Educause Security Discussion mailing list archives

Re: iPad and access to university ERP


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 22 Jul 2010 08:27:19 -0400

If you configure your Windows systems to only allow high encryption levels
for RDP (configurable via GPO or locally), then you'll either get decent
encryption, or no connection.  In this case, it probably means this app
won't be able to establish an RDP connection.  

It would be nice to see an app like this support full, modern RDP with
TLS/SSL support.  

Brad Judy

Emory University



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ullman, Catherine
Sent: Wednesday, July 21, 2010 7:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

The 40-bit reference appears to be to the software itself, which is an
add-on app that can be downloaded and installed from a third party.  Note
the line that says "40-bit encryption" is a limitation:

http://www.mochasoft.dk/iphone_rdp_help/help.htm

So yes, I'd say there is a distinct concern.

-Cathy

Catherine J. Ullman
Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu



________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
[bbasgen () PIMA EDU]
Sent: Wednesday, July 21, 2010 7:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

 Apple has an overview of security on the iPad here:
   http://images.apple.com/ipad/business/pdf/iPad_Security_Overview.pdf

 This is an interesting read: I didn't know, for example, that the iPad
appears to have quasi FDE functionality: "256-bit AES encoding
hardware-based encryption to protect all data on the device. Encryption is
always enabled and cannot be disabled by users."

 The lowest algorithm I can see in the document is 3DES, which is typically
implemented at either 112 or 168 bit strength. I don't see anything about
40-bit, but to the previous poster, that would be a concern since 40-bit is
well within the realm of brute force. By the looks of the Apple publication,
however, the iPad appears to have some pretty good security controls.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Wednesday, July 21, 2010 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

But...given that the session *is* encrypted - and not persistent - wouldn't
*any* kind of encryption be serviceable for something like this?  (I'm
thinking that if someone *really* wanted the data, they aren't going to try
and tunnel through a relatively random wireless connection....?)

Just a thought...

M

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Greg Schaffer
Sent: Wednesday, July 21, 2010 10:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPad and access to university ERP

I believe the encryption is only 40 bit.

Greg

Greg Schaffer, CISSP
Assistant Vice President
Network and Information Technology Security
Middle Tennessee State University
615 898-5753

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Wednesday, July 21, 2010 11:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] iPad and access to university ERP

I just received this email from a department manager:

"First thing I did was install an app called Remote Desktop Lite (free). I
used that to remote into my Windows machine on my desk and it worked
beautifully. I pulled up Banner and found it to be really easy to work with
on the iPad. What I liked the most was I didn't have to tab into the entry
fields. I could touch them and the cursor would move. If I only had that on
my desktop!"

Wonderful....  So I'm thinking what is open on the desktop and what is the
security of the transmission.  We force VPN use from off-campus.  I thought
we had the remote desktop thing handled in terms of accessing our ERP.

Am I unreasonably concerned?

--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
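
An added example, not part of any message in this thread: a PowerShell check of the host-side settings the first reply describes, reporting whether the RDP listener enforces a High minimum encryption level and whether it requires TLS. The registry paths and value names are the standard Remote Desktop Services ones; the helper name `Get-EffectiveRdpValue` and the pass thresholds (High = 3, TLS = 2) are assumptions chosen to match that reply.

```powershell
# Audit the local RDP listener: minimum encryption level and security layer.
# A value set through Group Policy takes precedence over the local listener value.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$encryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$layerNames      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

# Hypothetical helper: return the policy value if present, else the local value.
function Get-EffectiveRdpValue {
    param([Parameter(Mandatory)][string]$Name)
    $sources = @(
        @{ Label = 'GroupPolicy'; Path = $policyKey },
        @{ Label = 'Local';       Path = $listenerKey }
    )
    foreach ($source in $sources) {
        $item = Get-ItemProperty -Path $source.Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = $source.Label }
        }
    }
    return [pscustomobject]@{ Name = $Name; Value = $null; Source = 'NotSet' }
}

# Hashtables cannot be indexed with $null, so unset values are labelled explicitly.
function Get-Label {
    param($Map, $Value)
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey($Value)) { return $Map[$Value] }
    return "unknown ($Value)"
}

$enc   = Get-EffectiveRdpValue -Name 'MinEncryptionLevel'
$layer = Get-EffectiveRdpValue -Name 'SecurityLayer'

$findings = @()
if ($null -eq $enc.Value -or $enc.Value -lt 3) {
    # Below High, the server accepts whatever key strength the client offers.
    $findings += 'MinEncryptionLevel is below High (3): low-strength RDP clients can still connect.'
}
if ($null -eq $layer.Value -or $layer.Value -ne 2) {
    # Without TLS required, a client may fall back to native RDP encryption.
    $findings += 'SecurityLayer does not require TLS (2): native RDP encryption can be negotiated.'
}

"MinEncryptionLevel : {0} [{1}]" -f (Get-Label $encryptionNames $enc.Value), $enc.Source
"SecurityLayer      : {0} [{1}]" -f (Get-Label $layerNames $layer.Value), $layer.Source
if ($findings.Count -eq 0) { 'OK: weak-encryption clients will be refused.' } else { $findings }
```

Run it in an elevated PowerShell session on the Windows host that accepts the RDP connections; it only reads the registry and changes nothing.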

