Security Basics mailing list archives

RE: how do you secure a blackberry


From: "Steve Armstrong" <stevearmstrong () logicallysecure com>
Date: Tue, 28 Jul 2009 23:21:22 +0100

Joe, 

This is not strictly true.  

If you trust the off-the-shelf BlackBerry software from RIM (so you are not the subject of a focused attack), and have 
your own Blackberry Enterprise Server (BES), you can configure the system to reject pushed items, and strictly 
configure the device as to what the user can and cannot do (link to systems, use Bluetooth, send IMs, use the camera 
etc).

If you are thinking about this in relation to the Dubai attacks, most of these were against individual users that had 
individual types of accounts or had poorly configured BES servers with few controls in place.  

If your users have standard devices using the ISP's BES servers then you do not have control of your devices and are open 
to this type of attack.

Check out the following if you want to know more about BES Security: try this 200-page RIM document on configuring Sy on 
their devices.  
http://na.blackberry.com/eng/deliverables/1417/BlackBerry_Enterprise_Server_Policy_Reference_Guide[1].pdf

Steve A
(Twitter: Nebulator)



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Joseph Williams
Sent: 28 July 2009 18:48
Cc: security-basics () securityfocus com; enquiries () globalart4u com
Subject: RE: how do you secure a blackberry

This isn't true. Through "Service Books" a provider can basically push
any software they want to the device.

Joe

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Aarón Mizrachi
Sent: Tuesday, July 28, 2009 1:26 AM
To: Shawn Merdinger
Cc: security-basics () securityfocus com; enquiries () globalart4u com
Subject: Re: how do you secure a blackberry

On Monday 27 July 2009 15:38:20 Shawn Merdinger wrote:
Hi Aarón,

On Wed, Jul 22, 2009 at 1:55 PM, Aarón Mizrachi<unmanarc () gmail com> wrote:
The answer:
deciding not to install the update.

I don't think it is that simple if the service provider is pushing 
down software and controls the update process.  For the user to decide 
not to install the update, the user must be presented with a choice.
If the install is done silently over the network in the background, 
then there is no choice for the user.

Cheers, I didn't really have time to take an in-depth look at this specific
case.

I'm talking about the "generic". Usually, the BlackBerry handheld device does not
come with automatic update software owned by your "telephony provider" or
RIM. Therefore and moreover, any update should be done by hand. 

Moreover, real software updates provided by RIM should be installed using
the desktop manager application. Usually this is not an automatic process
and sometimes requires your handheld password to be done.

I understand that you can download BlackBerry updates from RIM websites
according to your provider, but the trust relies on RIM, who publish this
software.


Cheers,
--scm

-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

