NSA’s Introduction to VPN Exploitation Process (2010)

In 2015, Der Spiegel released this slide deck, provided to them by Edward Snowden. The slide deck was a TOP SECRET internal presentation that the NSA’s VPN Exploitation Team (internally designated S31176) gave to the Agency’s new SIGINT analysts to introduce them to what the team, part of NSA’s OTP (Office of Target Pursuit), could provide in terms of decrypting VPN traffic. The slide deck is dated September 13th, 2010.

00:00 - Introduction
00:50 - Presentation start
01:11 - Introduction to Virtual Private Networks (VPN)
02:24 - Overview
02:38 - S31176 and its mission
05:35 - NSA structure
08:26 - VPN exploitation services
12:15 - BLEAKINQUIRY
17:09 - IPSec signals processing
18:25 - Type 1: IPSec
19:56 - Type 2: PPTP
20:46 - Type 3: SSL/TLS
21:31 - Type 4: SSH
22:35 - VPN Exploitation Team’s customers
22:55 - VPN Exploitation Team’s requests & process
25:24 - Successful VPN decryption process
25:26 - Failed VPN decryption process
27:29 - Sustained exploitation
28:00 - Establishing the data flow
28:41 - Data flow integrity
29:33 - Decrypt processing
30:44 - Target Office of Primary Interest (TOPI) evaluation
31:20 - Thread monitoring
31:52 - Case study IPSec: Follow-the-Money (FTM) and TAO targets
32:49 - Case study PPTP: Airlines, telecommunications, governments, banking and financial, IRGC, and private companies
33:58 - Reminders
34:16 - Conclusion
35:12 - Closing

References:
- Spiegel (via EFF): NSA Intro to the VPN Exploitation Process
- LDAPWiki: TOYGRIPPE
- ElectroSpaces: NSA Glossary
- ElectroSpaces: NSA documents and cover names from the book Dark Mirror
- ElectroSpaces: NSA’s organizational designations
- Ars Technica: NSA has VPNs in Vulcan death grip—no, really, that’s what they call it
- Computer World: Vulcan mind-meld, Vulcan death grip & turtle-power used in NSA’s VPN crypto cracking
- Wikipedia: SIGINT Activity Designator
- Wikipedia: Five Eyes