Blackberry Security concerns
Can you provide a link to the original source of the information from Stefan Keller?

C 4/15/05, Jason.Burzenski (AT) americanhm (DOT) com <Jason.Burzenski (AT) americanhm (DOT) com> wrote:

These are the documents that we found most helpful for the assessment (in no particular order).

94/An_@ / rnum=0 pe=3_5

This summary from Stefan Keller also provided this at the time I was doing the research. I've paraphrased a bit but this formed a good foundation for the recommendations we proposed.

Top 5 Blackberry Security Recommendations
1. Disable pin-to-pin messaging
2. Enable password-protection on the device (strong passwords, expiration)
3. Disable the installation of 3rd party applications
4. Make user aware that data on the device is at risk (awareness)
5. Communicate the procedure for loss of device and emergency shutdown of service.

Hope this helps.
Jason

Message
From: Jason.Burzenski (AT) americanhm (DOT) com [mailto:Jason.Burzenski (AT) americanhm (DOT) com]
Sent: Thursday, April 14, 2005 11:17 PM
To: ddenton (AT) PAYLESSFFICE (DOT) com; eric (AT) piteduncan (DOT) com; ntimperio (AT) hitechnique (DOT) com; security-basics (AT) securityfocus (DOT) com
Subject: RE: Blackberry Security concerns

If you review the blackberry security documentation, they advise it not be placed in the DMZ so it is more protected from attack. We just completed an assessment of a blackberry enterprise server and the weak points were identified on the exchange side and on the mobile device side. The BES never actually sees any data because the end-to-end encryption is between the exchange component and the device.

Let me know if you need any help. I can send you some docs we used to facilitate the assessment in the morning. Blackberry's own security documentation and the assessment performed by eEye were most useful.

Jason Burzenski

Message
From: Dan Denton [mailto:ddenton (AT) PAYLESSFFICE (DOT) com]
Sent: Thursday, April 14, 2005 4:44 PM
To: Eric McCarty; Nicholas Timperio; security-basics (AT) securityfocus (DOT) com
Subject: RE: Blackberry Security concerns

I would have to agree. We did not need to open any incoming ports on our firewall to make the software work.

Message
From: Eric McCarty [mailto:eric (AT) piteduncan (DOT) com]
Sent: Thursday, April 14, 2005 12:25 PM
To: Nicholas Timperio; security-basics (AT) securityfocus (DOT) com
Subject: RE: Blackberry Security concerns

Blackberry Enterprise server initiates the connection so no additional incoming ports need to be opened.

Message
From: Nicholas Timperio [mailto:ntimperio (AT) hitechnique (DOT) com]
Sent: Thursday, April 14, 2005 9:10 AM
To: security-basics (AT) securityfocus (DOT) com
Subject: Blackberry Security concerns

Security-Basics -

We have a client that is thinking about having Blackberry Enterprise Server installed on their Small Business Server. My first thought is, since this requires punching a hole through the firewall that we do not have an application layer proxy for, that this should exist on a demilitarized zone.

Has anyone deployed the Blackberry Enterprise Server in a manner that they felt was secure? If so, what was done.

Thanks,
- Nicholas