From the AEGIS e-Journal, Volume 4 Number 4, April 2001
Privatel™ 960V Personal Telephone Security L3 Communications 1 Federal Street, 3 A&E 3 SW, Camden NJ 08103 http://www.l-3com/privatel $595. The Privatel 960V is a small (5.5″ x 3.5″ x 1.65″), portable (under a pound) telephone encryption device. It comes with a normal-looking power adapter such as might be used with any portable device — either U.S. or European (get both if you travel) — and a carrying case. The Privatel connects between the handset of your telephone and the body of the telephone, which allows it to be used on proprietary PBXs, ISDN terminals VoIP phones, and INMARSAT terminals, as well as standard analog telephones. Connecting it is easy: You unplug the coiled handset cord from your telephone and plug it into the side of the Privatel. You then take a short (provided) cable and connect the Privatel to the jack where you just unplugged the handset. The encryption is 168 Bit Triple DES and the key management is 1024 bit Diffie-Hellman, which are public, rather than proprietary algorithms, which is advantageous as there is some assurance that people in the trade have been beating on the algorithm to find its weaknesses. Indeed, the device has FIPS 140-1 certification. The device has a self-test, can be locked for personal use by a Personal Identification Number (PIN) and allows verification that there is no third party spoofing the connection. Will the encryption impede real- time legal wiretaps? Frankly, we have no idea, and it is one of those questions for which we don’t actually expect a serious answer. Along the road from RCA to GE Aerospace to Martin Marietta to Lockheed Martin to L-3 the company has learned a lot about secure communications, and indeed make STEs, among other things. We ran into L-3 at the national OPSEC conference and exhibition sponsored by the IOSS. The Privatel is L-3’s commercial counterpart to their government offerings. Setup is trivial. Each model telephone uses a specific phone code (which tells the device things about the internals of the phone). While some models and their associated phone codes come in the instruction book and quick reference card, the online listing at http://www.l-3com.com/cs- east/programs/infosec/priva_codes.htm should be used, rather than the supplied instructions. If your phone is not listed, or there are problems, a call to their help line should get you straightened out. ÆGIS, April 2001 10 In relatively rare (they report three such incidents, of which we were the third) circumstances involving residential lines far from a switch, the software modem will be unable to make a secure connection, which is likely to tempt you to speak unsecured. L-3 is working on this problem. Operation, once everything has been set up, is straightforward. You make your phone call to another party with a Privatel, and, when they are on, one of you pushes the SECURE button. The modems then exchange keys, showing a unique key number on each device. You make sure this number is the same on both of your units to assure you are not being spoofed by a third party, and are then free to speak. Voice quality is excellent, and not markedly different from a non-secure call. If you get bounced out of a secure connection you get three beeps, and the display changes to say you are back to non-secure. Once you resolve any phone code issues, (and assuming you are not the fourth unfortunate with line problems) the Privatel is a pleasure to use, and you should have a high level of confidence in the privacy of the transmission from all but government intervention. In the works is a tri-band GSM handset. This will address the issue of using a cell phone. As it stands now, if you make a call from a GSM handset to a GSM handset you have some level of security in the transmission (albeit none within the switch, which is where legal taps are done). If you make a call to a landline, the call is vulnerable in the switch and on the landline side. The new handset would allow you to make a secure call — in transmission, and through the switch — to a Privatel-equipped landline, or another of the encrypted handsets. Given the widespread use of GSM in most of the world, its rapid growth in the US, and the upcoming implementation of GSM 1800 in Brazil (as well as places where the 900MHz bandwidth has been supplemented with 1800MHz GSM, this handset should make a welcome addition to secure commercial communication. 7. Free-Subscription/Unsubscription/Copyright Information •• ÆGIS e-journal is supported and maintained by voluntary efforts. This publication is owned, published, and copyright © 2001 by The LUBRINCO Group Ltd, Inc. and Financial Examinations and Evaluations, Inc. It is edited jointly by Richard Isaacs (RBIsaacs@lubrinco.com) and L. Burke Files (LBFiles@lubrinco.com). ÆGIS, April 2001 11 The LUBRINCO Group provides services in three high-threat areas, too specialized to be dealt-with in-house, that can adversely affect domestic and international bottom lines. • Protection of trade secrets and intellectual assets. o Anti-economic espionage. o OPSEC: The identification and protection of information that would give your competitors and adversaries an advantage. • International financial investigations and due diligence consulting. o Location and recovery of missing and hidden assets. o Establishing business relationships and strategic partnerships in Central and Eastern Europe, the offshore financial centers, Beijing and Shanghai, Central Asia, and Latin America and the Caribbean. o Anti-money laundering and financial fraud requirements under the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001 and the EU Revised Money Laundering Directive of 2001. • Protection of management, staff, and families. o In the high-threat environments of Latin America, Africa, the Mid- East, and Southeast Asia. o When traveling and living overseas. o When transporting items of substantial value. LUBRINCO identifies and quantifies threats and vulnerabilities, and their associated risk, then manages the vulnerabilities so you can transfer or live with the residual risk. We prevent disastrous financial loss to your company, and physical harm to you, your family, and your staff. For information on The LUBRINCO Group and its services, or for the archive of all past issues of ÆGIS e-journal in PDF format, please go to http://www.lubrinco.com/. To sign up for a complimentary subscription to ÆGIS e-journal or the ÆGIS e- journal PDF notification list, go to http://lb.bcentral.com/ex/manage/subscriberprefs?customerid=7768 or send an email to ejournal@lubrinco.com. To subscribe to our AvantGo channel, go to http://avantgo.com/channels/_add_channel.pl?cha_id=1773 ÆGIS, April 2001 12 To be removed from the subscription list, follow the instructions on the mailing you received, or send an e-mail to ejournal@lubrinco.com. If you know of anyone else who should be receiving ÆGIS e-journal, please send their e-mail address to ejournal@lubrinco.com. If there is a topic that you would like to know more about, send it to ejournal@lubrinco.com and the editors will consider it as the topic for an article in an upcoming issue. If you would like to submit an article for publication in ÆGIS e-journal, send it as an attachment to an e-mail to ejournal@lubrinco.com. Submission of an article certifies that (a) all information in the article is in the public record, or (b) that you are authorized to release any personal or corporate proprietary information contained in the article, and (c) that none of the article has previously been copyrighted. The submission of materials for publication in ÆGIS e-journal constitutes a license to The LUBRINCO Group Ltd, Inc., and/or Financial Examinations and Evaluations, Inc, their assigns, associates, or affiliates, to abridge and/or edit said submission, and to copyright and publish/republish any submitted materials in whatever written and/or electronic form they may choose. If you would like to go beyond normal fair-use in reproducing articles from this issue of ÆGIS e-journal, you may do so freely as long as appropriate source, copyright, accreditation, and link to the LUBRINCO website is included. This should be in the form
Article Title, from the April 2001 ÆGIS e-journal (© 2001 LUBRINCO & FEE), to be found at http://www.lubrinco.com/. ÆGIS e-journal is a forum for the exchange of information, ideas, operating styles, theories, and related topics for corporate managers who make decisions about threats typically outside the expertise available in-house, yet which have the potential to affect their company’s domestic and international bottom lines. Nothing appearing in ÆGIS e-journal should be construed as legal advice. The information provided is “general information,” not “specific advice.” The solution to any problem is highly dependent upon the precise facts involved. Thus, before making any reliance upon anything said here, you should consult with an appropriately skilled professional. Opinions expressed by contributors are not necessarily endorsed by the publisher, and may be presented to encourage a dialogue among subscribers. The publisher ÆGIS, April 2001 13 and any re-publisher cannot be held responsible for any loss incurred as a result of the application of any information published in ÆGIS e-journal. Please be safe, and be smart.