Home page logo
/

basics logo Security Basics mailing list archives

RE: Blackberry Security concerns
From: Jason.Burzenski () americanhm com
Date: Fri, 15 Apr 2005 16:44:38 -0400

These are the documents that we found most helpful for the assessment (in no
particular order).

http://www.sans.org/rr/whitepapers/pda/258.php

http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/6450
94/An_ () stake_Security_Assessment pdf?nodeid=644990&vernum=0

http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/7979
/278286/278425/Wireless_IT_Policy_and_IT_Administration.pdf?nodeid=340697&ve
rnum=0

http://www.blackberry.com/products/software/server/exchange/upgrade.shtml?ty
pe=3_5

http://www.blackberry.com/products/software/server/exchange/security.shtml


This summary from Stefan Keller also provided this at the time I was doing
the research.  I've paraphrased a bit but this formed a good foundation for
the recommendations we proposed.  

Top 5 Blackberry Security Recommendations 
1.  Disable pin-to-pin messaging 
2.  Enable password-protection on the device (strong passwords, expiration) 
3.  Disable the installation of 3rd party applications 
4.  Make user aware that data on the device is at risk (awareness) 
5.  Communicate the procedure for loss of device and emergency shutdown of
service.

Hope this helps. 

Jason 

-----Original Message-----
From: Jason.Burzenski () americanhm com [mailto:Jason.Burzenski () americanhm com]

Sent: Thursday, April 14, 2005 11:17 PM
To: ddenton () PAYLESSOFFICE com; eric () piteduncan com;
ntimperio () hitechnique com; security-basics () securityfocus com
Subject: RE: Blackberry Security concerns

If you review the blackberry security documentation, they advise it not be
placed in the DMZ so it is more protected from attack.  We just completed an
assessment of a blackberry enterprise server and the weak points were
identified on the exchange side and on the mobile device side.  The BES
never actually sees any data because the end-to-end encryption is between
the exchange component and the device.   

Let me know if you need any help.  I can send you some docs we used to
facilitate the assessment in the morning.  Blackberry's own security
documentation and the assessment performed by eEye were most useful. 

Jason Burzenski

-----Original Message-----
From: Dan Denton [mailto:ddenton () PAYLESSOFFICE com]
Sent: Thursday, April 14, 2005 4:44 PM
To: Eric McCarty; Nicholas Timperio; security-basics () securityfocus com
Subject: RE: Blackberry Security concerns

I would have to agree. We did not need to open any incoming ports on our
firewall to make the software work.

-----Original Message-----
From: Eric McCarty [mailto:eric () piteduncan com]
Sent: Thursday, April 14, 2005 12:25 PM
To: Nicholas Timperio; security-basics () securityfocus com
Subject: RE: Blackberry Security concerns


Blackberry Enterprise server initiates the connection so no additional
incoming ports need to be opened.  

-----Original Message-----
From: Nicholas Timperio [mailto:ntimperio () hitechnique com]
Sent: Thursday, April 14, 2005 9:10 AM
To: security-basics () securityfocus com
Subject: Blackberry Security concerns

Security-Basics -

We have a client that is thinking about having Blackberry Enterprise Server
installed on their Small Business Server.  My first thought is, since this
requires punching a hole through the firewall that we do not have an
application layer proxy for, that this should exist on a demilitarized zone.
Has anyone deployed the Blackberry Enterprise Server in a manner that they
felt was secure?  If so, what was done.

Thanks,

- Nicholas

------------------------------------------------------------------------
---
Earn your MS in Information Security ONLINE Organizations worldwide are in
need of highly qualified information security professionals.  Norwich
University is fulfilling this demand with its MS in Information Security
offered online.  Recognized by the NSA as an academically excellent program,
NU offers you the opportunity to earn your degree without disrupting your
home or work life.

http://www.msia.norwich.edu/secfocus_en
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
Earn your MS in Information Security ONLINE Organizations worldwide are in
need of highly qualified information security professionals.  Norwich
University is fulfilling this demand with its MS in Information Security
offered online.  Recognized by the NSA as an academically excellent program,
NU offers you the opportunity to earn your degree without disrupting your
home or work life.

http://www.msia.norwich.edu/secfocus_en
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE Organizations worldwide are in
need of highly qualified information security

professionals.  Norwich University is fulfilling this demand with its MS in
Information Security offered online.  Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE Organizations worldwide are in
need of highly qualified information security professionals.  Norwich
University is fulfilling this demand with its MS in Information Security
offered online.  Recognized by the NSA as an academically excellent program,
NU offers you the opportunity to earn your degree without disrupting your
home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault