Revealed – E-mails from inside the NSA bureaucracy

Earlier this month, the NSA declassified a huge set of internal e-mails, following FOIA requests about whether Edward Snowden had raised concerns about the NSA’s surveillance programs through proper channels inside the agency.

> Download the declassified e-mails (very large pdf)

Here, we will take a look at the administrative details these internal NSA e-mails provide. Next time we will see what their content says about the concerns that Snowden claimed to have raised.


Internal e-mail from NSA director Michael Rogers. In the signature block we see his
NSANet and SIPRNet e-mail addresses and his non-secure phone number (all redacted)
(See also: NSA director Alexander’s phones)

E-mail addresses

Apart from the classification markings, the NSA’s internal e-mails aren’t very different from those exchanged by most other people around the world. But they do show, for example, some details about the agency’s internal communications networks.

From the signature blocks underneath the e-mails we learn that, depending on their function and tasks, NSA employees have e-mail addresses for one or more of the following four computer networks:

NSANet for messages classified up to Top Secret/SCI (Five Eyes signals intelligence). On this network the address format for e-mail is jjdoe@nsa

JWICS for messages classified up to Top Secret/SCI (US intelligence). The address format is jjdoe@nsa.ic.gov

SIPRNET for messages classified up to Secret (mainly US military). The address format is jjdoe@nsa.smil.mil

UNCL for unclassified messages, likely through NIPRNet. The address format is jjdoe@nsa.gov

For e-mail, all NSA employees have display names in a standardized format: first comes their family name, given name and middle initial, sometimes followed by “Jr” or a high military rank. Then follows “NSA” and the proper organizational designator, then “USA” for their nationality and finally “CIV” for civilian employees, “CTR” for contractors, “USN” for Navy, “USA” for Army or “USAF” for Air Force members.

Thus, the display name of the current NSA director is “Rogers Michael S ADM NSA-D USA USN”, while that of the previous director was “Alexander Keith B GEN NSA-D USA USA”. In 2012, Snowden had the display name “Snowden Edward J NSA-FHX4 USA CTR”:


E-mail from Snowden as systems administrator in Hawaii, August 2012
The redacted part of the classification marking
seems to hide a dissemination marking *

The organizational designator FHX4 is interesting. FH stands for Field Station Hawaii, but X4, being unit 4 of division X, is still a mystery. The field station divisions have the same designators as those at NSA headquarters, where there’s also a division X, but so far no document has indicated what it does.

The signature block shows that Snowden worked as a systems administrator for Dell’s Advanced Solutions Group and that he was deployed at the Technology Department of NSA’s Cryptologic Center in Hawaii, more specifically at the Office of Information Sharing. The latter has the organizational designator (F)HT322 and is therefore different from that in Snowden’s display name.

In the declassified messages we only see display names, not the actual e-mail addresses behind them. Therefore, only the classification markings on the messages give an indication of the network on which they were exchanged.

From an e-mail that was declassified earlier we know that in April 2013 Snowden used the address “ejsnowd@nsa.ic.gov”, which is the format for the JWICS network, but was apparently used on NSANet.*

From one of the declassified e-mails about NSA’s internal investigation it seems that Snowden had just two mail accounts: “we have his TS [Top Secret] NSANet email and his UNCLASSIFIED NSA.gov email”, but this is followed by some redacted lines.*

Finally, the signature blocks of some NSA employees also provide a link to their dropbox for sending them files that may be too large for e-mail. Such dropboxes have addresses like “http://urn.nsa.ic.gov/dropbox/[…]”.
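As an added illustration (not code from the original post), here is a small Python parser for the display-name convention and the four address formats described in this section. The helper names and lookup tables are my own; the network lookup only reports the address format, since, as noted above, a JWICS-format address was apparently used on NSANet.

```python
"""Parse NSA e-mail display names and address domains as described above.

Added example; the format rules are those stated in the text, the helper
names and the lookup tables are my own."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Employment/service categories the text lists as the final display-name token.
CATEGORIES = {"CIV": "civilian employee", "CTR": "contractor",
              "USN": "Navy", "USA": "Army", "USAF": "Air Force"}

# Address domain -> (network, highest classification carried), per the text.
# The text notes a JWICS-format address apparently used on NSANet, so this
# reports the address *format*, not proof of the network actually used.
NETWORKS = {
    "nsa": ("NSANet", "Top Secret/SCI (Five Eyes SIGINT)"),
    "nsa.ic.gov": ("JWICS", "Top Secret/SCI (US intelligence)"),
    "nsa.smil.mil": ("SIPRNet", "Secret (mainly US military)"),
    "nsa.gov": ("UNCL (likely NIPRNet)", "Unclassified"),
}


@dataclass
class DisplayName:
    family: str
    given: str
    middle_initial: Optional[str]
    suffix: Optional[str]   # "Jr" or a military rank such as ADM or GEN
    designator: str         # organizational designator after "NSA-"
    nationality: str
    category: str


def parse_display_name(text: str) -> DisplayName:
    """Split a display name into its fields, working from the right end.

    Parsing from the right is what makes the format unambiguous: "USA" is
    both the nationality token and the Army category, so position decides.
    """
    tokens = text.split()
    if len(tokens) < 5:
        raise ValueError(f"too few tokens in display name: {text!r}")
    category, nationality, org = tokens[-1], tokens[-2], tokens[-3]
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    if not org.startswith("NSA-"):
        raise ValueError(f"expected NSA-<designator>, got {org!r}")
    name_part = tokens[:-3]
    family, given = name_part[0], name_part[1]
    # A single-letter third token is the middle initial; anything after it
    # (or after the given name when there is none) is "Jr" or a rank.
    has_initial = len(name_part) > 2 and len(name_part[2]) == 1
    middle = name_part[2] if has_initial else None
    rest = name_part[3:] if has_initial else name_part[2:]
    return DisplayName(family, given, middle, " ".join(rest) or None,
                       org[len("NSA-"):], nationality, category)


def network_from_address(address: str) -> Tuple[str, str]:
    """Infer (network, classification) from the domain of an e-mail address."""
    m = re.fullmatch(r"[A-Za-z0-9._-]+@([A-Za-z0-9.-]+)", address.strip())
    if not m:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = m.group(1).lower()
    if domain not in NETWORKS:
        raise ValueError(f"unknown NSA address domain {domain!r}")
    return NETWORKS[domain]
```

Running `parse_display_name("Snowden Edward J NSA-FHX4 USA CTR")` yields designator `FHX4` and category `CTR`, and `network_from_address("ejsnowd@nsa.ic.gov")` reports the JWICS format.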


Example of an NSA message, with in the signature block e-mail addresses for JWICS and an
unclassified network, and phone numbers for the NSTS and the non-secure phone networks
OPS 2B is the wider and lower one of the two black NSA headquarters buildings

Telephone numbers

Besides e-mail addresses, many messages also have phone numbers in the signature blocks. They show numbers for one or more of the telephone systems used at NSA:

NSTS, which stands for National Secure Telephone System and is NSA’s internal telephone network for secure calls. Numbers for this network have the format 969-8765 and are often marked with “(s)” for “secure”

STE, which stands for Secure Terminal Equipment, being a telephone device capable of encrypting phone calls on its own. Telephone numbers can be written in the format (301) 234-5678 or as STE 9876.

BLACK, CMCL or Commercial, which are numbers for non-secure telephones that may also access the public telephone network. They have the regular format (301) 234-5678 and are often marked with “(b)” for “black” (as opposed to “red”) or with “(u)” for unclassified.


The NSA/CSS Threat Operations Center (NTOC) at NSA headquarters, with from left to right:
an STE secure phone, a probably non-secure telephone and a phone for the NSTS
(Photo: NSA, 2012)

TIKICUBE

Finally, releasing such a huge set of documents in which many parts had to be redacted always bears the risk that something is overlooked. That also happened this time, as in one e-mail from an investigator from NSA’s Counterintelligence Investigations unit Q311 they forgot to redact the codeword TIKICUBE:

TIKICUBE appears to be a unit of the Investigations Division Q3. Whether this might be a special unit investigating the Snowden leak isn’t clear though.

The abbreviations behind the investigator’s name are: CFE for Certified Fraud Examiner and CISSP for Certified Information Systems Security Professional.

We also see that this investigation division is not located at the NSA headquarters complex at Fort Meade, but at FANX. This stands for Friendship Annex, a complex of NSA office buildings in Linthicum, near Baltimore, some 12 km or 7.5 miles north-east of Fort Meade.

The famous blue-black glass headquarters buildings are OPS 2A and OPS 2B, while the SIGINT division is apparently in the flat 3-story building from the late 1950s, designated OPS 1.

NSA – Is the Shadow Brokers leak the latest in a series?

Earlier this week, a group or an individual called the Shadow Brokers published a large set of files containing the computer code for hacking tools. They were said to be from the Equation Group, which is considered part of the NSA’s hacking division TAO.

The leak got quite some media attention, but so far it has not been related to earlier leaks of highly sensitive NSA documents. These show interesting similarities with the Shadow Brokers files: they were also not attributed to Edward Snowden, but seem to come from an unknown second source.

Screenshot of some computer code with instructions
from the Shadow Brokers archive

The Shadow Brokers files

Since August 13, the Shadow Brokers have posted a manifesto and two large encrypted files on Pastebin, on GitHub, on Tumblr and on DropBox (the latter three closed or deleted meanwhile).

One of the encrypted files could be decrypted into a 301 MB archive containing a large amount of computer code for server-side utility scripts and exploits for a variety of targets, like firewalls from Cisco, Fortinet and Shaanxi. The files also include different versions of several implants and instructions on how to use them, so they are not only the malware that could have been found on the internet, but also files that were only used internally.

A full list of the exploits in this Shadow Brokers archive can be found here:
https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html

Security experts as well as former NSA employees considered the files to be authentic, and earlier today the website The Intercept came with some unpublished Snowden documents that confirm the Shadow Brokers files are real.

Besides the accessible archive, Shadow Brokers also posted a file that is still encrypted, and for which the key would only be provided to the highest bidder in an auction. Should the auction raise 1 million bitcoins (more than 500 million US dollars), Shadow Brokers said they would release more files to the public. This auction however is likely just meant to attract attention.

Screenshot of a file tree from the Shadow Brokers archive

From the Snowden documents?

According to security experts Bruce Schneier and Nicholas Weaver the new files aren’t from the Snowden trove. Like most people, they apparently assume that Snowden took mostly PowerPoint presentations and internal reports and newsletters, but that’s not the whole picture. The Snowden documents also include various kinds of operational data, but this rarely became public.

Most notable was a large set of raw communications content collected by NSA under FISA and FAA authority, which also included incidentally collected data from Americans, as was reported by The Washington Post on July 5, 2014. The Snowden documents also include technical reports, which are often very difficult to understand and rarely provide a newsworthy story on their own.

Someone reminded me as well that in January 2015, the German magazine Der Spiegel published the full computer code of a keylogger implant codenamed QWERTY, which was a component of the NSA’s WARRIORPRIDE malware framework. So with the Snowden trove containing this one piece of computer code, there’s no reason why it should not contain more.

Contradicting the option that the Shadow Brokers files could come from Snowden is the fact that some of the files have timestamps as late as October 18, 2013, which is five months after Snowden left NSA. Timestamps are easy to modify, but if they are authentic, then these files have to be from another source.

A second source?

This brings us to a number of leaks that occurred in recent years and which were also not attributed to Snowden. These leaks involved highly sensitive NSA files and were often more embarrassing than material from the Snowden documents – for example the catalog of hacking tools and techniques, the fact that chancellor Merkel was targeted and intelligence reports proving that NSA was actually successful at that.

> See Leaked documents that were not attributed to Snowden

It is assumed that these and some other documents came from at least one other leaker, a “second source” besides Snowden, something of which still not many people are aware. The files that can be attributed to this second source have some interesting similarities with the Shadow Brokers leak. Like the ANT catalog published in December 2013, they are about hacking tools, and like the XKEYSCORE rules published in 2014 and 2015 they are internal NSA computer code.

This alone doesn’t say much, but it’s the choice of the kind of files that makes these leaks look very similar: no fancy presentations, but plain technical data sets that make it possible to identify specific operations and individual targets – the kind of documents many people are most eager to see, but which were rarely provided through the Snowden reporting.

As mainstream media became more cautious in publishing such files, it is possible that someone who also had access to the Snowden cache went rogue and started leaking documents just to harm NSA and the US – without attributing these leaks to Snowden because he would probably not approve of them, and also to suggest that more people followed Snowden’s example.

Of course the Shadow Brokers leak can still be unrelated to the earlier ones. In that case it could have been that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA’s secure networks (also called a “staging server” or “redirector” to mask his true location) and that someone was able to grab the files from there – an option Snowden also seems to favor.

Diagram showing the various stages and networks involved
in botnet hacking operations by NSA’s TAO division

An insider?

Meanwhile, several former NSA employees have said that the current Shadow Brokers leak might not be the result of a hack from the outside, but that it’s more likely that the files come from an insider, who stole them like Snowden did earlier.

Of course it’s easier for an insider to grab these files than for a foreign intelligence agency, let alone an ordinary hacker, to steal them from the outside. But if that’s the case, it would mean that this insider would still be able to exfiltrate files from NSA premises (something that shouldn’t be possible anymore after Snowden), and that this insider has the intent to embarrass and harm the NSA (Snowden at least said he just wanted to expose serious wrongdoings).

Here we should keep in mind that such an insider is not necessarily just a frustrated individual, but can also be a mole from a hostile foreign intelligence agency.

Russian intelligence?

On Twitter, Edward Snowden said that “Circumstantial evidence and conventional wisdom indicates Russian responsibility”, but it’s not clear what that evidence should be. It seems he sees this leak as a kind of warning from the Russians not to take revenge for the hack of the Democratic National Committee (DNC) e-mails, which was attributed to Russian intelligence.

This was also what led Bruce Schneier to think it might be the Russians, because who other than a state actor would steal so much data and wait three years before publishing? Not mentioned by Schneier is that this also applies to the documents that can be attributed to the second source: they are also from before June 2013.

A related point of speculation is the text that accompanied the Shadow Brokers files, which is in bad English, as if it was written by a Russian or some other non-western individual. This is probably a distraction, as it looks much more like a fluent American/English speaker who tried to imitate inexperienced English.

The text also holds accusations against “Elites”, in a style which very much resembles the language used by anarchist hacker groups, but that can also be faked to distract from the real source.

Screenshot of some file folders from the Shadow Brokers archive

Conclusion

With the authenticity of the Shadow Brokers files being confirmed, the biggest question is: who leaked them? There’s a small chance that it was a stupid accident in which an NSA hacker uploaded his whole toolkit to a non-secure server and someone (Russians?) found it there.

Somewhat more likely seems the option that they came from an insider, and in that case, this leak doesn’t stand alone, but fits into a series of leaks in which, since October 2013, highly sensitive NSA data sets were published.

So almost unnoticed by the mainstream media and the general public, someone was piggybacking on the Snowden revelations with leaks that were often more embarrassing for NSA than many reports based upon the documents from Snowden.

Again, obtaining such documents through hacking into highly secured NSA servers seems less likely than the chance that someone from inside the agency took them. If that person was Edward Snowden, then probably someone with access to his documents could have started his own crusade against NSA.

If that person wasn’t Snowden, then it’s either another NSA employee who was disgruntled and frustrated, or a mole for a hostile foreign intelligence agency. For an individual without the protection of the public opinion like Snowden, it must be much harder and riskier to conduct these leaks than for a foreign state actor.

Former NSA counterintelligence officer John Schindler also thinks there could have been a (Russian) mole, as the agency has a rather bad track record in finding such spies. If this scenario is true, then it would be an almost even bigger scandal than that of the Snowden leaks.

Update:
On August 21, NSA expert James Bamford also confirmed that TAO’s ANT catalog wasn’t included in the Snowden documents (Snowden didn’t want to talk about it publicly though). Bamford favors the option of a second insider, who may have leaked the documents through Jacob Appelbaum and Julian Assange.

Revealed – U.S. Army Cultural Assessment of the Islamic State of Iraq and the Levant (ISIL)

Cultural Assessment of the Islamic State of Iraq and the Levant (ISIL)

Page Count: 74 pages
Date: May 31, 2016
Restriction: None
Originating Organization: U.S. Army Training and Doctrine Command, TRADOC G-20
File Type: pdf
File Size: 7,113,430 bytes
File Hash (SHA-256): 05053BE458B21A87EE8BC5FD889B36BEF89A494EF0681D027579068E49DB86E5

Download File

What follows is an assessment of the Islamic State of Iraq and the Levant (ISIL) from a socio-cultural perspective. We have employed a modified PMESII-PT framework for analysis (Political, Military, Economic, Social, Infrastructure, Information, Physical Terrain, Time). We have modified PMESII-PT in three ways to emphasize the socio-cultural aspect of this analysis. First, we have expanded the concept of Military to cover all coercive forces in the area of interest. The expanded category includes law enforcement, pro and anti-government paramilitaries, militias, external forces, etc. Second, we added Population and Culture as separate categories. Arguably, these categories could be covered in PMESII-PT under Society, but we saw them as sufficiently important to merit separate chapters. Third, we have expanded the concept of Information, which we have titled Communications, to account for both how information is communicated and how it is received within the society under analysis. With that as background, here is a synopsis of our major findings by category in our modified PMESII-PT framework.

POLITICAL: ISIL has developed a political system in the image of the 7th Century Islamic Caliphate, which includes executive and judicial branches of government, but not a legislative branch. The legislative branch was unnecessary because Sharia is interpreted from the original religious sources, not created. In the ISIL system the executive branch interprets Sharia and communicates its interpretation to the greater organization. The judicial branch oversees the implementation of the executive’s interpretation of Sharia law by means of multilayered security and legal systems.

SECURITY: ISIL has concentrated power in its military and state security apparatus in order to expand its dominion to areas outside its current control and enforce its interpretation of Sharia within its territories. In order to weaken resolve in areas outside its control and to gain compliance in areas it controls, ISIL has created a culture of terror through the institutionalized use of local and media based public spectacles of primordial violence.

ECONOMIC: ISIL has a rentier economy, which derives a significant portion of its revenues from the sale of oil and gas to external clients. ISIL’s total cash and assets are estimated in the billions of dollars. Despite recent financial setbacks, ISIL has sufficient funds to maintain, or even expand, its security forces. As long as its security forces are effective, and in the absence of outside opposition, ISIL will continue to control its current territory. At its current funding rate ISIL can fight a holding action in the Levant while continuing to export terror to the rest of the world.

POPULATION: The population of ISIL-controlled territories is estimated at between six and eight million people. An estimated ten to twelve million people have fled from ISIL territory and adjacent regions affected by the Syrian Civil War. The conflict in the region has been devastating to the population, which is suffering excessive unemployment, food scarcity, economic paralysis, and generalized poverty. The vast number of displaced persons is straining Iraqi and international humanitarian relief efforts.

SOCIETY: ISIL is an autocracy superimposed on top of tribal society, which by its nature is the antithesis of an autocracy. Social identity in ISIL-controlled areas is derived from three identity parameters (Arab, Muslim, and Sunni) shared by the general population. Historically, tribal affiliation has been the primary determinant of social status in both Syria and Iraq, but ISIL has altered this by elevating its members, many of whom are former Baathists, and foreign fighters to the upper echelons of ISIL society. ISIL further undermined the Sunni tribal leaders by usurping the economic means of production and distribution.

CULTURE: ISIL’s cultural folklore envisions a return to a 7th Century Islamic “Golden Age” when the original “pure” Caliphate ruled the Arabian Peninsula. The past is portrayed as an Islamic Eden unspoiled by infidels or apostates. ISIL narratives describe a final apocalypse in which the retrogressive forces of Islam triumph over the progressive, corrupted, non-believers of modernity, creating a new world order. This vision animates ISIL’s actions. ISIL justifies its brutality, deviation from traditional Islamic values regarding women, and crimes against humanity as service to the state. Because the Islamic State is everything, it follows that survival of the Islamic State is paramount. Based on ISIL’s actions when threatened with defeat in Iraq, if the situation in the Levant becomes untenable, ISIL leaders will most likely seek to relocate to a location, such as Libya, where they can continue their jihad.

INFRASTRUCTURE: To date, ISIL has shown the ability to maintain its physical infrastructure at an acceptable level of functionality, although its infrastructure has certainly deteriorated due to years of war and neglect. How long ISIL can continue to maintain its infrastructure is uncertain, particularly in light of ISIL’s recent drop in revenue and Coalition bombing. ISIL has employed a “scorched-earth” policy by destroying the infrastructure when driven out of urban or rural areas. ISIL will most likely continue this policy, if and when it has to cede more territory.

COMMUNICATIONS: ISIL has developed an almost textbook information operations campaign using all mediums of communications at its disposal to further its strategic goal of establishing a Caliphate. Using symbols and assorted media, ISIL is employing a multi-layered communications strategy to promote its ideology, secure its base, attract foreign fighters, create affiliates, and turn Muslim public opinion against the West.

GEOGRAPHY: In terms of the physical geography, ISIL occupies an area with very narrow and linear habitable areas generally surrounded by vast expanses of desert. Because of the desert terrain and lack of significant rainfall, life in the region is almost entirely dependent on the Tigris-Euphrates river system.


The STASI LIST Download – The STASI LIST as a ZIP file for download

This list contains the names of 90,598 employees of the Ministry for State Security of the GDR. The list is not complete. In particular, employees at the leadership level are not included.

This is a list of 90,598 members of the secret police of East Germany (Ministry for State Security). The list isn’t complete, because most of the higher officers, colonel and above, destroyed their personal records in the last days of East Germany.

Lists of Stasi employees – here you can find them! What do the numbers mean?
1. Lists of the Stasi service units!
Note: here you can look up the number (6 digits) of the service units.
2. List of Stasi employees (full-time)
Note: Hopefully you have a good computer, because the list is frighteningly long. The first 6 digits are the date of birth, and the next 6 digits are the service ID number! The two digits after the date of birth indicate the sex: 41 and 42 = male, 51 and 52 = female! Important for searching and finding are the six digits between the semicolons before the name, e.g. ;07;00;44; ! That is the number of the service unit!
So you look up, in the list of service units, the number of the unit that interests you. With that you go to the list of employees and pick out all employees of the corresponding unit. I did that for my home town and found all the employees that way. Whether the list is complete I cannot judge, but at least I recognized (or knew) some ex-traitors by name.
3. List of the OibE (officers on special assignment)

Here I am making a list of Stasi employees with their real names available for download on the Internet, hosted on a different server for security reasons:

http://cryptome.org/ma_stasi.zip

On this website, berndpulch.org, you will also find all Stasi names in alphabetical order, as well as the BDVP lists and the officers on special assignment.

“FINALLY FREE” – The History of the GDR Berlin Wall – The Film

Rise and Fall of the Berlin Wall – The Movie
