Title: Target Detection Identifiers

Release Date: 2015-09-25

Document Date: 2009-03-01

Description: This GCHQ presentation from March 2009 shows that the agency has targeted a number of popular websites in a concerted effort to harvest cookies (“target detection identifiers”) on a massive scale: see the Intercept article Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities, 25 September 2015.

Document: tdi-introduction-p1-normal.gif:
Target Detection Identifiers

© This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [redacted].

Slide 1

tdi-introduction-p2-normal.gif:
UK SECRET STRAP2 COMINT ORCON

High-Speed Internet Processing

[diagram: two HTTP GET requests to Google and the ik cookies extracted from them, feeding the bulk store]

09:28:01 2008-10-131  17776 80 GET / Cookie: ik= qyzwww...
09:28:13 2008-10-131  13456 80 GET / Cookie: ik= xzxsrzczccz

Event data sent to bulk store

© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to [redacted].

Contains Intellectual Property owned and/or managed by GCHQ. The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

Slide 2

tdi-introduction-p3-normal.gif:
UK SECRET STRAP2 COMINT ORCON

High-Speed Internet Processing

• Bulk events key to SIGINT success on Internet

• Event types that are valuable for Intelligence change (quickly)

- 2000 SMTP/POP3

- 2001 Webmail

- 2007 vBulletin

- 2008 Social Networks,...,?

• GCHQ’s Applied Research are pioneering ways of dealing with this:

- Presence Events (TDI)

- Very large scale high speed flat file storage to bulk store TDIs

- Just enough data marts


Slide 3

tdi-introduction-p4-normal.gif:
IP Packet Information

• Many possible types of information

• Many techniques available

• HTTP Get requests dominate cutting edge techniques

• To get Intelligence value Information must relate to a person or device... a TDI

tdi-introduction-p5-normal.gif:
UK SECRET STRAP2 COMINT ORCON

[image slide: no text recovered]

Slide 5

tdi-introduction-p6-normal.gif:
UK SECRET STRAP2 COMINT ORCON

[image slide: no text recovered]

Slide 6

tdi-introduction-p7-normal.gif:
UK SECRET STRAP2 COMINT ORCON

Target Detection Identifier


Slide 7

tdi-introduction-p8-normal.gif:
UK SECRET STRAP2 COMINT ORCON

Target Detection Identifier

Who

When

Where

(doing) What


Slide 8

tdi-introduction-p9-normal.gif:
UK SECRET STRAP2 COMINT ORCON

Target Detection Identifier

Who

When

Where

(doing) What

Fundamental atom of the Internet age.


Slide 9

tdi-introduction-p10-normal.gif:
UK SECRET STRAP2 COMINT ORCON

Target Detection Identifiers

• DEFINITION

- TDIs are definite indicators of presence, that are unique and persistent for a user/machine.

• Built on the familiar

- Telephony +44 - international phone code

- Signalling tells us this phone user is ‘online’

• Target Detection Identifiers

- Started with the Internet, mobile networks too.

- TDI is a ‘SIGINT standardised code’.

- Not a standard managed by the ITU/ETSI.

- Extraction from packets much more complex.


Slide 10

tdi-introduction-p11-normal.gif:
UK SECRET STRAP2 COMINT ORCON

[image slide: no text recovered]

Slide 11

tdi-introduction-p12-normal.gif:


Target Detection Identifiers

• 70 distinct TDI types discovered.

• 2500 TDIs/sec (GET, de-duplicated)

• => 200 Million per day per 10Gbps

• De-dupe rate ???

• Cost - 250 hours per TDI

• Automated discovery prototype

TDI Type                 TDI Location   User/Machine
Yahoo-Y-Cookie           Cookie         User
Yahoo-B-Cookie           Cookie         Machine
Google-IK                Request-URI    User
Paltalk-Nickname         Request-URI    User
MS-MUID-Cookie           Cookie         Machine
Google-SID-Cookie        Cookie         Machine
Maktoob-ME User-Cookie   Cookie         User
Orkut-PREFID-Cookie      Cookie         User
Cloob-Username           Cookie         User
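The automated discovery prototype on this slide, and the AutoTDI report on the next one, score candidate cookies by how persistently each value recurs and how rarely one value is seen from more than one /16. As an added example that is not from the slides, the Python below applies the same two thresholds (mean transmissions per value ≥ 10, cross-/16 ≤ 10%, as read from the report header) to a constructed access log from a site operator's own side, which is how a privacy review would find the cookies that act as persistent user identifiers and should be dropped, shortened or confined to TLS. The log format, the function names and the exact cross-/16 definition are assumptions.

```python
"""Added example, not from the GCHQ slides: AutoTDI-style cookie scoring run by a
site operator over their own access log, to find cookies that behave as persistent
per-user identifiers (the property that makes a cookie a TDI)."""
from collections import defaultdict
from statistics import mean

# Constructed sample log, one request per line: "<client ip> <host> Cookie: <header>".
# 'datr' carries a distinct value per user that repeats from that user's subnet;
# 'locale' is a site-wide constant that every client sends.
SAMPLE_LOG = [f"10.{u}.1.{u + 2} example.test Cookie: datr=u{u}abc; locale=en_GB"
              for u in range(5) for _ in range(12)]
SAMPLE_LOG.append("10.9.1.7 example.test Cookie: locale=en_GB")


def parse_line(line):
    """Return (client_ip, host, [(cookie_name, cookie_value), ...])."""
    ip, host, _, header = line.split(" ", 3)
    pairs = [c.strip().split("=", 1) for c in header.split(";") if "=" in c]
    return ip, host, [(name, value) for name, value in pairs]


def slash16(ip):
    """The /16 network of a dotted IPv4 address, e.g. '10.3.1.5' -> '10.3'."""
    return ".".join(ip.split(".")[:2])


def score_selectors(lines, mean_threshold=10.0, cross16_threshold=10.0):
    """Per (host, cookie name): number of distinct values, mean transmissions per
    value, percentage of values seen from more than one /16, and whether the
    cookie passes both thresholds as read from the AutoTDI report header
    (mean >= 10, cross-/16 <= 10%).  The cross-/16 definition is an assumption."""
    per_value = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        ip, host, pairs = parse_line(line)
        for name, value in pairs:
            entry = per_value[(host, name)][value]
            entry[0] += 1            # transmissions of this exact value
            entry[1].add(slash16(ip))  # client networks it was seen from
    report = {}
    for key, values in per_value.items():
        m = mean(count for count, _ in values.values())
        multi = sum(1 for _, nets in values.values() if len(nets) > 1)
        cross = 100.0 * multi / len(values)
        report[key] = (len(values), round(m, 2), round(cross, 2),
                       m >= mean_threshold and cross <= cross16_threshold)
    return report


if __name__ == "__main__":
    for (host, name), row in score_selectors(SAMPLE_LOG).items():
        print(host, name, row)
```

In the sample, `datr` is flagged (five values, each sent 12 times from a single /16) while the site-wide `locale` cookie is not (one value seen from six /16s).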
Slide 12

tdi-introduction-p13-normal.gif:
[screenshot of the AutoTDI report web page, marked SECRET]

AutoTDI

Report 15 for the 7-day period from 04/10/08 (16:20) to 11/10/08 (16:20)

A cross-subnet threshold of ≤ 10% has been applied.
A mean user transmission threshold of ≥ 10 has been applied.

Putative selectors https://, photos/ and two further illegible paths are blacklisted from this plot.
Click to sort by a given column.

Table (the OCR read each column separately; the rows below are re-aligned by row order and illegible cells are marked; the threshold symbols are read as ≤/≥ because every listed row satisfies them in that direction; the domains "reuters", "bebo" and "youporn" are normalised from the OCR variants "routers", "beto" and "yotporn/youpom"; a further column holding only the values 7, 6, 4 could not be placed):

Domain       Context   Example value   Count   Mean user transmission frequency   Cross-/16 percentage
facebook     Cookie    datr=           671     12.98                              (illegible)
facebook     Cookie    (illegible)     651     12.09                              3.51
facebook     Cookie    utmz=           609     12.14                              4.25
facebook     Cookie    (illegible)     609     12.44                              3.56
facebook     Cookie    h_user=         601     12.37                              3.74
facebook     Cookie    (illegible)     364     10.38                              4.97
reuters      Cookie    lv=             336     10.67                              0.24
facebook     Cookie    (illegible)     323     18.63                              9.18
live         Cookie    MUID=           321     10.91                              3.24
reuters      Cookie    ids             312     21.59                              0.45
google       URI       (illegible)     311     15.02                              5.91
reuters      Cookie    (illegible)     309     16.83                              0.39
yahoo        Cookie    e=              307     10.76                              2.76
yahoo        Cookie    (illegible)     306     10.60                              7.79
youporn      Cookie    (illegible)     290     24.90                              1.96
youporn      Cookie    utma=           292     24.23                              1.65
youporn      Cookie    (illegible)     261     22.92                              4.60
reuters      Cookie    anonid=         279     16.22                              0.46
youporn      Cookie    (illegible)     277     24.40                              1.69
yahoo        URI       (illegible)     277     31.18                              6.89
bebo         Cookie    (illegible)     275     27.19                              2.06
google       Cookie    LM=             272     16.95                              7.31
google       Cookie    (illegible)     271     16.80                              3.73
google       Cookie    TM=             270     17.07                              6.57
bebo         Cookie    Username=       268     27.18                              2.21
bebo         Cookie    Email=          268     27.67                              2.24
yahoo        Cookie    (illegible)     264     78.61                              3.00
google       Cookie    S=              264     39.35                              3.82
yahoo        Cookie    (illegible)     253     14.24                              2.54
(illegible)  Cookie    uid=            251     66.03                              1.01
reuters      Cookie    (illegible)     242     14.24                              0.48
yahoo        Referer   (illegible)     242     17.85                              7.19

Slide 13

tdi-introduction-p14-normal.gif:


TDI Applications

• Bulk store of all TDIs seen in last 6 months [MUTANT BROTH]

• Bulk store TDI correlations (6 months) [AUTO ASSOC]

• Bulk store TDI website correlations (6 months) [KARMA POLICE]

• Bulk store TDI vBulletin activity [INFINITE MONKEYS]

• Bulk store TDI Social Networking Site activity [SOCIAL ANIMAL]

• Bulk store web search requests [MEMORY HOLE]

• Bulk store Google Earth requests [MARBLED GECKO]

• Bulk store of (illegible) references [HRM AB]

Slide 14

tdi-introduction-p15-normal.gif:
[screenshot: MUTANT BROTH search page]

Welcome

Logged in as [redacted]; all queries logged for audit.

Database currently contains identifiers from the period Tue Dec 25 15:26:40 2007 to Fri Jun 20 22:13:19 2008 (18.41 billion rows as of 07-JUN-08).

Warning: data for period(s):
• Fri Jun 20 22:13:21 2008 - Tue Jun 24 09:33:20 2008

is loaded, but currently unavailable for query due to index building. The rest of the database can be queried as usual during the rebuild.

Search for Identifiers

• If allow wildcards is checked, multi-character (bob*) and single-character wildcards are supported (the wildcard characters themselves are illegible in the scan).

• Queries are always case-sensitive (bob@hotmail.com ≠ Bob@hotmail.com ≠ BOB@HOTMAIL.COM). There is an option to automatically convert to lowercase.

• For bulk queries, paste in a list of identifiers separated by newlines (one per line).

• You can enter a minimum/maximum date for the search: defaults to search all available selectors.

Form fields: MIRANDA 20135; (illegible); Purpose NS 2.; Reason demo; [ ] Allow wildcards; [ ] Convert to lowercase before searching; [Execute]

Matching Identifiers

The following identifiers have been found in the MUTANT BROTH database.

Select those that match your target(s) to generate a summary of target activity.

TDI type | TDI value (one result row, illegible)

tdi-introduction-p16-normal.gif:
[screenshot: the same MUTANT BROTH search page after a query (Purpose NS 3, Reason demo); the welcome text and search instructions repeat slide 15]

Matching Identifiers

The following identifiers have been found in the MUTANT BROTH database.

Select those that match your target(s) to generate a summary of target activity.

TDI type | TDI value (one result row, type illegible)

Summary of target activity (Save as CSV), with columns Date Time, Source IP, Source IP Geo, Identifier Type and Identifier Value, annotated on the slide as WHEN, WHERE, WHO and WHAT. The six result rows are recoverable only column by column:

WHEN (Date Time): 17/06/2008 17:08:44; 17/06/2008 16:55:21; 17/06/2008 16:55:16; 17/06/2008 16:54:47; 17/06/2008 16:52:13; 15/06/2008 19:20:33

WHERE (Source IP as OCR'd, Source IP Geo): 6de32fcb0, 41.02;23.96;ISTANBUL;TR (three rows); 6de32bb0, 41.9022,-87.6726;CHICAGO;US (two rows); dc8bcr43, 33.5;36.3;DIMASHQ;SY (one row)

WHO / WHAT (Type, Identifier Value): Hi5-Email-Cookie, [redacted]@hotmail.com (every row)

tdi-introduction-p18-normal.gif:
UK SECRET STRAP2 COMINT ORCON

Other Bulk Event Applications

• Most events that can be associated back to TDIs:

• File Transfer Signature (e.g. proof of life videos)

• Detection by Internet profile, e.g. ‘Dead Letter Drop’.

• Yahoo webcam images

• Airline reservation confirmation emails


Slide 18


















