORE, PINWALE and MARINA. ""Category"" : program ""Family"" : ""Related items"" : STORMBREW PINWALE MARINA XKEYSCORE ""Status"" :

MAGNETIC

""Short Description"" :sensor collection of magnetic emanations. ""Category"" : program ""Family"" : collect ""Related items"" : ""Status"" : ""Links"" :


MAINWAY

""Short Description"" : MAINWAY is a database maintained by the NSA containing metadata for hundreds of billions of telephone calls made through the four largest telephone carriers in the United States: AT&T and Verizon.

It is estimated that the database contains over 1.9 trillion call-detail records. The records include detailed call information (caller, receiver, date/time of call, length of call, etc.) for use in traffic analysis and social network analysis, but do not include audio information or transcripts of the content of the phone calls. Similar programs exist or are planned in other countries, including Sweden (Titan traffic database) and Great Britain (Interception Modernisation Programme).

""Category"" : program ""Family"" : database ""Related items"" : ""Status"" : ""Links"" :


MARINA

""Short Description"" : MARINA is a metadata database for the NSA; it aggregates NSA metadata from a large number of sources. Any computer metadata picked up by the NSA is routed into this system. MARINA tracks browser data, gathering contacts and contents of a user. MARINA can look in the last 365 days of DNI such as page requests, emails, voice over IP, pictures (by webcam), list of logins/passwords for each "contact" (and not "target")... ""Category"" : program ""Family"" : database ""Related items"" : ""Status"" : ""Links"" :

MINERALIZE

""Short Description"" : collection from LAN Implant ""Category"" : program ""Family"" : collect ""Related items"" : ""Status"" : ""Links"" :

MONKEYROCKET

""Short Description"" :Sub-program of OAKSTAR, aka US-3206 (PDDG:6T). ""Category"" : program ""Family"" : ""Related items"" :OAKSTAR ""Status"" :

MOONLIGHTPATH

""Short Description"" : MOONLIGHTPATH is a Special Source Operations (SSO) program maintained by the NSA. It is a collection program to query metadata, started in September 2013 ""Category"" : ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

  • [27] How the NSA is still harvesting your online data

MUSCULAR

""Short Description"" :MUSCULAR is a tool to exploit the data links from Google and Yahoo, operated jointly by the National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ). They are copying entire data flows across fiber-optic cables that carry information among the data centers. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

N

NIGHTSTAND

""Short Description"" : Standalone tool currently running on an x86 laptop loaded with Linux Fedora Core 3. Exploitable targets include Win2k, WinXP, WinXPSP1, WinXPSP2 running Internet Explorer versions 5.0-6.0. NIGHTSTAND packet injection can target one client or multiple targets on a wireless network. Attack is undetectable by the user. Use of external amplifiers and antennas in both experimental and operational scenarios has resulted in successful NIGHTSTAND attacks from as far away as eight miles under ideal environmental conditions. ""Category"" : attack vector ""Family"" : network ""Related items"" : ""Status"" : ""Links"" :

NUCLEON

""Short Description"" : NUCLEON is a database maintained by the NSA which intercepts telephone calls and routes the spoken words. ""Category"" : program ""Family"" : database ""Related items"" : ""Status"" : ""Links"" :

O

OAKSTAR

""Short Description"" : OAKSTAR is a secret internet surveillance program of the National Security Agency (NSA) of the United States. It was disclosed in 2013 as part of the leaks by former NSA contractor Edward Snowden. OAKSTAR is an umbrella program involving surveillance of telecommunications. It falls under the category of "UPSTREAM collection," meaning that data is pulled directly from fiber-optic cables and top-level communications infrastructure.

UPSTREAM collection programs allow access to very high volumes of data, and most of the pre-selection is done by the providers themselves, before the data is passed on to the NSA. The FY 2013 budget for OAKSTAR is $9.41 million. ""Category"" : program ""Family"" : ""Related items"" : BLUEANCHOR BLUEZEPHYR COBALTFALCON MARINA MONKEYROCKET ORANGEBLOSSOM ORANGECRUSH SILVERZEPHYR SHIFTINGSHADOW STEELKNIGHT UPSTREAM YACHTSHOP ""Status"" : ""Links"" :

OCEAN

""Short Description"" : optical collection system for Raster-Based computer screens ""Category"" : program ""Family"" : collect ""Related items"" : ""Status"" : ""Links"" :


OCEANARIUM

""Short Description"" : Database for SIGINT from NSA and intelligence sharing partners around the world ""Category"" : program ""Family"" : database ""Related items"" : ""Status"" :

OCELOT

""Short Description"" : Actual name: MADCAPOCELOT, a sub-program of STORMBREW for collection of internet metadata about Russia and European counterterrorism. MADCAPOCELOT uses DNI from XKEYSCORE, PINWALE and MARINA. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

OLYMPUS

""Short Description"" : OLYMPUS (OLYMPUSFIRE ?) is an exploitation system that uses a software implant on a Microsoft Windows based target PC to gain complete access to the targeted PC. The target, when connected to the Internet, will contact a Listening Post (LP) located at an NSA/USSS facility, which is online 24/7, and get its commands automatically. These commands include directory listings, retrieving files, performing netmaps, etc. The results of the commands are then returned to the LP, where the data is collected and forwarded to CES and analysis and production elements. ""Category"" : attack vector ""Family"" : collect ""Related items"" : VALIDATOR ""Status"":

ORANGEBLOSSOM

""Short Description"" :Sub-program of OAKSTAR for collection from an international transit switch (sigad: US-3251) ""Category"" : program ""Family"" : collect ""Related items"" : OAKSTAR ""Status"" :

ORANGECRUSH

""Short Description"" :Subprogram of OAKSTAR, aka US-3230 (PDDG:0B). ""Category"" : program ""Family"" : ""Related items"" :OAKSTAR ""Status"" :

P

PATHFINDER

""Short Description"" :PATHFINDER is a SIGINT analysis tool made by Science Applications International Corporation (SAIC), a new US company headquartered in McLean, Virginia that provides government services and information technology support. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" :

PEDDLECHEAP

""Short Description"" : subprogram of FERRETCANNON and FOXACID. ""Category"" : attack vector ""Family"" : network ""Related items"" : FERRETCANNON FOXACID. ""Status"" : ""Links"" :

PINWALE

""Short Description"" : PINWALE is the code name for an NSA database of archived foreign and domestic e-mails it has collected under its SIGINT efforts. It is searchable by monitored NSA analysts. Its existence was first revealed by an NSA analyst who was trained to use it during 2005. However, according to Homeland Security Today, PINWALE has in it much more than email; it also contains other forms of Internet data, and other forms of digital communications as well. Its software has built-in protections against collecting from any of the Five Eyes members. Unlike its successor XKEYSCORE, targets for PINWALE have to be approved beforehand by the United States Foreign Intelligence Surveillance Court (FISC). ""Category"" : program ""Family"" : database ""Related items"" : ""Status"" : ""Links"" :


PRISM

""Short Description"" : PRISM (US-984XN) is a clandestine mass electronic surveillance data mining program known to have been operated by the United States National Security Agency (NSA) since 2007. PRISM is a government code name for a data-collection effort. The PRISM program collects stored Internet communications based on demands made to Internet companies such as Google Inc. and Apple Inc. under Section 702 of the FISA Amendments Act of 2008 to turn over any data that match court-approved search terms. The NSA can use these PRISM requests to target communications that were encrypted when they traveled across the Internet backbone, to focus on stored data that telecommunication filtering systems discarded earlier, and to get data that is easier to handle, among other things. The program is operated under the supervision of the U.S. Foreign Intelligence Surveillance Court (FISA Court, or FISC) pursuant to the Foreign Intelligence Surveillance Act (FISA). Documents indicate that PRISM is "the number one source of raw intelligence used for NSA analytic reports", and it accounts for 91% of the NSA's Internet traffic acquired under FISA section 702 authority. The leaked information came to light one day after the revelation that the FISA Court had been ordering a subsidiary of telecommunications company Verizon Communications to turn over to the NSA logs tracking all of its customers' telephone calls on an ongoing daily basis. ""Category"" : program ""Family"" : process ""Related items"" : TRAFFICTHIEF MARINA MAINWAY FALLOUT PINWALE CONVEYANCE NUCLEON ""Status"" : active ""Links"" :


Q

QFIRE

""Short Description"" : TURMOIL (Deep Packet Inspection) and TURBINE (Deep Packet Injection) combined with additional infrastructure that they co-opt through pwnage of routers and other operations ""Category"" : attack vector ""Family"" : network ""Related items"" : TURMOIL TURBINE ""Status"" : ""Links"" :

QUANTUM

""Short Description"" : To trick targets into visiting a FOXACID server, the NSA relies on its secret partnerships with US telecoms companies. As part of the TURMOIL system, the NSA places secret servers, codenamed QUANTUM, at key places on the Internet backbone for a man-in-the-middle (or a man-in-the-side). The NSA uses these fast QUANTUM servers to execute a packet injection attack, which surreptitiously redirects the target to the FOXACID server. ""Category"" : attack vector ""Family"" : network ""Related items"" : FOXACID QUANTUMBOT QUANTUMCOPPER QUANTUM INSERT QUANTUMCOOKIE QUANTUMNATION QUANTUMSKY QUANTUMTHEORY ""Status"" : active ""Links"" :

  • Schneier: How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID
  • ArsTechnica - NSA repeatedly tries to unpeel Tor anonymity and spy on users, memos show
  • Slate.com - How the NSA Is Trying to Sabotage a U.S. Government-Funded Countersurveillance Tool
  • Spiegel.de: Britain's GCHQ Hacked Belgian Telecoms Firm

QUANTUMBOT

""Short Description"" : hijack IRC bot (--> botnet?) ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID ""Status"" : active ""Links"" :

QUANTUMCOPPER

""Short Description"" : a.k.a. the great firewall of earth (like the Great Firewall of China) ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID ""Status"" : active ""Links"" :

QUANTUMCOOKIE

""Short Description"" : force cookies onto target browsers ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID ""Status"" : attack vector ""Links"" :

QUANTUM INSERT

""Short Description"" : It appears to be a method with which the person being targeted, without their knowledge, is redirected to websites that then plant malware on their computers that can then manipulate them. Some of the employees whose computers were infiltrated had "good access" to important parts of Belgacom's infrastructure, and this seemed to please the British spies, according to the slides. ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID ""Status"" : attack vector ""Links"" :

QUANTUMNATION

""Short Description"" : ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID VALIDATOR COMMONDEER ""Status"" : active ""Links"" :

QUANTUMSKY

""Short Description"" : ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID ""Status"" : active ""Links"" :

QUANTUMTHEORY

""Short Description"" : ""Category"" : attack vector ""Family"" : network ""Related items"" : QUANTUM FOXACID SEASONMOTH ""Status"" : active ""Links"" :

R

RADON

""Short Description"" : Bi-directional host tap that can inject Ethernet packets onto the same targets. Allows bi-directional exploitation of denied networks using standard on-net tools. ""Category"" : attack vector ""Family"" : network ""Related items"" : ""Status"" : ""Links"" :

RAGEMASTER

""Short Description"" : provides a target for RF flooding and allows for easier collection of the VAGRANT video signal. The current RAGEMASTER unit taps the red video line on the VGA cable. It was found that, empirically, this provides the best video return and cleanest readout of the monitor contents. When the RAGEMASTER is illuminated by a radar unit, the illuminating signal is modulated with the red video information. This information is re-radiated, where it is picked up at the radar, demodulated, and passed onto the processing unit, such as a LFS-2 and an external monitor. ""Category"" : program ""Family"" : collect ""Related items"" : NIGHTWATCH GOTHAM VIEWPLATE ""Status"" : ""Links"" :


RAGTIME

""Short Description"" :RAGTIME (RT) is the code name of four secret surveillance programs conducted by the National Security Agency (NSA) of the United States. These special programs are conducted under the code name RAGTIME (also abbreviated as RT), and are divided into several subcomponents (RAGTIME-A, RAGTIME-B, RAGTIME-C, and RAGTIME-P). It's said that about 50 companies have provided data to this domestic collection program.

  • RAGTIME-A : counterterrorism
  • RAGTIME-B :
  • RAGTIME-C : counterproliferation activities (like WMD, nuclear, biological, chemical).
  • RAGTIME-P (P -> Patriot Act ?) : warrantless wiretapping

""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

RAMPART

""Short Description"" : RAMPART (or RAMPART-T) is an NSA operational branch that intercepts heads of state and their closest aides. Known divisions are RAMPART-A, RAMPART-I and RAMPART-T, which focuses on foreign governments. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

ROC

""Short Description"" : The NSA TAO Remote Operation Center (ROC) is their intelligence exploitation center. It is supposed to be distributed around the world, with suspected locations such as Dagger Complex, Griesheim, Darmstadt, Germany; San Antonio, Texas, USA; etc. According to Wikipedia:

TAO's headquarters are termed the Remote Operations Center (ROC) and are based at Fort Meade, Maryland. TAO has also expanded to NSA Hawaii (Wahiawa, Oahu), NSA Georgia (Fort Gordon, Georgia), NSA Texas (Medina Annex, San Antonio, Texas), and Buckley Air Force Base, Denver. ""Category"" : compartment ""Family"" : ""Related items"" : TAO ""Status"" : ""Links"" :

  • [33] on wikipedia.org

S

SENTINEL

""Short Description"" :Sentinel is a National Security Agency (NSA) security filter for SYBASE databases which provides multi-level security down to the row level. ""Category"" : program ""Family"": database ""Related items"" : ""Status"" : ""Links"" :

SHELLTRUMPET

""Short Description"" : SHELLTRUMPET is an NSA metadata processing program which shows the scale of the NSA's metadata collection. ""Category"" : program ""Family"" : process ""Related items"" : ""Status"" : ""Links"" :

SHIFTINGSHADOW

""Short Description"" : Subprogram of OAKSTAR, aka US-3217 (PDDG:MU) ""Category"" : program ""Family"" : ""Related items"" : OAKSTAR ""Status"" :

SILVERZEPHYR

""Short Description"" :Subprogram of OAKSTAR, aka US-3257 (PDDG:SK), DNR (metadata, voice, fax), DNI (content, metadata) ""Category"" : program ""Family"" : ""Related items"" :OAKSTAR STEELKNIGHT ""Status"" :

SOMBERKNAVE

""Short Description"" : SOMBERKNAVE is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network via an unused embedded 802.11 network device. If an Internet-connected wireless access point is present, SOMBERKNAVE can be used to allow OLYMPUS or VALIDATOR to "call home" via 802.11 from an air-gapped target computer. If the 802.11 interface is in use by the target, SOMBERKNAVE will not attempt to transmit. ""Category"" : attack vector ""Family"" : software ""Related items"" : OLYMPUS VALIDATOR ""Status"" : ""Links"" :


SSO

""Short Description"" : Special Site Operation: a physical place from which the NSA executes attacks such as QUANTUMINSERT. Typically a US embassy with one or several of these: antennas, network connections, radio patch antennas, etc. ""Category"" : ""Family"" : ""Related items"" : QUANTUMINSERT ""Status"" :

STEELFLAUTA

""Short Description"" : SSO Corporate/ TAO (Tailored Access Operations) Shaping ""Category"" : ""Family"" : ""Related items"" : ""Status""

STELLARWIND (STLW)

""Short Description"" : STELLARWIND is the code name of a Sensitive Compartmented Information security compartment for information collected under the President's Surveillance Program (PSP). This was a program by the United States National Security Agency (NSA) during the presidency of George W. Bush and revealed by Thomas Tamm to The New York Times in 2008. The operation was approved by President George W. Bush shortly after the September 11 attacks in 2001. STELLARWIND was succeeded during the presidency of Barack Obama by four major lines of intelligence collection in the territorial United States together capable of spanning the full range of modern telecommunications. The program's activities involved data mining of a large database of the communications of American citizens, including e-mail communications, phone conversations, financial transactions, and Internet activity. ""Category"" : program ""Family"" : collect ""Related items"" : BLARNEY ""Status"" : Stopped end 2011, see EVILOLIVE. ""Links"" :

STORMBREW

""Short Description"" : STORMBREW (aka US-983 (PDDG:FL)) is an umbrella program involving surveillance of telecommunications. It falls under the category of "UPSTREAM collection," meaning that data is pulled directly from fiber-optic cables and top-level communications infrastructure. There is also a SIGAD of the same name, which is described as a "key corporate partner." A map shows that the collection is done entirely within the United States. This corporate partner has servers in Washington, California, Texas, Florida, and in or around New York, Virginia, and Pennsylvania. UPSTREAM collection programs allow access to very high volumes of data, and most of the pre-selection is done by the providers themselves, before the data is passed on to the NSA. ""Category"" : program ""Family"" : ""Related items"" : MADCAPOCELOT, STORMBREW, PINWALE, MARINA UPSTREAM XKEYSCORE ""Status"" : ""Links"":

STUCCOMONTANA

""Short Description"" : provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system - including physically replacing the router's compact flash card. ""Category"" : attack vector ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

SURLYSPAWN

""Short Description"" : Has the capability to gather keystrokes without requiring any software running on the targeted system. It also only requires that the targeted system be touched once. The retro-reflector is compatible with both USB and PS/2 keyboards. The simplicity of the design allows the form factor to be tailored for specific operational requirements. ""Category"" : program ""Family"" : collect ""Related items"" : ANGRYNEIGHBOR, TAO ""Status"" : ""Links"" :

T

TAWDRYYARD

""Short Description"" : TAWDRYYARD is used as a beacon, typically to assist in locating and identifying deployed RAGEMASTER units. The current design allows it to be detected and located quite easily within a 5°' radius of the radar system being used to illuminate it. It allows a standard lithium coin cell to power it for months or years. The simplicity of the design allows the form factor to be tailored for specific operational requirements. Future capabilities being considered are return of GPS coordinates and a unique target identifier, and automatic processing to scan a target area for the presence of TAWDRYYARDs. All components are COTS and so are non-attributable to NSA. ""Category"" : program ""Family"" : target ""Related items"" : RAGEMASTER ""Status"" : ""Links"" :

THINTREAD

""Short Description"" : THINTREAD is the name of a project that the NSA pursued during the 1990s. The program involved wiretapping and sophisticated analysis of the resulting data, but according to the article, the program was discontinued three weeks before the September 11, 2001 attacks due to the changes in priorities and the consolidation of U.S. intelligence authority. The "change in priority" consisted of the decision made by the director of NSA General Michael V. Hayden to go with a concept called TRAILBLAZER, despite the fact that THINTREAD was a working prototype that protected the privacy of U.S. citizens. THINTREAD was dismissed and replaced by the TRAILBLAZER Project. ""Category"" : program ""Family"" : ""Related items"" : TRAILBLAZER ""Status"" : inactive ""Links"" :

TRAFFICTHIEF

""Short Description"" : According to an XKEYSCORE presentation, TRAFFICTHIEF is a database of "Meta-data from a subset of tasked strong-selectors". According to the XKEYSCORE presentation, an example of a strong selector is an email address. In other words, it would be a database of the metadata associated with names, phone numbers, email addresses, etc., that the intelligence services are specifically targeting. ""Category"" : program ""Family"" : database ""Related items"" : XKEYSCORE ""Status"" : ""Links"" :


TRAILBLAZER

""Short Description"" : TRAILBLAZER was a United States NSA program intended to develop a capability to analyze data carried on communications networks like the Internet. It was intended to track entities using communication methods such as cell phones and e-mail. It ran over budget, failed to accomplish critical goals, and was cancelled. ""Category"" : program ""Family"" : collect ""Related items"" : ""Status"" :inactive ""Links"" :


TURBINE

""Short Description"" : Deep Packet Injection, works with TURMOIL. ""Category"" : attack vector ""Family"" : network ""Related items"" : TRAILBLAZER QFIRE TURMOIL ""Status"" : ""Links"" :

TURBULENCE

""Short Description"" : TURBULENCE is a project started circa 2005. It was developed in small, inexpensive "test" pieces rather than one grand plan like its failed predecessor, the TRAILBLAZER. It also includes offensive cyber-warfare capabilities, like injecting malware into remote computers. The United States Congress criticized the project in 2007 for having similar bureaucratic problems as the TRAILBLAZER Project. ""Category"" : program ""Family"" : attack ""Related items"" : TRAILBLAZER ""Status"" : ""Links"" :

TURMOIL

""Short Description"" : TURMOIL is involved in the process of decrypting communications by using Deep Packet Inspection (passive dragnet surveillance sensors). ""Category"" : program ""Family"" : collect target ""Related items"" : QFIRE ""Status"" : ""Links"" :

TUTELAGE

""Short Description"" :Part of the TURBULENCE program ""Category"" : program ""Family"" : ""Related items"" : TURBULENCE ""Status"" :

TYPHON

""Short Description"" : Tactical SIGINT elements use this equipment to find, fix and finish targeted handset users. Target GSM handset registers with BSR unit. Operators are able to geolocate registered handsets. Capturing the user. ""Category"" : program ""Family"" : ""Related items"" : ""Status"" : ""Links"" :

U

UNITEDRAKE

""Short Description"" : A program similar to STRAITBIZARRE, used for uploading malicious HDD firmware; works with SLICKERVICAR. Known components include a GUI, a database, a server, and a manned listening post. It includes a trojan of the same name. Digital Network Technologies (DNT), a private company, actively maintains the listening posts for UNITEDRAKE, as well as designing and deploying malware. ""Category"" : attack vector ""Family"" : network ""Related items"" : IRATEMONK FERRETCANNON FOXACID ""Status"" : ""Links"" :

UPSTREAM

""Short Description"" :The UPSTREAM program, or "Room 641A", is a telecommunication interception facility operated by AT&T for the NSA that commenced operations in 2003 and was exposed in 2006. Room 641A is located in the SBC Communications building at 611 Folsom Street, San Francisco, three floors of which were occupied by AT&T before SBC purchased AT&T. The room was referred to in internal AT&T documents as the SG3 [Study Group 3] Secure Room. It is fed by fiber optic lines from beam splitters installed in fiber optic trunks carrying Internet backbone traffic and, as analyzed by J. Scott Marcus, a former CTO for GTE and a former adviser to the FCC, has access to all Internet traffic that passes through the building, and therefore "the capability to enable surveillance and analysis of internet content on a massive scale, including both overseas and purely domestic traffic." Former director of the NSA's World Geopolitical and Military Analysis Reporting Group, William Binney, has estimated that 10 to 20 such facilities have been installed throughout the United States. ""Category"" : program ""Family"" : collect ""Related items"" : ""Status"" : ""Links"" :


V

VAGRANT

""Short Description"" : Collection of computer screens. The monitor cables are rigged with an RF retro-reflector (RAGEMASTER). VAGRANT collection therefore requires a continuous RF generator such as CTX4000 or PHOTOANGLO, and a system to process and display the returned video signal such as NIGHTWATCH, GOTHAM, LS-2 (with an external monitor), or VIEWPLATE. Known to be deployed in the field, as of September 2010, at the following embassies: Brazil's UN Mission in NY (POKOMOKE), France's UN Mission in NY (BLACKFOOT), India's Embassy and annex in DC, and India's UN Mission in New York. India's embassies were slated to be detasked at the time of the document. The context of the documents seems to suggest, but does not definitively prove, that the cover term VAGRANT only applies to the signal itself. ""Category"" : program ""Family"" : collect ""Related items"" : CTX4000 CW DROPMIRE RAGEMASTER PHOTOANGLO NIGHTWATCH GOTHAM, LS-2 VIEWPLATE ""Status"" : ""Links"" :


VALIDATOR

""Short Description"" : A software based malware item designed to run on certain Juniper routers (J, M, and T Series) running the JUNOS operating system. It must be maintained by means of a malicious BIOS modification. A typical use case involves the exfiltration of data from the victimized system. A separate document describes VALIDATOR as a backdoor used against Windows systems (win 98-2003). In this instance, it will identify the system, and if it is truly a target, invite a more sophisticated trojan in, such as UNITEDRAKE or OLYMPUS. This trojan has been used to de-anonymize Tor users. A third version of VALIDATOR works for Apple iOS devices. The QUANTUMNATION states that the success rate against iOS devices is 100%. ""Category"" : attack vector ""Family"" : software ""Related items"" : FOXACID SCHOOLMONTANA SIERRAMONTANA STUCCOMONTANA SOMBERKNAVE OLYMPUS UNITEDRAKE ""Status"" : ""Links"" :

VIEWPLATE

""Short Description"" : Replacement for the NIGHTWATCH system. ""Category"" : program ""Family"" : ""Related items"" : NIGHTWATCH PHOTOANGLO ""Status"" : ""Links"" :

W

WAGONBED

""Short Description"" : a malicious hardware device that provides covert 2-way RF communications on the I2C channel of HP Proliant 380DL G5 servers. WAGONBED 2 can be mated with a Motorola G20 GSM module to form CROSSBEAM. ""Category"" :attack vector ""Family"" : hardware ""Related items"" : CROSSBEAM IRONCHEF FLUXBABBIT GODSURGE ""Status"" : ""Links"" :

WATERWITCH

""Short Description"" : Handheld device for homing in on target handsets, used in conjunction with TYPHON or similar systems to provide more precise location information. ""Category"" : program ""Family"" : target ""Related items"" : TYPHON ""Status"" : ""Links"" :

WISTFULTOLL

""Short Description"" : A plugin for UNITEDRAKE and STRAITBIZARRE that extracts WMI and registry information from the victim machine. Also available as a stand-alone executable. Can be installed either remotely, or by USB thumb drive. In the latter case, exfiltrated data will be stored on that same thumb drive. ""Category"" : program ""Family"" : ""Related items"" : IRATEMONK STRAITBIZARRE SEAGULLFARO UNITEDRAKE RETURNSPRING ""Status"" : ""Links"" : http://cryptome.org/2014/01/nsa-codenames.htm

X

XKEYSCORE (XKS)

""Short Description"" :XKeyscore (XKS) is a formerly secret computer system used by the United States National Security Agency for searching and analyzing Internet data about foreign nationals across the world. The program is run jointly with other agencies including Australia's Defence Signals Directorate, and New Zealand's Government Communications Security Bureau. XKeyscore is an NSA data-retrieval system which consists of a series of user interfaces, backend databases, servers and software that selects certain types of metadata that the NSA has already collected using other methods. According to the published slides, these come from three different sources:

  • FORNSAT - which means "foreign satellite collection", and refers to intercepts from satellites (ECHELON) that process data used by other countries
  • Overhead - American satellites
  • Special Source Operations (SSO) - Division of the NSA that cooperates with American mobile phone operators
  • Tailored Access Operations (TAO) - Division of the NSA that deals with hacking and cyberwarfare
  • F6 - Joint operation of the CIA and NSA (Special Collection Service) that carries out clandestine operations including espionage on foreign diplomats and leaders
  • FISA - All types of surveillance approved by the Foreign Intelligence Surveillance Court
  • 3rd party - Foreign partners of the NSA such as Belgium, Denmark, France, Germany, Italy, Japan, the Netherlands, Norway, Sweden, etc

""Category"" : program ""Family"" : process ""Related items"" : ""Status"" : ""Links"" :

Y

YACHTSHOP

""Short Description"" :Subprogram of OAKSTAR, aka US-3247 (PDDG:PJ) ""Category"" : program ""Family"" : ""Related items"" : OAKSTAR MARINA ""Status"" :

YELLOWPIN

""Short Description"" : a particular device that includes a HOWLERMONKEY component ""Category"" : ""Family"" : ""Related items"" : HOWLERMONKEY ""Status"" : ""Links"" :

Z

ZESTYLEAK

""Short Description"" : a software exploit made by CES for Juniper Netscreen ns5xt, ns50, ns200, ns500, ISG 1000 firewalls ""Category"" : attack vector ""Family"" : software ""Related items"" : FEEDTROUGH ""Status"" : ""Links"" :