Title: HTTP Activity in XKEYSCORE
Release Date: 2015-07-01
Document Date: 2009-03-01
Description: This NSA presentation from March 2009 explains how agency analysts can exploit HTTP data through XKeyScore: see the Intercept article XKEYSCORE: NSA’s Google for the World’s Private Communications, 1 July 2015.
Document: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
HTTP Activity in
XKEYSCORE
March 2009
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20291123
HTTP Activity
HTTP Activity is essentially all web-based activity from a user’s internet browser (with some exceptions).
■ It includes web-surfing, Internet searching (like Google), mapping websites (Google Earth/Maps), etc.
■ Most of this data will not contain a strong selector like an e-mail address.
HTTP Activity
■ HTTP activity comes in two types: client-to-server and server-to-client
[Diagram: a user’s browser exchanging traffic with the cnn.com server]
HTTP Activity
How do you know which side you’re looking at?
Client-to-server requests are generally small in size and are computers talking to other computers.
Server-to-client responses are larger and are what web pages look like at home.
So if you’re looking at something that looks like a web page, it’s server-to-client.
HTTP Activity Examples
Client-to-Server request:
[XKS screenshot, Raw Data view, Type: HTTP-GET]
GET /Hezbollah-Terrorism-Judith-Palmer-Harik/dp/1860648932 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.43 Safari/525.19
Referer: http://www.google.com.pk/search?hl=en&q=written books on hizbollah&btnG=Google Search&meta=
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,bzip2,sdch
Cookie: ubid-main=135-5525816-3765531; apn-user-id=P1YXY7QF1PUYQ5
Accept-Language: en-US,en
Accept-Charset: ISO-8859-1,*,utf-8
Host: www.amazon.com
Connection: Keep-Alive
HTTP Activity Examples
Server-to-Client Response:
[XKS screenshot, Raw Data view, Type: HTTP, Content Type: HTTP/HTML: the rendered Press TV news page "Kuwait government ’resigns’ over economy", Mon, 16 Mar 2009 19:07:16 GMT, with its section navigation and Latest News sidebar]
HTTP Activity
■ XKS HTTP Activity meta-data differs greatly depending on which side of traffic we’re collecting
■ In nearly all cases it’s better to have client-to-server traffic
HTTP Activity Client-to-Server
[XKS screenshot: raw client-to-server request to search.bbc.co.uk (Accept: */*, Referer, Accept-Language: en-us, Accept-Encoding, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1), Host, Connection, Cookie: BBC-UID=…, Cache-Control: max-stale=0) and the meta-data XKS extracts from it:]
Host: search.bbc.co.uk
URL Path: /search
URL Args: tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu&link=next
Search Terms: musharraf
Language: en
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Via: 66808702 (cut off in the screenshot)
Referer: http://search.bbc.co.uk/search?tab=urdu&order=sortboth&q=musharraf&start=2&scope=urdu
Cookie: BBC-UID=b479a5f4ad230a53063d513630203acb22684634a0e0b164c45f96efc054cf950Mozilla%2f4%2e0%20%28com (cut off in the screenshot)
HTTP Activity Server-to-Client
[XKS screenshot: Application Info, HTTP Type: response; Document Information, Type: HTTP, Content Type: HTTP/HTML; the rendered Press TV page "Kuwait government ’resigns’ over economy", Mon, 16 Mar 2009 19:07:16 GMT, with its section navigation and Latest News sidebar]
HTTP Activity
HTTP Types
Meta-data will also tell you which side of traffic you’re looking at.
Client-to-server has two main types: HTTP Type "get" and HTTP Type "post".
Server-to-client has only one: HTTP Type "response".
■ A ‘GET’ is you requesting data from the server (most web surfing)
■ A ‘POST’ is you sending data to the server (i.e. signing in, filling out a form, uploading a file, etc.)
XKS SIGDEV: HTTP Traffic
Example: Let’s look for all Arabic-font Google queries coming out of the tribal areas of Pakistan.
The information needed is contained in HTTP Activity meta-data.
[XKS query form screenshot: Host: www. (cut off); From Country (IP): PK; "Query Marina for IP: 116." (cut off)]
XKS SIGDEV: HTTP Traffic
[Screenshot of the query results; columns TS, USERID, PHONE, USER A, ACTIVITY, USER B; the IP addresses are cut off after "116."]
Rows (all 20081119): 074259Z (2 rows), 074304Z, 074316Z (3 rows), 074357Z (4 rows), 074358Z (4 rows), 074511Z; each row reads <emailAddr> logged in (email) 116.
Session detail for one row: START TIME 20081119 073141Z, STOP TIME 20081119 092841Z, DURATION 0d 01:57:00, CALL DONE UNK, IP ADDRESS and USERID cut off
XKS SIGDEV: HTTP Traffic
Now make that into a workflow
X-KEYSCORE EMAILER
QUERY NAME: ¥as_NCTFP_Foriegn_Googlers
current time: 2008-11-20 07:15:15 GMT
submitted at: 2008-11-20 03:55:03 GMT
has 14 result(s)
SEARCHES (host www.google.com; all on 2008-11-19; the number in parentheses is the hit count):
18:54:20 al qaida (en, en-GB) (1)
07:36:49 The al-Ikhlas network (cybertrans from Arabic) (1)
07:37:07 (referer) the al-Ikhlas network (cybertrans from Arabic) (3)
08:03:17 Forum bride/ 1 Arus (cybertrans from Arabic) (1)
08:05:51 Forum love/gram (cybertrans from Arabic) (1)
08:06:52 (referer) forum love/gram (cybertrans from Arabic) (1)
15:01:00 The hills jihadist without inflicting (cybertrans from Arabic) (10)
15:14:13 (referer) the hills jihadist without inflicting (cybertrans from Arabic)
15:33:19 Waziristan (cybertrans from Arabic) (1)
04:24:44 Scandals (cybertrans from Arabic) (2)
04:24:59 (referer) scandals (cybertrans from Arabic) (1)
04:29:29 News (cybertrans from Arabic) (1)
04:30:04 Forum soil (cybertrans from Arabic) (1)
04:31:51 (referer) forum soil (cybertrans from Arabic) (1)
HTTP Activity-URLs
■ Many targets use free file-sharing websites to pass messages.
■ Example: we may see a message like this:
From: badguy@yahoo.com
To: someotherbadguy@yahoo.com
Hey dude check out this file:
http://www.sendspace.com/file/1gojft
■ Let’s use X-KEYSCORE to find who else might have viewed that file
■ XKS breaks up URLs into their components:
http://www.google.com/search?hl=ar&lr=&q=terrorism&start=10&sa=N
www.google.com is the ‘host’, aka everything between the http:// and the first /
/search is the ‘url path’, everything after www.blah.com and before the ?
hl=ar&lr=&q=terrorism&start=10&sa=N is the ‘url argument’, aka everything after the ?
terrorism is the ‘search term’
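The following Python is an added example, not code from these slides or from XKEYSCORE, that carries out the URL decomposition described above together with the get/post/response labelling from the HTTP Types slide: it splits a cleartext HTTP message into start line, headers and body, labels the side and HTTP type, and pulls host, url path, url args, search term and referer out of a request. The three messages are constructed for the example, and SEARCH_PARAMS, the list of query keys assumed to carry a search term, is an assumption. A response yields no host, path or term at all, which is the point the slides make about preferring client-to-server traffic; every field the function recovers is also exactly what moving the same traffic to HTTPS withholds from a passive observer on the path.

```python
"""Added example: decompose cleartext HTTP messages into the meta-data
fields the slides describe (side, HTTP type, host, url path, url args,
search term, referer).  Illustrative code, not XKEYSCORE's; the three
messages at the bottom are constructed for the example."""
from urllib.parse import parse_qs, urlsplit

# Assumption: parameter names that commonly carry a search term.
SEARCH_PARAMS = ("q", "query", "p", "search")


def extract_search_term(query: str):
    """Return the first non-empty search parameter in a query string, or None."""
    args = parse_qs(query, keep_blank_values=True)
    for key in SEARCH_PARAMS:
        values = args.get(key)
        if values and values[0]:
            return values[0]
    return None


def parse_message(raw: str) -> dict:
    """Split one HTTP message into start line, headers and body, then label it
    the way the slides do: client-to-server (get/post) or server-to-client
    (response)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # A status line ("HTTP/1.1 200 OK") marks a server-to-client response;
    # it carries no host, path or search term, only what the page looks like.
    if start.startswith("HTTP/"):
        return {
            "side": "server-to-client",
            "http_type": "response",
            "status": start.split()[1],
            "content_type": headers.get("content-type"),
            "body_bytes": len(body.encode()),
        }

    # A request line ("GET /path?args HTTP/1.1") is client-to-server.
    method, target, _version = start.split(" ", 2)
    url = urlsplit(target)          # handles "/path?args" and absolute URLs
    referer = headers.get("referer", "")
    meta = {
        "side": "client-to-server",
        "http_type": method.lower(),
        "host": headers.get("host") or url.netloc or None,
        "url_path": url.path,                 # between the host and the "?"
        "url_args": url.query,                # everything after the "?"
        "search_term": extract_search_term(url.query),
        "referer": referer or None,
        # The workflow slide lists "(referer)" hits: terms taken from the
        # page the user came from rather than from the request itself.
        "referer_search_term": extract_search_term(urlsplit(referer).query),
        "browser": headers.get("user-agent"),
    }
    if method.upper() == "POST":
        # A POST carries submitted data; record only the field names.
        meta["form_fields"] = sorted(parse_qs(body, keep_blank_values=True))
    return meta


# Constructed sample messages (not captures from the slides).
BBC_GET = (
    "GET /search?tab=urdu&order=sortboth&q=musharraf&start=3&scope=urdu HTTP/1.1\r\n"
    "Host: search.bbc.co.uk\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Referer: http://search.bbc.co.uk/search?tab=urdu&q=musharraf&start=2\r\n"
    "Cookie: BBC-UID=constructed-cookie-value\r\n"
    "\r\n"
)
LOGIN_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 42\r\n"
    "\r\n"
    "username=alice&password=hunter2&next=inbox"
)
NEWS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 16 Mar 2009 19:07:16 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head><title>Kuwait government 'resigns' over economy</title></head>"
    "<body><h1>Latest News</h1></body></html>"
)

if __name__ == "__main__":
    for msg in (BBC_GET, LOGIN_POST, NEWS_RESPONSE):
        meta = parse_message(msg)
        print(meta["side"], meta["http_type"], meta.get("host"), meta.get("search_term"))
```

Run stand-alone it prints one line per message; the GET yields host, path, args and the term "musharraf" both from the request and from its Referer, the POST yields only the names of the submitted fields, and the response yields neither host nor term.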
XKS SIGDEV: HTTP Traffic
EX: Targets pass links to videos; use XKS to discover new targets who have viewed those videos.
In HB 00215-09, he promises that the newest video will be ready very soon, and then sends these two links:
http://www.load.to/.
http://www.files.to/ge
[XKS query form screenshot: Datetime: 2 Weeks, Start: 2008-12-23 00:00, Stop: 2009-01-06 23:59; HTTP Type; Host; URL Path]
XKS SIGDEV: HTTP Traffic
[Screenshot of the query results; columns TS, USERID, PHONE, USER A, ACTIVITY, USER B; nine rows: 20081231 224606Z, 224949Z (3 rows), 224952Z (3 rows), 225018Z, 225021Z, each "logged in (email)" from an IP address cut off after "59."]
XKS HTTP Meta-data: ‘Atiyah
(TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) During his Internet session, 'Atiyah queried on himself, "Shaykh 'Atiyatallah," and on the name "Khalid al-Habib." (3/00/7878-08)
(TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) During his session on 16 September, 'Atiyah used a U.S. search engine to search for information on himself and a possible associate. 'Atiyah submitted Arabic queries for an alias of his, "'Atiyahtallah", and his real name, "Jamal Ibrahim Ishtaywi". 'Atiyah also queried for "A Revealing View." (COMMENT: This is likely a reference to the book he recently wrote entitled "Lebanese Hezballah and the Palestinian Issue - A Revealing View.") 'Atiyah also queried for "'AM 'Iwad al-Harabi" (no further information). On 17 September, 'Atiyah searched again on the title of his book. (3/00/7151-08)
■ (TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) During the 1035Z to 1143Z online activity, 'Atiyah down-loaded the VoIP application Skype to his private computer. During an earlier online session from approximately 0902Z to 0935Z, either 'Atiyah or his wife, Jamila, also down-loaded Skype onto her private computer. (3/00/10570-07)
■ (TS//SI//OC/REL TO USA, AUS, CAN, GBR, NZL) Although much of 'Atiyah's online activity is communication, he is also a "news hound." While located in Sanandaj, 'Atiyah daily visited several online international news sites, such as the Qatar-registered al-Jazeera news website, and Arabic-language versions of U.S.-based and U.K.-based news organizations. Also, 'Atiyah frequently visits religious sites, such as the Saudi Arabia-registered islamtoday.net. (3/00/21045-07)
Enabled: Google Earth Exploitation