Home / Software & Gaming / Security / NSA’s XKEYSCORE can identify you via repeated passwords

NSA’s XKEYSCORE can identify you via repeated passwords

When we first learned about the NSA's XKEYSCORE software back in the 2013 Edward Snowden revelations, it was clear that it was (and is) a pretty versatile piece of software, able to parse huge swatches of recorded information in order to store the most juicy bits of data on every person that holds some interest for the intelligence agency. Now though, thanks to more document reveals from that same NSA contractor, we know that it stores passwords and emails and can even identify people by their reuse of the same login information.

This is an important part of what the NSA does with its snooping, because as many anti-pirate organisations have shown, identifying someone online can actually be quite difficult. An IP address is a good start, but that may point to a university, cafe or at best, a flat with the potential for multiple occupants. Figuring out who exactly is inputting certain information is much easier with XKEYSCORE around though, since it looks at things like password reuse – the more unique the better – and browser cookies.

This means that with or without a VPN, with or without a private Wi-Fi connection, the NSA can figure out who's who by tracking the similarity of their login details across various sites and services.

Image source: The Intercept

This is even more pronounced on smartphones, where The Intercept explains a similar, but less powerful, tool called BADASS is used. It's whole purpose is to hoover up details on individuals using leaky smartphone applications. Often those apps use analytics software to learn what users want and therefore how to make better games and apps, or to improve the marketing of adverts to those individuals. That means unique identifiers, which if not secure properly, are hoovered up by the NSA to continue to augment its data collection.

Of course none of this would be too problematic if the tools were specifically targeted at international criminals, terrorist groups and other nefarious individuals. However the document dump also reveals that the NSA repeatedly used its snooping software on allied nations and friendly targets. In one instance, it used the programs to learn the talking points of UN Secretary General Ban Ki-moon before he met with President Obama in 2013.

The NSA does not deny these claims, but insists that it is stringent in its protection of individual privacy: “The National Security Agency’s foreign intelligence operations are 1) authorized by law; 2) subject to multiple layers of stringent internal and external oversight; and 3) conducted in a manner that is designed to protect privacy and civil liberties. As provided for by Presidential Policy Directive 28 (PPD-28), all persons, regardless of their nationality, have legitimate privacy interests in the handling of their personal information. NSA goes to great lengths to narrowly tailor and focus its signals intelligence operations on the collection of communications that are most likely to contain foreign intelligence or counterintelligence information.”

Discuss on our Facebook page, HERE.

KitGuru Says: This sort of power to snoop into everyone's lives through their highly personal and professional communication is dangerous on many levels, but perhaps most so because it dehumanises the people it tracks. It turns those viewing it into voyeuristic gods, rather than the protectors of those people's country and interests, which is the whole point of the intelligence agencies in the first place.  

Become a Patron!

Check Also

Sony investigating claims of major security breach

This week, a ransomware group claimed to have breached "all of Sony's systems", putting the stolen data up for sale on the dark web. Sony has yet to confirm that an attack has taken place but the company is now investigating.