https://community.isc2.org/t5/Tech-Talk/Picking-a-Collab-Tool-NSA-Help/m-p/35147#M2623 <P>On April 24, 2020, the U.S. National Security Agency (NSA) released advice on</P><P><EM>Selecting and Safely Using Collaboration Services for Telework</EM></P><P>showing criteria to use in your selection and assessing those criteria for 13 commercial products.</P><P>The assessment table is based on claims by the companies offering those service, and not on any NSA testing. Even with that caveat, the document looks helpful.</P><P>&nbsp;</P><P>Three items are online at NSA:</P><P>Press release</P><P>&nbsp;<STRONG><A href="https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2163484/working-from-home-select-and-use-collaboration-services-more-securely/" target="_blank" rel="noopener">Working from Home? Select and Use Collaboration Services More Securely</A></STRONG></P><P>&nbsp;</P><P><STRONG><A href="https://media.defense.gov/2020/Apr/24/2002288653/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-SHORT-FINAL.PDF" target="_blank" rel="noopener">Selecting and Safely Using Collaboration Services for Telework</A></STRONG> - <EM>Short form</EM></P><P>&nbsp; &nbsp;Lists the criteria and includes the full comparison table.</P><P>&nbsp;</P><P><STRONG><A href="https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF" target="_blank" rel="noopener">Selecting and Safely Using Collaboration Services for Telework</A></STRONG> - <EM>Long form</EM></P><P>&nbsp; &nbsp;Adds a paragraph explaining each of the criteria. Same table as the short form.</P><P>&nbsp;</P><P>Observations:</P><P>1. Since the information is based on company documentation and not testing, you may need added information for your purposes. For instance, under End-to-End Encryption for Zoom, the table says Yes - Partial. Only if you have seen the reports for Zoom will you know that E2E is only for two-party connections. All group connections are encrypted only between clients and the central server (which may or may not be in the same country as participating clients).</P><P>&nbsp;</P><P>2. The legend code for Basic Functionality is a bit obscure in small print below the table.&nbsp;</P><P>(a) text chat, (b) voice conferencing, (c) video conferencing, (d) file sharing, (e) screen sharing.</P><P>&nbsp;</P><P>3. There are typos in the table footnotes, where it says 12 instead of 2 and 14 instead of 4 (Zoom E2E).&nbsp;</P><P>&nbsp;</P><P>PLUS</P><P>A report available gives solid reasons to think long and hard before selecting Zoom:</P><P><STRONG><A href="https://images.fullspectrumcyber.io/whitepapers/Zoom+China+and+Protecting+the+DIB.pdf" target="_blank" rel="noopener">Zoom-ing in on You: Why Other Video Conferencing Platforms may be a Better Choice</A></STRONG></P><P>Pointing out that, in addition to teh previously identified lie from Zoom that they use E2E encryption, they also claimed to use AES 256, but Citizen Lab reported that,</P><P>&nbsp;</P><P><FONT size="2"><EM>"However, a recent report found that Zoom only uses a single AES-128 key in Electronic Codebook (ECB) mode, which is less secure than AES-256, and ECB is not recommended for streaming media.13 Bill Marczak and John Scott-Railton from The Citizen Lab argue:</EM></FONT><BR /><FONT size="2"><EM>Zoom's encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea because this mode of encryption preserves patterns in the input. Industry-standard protocols for encryption of streaming media (e.g., the SRTP standard) recommend the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode.<A href="https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/" target="_blank" rel="noopener">14"</A></EM></FONT></P><P>&nbsp;</P><P>&nbsp;</P><P>UAYOR.</P><P>&nbsp;</P><P>&nbsp;</P><P>Craig</P><P>(Also posted on my <A href="https://cragins.blogspot.com/2020/04/picking-collaboration-tool-nsa-help.html" target="_blank" rel="noopener">Randomness Blog</A>.)</P> Tue, 28 Apr 2020 22:01:15 GMT CraginS 2020-04-28T22:01:15Z https://community.isc2.org/t5/Tech-Talk/Picking-a-Collab-Tool-NSA-Help/m-p/35147#M2623 <P>On April 24, 2020, the U.S. National Security Agency (NSA) released advice on</P><P><EM>Selecting and Safely Using Collaboration Services for Telework</EM></P><P>showing criteria to use in your selection and assessing those criteria for 13 commercial products.</P><P>The assessment table is based on claims by the companies offering those service, and not on any NSA testing. Even with that caveat, the document looks helpful.</P><P>&nbsp;</P><P>Three items are online at NSA:</P><P>Press release</P><P>&nbsp;<STRONG><A href="https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2163484/working-from-home-select-and-use-collaboration-services-more-securely/" target="_blank" rel="noopener">Working from Home? Select and Use Collaboration Services More Securely</A></STRONG></P><P>&nbsp;</P><P><STRONG><A href="https://media.defense.gov/2020/Apr/24/2002288653/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-SHORT-FINAL.PDF" target="_blank" rel="noopener">Selecting and Safely Using Collaboration Services for Telework</A></STRONG> - <EM>Short form</EM></P><P>&nbsp; &nbsp;Lists the criteria and includes the full comparison table.</P><P>&nbsp;</P><P><STRONG><A href="https://media.defense.gov/2020/Apr/24/2002288652/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-LONG-FINAL.PDF" target="_blank" rel="noopener">Selecting and Safely Using Collaboration Services for Telework</A></STRONG> - <EM>Long form</EM></P><P>&nbsp; &nbsp;Adds a paragraph explaining each of the criteria. Same table as the short form.</P><P>&nbsp;</P><P>Observations:</P><P>1. Since the information is based on company documentation and not testing, you may need added information for your purposes. For instance, under End-to-End Encryption for Zoom, the table says Yes - Partial. Only if you have seen the reports for Zoom will you know that E2E is only for two-party connections. All group connections are encrypted only between clients and the central server (which may or may not be in the same country as participating clients).</P><P>&nbsp;</P><P>2. The legend code for Basic Functionality is a bit obscure in small print below the table.&nbsp;</P><P>(a) text chat, (b) voice conferencing, (c) video conferencing, (d) file sharing, (e) screen sharing.</P><P>&nbsp;</P><P>3. There are typos in the table footnotes, where it says 12 instead of 2 and 14 instead of 4 (Zoom E2E).&nbsp;</P><P>&nbsp;</P><P>PLUS</P><P>A report available gives solid reasons to think long and hard before selecting Zoom:</P><P><STRONG><A href="https://images.fullspectrumcyber.io/whitepapers/Zoom+China+and+Protecting+the+DIB.pdf" target="_blank" rel="noopener">Zoom-ing in on You: Why Other Video Conferencing Platforms may be a Better Choice</A></STRONG></P><P>Pointing out that, in addition to teh previously identified lie from Zoom that they use E2E encryption, they also claimed to use AES 256, but Citizen Lab reported that,</P><P>&nbsp;</P><P><FONT size="2"><EM>"However, a recent report found that Zoom only uses a single AES-128 key in Electronic Codebook (ECB) mode, which is less secure than AES-256, and ECB is not recommended for streaming media.13 Bill Marczak and John Scott-Railton from The Citizen Lab argue:</EM></FONT><BR /><FONT size="2"><EM>Zoom's encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea because this mode of encryption preserves patterns in the input. Industry-standard protocols for encryption of streaming media (e.g., the SRTP standard) recommend the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode.<A href="https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/" target="_blank" rel="noopener">14"</A></EM></FONT></P><P>&nbsp;</P><P>&nbsp;</P><P>UAYOR.</P><P>&nbsp;</P><P>&nbsp;</P><P>Craig</P><P>(Also posted on my <A href="https://cragins.blogspot.com/2020/04/picking-collaboration-tool-nsa-help.html" target="_blank" rel="noopener">Randomness Blog</A>.)</P> Tue, 28 Apr 2020 22:01:15 GMT https://community.isc2.org/t5/Tech-Talk/Picking-a-Collab-Tool-NSA-Help/m-p/35147#M2623 CraginS 2020-04-28T22:01:15Z