March 5, 2012 archive

Mar 05

NSA Develops Secure Android Phones For Top Secret Calls

An interesting piece in the Australian edition of SC Magazine covers a recent presentation at RSA 2012 by Margaret Salter, head of the US National Security Agency (NSA) Information Assurance Directorate. She spoke about the NSA's "Mobility Program that aims to provide secure communication for government agencies using commercial "off the shelf" equipment.

The SC article focuses on the "Fishbowl" phones designed by the NSA and includes a number of interesting comments on the state of security implementations provided by vendors. It mentions that the NSA was looking to use SSL VPNs but due to a lack of interoperability wound up using IPSEC instead. Similarly they were looking to use DTLS-SRTP, but didn't find the implementations and so instead used "descriptions". The article has this excellent statement by Salter (my emphasis added):

Salter said the security specifications, such as those sought for the voice application, would be useful to everyone.

She urged colleagues to demand vendors improve unified communications interoperability.

“We need to send a message [about] standards, interoperability and plug and play," she said.

This need for interoperability and standards support was certainly one of the themes I tried to bring out in the book. It is indeed critical for the long term success of securing unified communications systems.

I also found it interesting that the NSA encrypts the voice twice:

Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said.

While there certainly is value in having multiple layers of security, I do wonder what this means in terms of computational overhead and/or latency. As our mobile phones have become more powerful, perhaps this is no longer a major concern.

Separate from the article, I was intrigued to read over on the NSA Mobility Program page that the first document they are releasing is the "Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP)". From the page:

The first Mobility Capability document to be released is the initial draft release of the Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP). It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures necessary to build and implement a SVoIP capability using commercial grade cellular mobile devices. Future releases will build on this architecture and will include mobile device management and data applications; and ultimately integrate the WIFI service with an expanded list of end devices.

The 100+ page PDF file looks to be a fairly comprehensive view into what is involved with rolling out a secure mobile communications solution. It's great to see this from the NSA and it is a great contribution to the ongoing efforts to secure VoIP communications.

NSA SecureVoIP

Mar 05

NIST To Require US Government Agencies to Validate DNSSEC

NIST LogoOur friends over at the DNSSEC Deployment Initiative have noted today that the US National Institute of Standards and Technology (NIST) has announced proposed changes to the Federal Information Security Management Act (FISMA) controls that include among the many changes two relating to DNSSEC. The critical change is “SC-21″ as explained by the DNSSEC Deployment Initiative folks:

SC-21 is changed to require “[t]he information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.”  This means that all Federal systems must either request and validate DNSSEC responses, or have a trusted link to a validator that can provide that service for the system. Control SC-21 is also changed to be required for all security levels (Low, Moderate and High).

Essentially this means that when this is fully implemented all US government systems should be consumers/users of DNSSEC, meaning that they will validate domains if they are signed with DNSSEC.

The article also notes that this new requirement will become official 12 months from the final publication of the NIST document, expected to be July 2012.  The document released last week by NIST is a draft of “Special Publication 800-53 Revision 4″ that is open for public comment through April 6, 2012.

It’s great to see this requirement being added to FISMA controls and as it rolls out it will definitely increase the usage and visibility of DNSSEC.

Mar 05

A new “Introduction to Deploy360″ promotional video – comments?

Last week we had the whole team working on the Deploy360 Programme in our Reston, VA, office and so we took a moment to shoot some video segments describing the program.  I spent some time with iMovie and the result is this “promotional video” about our program. Our intent with this is to have it available to explain to people in a little under 3 minutes what it is we are doing with the Deploy360 Programme.

Comments and feedback are welcome – what do you think of this as a way to promote what we are doing?

P.S. And yes, the audio/podcast guy in me wishes the audio were a bit crisper, but unfortunately I didn’t have my audio recording gear with me and so what you are hearing is the audio recorded by my Nikon D90 DSLR. Another time I’ll have my audio kit with me… :-)