Journal d'investigation en ligne et d'information‑hacking
par Antoine Champagne - kitetoa

#PRISM : let's have a look at the big picture

A long time ago in a galaxy far, far away, Daisy had a knowledge database stored on a Netscape Web server. Its aim was to secure the US military networks (and more). However, this Web server was secured like shit... Please, meet my friend Daisy : The Defense Information Systems Agency (DISA), is a United States Department of Defense (DoD) combat support agency composed of military, federal civilians, and contractors.

A long time ago in a galaxy far, far away, Daisy had a knowledge database stored on a Netscape Web server. Its aim was to secure the US military networks (and more). However, this Web server was secured like shit...

Please, meet my friend Daisy :

The Defense Information Systems Agency (DISA), is a United States Department of Defense (DoD) combat support agency composed of military, federal civilians, and contractors. DISA provides information technology (IT) and communications support to the president, vice president, secretary of defense, the military services, the combatant commands, and any individual or system contributing to the defense of the United States.

Almost all the IT projects, all of the Army’s and the Government's communication problems, everything was there. A unique view on how the US Government and Army reacted to the 9/11 events, a way to understand what was in the mind of the USA behind its war on terror.

What can be learned from these documents ?

  • The neocons had shitty ideas.
  • Wikileaks couldn't have happen without these projects.
  • The US wanted to know everything about their citizens.
  • Networks have diplomatic consequences.
  • US military networks are as rotten as their private counterpart.
  • The military networks were undersized when the “global war on terror” started.
  • 9/11 was a momentum. NeoCons had an agenda. It helped.

Soon after 9/11, NeoCons promoted a huge Net Centric plan for the Army and the Government. Its ambition was for the “Warfighters” to get all the needed information to take the right decision at the right time.

But guess what: a secret, is a secret. A shared secret isn’t a secret anymore...

If you're looking for accountability, look no further than the Bush administration and - specifically -Paul Wolfowitz, deputy defense secretary in the Bush administration, as he was one of the key guys for the Net Centric plan.

C4n I Haz a PhoN3 L1n3 pleAz ?

Please meet the Global Information Grid, the Net Centric concept...

The GIG is defined as a global interconnected end-to-end set of information capabilities, associated processes and personnel for collecting, processing, storing, disseminating and managing information on demand to warfighters, policy makers, and support personnel.The GIG comprises many systems that interoperate to provide the right info to the right places when needed. (...) allow vast amounts of information to be readily accessed by anyone, anywhere, anytime

GIG, connecting people…

The GIG had to be connected to every useful information source, like the Department of Homeland Security (see the MOU here), or NATO... (see the MOU here).

Before reading any further, answer this question honestly: where you really surprised by the PRISM leaks ? Well, PRISM is just a small part of the GIG.

For our part, we were in no way surprised by anything PRISM revealed so far.

On May 2003, Paul Wolfowitz created Talon.

Years after Kitetoa.com and Wired published articles about Talon, a document about this project appeared on Wikileaks.

This database codenamed Talon was designed to collect the following pieces of information :

  • non-specific threats to DoD interests;
  • Suspected surveillance of DoD facilities and personnel;
  • elicitation attempts, suspicious questioning, or other suspected intelligence collection activities focused on DoD interests;
  • tests of security;
  • unusual repetitive activity ;
  • bomb threats;
  • and any other suspicious activity and incidents reasonably believed to be related to terrorist activity directed against DoD personnel, property, and activities within the United States.

Talon would include :

« Non validated » information on strange behavior of American citizens and raw information reported by concerned citizens and military members regarding suspicious incidents. Information in TALON reports is non-validated, may or may not be related to an actual threat, and by its very nature may be fragmented and incomplete. The purpose of the TALON report is to document and immediately disseminate potential threat information to DoD personnel, facilities, and resources…

To say this differently, it has been public knowledge for years now that the American Government wanted to know everything about its citizens. Even non validated information. Even information that is not related to an actual threat.

How does that sound ?

Talon was probably to be inserted into the GCCS-J.

What's that? You might ask.

“GCCS-J is widely used by all the combatant commands, all Service GCCS programs, USCG, DIA, NSA”The Global Command & Control System – Joint (GCCS-J) service offers vital connectivity to systems used to plan, execute and manage military operations for both joint and multinational operations. GCCS-J fuses select C2 capabilities into a comprehensive, interoperable system by exchanging imagery, intelligence, status of forces, and planning information. GCCS-J is focused on meeting emerging operational needs through sustainment and synchronization support to operational baselines (Global, COP I3 and JOPES) and subject matter experts to assist with critical operation and the GCCS-J Family of Systems (FoS).GCCS-J is a Command, Control, Communications, Computer, and Intelligence (C4I) system for achieving full spectrum dominance, consisting of hardware, software, procedures, standards, and interfaces that provide a robust, seamless C2 capability to the Commander-in-Chief (CINC), Secretary of Defense (SECDEF), National Military Command Center (NMCC), Combatant Commanders (CDRs), Joint Force Commanders, and Service Component Commanders. It is a suite of mission applications fusing select C2 capabilities into a comprehensive, interoperable system by exchanging imagery, intelligence, status of forces, and planning information. GCCS-J is the principal foundation for dominant battlespace awareness, providing an integrated, near real-time picture of the battlespace necessary to conduct joint and multinational operations. It offers vital connectivity to the systems the joint warfighter uses to plan, execute, and manage military operations.The GCCS-J modernization vision is focused on continuing to decompose applicable existing applications into services, limiting local deployment, and continuing to expose data and scale services to support an enterprise implementation; reducing overall sustainment cost through use of more cost effective and appropriate COTS and HW products; and increasing the use of agile development practices.

The GCCS-J is, in fact, the real effective GIG. It is used by the US Army and other agencies so that the « warfighter » can make the good move, at any time, based on good intelligence.

GCCS is the tool for C2 (C2 : "the exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission. Command and control functions are performed through an arrangement of personnel, equipment, communications, facilities, and procedures employed by a commander in planning, directing, coordinating, and controlling forces and operations in the accomplishment of the mission")

Ok... But PRISM ? Well... When suicide bombers lolcats wants to blow the USA, the Empire needs something useful to defeat them. Why not PRISM ?

PRISM is a part of the GCCS-J.

Looking for  Waldo  PRISM

Waldo-image_approved
Waldo-image_approved
There are a lot of acronyms in this slide. Here is a little help from our friends at the Disa :

  • DVT – Deployment Visualization Tool
  • JOPES – Joint Operation Planning and Execution System
  • ACOA – Adaptive Courses of Action
  • JFRG II – Joint Force Requirements Generator
  • SORTS – Status of Resources and Training System
  • GSORTS – GCCS Status of Resources and Training System
  • COP – Common Operational Picture
  • CAMPS Consolidated Air Mobility Planning System
  • LOGCAT/ BCAT Logistician’s Contingency Assessment Tools/ Beddown Capability Assessment Tool
  • WHQ WebHoc Query
  • DCAPES Deliberate Crisis Action Planning and Execution System
  • AF Weather AF Weather Agency
  • TBMCS Theatre Battle Management Core Systems
  • AFIWC Air Force Information Warfare Center
  • AFSORT DET Air Force SORTS Data Entry Tool
  • JADE Joint Assistant for Deployment & Execution
  • AFSATCOM/ TIBS Air Force Satellite Communications - Tactical Information Broadcast System
  • GDSS Global Decision Support System
  • ALOG Army Logistics
  • GCCS-A Global Command and Control System - Army
  • TAG TPFDD Access Gateway
  • COMPASS Computerized Movement Planning And Status System
  • FOCUS Force Operation Characteristics Unified System
  • ASAS All Source Analysis Remote Workstation
  • ASORTS Army SORTS
  • SDDC-TEA Surface Deployment and Distribution Command – Transportation Engineering Agency
  • JSTARS Joint Surveillance Target Attack Radar System
  • MAGTF II Marine Air Ground Task Force II
  • GOMERS Global Online Marine Editing and Reporting System
  • IAS Intelligence Analysis System
  • FSR – Force Status Readiness (USSTRATCOM)
  • JSC – Joint Spectrum Center
  • DARWIN Dynamic Analytical Reporting Web-based Interactive Navigator
  • USN Observatory Time Source US Naval Observatory Time Sync Interface
  • TRMS Type Commander Readiness System
  • GCCS-M Global Command and Control System - Maritime
  • NNSOC Naval Network and Space Operations Command
  • FNMOC Fleet Numerical Meteorological and Oceanographic
  • NRTD Near Real Time Data
  • AMP Analysis of Mobility Platform (USTRANSCOM)
  • MAT Medical Analysis Tool
  • SMS Single Mobility System
  • ICIS Integrated Consumable Item Support
  • JFAST Joint Flow And Analysis System For Transportation
  • TCAIMS II Transportation Coordinators Automated Information For Movement System II
  • MIDB Modernized Integrated Database
  • NGA 5D Demand Driven Direct Digital Dissemination
  • WinJMEM Windows – Joint Munitions Effects Manual
  • NGA IPL Integrated Products Library
  • UAV GCS Unmanned Aerial Vehicle Ground Control Station
  • GPS Global Positioning System Time Source
  • DMS/AMHS Defense Message System/Automated Message Handling System
  • Raindrop Raindrop Point Mensuration
  • DMDC Defense Manpower Data Center
  • CFAST Collaborative Force-Building Analysis Sustainment and Transportation
  • DRRS Defense Readiness Reporting System
  • FEDB Failure Experience Data Bank
  • FEDMTC Federal Multi-TADIL Capability
  • JRAMS Joint Readiness Automated Management System
  • TDDS Tactical Data Dissemination System
  • TRIXS Tactical Reconnaissance Intelligence Exchange Service
  • GALE Lite Generic Area Limitation Environment
  • GTN Global Transportation Network
  • ETMS Enhanced Traffic Management System
  • SBMCS Space Battle Management Core System
  • ADSI Air Defense System Integrator
  • EPLRS Enhanced Position Location Reportying System
  • QTRACS Qualcomm Tracks
  • ADAMS Allied Deployment and Movement System
  • NATO ICC NATO Integrated Command and Control
  • NATO JOIIS Joint Operations Intelligence Information System

Note that PRISM is not in the list.

Did you find  Waldo  PRISM  ?

Let's focus on the left side of the image :

Let's zoom in...

Now, the big question... What PRISM are we talking about?

There are a few "PRISM" in the Army...

  • PRISM Portable Resource for the Investigation of Suspected MANPADS [MANPADS denotes Man-Portable Air-Defense Systems]
  • Planning Research and Intelligence Scalable Modeling (PRISM)
  • PRISM Input Tool (© Mitre Corporation)
  • There is a PRISM in Israel : Global Research in International Affairs (GLORIA) Center THE PROJECT FOR THE RESEARCH OF ISLAMIST MOVEMENTS (PRISM)

The PRISM everybody is talking about theses days is probably this one:

Planning Tool for Resource, Integration, Synchronization, and Management (PRISM), a subsystem of collection management mission application. A Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers.

Fortunately, you can find some definitions of PRISM in the Army's publications.

Where applicable, requests for SIGINT support should be entered into approved systems such as PRISM, for approval by the designated signals intelligence operational tasking authority (SOTA).Collection Management Mission Application (CMMA). CMMA is accessed through JWICS and SIPRNET and comprises a tailorable suite of interoperable automated tools designed to enhance the collection planning, execution, and ISR battle management capability of CCMDs, subordinate joint forces, and components. CMMA includes PRISM, which is used in collection planning, operations, and managing of intelligence collection assets that are deployed to all CCMDs and USFK.

Source : Joint and National Intelligence Support to Military Operations - 05 January 2012

The Rand Corporation also gives some clues: in 2007, the Rand published a paper entitled "A Strategies-to-Tasks Framework for Planning and Executing Intelligence, Surveillance, and Reconnaissance (ISR) Operations". This report suggest improving ISR collection planning and execution through the implementation of a strategies-to-task framework for collection planning.

The report states that PRISM is "Currently used to integrate collection requests from the JFC and various components and, with other tools, generate the daily collection deck".

It looks like PRISM is a tool you can use to integrate demands for intelligence and collect MANY kind of data. Not only the one from Google, Facebook, etc.

Remember GCCS-J : there are many networks, many sources. Not only PRISM.

Let's go back to the Army's definition :

JOINT ISR PLANNING SYSTEMS_Two joint ISR planning systems—the collection management mission application and the Planning Tool for Resource, Integration, Synchronization, and Management (PRISM)—help facilitate access to joint resources. PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers. In joint collection management operations, the collection manager coordinates with the operations directorate to forward collection requirements to the component commander exercising tactical control over the theater reconnaissance and surveillance assets. A mission tasking order goes to the unit responsible for the collection operations. At the selected unit, the mission manager makes the final choice of platforms, equipment, and personnel required for the collection operations based on operational considerations such as maintenance, schedules, training, and experience. The Air Force uses the collection management mission application.  This application is a Web-centric information systems architecture that incorporates existing programs sponsored by several commands, Services, and agencies. It also provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all disciplines. [Source](http://armypubs.army.mil/doctrine/DRpubs/dra/pdf/fm355.pdf)

Let's recap...

The PRISM you’ve read about in the media seems to be a small part of a bigger PRISM which in turn, is a small part of a huge system used by the Army, the Government and the Intelligence community : the GCCS-J.

Let’s have a look at the big picture once again :

Echelon: so 20th century...

PRISM may look as something huge, but this is the XXIth century, guys...

We don’t want to tap fax machines: let’s head for the backbones!

We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one”.

Edward Snowden

Hacking the backbones (the  backbones routers) isn't about getting some information from Google of Facebook, it's about tapping all the internet's information flows. This, is huge.

So, how’s PRISM working?

So far, we don’t know.

The journalists who have THE PowerPoint presentation only released 5 slides out of 41.

Too bad. Journalism has it's limits... People probably don't need to know everything, right?

Still, we can guess how PRISM is working. One thing's for sure: they have access to private US companies' data, but they could do without it. Big routers and backbones are easier to tap.

Don't forget the NSA has Narus and... so many backbones to tap.

Even if the US government decided to drop the PRISM program (the one your read about in the Press), they would still have all the tools needed to see what’s in your email.

Flower Pilgrim: like a virgin

How about France? What is doing our government? Do we also tap the backbones?

Fleur Pellerin, french state secretary for digital economy, said she was awaiting "explanations" from the US Gov. concerning this "alarming" PRISM news.

But Wait... There's more. She also said on Jan 1, 2013 :

"The Alcatel Submarine Networks (ASN) expertise is indeed unique and covers the production, installation and maintenance of submarine cables. This is a strategic activity to connect overseas territories and the African continent with broadband.  There is also an issue related to cyber surveillance and homeland security. We support a solution that maintains the integrity of ASN and its national roots. Let me remind you that any equity takeover would in any case be subject to a review of the Treasury under the decree on foreign investment in France."

Surprisingly, a few days after the PRISM leaks were published, Le Monde, on June 11 (2013) published a paper entitled "In France, the [secret services] DGSE at the core of an internet monitoring program".

Note this interesting quote:

"The French authorities argue that the [DGSE Internet spying] sites are, for the most part, based abroad, which exonerated the DGSE to respond to French law."

Can I h4Z a #PrismBurger ?

Surprisingly (or not), every time you can locate an internet surveillance Amesys Eagle installation, there is an Alcatel cable next to it:

  • Alcatel was leader of the consortium who built EIG.
  • Alcatel owns the routers
  • The EIG cable lands in Tripoli, Libya (a happy Eagle owner)
  • The EIG cable lands in Jeddah, Saudi Arabia (a suspected happy Eagle owner)
  • The EIG cable lands in Fujairah, United Arab Emirates (a suspected happy Eagle owner)
  • Another cable (FLAG Alcatel-Lucent Optical Network) lands in Qatar (a happy Eagle owner)
  • Another cable (Atlas Offshore) lands in Morocco (a happy Eagle owner)
  • The ACE (African Coast to Europe) cable installed by Alcatel lands in Gabon (a happy Eagle owner)
  • Jan, 2011 : Alcatel-Lucent announced that it has completed the deployment of the first gigabit passive optical network (GPON) in Astana, the capital city of Kazakhstan (a suspected Eagle owner) Networks have diplomatic consequences...

Tell me where is your network going through, I’ll tell you who’s your friend or foe.

As an example, let's look at Bahrain and its neighboring cables.

Did you notice nobody's talking about Bahrain and its popular protests, no more that it's bloody repression? Do you wonder why? Part of the answer might come from the fact that the U.S. military has a very important military base in this small country. The Defense Information System Network (DISN) South West Asia and DISN-Pacific is managed from Bahrain: "Network management is performed by the Bahrain RNOSC on a 7 x 16 basis and transfers to the Europe RNOSC after hours and anytime the Bahrain RNOSC needs assistance".

But there is more.

satcom2-550x413
satcom2-550x413

 

Oh-Oh... Wait... France (Istres) is here too :

 

Now, I guess Reflets.info would qualify as an unlawful combatant, don't you think ?

Are we helping Osama Bin Laden by publishing those maps? Oh Wait... He’s dead. Must be OK then.

Let’s look further into those documents then, while we keep asking ourselves:  how secure are those US military networks, like the NIPRNet?

When presenting the “Unclassified But Sensitive Internet Protocol Router Network (NIPRNet) Backbone” at a “Certification Decision Briefing” in 2003, there were a few bugs left pending.

Let’s have a look!

niprnet2
niprnet2
niprnet3
niprnet3

problem--source
problem--source

Problem?

Problems don't happen only with networks security.

The Iraqi war began on March 20, 2003 with Iraq's invasion (codenamed "Operation Iraqi Freedom") by the coalition led by the United States.

But guess what...

Seven days before, on March 13, the Office of the Chairman at the Joint Chiefs of Staff requested a secured line with the turkish government. At the time, they didn’t have any...

Why did they asked for such a secured line? Captain Obvious probably told them that they needed an official approval before flying some F16 over Turkey...

C4n I Haz a PhoN3 L1n3 pleAz ?

Shit happens. Not only with networks security, not only with phone lines... But also with the bandwidth when you want to wage war on the Universe.

Wait... A war ? Two wars ? Three wars ? Chill out ! We don't have enough bandwidth, says the Army!

9/11 led to the Afghan war (OEF), the Iraq war (OIF) and the infamous global war on terror (GWOT). But,  unprepared, the USA did not have enough bandwidth for such a plan. Houston, we have a problem...

Let's read what the Army has to say about that:

Upgrades since 9/11/01 have more than tripled the amount of DISN services bandwidth pre-positioned to support Warfighter STEP entries. (Jan 2003)Domain growth from 60 IDNX nodes to 213 nodes in 7 months (From October 2002- April 2003 – in the 2004 report : US DISA GWOT & OIF LESSONS LEARNED).BANDWIDTH FUELS TRANSFORMATIONAL WARFARE (Jan 2004) _Finding: Strategic C4ISR requires high bandwidth to support today’s net-centric warfare. Deployed forces are dependent upon bandwidth to disseminate large data and imagery files, conduct VTC’s and collaborative planning with command personnel around the globe, and receive real-time intelligence information on the battlefield. Recent OEF/OIF/GWOT operations in the Central Region that were enabled by exponential increases in conventional bandwidth clearly demonstrated the value and feasibility of net-centric operations, but greater flexible response in providing bandwidth across all echelons of the GIG, especially at the tactical level, are needed in support of GWOT’s current and probable missions.__ Context:_Current Military Satellite (MILSAT) constellation does not have the capability to provide sufficient bandwidth to support strategic C4ISR requirements. MILSAT only provided approximately 20% of the C4ISR bandwidth required in support of OEF/OIF/GWOT missions. The remaining 80% had to be acquired from commercial sources.

Now, if your eyes bleeded over the design of the PRISM slides, here's more:

grand-lam-2
grand-lam-2

Dealing with a coalition in Iraq and Afghanistan proved to be difficult. For example when the USA had to give access to the Iridium :

From: Moriarty, Patrick Col _Sent: Monday, March 31, 2003 6:20 AM__ To: Staton, Charles Col; Depalma, Evelyn; Sabin, Roger; Higgins, Frank COL; Lee, Gary COL; Fiedler, George Col; Bashore, John; Geist, Michael; 'Miller, Marcus Col (S)' Cc: Ponturiero, Augustine J. LCDR; Reilly, Daniel Maj Subject: FW: PROVISION OF SECURE EMSS (IRIDIUM) TO UK - LESSONS IDENTIFIED All, A couple of weeks ago, we (LCDR Ponturiero Wg Cdr Goslin) went through a goat rope trying to get Iridium handsets to the Brits. As Wg Cdr Ian Goslin points out, the success of making this happen was directly attributable to personalities and not processes. Ian believes we (DOD and DISA) need to take advantage of the valuable lessons learned in making this provisioning happen and establish a clear process with clear delineation of responsibilities so that  the next time we need to provision to one of our coalition partners, we aren't as screwed up as "Hogan's Goat. ”_Attached is Cdr Goslin's proposed solution, or starting point for a solution. As he states, "The key features of the new process need to address the areas that caused greatest difficulty in providing EMSS service to the UK i.e. a lack of a single US advocate for the request; no timely identification of who could/should authorize the request; unclear legal authority to provide the service; and difficulty in actually paying for the service."

Operation Iraqi Freedom was soooo... well prepared. You've read about Turkey. Now read about "spectrum management" :

SPECTRUM MANAGEMENT IN A GWOT ENVIRONMENT Findings: The Joint Spectrum Management Element (JSME) was stood up late in the planning process for Operation Iraqi Freedom (OIF). Stand up of the JSME must take place in the earliest phases of the OPLAN planning process. Trained spectrum managers are required at the component and JTF levels to functionally interact with adjacent and higher level spectrum managers. Radars used by maritime and land forces during OIF were not deconflicted amongst each other and resulted in unresolved Electromagnetic Interference (EMI). During OIF CFLCC had to establish a complex numbering scheme in order to track frequencies as units moved through phase of the operation. Finally, Multi-emitter platforms: AWACS, JSTARS, and Commando Solo were not completely cleared to operate in Host Nation (Turkey). The EMI was so severe that it affected the capability for shipboard radars to monitor the airspace for self-protection. (US DISA GWOT & OIF LESSONS LEARNED) 2004 - Booz Allen Hamilton

When it comes to sharing information and networks with other members of the Coalition... It's... Complicated. The USA is happy to get more men. It's OK if they get killed. But it's not OK to provide them with the same information given to the US "Warfighter".

_The warfighter (CENTCOM J3 and CENTAF) stated operational need to have instantaneous information sharing  with certain carefully selected coalition partners _. This meant giving these partners physical access to particular workstations attached to the SIPRNET, and logical access from these workstations to a small number of key servers that are also attached to the SIPRNET. This type of direct access by coalition partners to machines on U.S. Secret networks had never been done before. Errors were made and some non-releasable data was posted and shared  even with all of the processes in place to prevent it. The real time policy monitoring capability was helpful in quickly and thoroughly cleaning up/resolving the spill.

Let's look further into theses documents... You may be too young to remember, but in the early stage of OEF, OIF, coalition members used to shoot each other. They called it "Fratricide".

The US Army tried to act. Slowly.

OIF started in 2003. The Joint Requirements Oversight Council Memorandum (JROCM) was issued on April 2005 and the actions would take place 12 or 24 month later. Like "Analyse contributing causes of OEF and OIF MCO fratricide events"...

Data leaks someone ?

Emails, logins, everything was in the wild. Use google and you'll find tons of them.

Phone numbers, IP addresses... What else ?

Don’t fool yourselves, they know what is going on :

It's somehow reassuring to see that even if they can tap the whole backbones, get into Google's and Facebook's databases, the US Army and the Agencies still have "problems".  Huge ones.

 

0 Commentaires
Une info, un document ? Contactez-nous de façon sécurisée