
Targeting Terrorist Internet Traffic

SUMMARY

Project DISTANTFISH targets terrorist internet traffic by providing a database of known terrorist login names, email addresses, etc., as well as information on user-generated computer sessions, for example, in an internet cafe.

DOCUMENT’S DATE

Mar 30, 2004

PUBLICLY AVAILABLE

Feb 05, 2018

DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL

(S//SI) Targeting Terrorist Internet Traffic

FROM: Technical Director, Protocol Exploitation Branch, CES/Systems Analysis (S31212)

Run Date: 03/30/2004

(S//SI) On February 14, 2004, a terrorist on the Counterterrorism top ten list walked into a web café in Iraq and logged into an MSN Messenger account. Little did this terrorist know that NSA knew his login name and that Counterterrorism analysts were alerted to his traffic. Unfortunately, the analysts were unable to do much with it, as the target never talked to anyone and he had few names on his buddy list.

(S//SI) The analysts wanted to look at all of the traffic generated by the terrorist but were unable to do so... The web café used an inexpensive device known as a Network Address Translator (NAT) to share the Internet connection to all the computers in the café. There were many people in the café and the NAT mixed the computer sessions from all of the users together. Luckily, a fledgling service known as DISTANTFISH had just been deployed to Menwith Hill Station, and this new system was able to find the desired terrorist traffic.

(S//SI) Project DISTANTFISH was created to target terrorist traffic on the Internet by providing two important services. First, it provides a database for discovering account identities for known terrorists to use as strong selectors (i.e. login names, e-mail addresses, or other elements that can be associated with a particular individual). Second, it provides information on which computer sessions the same user generated. Thus, if one session contains a strong selector for a terrorist, then all sessions can be collected. At the heart of this capability is an association service that can track an individual computer by the way it generates packets.

(S//SI) From this association service, the DISTANTFISH team members were able to determine that the terrorist generated 107 computer sessions over eleven minutes, thus separating this traffic from that of the other 16 people in the web café. As most of the supporting software is still under development, the data was manually examined, resulting in the discovery of two additional MSN Messenger accounts and two Yahoo web mail accounts that the terrorist used, but that NSA had been unaware of. Since terrorists often abandon accounts for new ones, having a complete picture of the accounts used is critical for targeting the terrorists' traffic.

(U) Transforming DNI Selection and Filtering

(S//SI) The need to greatly expand the existing DNI Surgical Survey capability has been recognized by Data Acquisition and Analysis and Production, placing this task on a list of twelve critical hard DNI problems known as the DA Dozen. The proposed solution is referred to as Persona Session Collection (PSC) and, to work, relies on strong selectors and user session association. DISTANTFISH provides critical capability on both and was highlighted as an important component to transforming DNI selection and filtering.

(S//SI) PSC works by processing application layer protocols to extract certain metadata fields that work as strong selectors for the client of the current application. These selectors are usually login names, client e-mail addresses, user numbers, and other unique metadata. If a selector is found to be that of a known terrorist, that session, as well as all others generated by the terrorist, is forwarded to NSA for analysis. The DISTANTFISH association algorithms are the primary way of determining which sessions the terrorist generated when the access is traditional passive collection. The collection of all user sessions is called the Aggregate Session and can be achieved by other methods, especially active efforts.

(S//SI) However, PSC assumes that the strong selectors for a terrorist are known. The second objective for DISTANTFISH is to associate all strong selectors for SIGINT targets and store them in a database. Intelligence analysts use the database to discover new identities to add to the selectors for that terrorist. Work on this database has begun, but much work remains.

(U) Moving Forward

(S//SI) Menwith Hill Station has over fifty hits a day on known terrorists' accounts. This success has accelerated the work on the DISTANTFISH identity database and on integrating the association information into sustained processing systems. In the coming months, traffic related to all hits will be associated and presented to analysts together. The terrorist identity discovery database being developed in the Target Analysis Cell (TAC/TDS) will also come on line. When that day comes, terrorists will find it difficult to blend in to the crowd, allowing NSA and US troops to target terrorists before they can target us.

(U) More Information

(U//FOUO) DISTANTFISH Project Webpage

"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL sid_comms)."

DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007
DECLASSIFY ON: 20320108