FLYING PIG: GCHQ’s TLS/SSL knowledge base

 

Documents from the ICTR-NE (Information and Communications Technology Research – Network Exploitation) organisation at the GCHQ show that it operates a program under the name FLYING PIG that provides analysts with information about secure communications over TLS/SSL. The primary motivation for this program was the increasing use of TLS/SSL by GCHQ targets, according to one of the documents.

The documents, originally published by Brazilian TV program Fantástico in September, provide an insightful look into the program that allows analysts to query the vast repository of metadata about the world’s secure communications. In this article, I describe the program on the basis of some actual screen captures of its interface.

In addition to “Query FLYING PIG”, the user interface also shows two other tabs, “HRA Justification” and “Query QUICK ANT”. HRA Justification, where the letters ‘HRA’ presumably stand for Human Rights Act 1998 (more details), is probably an interface that allows an analyst to provide a justification for FLYING PIG and QUICK ANT queries. The third tab, “Query QUICK ANT – Tor events QFD”, where the letters ‘QFD’ stand for Question Focused Dataset, opens up an interface presumably similiar to that of FLYING PIG that allows an analyst to query QUICK ANT (Tor events). Neither HRA Justification and QUICK ANT are covered here. No further information is available on QUICK ANT.

Client

There are four ways to query FLYING PIG, by client, server, network or server certificate. In this section, I describe the client interface that allows one to query by client IP address (i.e., xx.xx.xx.127 in this example). It returns both detailed information about the client and the SSL servers it has visited.

General IP information

The first panel provides general information about the client, such as where it is geographically located and in which network it resides. The client IP address in this example resolves to “groupon.kr” and resides in the network of Korea Telecom. In the ‘AS info’ field you can find information about the IP address’ associated autonomous system (AS), which is basically a network (or a group of networks) under a single administrative control. If the server had been a Tor node, the ‘Tor’ field would have shown details about this node from QUICK ANT.

Geolocation
Country:	South Korea
City:	Seoul

WHOIS
Network:	xx.xx.xx.0/20
Network type:	No results
Company:	Korea Telecom
Domain:	groupon.kr

Autonomous System information
Advertised by AS:	4766
Found within network:	xx.xx.0.0/13
AS name:	KIXS-AS-KR Korea Telecom

DNS
No results

Tor node
No matches

SSL servers visited

The othe client-specific panel shows all SSL servers the client has visited. In addition to server details, it shows the date of the first and last visit, the total number of visits and the pairing status (e.g. both directions, client-to-server, or server-to-client). The table is almost entirely comprised of visits to servers of internet company Mail.Ru. Also, note the visit to a Mozilla server (second-to-last row) where the server connected to this client (server-to-client), rather than the other way around (client-to-server). The IP address of the server resolves to “snippets.zlb.nl.mozilla.com” (Mozilla Snippet Service, think of about:home), which would explain the server-to-client pairing status.

Server IP	Server country	Server company info
94.100.184.14	Russia	Mail.Ru
94.100.184.17	Russia	Mail.Ru
94.100.184.16	Russia	Mail.Ru
94.100.184.15	Russia	Mail.Ru
[server IP]	[server country]	[server company info]
63.245.213.87	Netherlands	Mozilla Corporation
94.100.181.127	Russia	Mail.Ru
94.100.191.213	Russia	Mail.Ru

Server

In this section, I describe the server interface that allows one to query by server IP (i.e., 94.100.184.14, a Mail.Ru server, in this example). It returns, amongst other information, details about the server, SSL traffic statistics, SSL certificates seen on this IP, and the top HTTP requests to this IP.

General IP information

This panel provides general information about the server, such as where it is geographically located (i.e., Moscow, Russia in this example), and in which network it resides. If the server happens to be a Tor node, the ‘Tor’ field shows further details about this node (populated from QUICK ANT). The server IP address in this example resolves to “mail.ru” and resides in the network of Mail.Ru, one of the world’s largest internet companies. The fact that Mail.Ru is listed among internet companies like Facebook, Google, and Twitter in an NSA document about XKEYSCORE, underlines the significance of this company.

Geolocation
Country:	Russia
City:	Moscow

WHOIS
Network:	94.100.176.0/20
Network type:	No results
Company:	Mail.Ru
Domain:	mail.ru

Autonomous System information
Advertised by AS:	47764
Found within network:	94.100.176.0/20
AS name:	MAILRU-AS Limited liability company Mail.Ru

DNS
No results

Tor node
No matches

Top 10 SSL client geolocations

This bar chart shows the top 10 geolocations (in this case, countries, depicted by two-letter country codes) from which SSL clients connected to this server.

Top 10 SSL server ports

It may not come as a surprise that all clients connected to this SSL server through port 443, the default SSL port.

Top 10 SSL case notations

All intercepted signals get assigned a case notation that identifies the target being intercepted. The “overall” bar chart (left) shows the top 10 SSL case notations, each bar represents the relative number of signals intercepted for that case. I’m not sure what the “paired” bar chart (right) tells us.

SSL traffic statistics

This stacked area chart shows the SSL traffic statistics for the period of a week. It shows what percentage of the SSL traffic was comprised of client-to-server, server-to-client or bidirectional over time. In this example, the system has seen 104,317 unique SSL clients in one week (week ending December 23, 2011). Also, it mentions that 14.7% of the client-server IPs have seen traffic in both directions (both client-to-server and server-to-client).

SSL certificates seen on this IP

The table depicted below shows the SSL certificates seen on the specified IP address 94.100.184.14 (Mail.Ru). For some reason, once a VKontakte certificate was seen on this IP (VKontakte is partly owned by the Mail.Ru).

First seen	Last seen	Count	Subject common name	Issuer common name
2011-09-22	2011-11-25	> 2.3 million	*.mail.ru	Thawte SSL CA
2011-08-08	2011-11-05	> 1.4 million	*.mail.ru	Thawte SSL CA
2011-11-16	2011-11-16	1	*.vkontakte.ru	Go Daddy Secure Certificate Authority

SSL pattern of life

Another panel shows the “average pattern of life” for a client, based on SSL events to the specified server. The table depicted below shows the top HTTP events to this server, ordered by percentage of occurrences.

Correlated event	Event IP	Event port	Percentage occurrences of event
GET request to top3.mail.ru	217.69.135.12	80	29.1
GET request to top5.mail.ru	217.69.135.13	80	15.1
GET request to de.c2.bf.a1.top.mail.ru	217.69.134.253	80	14.2
GET request to my.mail.ru	94.100.184.40	80	13.2
GET request to my.mail.ru	94.100.184.41	80	12.9
GET request to stat.my.mail.ru	94.100.184.41	80	10.8
GET request to stat.my.mail.ru	94.100.184.41	80	10.5
GET request to mrimraker1.mail.ru	94.100.189.183	80	10.4

Top 100 SSL clients of a server

This server-specific panel shows the top 100 SSL clients that have connected to this Mail.Ru server (94.100.184.14). One can apply a filter to explicitly include or exclude certain countries by entering the countries’ two-letter codes, separated by underscores. In this example the filter “GB_US_CA_NZ_AU” is applied to exclude SSL clients from both Great Britain, the United States, Canada, New Zealand and Australia. Another filter mentioned in the instructional text is “PK_IR_IQ” which can be applied to include or exclude clients from both Pakistan, Iran and Iraq.

Client IP	Client country	Client company
xx.xx.xx.212	Spain	Telefónica de España, S.A.U. (rima-tde.net)
xx.xx.xx.1xx	Spain	R Cable Y Telecomunicaciones Galicia, S.A. (mundo-R)
xx.xx.xx.111	Germany	Bertelsmann IT
xx.xx.xx.56	Norway	Telenor Nextel AS (telenor.net)
xx.xx.xx.38	[client country]	Vodafone ISP
xx.xx.xx.114	Germany	Bertelsmann IT
[client IP]	[client country]	[client company]
[client IP]	[client country]	[client company]
xx.xx.xx.152	Ecuador	EcuadorTelecom S.A.
xx.xx.xx.186	Ireland	Vodafone ISP
xx.xx.xx.9	Malaysia	TMNET
[client IP]	South Korea	[client company]
xx.xx.xx.53	Malaysia	Core IP Development
[client IP]	[client country]	[client company]
xx.xx.xx.41	Ireland	UTV plc
[client IP]	[client country]	[client company]
xx.xx.xx.38	Brasil	Comitê Gestor da Internet no Brasil
xx.xx.xx.87	South Korea	Korea Telecom
xx.xx.xx.156	South Korea	Korea Telecom
xx.xx.xx.1	Ireland	Vodafone ISP

Network

The network interface can be used to query by network (e.g. by CIDR) to show all SSL clients and servers present in the network or all HTTP requests that are made to IP addresses residing in the specified network (xx.xx.xx.0/24).

General network information

If available, this panel shows general information about a network, such as where it is geographically located. The network specified in this example is located in Seoul, South Korea.

Geolocation
Country:	South Korea
City:	Seoul

WHOIS
Network:	No results
Network type:	No results
Company:	No results
Domain:	No results

Autonomous System information
Advertised by AS:	No results
Found within network:	No results
AS name:	No results

SSL clients in network

This panel shows all the SSL clients that were, at some point, present in the specified network. Note that the header of the second column mentions that the client company information comes from “GEOFUSION”, which we know from a CSEC presentation (8th item in the list) is a repository that contains geolocation information.

Client IP	Client company information	First seen	Last seen
[client IP]	Korea Telecom: mailplug.co.kr	2011-09-04	2011-09-04
[client IP]	[client company information]	2011-10-26	2011-11-23
[client IP]	[client company information]	2011-10-22	2011-10-22

Certificate

The server certificate interface allows one to query by certificate metadata, e.g. by ‘subject’, ‘issuer’ or ‘RSA modulus’ (component of a public key). The default results view shows both the matching HTTP requests and server certificates.

HTTP requests

This panel shows all HTTP requests that match the query “%mail.ru”. The columns ‘First seen’ and ‘Last seen’ respectively show the first and last date an HTTP request was seen to a host. The other two columns, ‘Count w/o 25th new’ and ‘Count all time’, show the total number of HTTP requests to a host for the last week (e.g. week of 25th of November) or for all time respectively. For example, in a six-week period in end of 2011, more than 42 million requests were seen to only one host (94.100.184.105, swa.mail.ru).

Server IP	Host name	First seen	Last seen	Count
94.100.184.105	swa.mail.ru	2011-10-13	2011-11-25	> 42 million
94.100.184.104	swa.mail.ru	2011-10-13	2011-11-25	> 36 million
217.69.135.201	fc.ef.d4.cf.bd.a1.top.mail.ru	2011-10-13	2011-11-25	> 16 million
217.69.135.13	top5.mail.ru	2011-10-14	2011-11-25	> 14 million
217.69.135.12	top3.mail.ru	2011-10-14	2011-11-25	> 12 million

Certificates

All certificates that match the query are depicted in the certificates panel. The ‘basic’ view (which is the default) shows for each certificate the validity period, the number of times it was served, subject and issuer details, and whether it was self-signed. Right-clicking a row opens up another panel on the right that lists all server IPs that serve (or have served) the selected certificate. There’s also an ‘advanced’ view which adds RSA modulus (component of a public key) and cipher suite distribution details.

Valid from	Valid to	Count	Subject	Issuer	Self signed
2011-01-31	2012-03-27	> 15 million	*.mail.ru Russia LLC Mail.Ru	Thawte SSL CA United States Thawte, Inc.	No
2010-01-21	2011-01-20	> 1 million	*.mail.ru Russia LLC Mail.Ru	Thawte Premium Server CA South Africa Thawte Consulting cc	No
2011-09-25	2013-11-25	> 30,000	*.money.mail.ru Russia LLC Mail.Ru	Thawte SSL CA United States Thawte Inc.	No
2010-01-25	2012-01-27	> 8,000	mail.ru.is Iceland mail.ru.is	[common name] United States [organization name]	No
2011-03-04	2012-03-03	> 1,000	[common name] United States [organization name]	[common name] United States [organization name]	Yes
2011-09-27	2012-09-25	> 1,000	mail.ru-com-ru – mail.ru-com.ru	Thawte DV SSL CA United States Thawte, Inc.	No
2010-02-12	2012-11-08	> 1,000	mx1.shogo-mail.ru Russia Shog	shogo.ru Russia Shogo	No
2011-09-15	2012-09-14	> 600	imgs.mail.ru Russia [organization name]	[common name] [country] [organization name]	No
2011-10-05	2014-10-04	> 300	[common name] Russia [organization name]	mail.ru [country] mail.ru	Yes
2011-09-15	2012-09-14	> 200	auth.mail.ru Russia [organization name]	[common name] [country] [organization name]	No

Conclusion

FLYING PIG is a program that allows analysts to query GCHQ’s vast repository of metadata about the world’s secure communications over TLS/SSL. It’s certainly not a program through which the GCHQ, or NSA for that matter, performs man-in-the-middle attacks against internet services like Google, as reported by others, including Bruce Schneier. The reports that claim the NSA performed MITM attacks against Google are based on a small piece of a document that describes a FLYING PIG (which is a not an NSA program, as you may have noticed) use case (presumably, an investigation into the DigiNotar CA breach). That’s not to say the GCHQ doesn’t perform MITM attacks, but there’s no evidence to be found in this document. Though, FLYING PIG may be used to prepare MITM attacks, e.g. by providing information about a target.