XKEYSCORE was one of the first covert programs that the Guardian wrote about when Snowden began leaking NSA documents two years ago, in 2013.
Now, a new set of training manual reveals the breadth of this program and how easily an analyst can break into remote computers – within a “few mouse clicks”.
Using only a target’s email address, telephone number, name or other identifying data, an analyst has the ability to conduct sweeping searches of his or her personal data.
“Given the breadth of information collected by XKEYSCORE, accessing and exploiting a target’s online activity is a matter of a few mouse clicks. The amount of work an analyst has to perform to actually break into remote computers over the Internet seems ridiculously reduced — we are talking minutes, if not seconds. Simple. As easy as typing a few words in Google,” Jonathan Brossard, a security researcher and the CEO of Toucan Systems, told The Intercept, a magazine which serves as a platform to report on the documents released by Edward Snowden.
“Anyone could be trained to do this in less than one day: they simply enter the name of the server they want to hack into XKEYSCORE, type enter, and are presented login and password pairs to connect to this machine. Done. Finito,” Brossard added.
The training manual released by The Intercept also reveals the scope of surveillance:
The XKEYSCORE database is "fed a constant flow of Internet traffic from fiber optic cables that make up the back of the world’s communication network, among other sources, for processing," the new report states. Its servers collect all of this data for up to five days, and store the metadata of this traffic for 30 to 45 days.
The system however is not limited to collecting web traffic.
“These newly published documents demonstrate that collected communications not only include emails, chats and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more.”
“XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited,” the magazine says.
Traffic from popular social media sites is described as “a great starting point” for tracking individuals, according to an XKEYSCORE presentation titled “Tracking Targets on Online Social Networks.”
This system also enables analysts to access web mail servers with “remarkable ease.”
The same methods are used to steal the credentials — user names and passwords — of individual users of message boards.
Hacker forums are also monitored for people selling or using exploits and other hacking tools.
The only obstacle is, when intelligence agencies collect massive amounts of Internet traffic all over the world, they face the challenge of making sense of that data. The vast quantities collected make it difficult to connect the stored traffic to specific individuals.
The NSA makes use of browser cookies, which the Internet companies use to track their users.
“Cookies are small pieces of data that websites store in visitors’ browsers. They are used for a variety of purposes, including authenticating users (cookies make it possible to log in to websites), storing preferences, and uniquely tracking individuals even if they’re using the same IP address as many other people.”
NSA made it a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies.
“XKEYSCORE gives you access to the full cookie string, so if you’re adventurous enough you can do your own protocol exploration,” the manual says.
“Remember: Cookies are there for a reason!”
Apps that run on tablets and smartphones also use analytics services that uniquely track users. Almost every time a user sees an advertisement (in an app or in a web browser), the ad network is tracking users in the same way.