This week Red Sox nation got to celebrate and be reminded again that the Red Sox were World Series champs. My favorite photo was obviously the “Big Papi” David Ortiz and President Obama selfie! Like the Oscars however, everyone now suspects money was spent by Samsung to pretend and hype up a spontaneous moment for a selfie like they did with Ellen DeGeneres and some of our favorite A-list celebrities.
The Sox photo struck a nerve with me and thus I decided to write this blog as a response to the news when the WSJ reported that the White House and possibly President Obama were testing Samsung as a replacement to BlackBerry devices. A White House spokesman went on to rebut that the Executive Office of the President is not involved in any pilot program for testing non-BlackBerry phones and that there is nothing new to share about the president’s BlackBerry. It was buried in all the other major news we get each week and thus a marketing win and score for Samsung. Let me be clear: while Samsung phones might be just fine for White House staff involved in housekeeping, cooking, and gardening – they are nowhere near ready for protecting national security communications and data privacy.
If you watch Samsung as closely as I do, you can easily spot their continued use of sleight-of-hand marketing and selfies to prop up their position as mobile leaders with the highest security. While I take no issue with the marketing and messaging of their great consumer phones like the new Galaxy S5, it’s my job not to be distracted and to keep watching the ball during the shill. The shill is Samsung mobile security.
On March 3, 2014, Samsung with great fanfare announced at RSA Conference 2014, the world’s leading security conference, that they had received Common Criteria certification.
Samsung goes on to say in the broader release published by Korea IT Times “Common Criteria is the international “gold standard” for secure and trusted systems, specifically to ensure that they satisfy the predefined set of security requirements designed for enterprises. Samsung KNOX confers enhanced security upon mobile devices, helping enterprises protect mobile access to high-value information assets.” Before their SVP of KNOX Business states that this news is ‘not’ about just security, it reads: “The components certified in CC form a strong cryptographic foundation on which more advanced KNOX security features are implemented. This certification validates that enterprises can safely provide their workers access to networks and high-value information assets using CC-certified Galaxy devices with KNOX embedded.”
Now here comes the selfie in case you missed it.
“In my twenty-five years doing security evaluations, rarely have I seen a company that could complete an entire Common Criteria evaluation, from the very first meeting to complete, in under four months”, said Jim Arnold, Director of Gossamer Security Solutions. “At Gossamer we pride ourselves on our responsiveness and Samsung’s speed and agility as a company certainly challenged us.”
This is a clear “selfie,” as Gossamer has no inherent interest other than a paid advertisement in saying something as wishy-washy as this. Samsung, along with every other vendor who wants to get certified with a Common Criteria Testing Laboratory (CCTL), should in fact present all of its documentation and paperwork in a clear and orderly state. Don’t get me wrong, I am sure there are plenty of small tech startups that might not be as squared away or know the process, but Samsung at last count had an operating profit of roughly $8.3 billion. I don’t give them points for wearing a suit and tie to a funeral. That is what you’re supposed to do when you know better and can afford to do so. Lastly, the Common Criteria Testing Laboratory (CCTL) selected by Samsung for their evaluation performs a paid vendor evaluation and has no government authority whatsoever. In their own lab words:
“This Validation Report is not an endorsement of the Target of Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied”
Let’s look deeper into their newly announced MDFPP Common Criteria Certification and what it might mean to you if you’re responsible for enterprise mobile security. I covered this previously in my blogs titled Samsung Knox Finally Gets a Good Boost at MWC14 on February 25, 2014 and Why Samsung Knox has Flopped on December 31, 2013. The Common Criteria Certification is a “framework in which computer system users can specify their security functional and assurance requirements” and “vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.” Unlike the Samsung hype that hit a home run, their certification is just a base hit. They are on first base only.
First, some additional facts mistakenly absent from Samsung’s press release:
- The Target of Evaluation (TOE) is the Samsung Galaxy devices with Qualcomm Snapdragon processors, including the Galaxy S4, Galaxy Note 3 and the Galaxy NotePRO tablet only.
- The Gossamer Security Solutions evaluation team concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL) 1 were met.
- TOE Missing: Samsung Galaxy S5 has NOT been evaluated!
Source: Gossamer Laboratories
So, to be clear: Samsung, for all their selfies and market hype, are only at EAL1. They have far to go to join EAL4 with Good Technology’s Good for Enterprise and BlackBerry 7. Additionally, BlackBerry 10 just got awarded “Authority to Operate” on U.S. Department of Defense networks. There is a giant leap from EAL1 to EAL4. An excerpt I pulled from another vendor’s certification document, during my research on what’s involved in certifying an EAL2 vendor, highlights my point:
“Clarification of Scope for EAL2 – As with all EAL 2 evaluations, this evaluation did not specifically search for, nor seriously attempt to counter, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources.”
Think about the paragraph above for another moment. The “evaluators” at EAL2 have to “ignore any attempt to counter vulnerabilities that were not ‘obvious’ or other vulnerabilities.” In other words, the evaluators have to stick to the “script” provided by the vendor (not their own domain knowledge or technical experience) and look the other way at EAL2. So, exactly how much confidence should an enterprise security team have in Samsung’s EAL1 certification?
In my view, Samsung has continued to cloud the market with hype and noise on their true security position, rather than just being transparent and forthright. First, it was their failed release of Samsung Knox at Mobile World Congress in 2013. Now, it’s the hype of “MDFPP Common Criteria Certification.” Security certification for devices and software is a process that takes time and has many hurdles on purpose. One quick read of the 128-page document titled “Protection Profile for Mobile Device Management” should be enough to suggest how much time it takes and what’s involved.
Finally, just like putting nine one-month pregnant women in the same room won’t make a baby, Samsung and Knox cannot hype and selfie themselves into real security for regulated industries, such as financial services, healthcare and government. Those are the hard true facts. Selfie replies welcome.