TOP SECRET // SI-GAMMA / TALENT KEYHOLE // ORCON /PROPIN / RELIDO/ REL TO USA,

1. TOP SECRET // SI-GAMMA / TALENT KEYHOLE // ORCON /
2. PROPIN / RELIDO/ REL TO USA, FVEY *
3. TOP SECRET//SI//REL TO USA, FVEY
4.  
5. [edit] (U) SSO Collection Optimization Overview
6. (S//SI//REL USA, FVEY) This wiki article collects and documents the
7. activities within SSO to optimize collection from SSO sites. It is a direct
8. result of the activities and findings from the Large Access Exploitation
9. (LAE) Working Group. Optimization activities can be categorized as:
10. impacting primarily content collection, i.e., feeding repositories like
11. PINWALE and PRESSUREWAVE; metadata, perhaps better termed
12. "structured data," collection, i.e., primarily feeding repositories like
13. MARINA or MAINWAY; or both.
14. (TS//SI//REL USA, FVEY) An examination into the content collected by
15. SSO sites in the fall of 2011 revealed that a significant portion of collection
16. was repetitive, better placed into metadata repositories, or of little foreign
17. intelligence value. Rapidly changing internet protocols, imprecise targeting
18. methods, and constantly shifting target technology use means that selectors
19. or traffic seen by tasking today may not be the same tomorrow. In addition,
20. several emerging technologies in use by targets or contacts of targets have
21. protocols which can cause gross over-collection and selector detasking, e.g.,
22. Yahoo! Webmessenger, which cannot be prevented under UTT tasking, as
23. the protocol contains the precise selector tasked.
24. (TS//SI//REL USA, FVEY) The SSO Optimization team's job is to identify
25. these types of data, and ensure appropriate corrective action is taken,
26. throttling the data from corporate content or metadata repositories, as
27. appropriate.
28. (TS//SI//REL USA, FVEY) Implementation details for specific SSO sites
29. can be found on the SSO Collection Optimization NOFORN wiki page.
30. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
31.  
32. [edit] (U) Address Books
33. (U) Reason for Optimizing
34. (TS//SI//REL USA, FVEY) Ownerless address books can account for 22%
35. 2012), are highly repetitive, and can be both numerous and large.
36. Additionally, the data is highly structured, so they are better parsed and
37. analyzed in structured repositories like MARINA.
38. (U) Criteria (SCISSORS)
39. (TS//SI//REL USA, FVEY) To alleviate the large number of ownerless
40. address books currently being collected, address books will be blocked at
41. SCISSORS. SCISSORS will process each flow and label sessions with the
42. category of 8223 where they meet the following criteria:
43. o (Yahoo|Gmail|Hotmail)-viewAddressBook (which represents ~90% of all
44. addressbook collection)
45. o APMSGTYPE IS PRESENT
46. o NO APACTIVEUSER
47. o SIGAD = Given SIGADS (currently, four)
48. (TS//SI//REL USA, FVEY) The sessions that do not meet the above criteria
49. will send metadata to FALLOUT, but the sessions will be dropped before
50. reaching PINWALE. Metrics for category 8223 will not be available in
51. YELLOWSTONE, and these volumes will not count against PINWALE site
52. caps set by the CSRC.
53. (U) Criteria (XKEYSCORE)
54. (TS//SI//REL USA, FVEY) Because of how inefficient the SCISSORS
55. implementation of ownerless address book throttles is (essentially requiring
56. that SCISSORS process all of the selected content from the affected
57. dataflows twice), work is underway to implement the same throttle in
58. XKEYSCORE at site. This requires a software modification to allow certain
59. types of ownerless buddy list metadata to be created at site (vs at
60. SCISSORS, under the current architecture). Then a deployed XKEYSCORE
61. fingerprint will block the content while allowing the metadata to be
62. memorialized.
63.  
64. XKS Versions:
65. XKS Version 1.5.8 v89 TU Version 1.5.7 v151
66. Digester Labeling:
67. <HASBUDDY>true</HASBUDDY>
68. <ANONADDRBOOK>true</ANONADDRBOOK>
69. The following fingerprint labels and defeats the traffic.
70. defeat/atxks/ownerless_addressbook
71. (U) Deployment Date
72. (TS//SI//REL USA, FVEY) The SCISSORS ownerless address book throttle
73. was implemented on 2/29/2012 for one site, and for others in March and
74. April of 2012.
75. (TS//SI//REL USA, FVEY) The XKEYSCORE ownerless address book
76. throttle is under development.
77.  
78. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
79.  
80. [edit] (U) Yahoo Webmessenger
81. (U) Reason for Optimizing
82. (S//SI//REL USA, FVEY) Yahoo's web-based Messenger client sends
83. frequent requests, and receives frequent responses, for inbox and buddy
84. status which are highly repetitive and contain little or no useful FI
85. information in the actual message content beyond the simple fact that the
86. user was online. During the first two weeks of December, at least eight
87. selectors were detasked by CSRC due to excessive collection (exceeding
88. session limits).
89. (U) Criteria
90.  
91. (S//SI//REL USA, FVEY) Yahoo Webmessenger is identified as either being
92. a request for status message from the client (uncommon), or a status
93. message (common):
94. o request
95. 1. HTTP GET /v1/pushchannel/
96. 2. 'x-yahoo-msgr-user-agent: YahooMessenger'
97. 3. http_host('rest-notify.msg.yahoo.com')
98. 4. http_url('&msgrAppId=' and '&sid=')
99. o status
100. 1. 'Content-Type: application/json;charset=utf-8'
101. 2. Message contains: '"@pendingMsg" : 0, "@syncStatus" : 0, "responses" :
102. [ {'
103. (U) Deployment Date
104. (S//SI//REL USA, FVEY) /atrouter/ on 11 Jan 2012. /atxks/ on 17 April
105. 2012.