Documents

UK TOP FVEY Broadcast/Internet Radio Exploitation and Analysis [email protected]_hq 6th November 2009 OPD-NAC Distribution (via email) GCHQ (TR) (JTRIG) (CRFC) FTCG) (CNE) SIS - (5T2) BSS - (C3T-4) 2nd Parties (NSA) UK TOP FVEY

UK TOP FVEY Report Summary Author Primary Customer TR-CISA SDTD Reference Contributing Key Terms Broadcast, Icecast, Shoutcast, Peercast, Internet Radio Soft Copy Location Development\GNE Restricted\NAC Reports Relevant CMAPs See Also Strategic Framework Task 4134544, UK TOP FVEY

UK TOP FVEY Context 1.1 Internet Radio is a technology that allows audio streams, usually based on MP3 or AAC formats, to be broadcast over the Internet to clients in real- time. Details 1.2 This report documents the results of an analysis into data derived from on-line broadcasting, or ?Internet radio?. This technology allows users to broadcast audio via the internet without the restrictions traditionally associated with broadcasting. 1.1 The technology covers protocols such as ?Shoutcast?, ?lcecast? and ?Peercast?. Further details of the technology are summarised in report 4134544 1.2 The interception capability was delivered under Strategic Framework Task 4134544 by TR-CISA and was deployed at CPC in the PPF framework. 1.3 A sample of the derived SIGINT data was taken over 3-month period (August- October 2009). This sample represented 6.68 Million unique events from the accesses feeding the research system. These accesses ranged between STM1-STM64 from a range of sources. 1.4 In order to facilitate analysis, the data was tagged with the geographic location of each IP addresses from the TR-NE research prototype GEOFUSION using Slr?ip? adr?lu?log. 1.5 The data was parsed to extract client-server and server-client relationships by using the Broadcast-Server and Broadcast-Listener fields that the PPF AEG module output to the single line records. Analysis 2 Broadcast Population 2.1 There were 224,446 Unique listener IP addresses over the 3 month period covering approximately 108448 /24 subnets. 3 Geographic Distribution of Servers 3.1 Servers were geographically distributed between 1719 individual locations. The Top 50 are shown in Table 1. UK TOP FVEY

UK TOP FVEY Frequency Location 2237697 756510 217796 153888 146391 125152 97128 WESTCH 85279 63901 62837 56389 53432 49978 45843 43112 41600 29308 21199 20978 20687 20396 19495 17710 17065 16879 15777 15334 14704 13724 12607 11701 10913 10708 10516 9236 8987 8820 8187 7450 7184 6780 US 5944 4881 4791 4775 4476 4448 4289 4177 4072 Table 1: Top 50 Locations of broadcast servers UK TOP FVEY

UK TOP FVEY 3.2 Since GEOFUSION does not provide suitable accuracy for city specific analysis. A breakdown of geographic distribution by country is shown below: Broadcast Servers IFR IIE EIUS EINL ISE IDE IRU EIGB IPL ILV EISI IRO IHU ILT IBG ICZ IUA EICH EIES EISK EICA EIMX DAT EITR IKZ INO IAF EIIT Chart 1: Server location by country 3.3 The top countries of listeners were found to be France, Ireland, the US and the Netherlands, other European countries are also in the Top 10. Frequency Country 2261311 FR 918890 IE 396842 US 288907 NL 183631 SE 158202 DE 132895 RU 1 12180 GB 67145 PL 53516 LV 50833 SI 28308 R0 2301 0 22620 LT UK TOP FVEY

UK TOP FVEY 19517 BG 14183 CZ 13632 UA 12004 CH 11336 ES 9581 SK 6344 CA 5008 MX 4550 AT 3353 TR 3301 K2 3005 NO 2629 AF 2572 IT 2351 MK 2233 TH Table 2: Server location by country Listener Analysis 3.4 The data was analysed to find which country had the most listeners for Internet radio. The top countries were found to be Ireland, Mexico, Japan and the US. However listeners to any one particular radio station could from any of 185 different countries observed. The most frequently seen countries for listeners is shown below: Frequency Country 1006737 MX 824123JP 486840 US 156282AN 144270 CA 125266DE 88647 BR 67825 EC 54953 Do 48473 CO 39594GB 21557NL 21489AU 18990 FR 18149ES 16957PK 14554 PL 12637AE 10330 EG Table 3: Listener Location by Country UK TOP FVEY

UK TOP FVEY Listener Geographic Distribution EIIE IAN IEC IIL IAU EIPK IIN EIPH IID IZA IMX EICA IRO IGB EIFR EIIT EIEG ITH IUA IMY EIJP IDE EIDO IIR EIGR EIPL EIFI IBE IRU IKZ EIUS EIBR EICO INL EIES EIAE EIKR EISG ICH ISE Chart 2: Listener Location by Country UK TOP FVEY

UK TOP FVEY 4 Contact Chaining Via Broadcast Events Figure 1: Interconnected Broadcast Events (Renoir) 4.1 Bulk events were visualized in Renoir. Since there is no TDI present within broadcast events, it is difficult to say how many events represent unique users. There were two distinct behaviors exhibited by users of Internet radio stations. Figure 1 shows the first type a highly connected group of Internet radio stations with listeners having multiple connections to different radio stations. Figure 2 shows the second trend within the graph. Each radio station has a set of users who are not observed connecting to any other type of Internet radio station. This observation may be an artifact of the data collection process, which is on a smaller scale than what the corporate architecture can provide. However it may provide an insight into different types of user on the Internet, the technologically savvy user who uses multiple streams of radio for entertainment or news, and a user who knows what they want to listen to. UK TOP FVEY

UK TOP FVEY I-.uu II- in. II+?Il i;l l:-l l;l IEI .E-I El I: *l II II: [El I.I-II - - - I .IIll--I. .-II II I gin: I..I I l=-II..- I'll . I . =3 -: .14.: -- . 4.I.- Figure 2: Graphing of broadcast events (Renoir) 5 User Agent Analysis 5.1 The broadcast-client field within the TLVs in the generated data was extracted to see the most common software agents used to listen to Internet radio. The most common software agent was Winamp. A large number of other vendors can be seen. Notably there were nearly 2000 events from users with a PSP (Playstation Portable) and also listening via the Apple iPhone. Internet radio is likely a growth area for mobile phones and mobile devices as wireless networks increase in ubiquity and speed. Frequency User-Agent 119711WinampMPEG 28533Streamripper 27720iTunes 14349 RMA 11668xmms 10594 NSPIayer 10047MPIayer 8375 BASS 5291 JPIayer 2214BSPIayer 2137FreeAmp 204SScreamer 2025'etAudio 2011 Mozilla 1923 PSP-lnternetRadioPlayer UK TOP FVEY

UK TOP FVEY 1730 Icecast 1457tun3rLister 1345 Moodio 1308VLC 1279FMOD 1275 Roku 1248Xine 1147Today FM Radio Player 1068Ares 702 GStreamer 603shoutcastsource 573Tunin.FM?basic 552Tunin.FM 538Apple 470 FStream 405SN 404 Nullsoft 402 CorePIayer 385 Broadcast-Host 370 SC_iRadi0 364 InternetRadioBOX 357Audacious 353 nternet Explorer 313er 294 RaimaRadio 281Tun nFM 251 Windows-Media-Player 221 iTuner 175GOGS 1688houtcast 168iPhone 144 gnome-vfs 142WebRadio 139u travox 137 NSV 131 VirtuaIRadio 1290pticodec-PC 123 LCG 1 16860 nternetRadio 103 RecordTheRadio 98 MyNetRadioPlayer 96vTuner 94 Resco 8900deMorphicAudio 88 PocketTunes Table 4: User Agent Frequencies in Data Sample UK TOP FVEY

UK TOP FVEY 6 Top Radio Stations by Country 6.1 An analysis was performed on the data in order to see the most popular radio stations in a given country. The following data was obtained: Country IP Address Radio Station Iran 190.144.31.82 Pakistan 174.36.19.83 Russia 212.1 .226.163 M2 Radio China 91.121.65.213 Egypt 207.58.190.16 Radio ISMAILY ON LINE Zimbabwe 78.157.192.113 United Kingdom 88.191.13.53 Netherlands 195.149.107.49 [Multiple hosted radio stations] Iraq 72.21.36.210 Afghanistan 202.56.179.190 Argentina 208.72.155.18 6.2 Different countries exhibit different behaviours at this level. The top radio stations in Russia and UK are music and entertainment based stations. The top radio station in Iraq appears to be for a Saudi based action group to free prisoners in Iraq. 6.3 It is worth noting that the top radio station in China is a French language Algerian radio station. This is possibly due to inaccuracies in the GEOFUSION dataset or an motivated and interested community in China. UK TOP FVEY

UK TOP FVEY 7. Pakistan UK Connections 7.1 Any potential misuse of the technology could likely include radicalization between Pakistan and the United Kingdom. In order to observe the scale of users in the UK listening to Pakistan based radio stations, or vice versa, the data was filtered to find listeners and servers in the corresponding countries. 7.2 There were 468 events over the 3 month period corresponding to this pattern. These events were picked out and the radio station titles and descriptions were extracted. The most popular stations are shown below. Goom USA Server: 212.23.58.168 RockRadio1.com Server: 78.129.197.4 AWAZ 103.1 FM Server: 195.10.228.4 Octane Rollin? Server: 217.112.93.51 Radio Communicate Server: 85.92.197.165 The Server: 195.10.228.4 Unity 24 FM Server: 195.10.228.4 Radio 1 Server 216.66.84.2 Geo: London;GB .com Geo: London;GB Geo: London;GB Geo: London; GB Geo; London; GB Geo: London;GB Geo: London;GB .hu Geo: GB [Ambiguous Geofusion Result] DNS: co. uk Unknown Server;216.66.84.2 Geo: GB [Ambiguous Geofusion Result] DNS: live.radioramadhanshef?eld. co. uk Unknown Server: 88.115.99.31 Surge Live! (Southampton University) Server: 152.78.144.108 Radio Party Server: 85.92.197.165 Unknown server: 202.147.163.46 Unknown Geo: GB [Ambiguous Geofusion Result] Geo: Southampton;GB Geo: London;GB Geo: Gujranwala; PK UK TOP FVEY

UK TOP FVEY Server: 92.122.209.33 Geo: London;GB 7.3 These examples are almost exclusively UK based broadcast servers that have listeners in Pakistan. It is not possible to verify the content of each of these audio streams as to whether they match the description given in the URL or Title Field. 7.4 In the case of the Pakistan based broadcast server, the DNS resolves to a domestic ISP LDN. Residential customers can use a dynamic IP address service (such as to use their own connection as a static address for a Broadcast audio server. 8. Islamic Radio Stations 8.1 In order to assess the Islamic radicalization risk further, Internet broadcast titles were analyzed for the presence of keywords, Islam and Quran. 8.2 1 record contained the word ?Islam? in the ?Broadcast-Media-Genre? TLV 8.3 These stations are predominantly broadcasting recitations from the Quran, and represented 4696 events during the survey period. 3:33: lull-l I-TTI uni "Ia Figure 3: Graphs of top Islamic radio stations (Renoir) 8.4 The following radio stations were identified broadcasting this material. An estimation UK TOP FVEY

UK TOP FVEY of listeners is provided by finding the unique client-server lP pairs seen during the survey. Jebril Server: 74.63.225.58 Geo: Dallas;US 1698 Unique Client-Server lP pairs Audio Islam Server: 174.36.1.61 Geo: Dallas;US 81 Unique Client-Server lP Pairs Radio Dhikr Allah Server: 94.23.215.87 Geo: Paris;FR 4 unique Client-Server lP Pairs Radio Islam Server: 87.118.118.66 Geo: Chisinau;DE 11 Unique Client-Server lP Pairs Dars-E-Quran Server: 137.101.32.16 Geo: Karachi;PK 21 Unique Client-Server lP Pairs Hidayah Online Server: 174.36.1.61 Geo: Dallas;US 2 Unique Client-Server lP Pairs Quranic Audio Server: 174.36.235.149 Geo: Ashburn;US 1 Unique Client-Server lP Pairs IslamWeb Server: 202.176.219.164, 205.188.66.157 Geo: Singapore;SG Geo; Reston;US 20 Unique Client-Server lP Pairs 8.5 Case Study and SIGINT Fusion 8.6 As the largest Islamic radio station in the sample, Jebril was chosen as the focus for UK TOP FVEY

8.7 8.8 8.9 8.10 8.11 UK TOP FVEY some further analysis on its listeners. The Jebril radio station is hosted on 74.63.225.58 and geolocated to Dallas, USA. The radio station has a website associated with it ?The official website of Sheikh Muhammad Jebril?. It is a resource for quranic recitations and news. The following data was collated for the listeners to this station: 8 3 ran ussia re/and ia Herz vnia rance kraine udan therlands Africa Tanzania auritania zech ublic 1 omania In order to understand more about the listeners of any one particular radio station, further bulk SIGINT data from BLAZING SADDLES was used to understand any trends or behaviors. KARMA POLICE was able to correlate the Jebril radio station with the of each of its listeners. This reflected the geographical distribution seen in the broadcast media data with the majority of geolocating to Egypt and other parts of North Africa. This analysis was also performed for associated with listeners to the most popular Iraqi radio station in section X. The radio stations correlated with 123 distinct Vbulletin users, and users of other technologies such as Skype, Yahoo, MSN and Facebook. Also, it identified listeners of the radio station who use the the Maktoob blogging service. UK TOP FVEY

8.12 8.13 8.14 9.2 9.3 9.4 10. UK TOP FVEY A listener was chosen for further Internet a user located in Egypt. This user was found to have also used the following websites: Facebook. com Yahoo. com amrkhaled.net e-arabia.com redtube.com Youtube.com ratteb.com jeeran.com flickr. com islamwa y. com blogspot. com This profile suggests that listeners to Internet radio stations are often users of other Web 2.0 services, also that they use the web to get information from local or non- western news sources, blogs or social media. Recommendations for Future Work The single-Iine-records can be pulled through onto BLACKHOLE to feed a suitable QFD. Since the broadcast results are only events and not then they need to be correlated with the bulk TDI data that is already being processed. This might benefit Internet profiling work to understand what a user is doing on the Internet SAMUEL PEPYS). It could also be adapated into KARMA POLICE to go from a specific radio station to a list of TDls, or vice-versa. This report gives no consideration to the understanding and processing of the audio streams traversing the network. For radio stations that were private, or not accessible by the Internet, this would allow GCHQ to listen to the audio part of the protocol. A wealth of datamining techniques could be applied on small closed groups of individuals, to look for potential covert communications channels for hostile intelligence agencies running agents in allied countries, terrorist cells, or serious crime targets. An evaluation of Internet radio for future effects operations including information operations in Afghanistan or Iran could be considered as a way of getting rich audio information to a large audience of Internet connected individuals. References Strategic Framework Task 4134544, ICTR UK TOP FVEY

UK TOP FVEY UK TOP FVEY