Germans reveal new NSA XKeyScore internet monitoring

News by Steve Gold

The German software revelation may have come from a second NSA leak/source other than Edward Snowden, says cryptography expert Bruce Schneier.

All software developers like to refine their code, releasing new versions for their users. And it appears that the NSA is the same, after a couple of German broadcasters claim to have spotted a next-generation version of XKeyScore.

XKeyScore - XKS - is a server-based application developed by the NSA and reportedly shared with other national spy agencies, including Australia's Defence Signals Directorate, New Zealand's Government Communications Security Bureau and the German Bundesnachrichtendienst.

First revealed back in July 2013 by NSA whistleblower Edward Snowden - and reported in the Sydney Morning Herald - XKS is essentially a customised version of Google designed to 'spider' search everything a targeted user does on the Internet, including their social media interactions.

As reported by the Guardian newspaper in late July of last year, the program harvests user emails, social media activity and Web browsing history.

The two German broadcasters - Norddeutscher Rundfunk and Westdeutscher Rundfunk - claim that the updated NSA software includes elements of XKS, but has been enhanced to track specific users via the TOR (The Onion Router) IP anonymising network.

The broadcasters - who have not yet published the code of the actual NSA program - claim that the version of XKS in their hands has been designed for the German Internet and monitors two main TOR servers there, including a Directory Authority, one of the critical links in the TOR network.

The two German broadcasters appear to have done their homework with the analysis, notes, and claims that the new version of XKS is also designed to monitor non-public TOR relays, which are issued to users in China and Iran, whose governments actively block the more public TOR network relays.

The report from the broadcasters - which was prepared by a team of six broadcast and IT professionals - says that two TOR servers, in Berlin and Nuremberg, are under active surveillance by the NSA.

After months of investigation by the German public television broadcasters NDR and WDR - "drawing on exclusive access to top secret NSA source code, interviews with former NSA employees, and the review of secret documents of the German government" - the research team have concluded that, as well as monitoring the TOR network system in Germany, the NSA is monitoring anyone who has taken an interest in several well-known privacy software systems.

The research team adds that it has been in contact with Roger Dingledine, one of three original developers of the TOR project, who said that the NSA's attack on the bridge address distribution service (ie the non-public servers) clearly illustrates the NSA's 'collect all the things' monitoring mentality.

XKS - a passive search system

notes that the real meat in the German broadcasters' research is buried on P5, and says that XKS is considered to be a passive monitoring system in that it silently listens, but does not transmit anything on the networks that it is targeting.

"However, through a process known as tipping, data from these programs can trigger other systems which perform active attacks," says the analysis, adding that Quantum is a family of such programs, used for offensive computer intrusion.

Getting any UK security professionals to comment on the German researchers' revelations proved impossible, possibly owing to the political sensitivities involved.

However, leading US cryptography and security expert Bruce Schneier - who has access to the Snowden files and is a fellow at Harvard's Berkman Centre - said that the German software may have come from a second leak/source other than Snowden.

"It's hard to tell how extensive this is. It's possible that anyone who clicked on this [TOR] link is currently being monitored by the NSA. It's possible that this will only happen to people who receive the link in e-mail," he said, adding that this will mean every subscriber to his Cryptogram newsletter may fall into this group within the next few weeks.

"And I don't know what else the NSA harvests about people who it selects in this manner," he concluded.
