Jump to content
Not connected, Your IP: 18.191.192.109
nath2336

NSA's DISTANTFISH program

Recommended Posts

Yesterday The Intercept released a new tranche of NSA documents from the Snowden leaks; https://theintercept.com/snowden-sidtoday/

 

Among them was a Signals Intelligence Directorate newsletter from 2004 named; Targeting Terrorist Internet Traffic https://assets.documentcloud.org/documents/3233073/Targeting-Terrorist-Internet-Traffic.pdf

 

It introduces Project DISTANTFISH which was established in 2004 (one can imagine how much it has developed over the past 12 years!) Here is an excerpt that is pertinent to AirVPN users, as AirVPN uses shared servers "for better protection"; TOTALLY FALSE - NOTE BY STAFF

 

 

(TOP SECRET) On February 14, 2004, a terrorist on the Counterterrorism top ten list walked into a web cafe in Iraq and logged into an MSN Messenger account. Little did this terrorist know that NSA knew his login name and that Counterterrorism analysts were alerted to his traffic. Unfortunately, the analysts were unable to do much with it, as the target never talked to anyone and he had few names on his buddy list.

 

(TOP SECRET) The analysts wanted to look at all of the traffic generated by the terrorist but were unable to do so... The web cafe used an inexpensive device known as a Network Address Translator (NAT) to share the Internet connection to all the computers in the cafe. There were many people in the cafe and the NAT mixed the computer sessions from all of the users together. Luckily, a fledgling service known as DISTANTFISH had just been deployed to Menwith Hill Station, and this new system was able to find the desired terrorist traffic.

 

(TOP SECRET) Project DISTANTFISH was created to target terrorist traffic on the Internet by providing two important services. First, it provides a database for discovering account identities for known terrorists to use as strong selectors (i.e. login names, e-mail addresses, or other elements that can be associated with a particular individual). Second, it provides information on which the same user generated computer sessions. Thus, if one session contains a strong selector for a terrorist, then all sessions can be collected. At the heart of this capability is an association service that can track an individual computer by the way it generates packets.

 

(TOP SECRET) From this association service, the DISTANTFISH team members were able to determine that the terrorist generated 107 computer sessions over eleven minutes, thus separating this traffic from that of the other 16 people in the web cafe. As most of the supporting software is still under development, the data was manually examined resulting in the discovery of two additional MSN Messenger accounts and two Yahoo web mail accounts that the terrorist used, but that NSA had been unaware of. Since terrorists often abandon accounts for new ones, having a complete picture of the accounts used is critical for targeting the terrorists' traffic.

 

For more information;

https://www.emptywheel.net/2016/12/07/distantfish-and-correlations/

Share this post


Link to post

Hey Zhang, you obviously know much more than me in these matters....

Just from what I had read, for example;  https://airvpn.org/topic/1150-are-ip-addresses-shared/

 

Hello!

Yes, they are shared. Each server has an "entry" and an "exit" IP address. The exit IP address is shared among all those connected to that server. We do offer custom plans which include dedicated, static IP addresses (anyone interested can contact us). However, as you wrote, a shared IP address offers a better protection.

Kind regards
AirVPN admins 

 

So you are saying that DISTANTFISH could not be used on AirVPN customers?

"There were many people in the cafe and the NAT mixed the computer sessions from all of the users together. Luckily, a fledgling service known as DISTANTFISH had just been deployed to Menwith Hill Station, and this new system was able to find the desired terrorist traffic."

"At the heart of this capability is an association service that can track an individual computer by the way it generates packets."

 

BTW; I was not trying to make Air look bad (I am a paying customer  ) I just read the article and noticed that sharing IP's may not provide anymore security than not sharing. I am happy to stand corrected.

Share this post


Link to post

This correlation has nothing to do with VPNs, it is a simple match that helps locating a user behind NAT, there were so many research papers

about this topic for at least past 10 years.

 

The method they used is known as passive OS fingerprinting, and one of the mostly used open source tools to do it is p0f.

http://lcamtuf.coredump.cx/p0f3/

 

You can check a web version of the same technique here:

http://witch.valdikss.org.ru

 

The important selectors are User-Agent, OS version (based on TCP fingerprints) and uptime (also based on TCP fingerprints).

Having all those 3 you can separate each machine behind NAT, if you monitor the exit and destination sources.

NAT is not a high anonymity layer against nation state surveillance.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Thanks Zhang! Maybe they marked those passages Top Secret because they did not want to give away what methods they were using at the time (even though they were/are public). Thanks for taking the time to explain much appreciated!

Share this post


Link to post

This correlation has nothing to do with VPNs, it is a simple match that helps locating a user behind NAT, there were so many research papers

about this topic for at least past 10 years.

 

The method they used is known as passive OS fingerprinting, and one of the mostly used open source tools to do it is p0f.

http://lcamtuf.coredump.cx/p0f3/

 

You can check a web version of the same technique here:

http://witch.valdikss.org.ru

 

The important selectors are User-Agent, OS version (based on TCP fingerprints) and uptime (also based on TCP fingerprints).

Having all those 3 you can separate each machine behind NAT, if you monitor the exit and destination sources.

NAT is not a high anonymity layer against nation state surveillance.

 

 

@Zhang, so is there a simple program to spoof these selectors?

Share this post


Link to post

For User-Agent there obviously is, but other ones are in your OS TCP stack and the sizes and sequence of your packets.

The easiest solution in this case would be using a gateway that reassembles the TCP packets in it's own order of the OS,

for example Tor exits do that - there are many usability and latency disadvantages in this implementation but if

metadata elimination is absolutely critical you can use that. Also you have privacy focused distros like Whonix, Qubes and

Tails which have identical stamps to all users around the world, something those suspects in 2004 obviously didn't have.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

For User-Agent there obviously is, but other ones are in your OS TCP stack and the sizes and sequence of your packets.

The easiest solution in this case would be using a gateway that reassembles the TCP packets in it's own order of the OS,

for example Tor exits do that - there are many usability and latency disadvantages in this implementation but if

metadata elimination is absolutely critical you can use that. Also you have privacy focused distros like Whonix, Qubes and

Tails which have identical stamps to all users around the world, something those suspects in 2004 obviously didn't have.

 

Thanks, Zhang, appreciate the help 

Share this post


Link to post

Stacks including variables like;

 

TCP Window Size, Request Buffer Size, Default Receive/Send Window, Buffer Size, NBSSB, Opts, ACKF, ARP variables, DTO's, Fin's, etc...

 

Some of us have known about this kind of surveillance and have been homogenizing stacks across a large number of devices to offset this surveillance technique. But these days this is used as one metric among many other techniques, it's just added assisting information in SIGINT not the exclusive tool.

 

But realize this, unless you take 'extreme' precautions, you aren't going to avoid Nation State Surveillance. Clearly you CAN avoid them if you choose to do so so I am not saying it's futile. However in the general scheme of things these days we try to 'limit' what they could get if they happened to decide to turn their eye towards you. That is, specific privacy/encryption techniques for 'specific things' that are important, not for everything you do. That way they do see the Pizza you ordered, but they don't see your crucial documents.

 

Another technique which I have been advocating for years - haystacking. Rather than masking the needle, just make the haystack monstrous so they don't know where to look or have massive amounts of data to sift through. I run a custom built Anti-Phorm server on my home network that itself puts out 30,000 internet searches and clicks per day. SOMEWHERE in that mess are the 'actual' searches and clicks from people in my household. But good luck finding them eh? That's why stack masking is factored here.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...