249172452 Details About the NSA INCENSER Program Top Level Telecommunications

Top Level Telecommunications: INCENSER, or how NSA and GCHQ are tapping internet cables

http://electrospaces.blogspot.com/2014/11/incenser-or-how-nsa-and-gchq-are.html[12/4/2014 10:18:17 AM]

November 29, 2014

INCENSER, or how NSA and GCHQ aretapping internet cables(Last edited: December 2, 2014)

Recently disclosed documents show that the NSA's fourth-largest cable tappingprogram, codenamed INCENSER, pulls its data from just one single source: asubmarine fiber optic cable linking Asia with Europe.

Until now, it was only known that INCENSER was a sub-program of WINDSTOP andthat it collected some 14 billion pieces of internet data a month. The latest revelationsnow say that these data were collected with the help of the British company Cable &Wireless (codenamed GERONTIC, now part of Vodafone) at a location in Cornwall inthe UK, codenamed NIGELLA.

For the first time, this gives us a view on the whole interception chain, from theparent program all the way down to the physical interception facility. Here we willpiece together what is known about these different stages and programs from recentand earlier publications.

- NIGELLA - GERONTIC - INCENSER - WINDSTOP -

Here you can read about:- Signals Intelligence (SIGINT),- Communications Security(COMSEC),- Information Classification,and also about the equipment, frompast and present, which make thatcivilian and military leaders cancommunicate in order to fulfill theirduties.

The main focus will be on the UnitedStates and its National SecurityAgency (NSA), but attention will alsobe paid to other countries andsubjects.

Any comments, additions, corrections,questions or suggestions will be veryappreciated! There's no login orregistration required for commenting.

twitter.com/electrospaces

info (at) electrospaces.net

PGP Public Key ID: FD9FD4E6

Welcome to this weblog about TopLevel Telecommunications!

The postings on this weblog areupdated frequently as new informationabout the NSA is still being revealed.Therefore, revisit this weblog andcheck the articles for updates!

87 More Next Blog Create Blog Sign In



The cables tapped at NIGELLA by GERONTIC under the INCENSER and WINDSTOP programs

(Map: ARD.de - Text: Electrospaces.net - Click to enlarge)

NIGELLA

Last week's joint reporting by the British broadcaster Channel 4, the German regionalbroadcasters WDR and NDR and the German newspaper Sddeutsche Zeitung,identified NIGELLA as an interception facility at the intersection of Cable & Wirelessand Reliance cables at Skewjack Farm.

There, just north-west of Polgigga Cottage in Cornwall, is a large building that wasconstructed in 2001 for FLAG Telecom UK Ltd for 5.3 million pounds. It serves as aterminus for the two ends of a submarine optical cable: one from across the Atlanticwhich lands at the beach of nearby Sennen, and one that crosses the Channel toBrittany in France:

- FLAG Atlantic 1 (FA1)Connecting the east coast of North America to the United Kingdom andFrance (6.000 kilometers)

The FLAG Atlantic 1 cable to America consists of 6 fibre pairs, each capable of carrying40 (eventually up to 52) separate light wavelengths, and each wavelength can carry10 Gigabit/s of traffic. This gives a potential capacity of 2.4 terabit/s per cable.However, in 2009, only 640 gigabit/s were actually used, which went apparently up to921 gigabit/s in 2011.

INCENSER, or how NSA and GCHQare tapping internet cables

German investigation of thecooperation between NSA and BND (I)

The phones of the Dutch PrimeMinister

The German operation Eikonal as partof NSA's RAMPART-A program

NSA's Strategic Mission List

About STELLARWIND and othermysterious classification markings

NSA's foreign partnerships

Another "red phone" for the Israeliprime minister

What if Google was an intelligenceagency?

Recent Posts

"It's actually straight up interesting butalso weird how weirdly, wonderfullydetailed this blog about hyper securecommunications is."

Gizmodo.com

Home

INDEX

Links

Abbreviations and Acronyms

NSA Nicknames and Codewords

NSA's organizational designations

NSA Glossary

The US classification system

SIGINT Activity Designators (SIGADs)

GCHQ Codewords and Abbreviations

Pages



The FLAG terminus station in Skewjack Farm, Cornwall

(photo: Sheila Russell - Click to enlarge)

The cable was initially owned by FLAG Telecom, where FLAG stands for Fiber-optic LinkAround the Globe. This company was renamed into Reliance Globalcom when itbecame a fully owned subsidiary of the Indian company Reliance Communications(RCOM). In March 2014, Reliance Globalcom was again renamed, now into GlobalCloud Xchange (GCX).

More important is another, much longer submarine cable, which was also owned bythis company, and which has its landing point on the shore of Porthcurno, a few milessouth-west of Skewjack Farm:

- FLAG Europe-Asia (FEA)Connecting the United Kingdom to Japan through the Mediterranean, withlanding points in Egypt, the Saudi Peninsula, India, Malaysia, Thailand,Hong Kong, China, Taiwan, South Korea and Japan (28.000 kilometers)

This cable has 2 fibre pairs, each capable of carrying up to 40 separate lightwavelengths, and each wavelength can again carry 10 gigabit/s of traffic. This gives apotential capacity of 800 gigabit/s, but in 2009 only 70 gigabit/s were used, whichwent up to 130 gigabit/s in 2011 - still an unimaginable 130.000.000.000 bits persecond.

The FLAG Atlantic 1 and FLAG Europe-Asia landing points

and the Skewjack Farm terminus station

(Map: Channel 4 - Click to enlarge)

The backhaul connection between the FLAG Atlantic 1 (FA1) and the FLAG Europe-Asia

BND Codewords and Abbreviations

Telephony Abbreviations

Internet abbreviations

717,515

Total Pageviews

How Obama's BlackBerry got secured

New phones aboard Air Force One

INCENSER, or how NSA and GCHQare tapping internet cables

DRTBOX and the DRT surveillancesystems

The US Classification System

New slides about NSA collectionprograms

The German operation Eikonal as partof NSA's RAMPART-A program

Popular Posts

BoundlessInformant (7) Classification (6)

GCHQ (4) Germany (6) Hotline (4)

Netherlands (5)

NSA (29) NSAPartnerships (7) POTUS (7)PRISM (7) Red Phone (5)

Wireless (6)

Labels

Air Force One (1) Apple (1) BlackBerry (1)Boeing (1) Brazil(1) Britain (1) Canada (1) CSEC (2) General Dynamics (1)

Gold Phone (1) GSM (2)ISAF (1) Israel (2) IST (2)

Kremlin (1) Metadata (3)

North Korea (1)

Obama (3) Russia (1)

Sectra (1) Secure voice (1) Situation Room (1)STE (3) STU-II (1) STU-III (1) UMTS (2)USA (2) USSR (2) Vatican (1) VoIP (1)White House (3)



(FEA) is provided by a local area network of Cable & Wireless, which also connectsboth submarine cables to its terrestrial internet backbone network.

According to the newly disclosed GHCQ Cable Master List from 2009, the interceptionof the FA1 and the FEA cables takes place at the intersection with this backhaulconnection:

This list also shows that the interception of these two cables is accompanied by aComputer Network Exploitation (CNE) or hacking operation codenamed PFENNINGALPHA.

Because the owner of the cables (Reliance Globalcom, now Global Cloud Xchange) isnot a cooperating partner of GCHQ, they hacked into their network for gettingadditional "router monitoring webpages" and "performance statistics for GTE [GlobalTelecoms Exploitation]".

Interception equipment

How the actual interception takes place, can be learned from an article in TheGuardian from June 2013, which provides some details about the highly sophisticatedcomputer equipment at cable tapping points.

First, the data stream is filtered through what is known as MVR (Massive VolumeReduction), which immediately rejects high-volume, low-value traffic, such as peer-to-peer downloads. This reduces the volume by about 30%.

Selectors

The next step is to pull out packets of information that contain selectors like phonenumbers and e-mail, IP and MAC addresses of interest. In 2011, some 40,000 ofthese were chosen by GCHQ and 31,000 by the NSA, according to The Guardian. Thisfiltering is most likely done by devices from Boeing-subsidiary Narus, which cananalyse high-volume internet traffic in real-time.

A single NarusInsight machine can monitor traffic up to 10 Gigabit/second, whichmeans there have to be up to a dozen of them to filter the relevant traffic from theFA1 and FEA submarine cables. Most of the information extracted in this way isinternet content, such as the substance of e-mail messages.

Full sessions

Besides the filtering by using specific selectors, the data are also sessionized, whichmeans all types of IP traffic, like VoIP, e-mail, web mail and instant messages arereconstructed. This is something the Narus devices are also capable of.

These "full take" sessions are stored as a rolling buffer on XKEYSCORE servers:content data for only three to five days, and metadata for up to 30 days. But "atsome sites, the amount of data we receive per day (20+ terabytes) can only be storedfor as little as 24 hours" according to an NSA document from 2008.

The aim is to extract the best 7,5% of the traffic that flows past the access, which isthen "backhauled" from the tapping point to GCHQ Bude through two 10 gigabit/schannels (the "egress" capacity). This might be a dedicated cable, or a secure VPNpath over the regular Cable & Wireless backbone that connects Bude with the south-west of Cornwall:

Search This Blog

2014 (28) November (3)

INCENSER, or how NSAand GCHQ are tappinginternet...

German investigation ofthe cooperationbetween NS...

The phones of the DutchPrime Minister

October (1)

September (3)

August (2)

July (4)

June (2)

May (2)

April (1)

March (3)

February (5)

January (2)

2013 (33)

2012 (10)

Blog Archive

Sequence of the real Red Phones, notfor the Washington-Moscow Hotline,but for the US Defense Red SwitchNetwork (DRSN). The phones shownhere were in use from the earlyeighties up to the present day andmost of them were made byElectrospace Systems Inc. They will bediscussed on this weblog later.

US Red Phones



The Cable & Wireless internet backbone (yellow) in Cornwall

and the connections to submarine fiber-optic cables (red)

(Map from before 2006 - Click for the full verion)

GERONTIC (Cable & Wireless)

The secret GCHQ documents about these cable tapping operations only refer to thecooperating telecommunications provider with the cover name GERONTIC. The realname is protected by STRAP 2 dissemination restrictions. But nonetheless, Germanmedia already revealed that GERONTIC is Cable & Wireless last year.

In july 2012, Cable & Wireless Worldwide was taken over by Vodafone for 1.04 billionpounds, but according to the GCHQ documents, the covername GERONTIC wascontinued, and was seen active until at least April 2013.

According to the press reports, GCHQ had access to 63 undersea internet cables, 29of which with the help of GERONTIC. This accounted for about 70% of the totalamount of internet data that GCHQ had access to in 2009.

Cable & Wireless was involved in these 29 cables, either because it had Direct CableOwnership (DCO), an Indefeasible Right of Use (IRU) or Leased Capacity (LC). Besidesthat, the GCHQ Cable Master List from 2009 lists GERONTIC also as a landing partnerfor the following nine cables:

- FLAG Atlantic 1 (FA1)- FLAG Europe-Asia (FEA)- Apollo North- Apollo South- Solas- UK-Netherlands 14- UK-France 3- Europe India Gateway (EIG)- GLO-1

Disclosed excerpts from internal GCHQ wiki pages show that Cable & Wireless heldregular meetings with GCHQ from 2008 until at least 2010, in order to improve theaccess possibilites, like selecting which cables and wavelenghts would provide the bestopportunities for catching the communications GCHQ wanted.

GCHQ also paid Cable & Wireless tens of millions of pounds for the expenses. Forexample, in February 2009 6 million pound was paid and a 2010 budget references a20.3 million pound payment to the company. By comparison, NSA paid all itscooperating telecommunications companies a total of 278 million dollars in 2013.

The intensive cooperation between Cable & Wireless and GCHQ may not come as asurprise for those knowing a bit more of British intelligence history. The company

For the record, you see:- Electrospace MLP-1- Electrospace MLP-1A (since 1983)- Electrospace MLP-2- Raytheon IST (since 1992)- Telecore IST-2 (since 2003)

Color codes for the classification levelsused by the government and thearmed forces of the Unites States:

These color codes are used to markthe classification level of (digital)documents and files and also of thecommunication devices used for theirtransmission.

US Classification Levels

Subscribe to this weblog!

Posts

Comments

- The Dutch virtual Crypto Museum

- Website about Crypto Machines

- Intelligence expert Matthew Aid

- Bruce Schneier on Security

- Steven Aftergood's Secrecy News

- The weblog Empty Wheel

- Stewart Baker's Skating on Stilts

- Marc Ambinder's The Compass

- Leaked documents: IC Off the record

- Glenn Greenwald's The Intercept

- Der Spiegel's 53 NSA-documents

- The NSA Observer

Hotlinks



already worked with predecessors of GHCQ during World War I: all internationaltelegrams were handed over so they could be copied before being sent on their way, apractice that continued for over 50 years.*

INCENSER (DS-300)

Among the documents about the GCHQ cable tapping is also a small part of aninternal glossary. It contains an entry about INCENSER, which says that this is aspecial source collection system at Bude. This is further specified as the GERONTICdelivery from the NIGELLA access, which can be viewed in XKEYSCORE (XKS):

This entry was also shown in the German television magazine Monitor, although not fully, but without the

redactions, so from this source we know the few extra words that were redacted for some reason.

The entry also says that INCENSER traffic is labeled TICKETWINDOW with the SIGINTActivity Designator (Sigad) DS-300. From another source we know thatTICKETWINDOW is a system that makes cable tapping collection available to 2nd Partypartners. The exact meaning of Sigads starting with DS isn't clear, but probably alsodenotes 2nd Party collection.

TEMPORA

In Bude, GCHQ has its Regional Processing Center (RPC), which in 2012 had a so-called "Deep Dive" processing capability for 23 channels of 10 gigabit/second eachunder the TEMPORA program.

TEMPORA comprises different components, like the actual access points to fiber-opticcables, a Massive Volume Reduction (MVR) capability, a sanitisation programcodenamed POKERFACE, and the XKEYSCORE system. As we have seen, most of thehardware components are located at the interception point, in this case the facility inSkewjack (NIGELLA).

Analysing

These collection systems can be remotely instructed ("tasked") from Bude, or maybeeven also from NSA headquarters. For one part that involves entering the "strongselectors" like phone numbers and internet addresses. For another part, that is byusing the additional capabilities of XKEYSCORE.

Because the latter system buffers full take sessions, analysts can also perform queriesusing "soft selectors", like keywords, against the body texts of e-mail and chatmessages, digital documents and spreadsheets in English, Arabic and Chinese.XKEYSCORE also allows analysts to look for the usage of encryption, the use of a VPNor the TOR network, and a number of other things that could lead to a target.

This is particularly useful to trace target's internet activities that are performedanonymous, and therefore cannot be found by just looking for the known e-mailaddresses of a target. When such content has been found, the analyst might be ableto find new intelligence or new strong selectors, which can then be used for starting atraditional search.

Possible targets

- The Cryptome

> Many more links

For questions, suggestions and otherremarks about this weblog in generalor any related issues, please use thefollowing e-mail address: info (at)electrospaces.net

For sending an encrypted e-mailmessage, you can use the PGP PublicKey under this ID: FD9FD4E6

You can also communicate throughTwitter: @electrospaces orXMPP/Jabber chat by using theaddress electrospaces (at) limun.org

Contact

The title picture of this weblog showsthe watch floor of the NSA's NationalSecurity Operations Center (NSOC) in2006. The URL of this weblog recallsElectrospace Systems Inc., thecompany which made most of the toplevel communications equipment forthe US Government. All information onthis weblog is obtained fromunclassified or publicly availablesources.

QW5kIGZpbmFsbHksIHRoaXMgaXMgd2hhdCBhIHRleHQgbG9va3MgbGlrZSwgd2hlbiBpdCdzIG9ubHkgZW5jb2RlZCB3aXRoIHRoZSBzdGFuZGFyZCBCYXNlNjQgc3lzdGVtLiBHdWVzcyBob3cgY29tcGxpY2F0ZWQgaXQgbXVzdCBiZSB3aGVuIGEgcmVhbCBzdHJvbmcgYWxnb3JpdGhtIHdhcyB1c2VkLg==

McAfee SIEMSolutions

mcafee.com/B2BSIEM

McAfee Leads in SIEM MagicQuadrant Discover The NewReport Today!



The disclosed GCHQ documents contain no specific targets or goals for the INCENSERprogram, which provided Channel 4 the opportunity to claim that this Cable &Wireless/Vodafone access allows "Britain's spies to gather the private communicationsof millions of internet users worldwide". Vodafone, which also has a large share of thetelecommuncations market in Germany, was even linked to the eavesdropping onchancellor Merkel.

Both claims are rather sensationalistic. Merkel's phone was probably tapped by othermeans, and both GCHQ and NSA aren't interested in the private communications ofordinary internet users. On the contrary, by tapping into a submarine cable thatconnects to Asia and the Middle East, INCENSER looks rather focussed at high-prioritytargets in the latter region.

> See also: NSA's Strategic Mission ListReporting

Despite INCENSER being NSA's fourth-largest cable tapping program regarding to thevolume which is collected, the intelligence reports analysts are able to write basedupon this only made it to the 11th position of contributors to the President's DailyBrief - according to a slide from a 2010 presentation about Special Source Collection,published by The Washington Post in October last year:

WINDSTOP (2nd Party)

Data collected under the INCENSER program are not only used by GHCQ, but also byNSA, which groups such 2nd Party sources under the codename WINDSTOP. As such,INCENSER was first mentioned in a slide that was published by the Washington Poston in October 2013 for a story about the MUSCULAR program:



According to NSA's Foreign Partner Access budget for 2013, which was published byInformation and The Intercept last June, WINDSTOP involves all 2nd Party countries(primarily Britain, but also Canada, Australia and New Zealand) and focusses onaccess to (mainly internet) "communications into and out of Europe and the MiddleEast" through an integrated and overarching collection system.

MUSCULAR is a program under which cables linking big data centers of Google and Yahoo are tapped. The

intercept facility is also located somewhere in the United Kingdom and the data are processed by GCHQ and

NSA in a Joint Processing Centre (JPC) using the Stage 2 version of XKEYSCORE.

A new slide from this presentation about WINDSTOP was published by SddeutscheZeitung on November 25, which reveals that a third program is codenamedTRANSIENT THURIBLE. About this program The Guardian reported once in June 2013,saying that it is an XKeyscore Deep Dive capability managed by GHCQ, with metadataflowing into NSA repositories since August 2012.

In November 2013, the Washington Post published a screenshot fromBOUNDLESSINFORMANT with numbers about data collection under the WINDSTOPprogram. Between December 10, 2012 and January 8, 2013, more than 14 billionmetadata records were collected:



The bar chart in the top part shows the numbers by date, with DNR (telephony) ingreen and DNI (internet) in blue. The section in the center of the lower part showsthese data were collected by the following programs:

- DS-300 (INCENSER): 14100 million records- DS-200B (MUSCULAR): 181 million records

XKEYSCORE, which is used to index and search the data collected under theINCENSER program, can be seen in the bottom right section of the chart.

With just over 14 billion pieces of internet data a month, INCENSER is the NSA'sfourth-largest cable tapping program, accounting for 9% of the total amount collectedby Special Source Operations (SSO), the division responsible for collecting data frominternet cables. According to another BOUNDLESSINFORMANT chart, the NSA's Top 5of cable tapping programs is:

SSO worldwide total:

DANCINGSOASIS:

SPINNERET (part of RAMPART-A):

MOONLIGHTPATH (part of RAMPART-A):

INCENSER (part of WINDSTOP):

AZUREPHOENIX (part of RAMPART-A):

...

Other programs:

160.168.000.000 (100%)

57.788.148.908 (36%)

23.003.996.216 (14%)

15.237.950.124 (9%)

14.100.359.119 (9%)

13.255.960.192 (8%)

...

(24%)

It's remarkable that just one single cable access (NIGELLA in Cornwall) providesalmost one tenth of everything NSA collects from internet cables. This also means thatbesides a large number of small cables accesses, NSA can only have access to just afew more cables with a similar high capacity as FA1 and FEA.

> See also: NSA's largest cable tapping program: DANCINGOASIS

Links and Sources- Golem.de: Die Abhrkette der Geheimdienste

- The recently disclosed documents about GCHQ cable tapping:

- NetzPolitik.org: Cable Master List: Wir spiegeln die Snowden-Dokumente ber angezapfte Glasfasern, auch

von Vodafone

- Sueddeutsche.de: Snowden-Leaks: How Vodafone-Subsidiary Cable & Wireless Aided GCHQs Spying Efforts

- ArsTechnica.com: New Snowden docs: GCHQs ties to telco gave spies global surveillance reach

- Sueddeutsche.de: Vodafone-Firma soll GCHQ und NSA beim Sphen geholfen haben

- WDR.de: Neue Snowden-Dokumente enthllen Ausma der Zusammenarbeit von Geheimdiensten und



Geplaatst door P/K op 23:37

Labels: GCHQ, NSA Partnerships

Telekommunikationsunternehmen

- TheRegister.co.uk: REVEALED: GCHQ's BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE

- Weblog about Uk Submarine Cable Landings & Cable Stations

- Article about Explaining submarine system terminology Part 1

- Thanks also to Henrik Moltke, who did most of the research for the German press reports

More reactions on Hacker News and Schneier's Blog

+87 Recommend this on Google

7 comments: Anonymous said...

So, since the program discards traffic such as peer to peer downloads, aperson could use that as a means of communication by imbeddingmessages in files that are sent by that method, as long as the IP addressesof the source and destination were not on the list of addresses of interest.

November 30, 2014 at 5:33 PM

Anonymous said...

I thought in years past they did this. After all you could easily embedencrypted code into a movie, and supply the key in it as well.

November 30, 2014 at 6:19 PM

Anonymous said...

Well, they say "high volume P2P" so they are probably looking for somemeaningful number of users in the swarm before discarding it.

December 1, 2014 at 2:37 PM

Anonymous said...

Wouldn't NSA just tap FA1 at it's USA landing point? Why would they needto tap it on the UK end?


Anonymous said...

> Wouldn't NSA just tap FA1 at it's USA landing point? Why would theyneed to tap it on the UK end?

My first guess for why they'd tap in the UK rather than the US is that USprivacy laws may not apply to information collected in the UK. This wouldbe an obvious way to sidestep US privacy laws.


Anonymous said...

> My first guess for why they'd tap in the UK rather than the US is that USprivacy laws may not apply to information collected in the UK.

AFAIK, anything crossing the border can be collected anywhere without legaldistinction. It is the overseas origin or destination that matters, not thepoint of collection.

December 2, 2014 at 1:24 AM

Anonymous said...

Exactly.



Subscribe to: Post Comments (Atom)

Older PostHome

Post a Comment

The "Five Eyes", often abbreviated as "FVEY", refer to an intelligencealliance comprising Australia, Canada, New Zealand, the United Kingdom,and the United States. These countries are bound by the multilateral UKUSAAgreement, a treaty for joint cooperation in signals intelligence.

http://en.m.wikipedia.org/wiki/Five_Eyes

December 2, 2014 at 3:32 AM

Awesome Inc. template. Powered by Blogger.

blogspot.comTop Level Telecommunications: INCENSER, or how NSA and GCHQ are tapping internet cables

52eEE/QWNyb2JhdFdlYkNhcFRJRDEA: form0: q:

5zYS1hbmQtZ2NocS1hcmUuaHRtbAA=: form0: search: input0:

249172452 Details About the NSA INCENSER Program Top Level Telecommunications

Documents

Transcript of 249172452 Details About the NSA INCENSER Program Top Level Telecommunications