Security Basics mailing list archives
Re: iTunes for iPhone in an Enterprise
From: Florian Rommel <frommel () gmail com>
Date: Sat, 27 Nov 2010 11:21:24 +0200
Yes, you are being paranoid. There might be fewer security vulnerabilities.. (well, the fact that RIM caved in and gave the encryption key and access to the servers to some certain countries worries me though), but there is also less functionality. I don't know how it is in the US nowadays, but at least from our offices there we get the same impression as over here in the European countries. Security is more and more built around functionality, not any more "lock down as much as possible".

This also has other points. With more and more personal data stored on these devices (iOS, RIM, Symbian etc.), people take much more care of these devices because their OWN data is on there too. For example, we have had a lot fewer stolen and lost devices since we allowed the users to use the phones for personal use as well.

Is iOS the ultimate thing.. hell no.. is any of them? Oh no, not by far. Personally I utterly dislike RIM, but that's just a matter of taste. I do have a feeling, from what I have seen on some of our sales guys in the US with new BlackBerries, they are slowly falling behind compared to the rest. Like it or not, people like the functionality, and if they carry around one mobile device instead of 2 or 3 (business, personal etc.), the better. I think there is a HUGE social aspect to this debate, but that is outside the scope of this.

Yes, with each iOS update you get security fixes, you also get functionality. With each Symbian release you get the same. I am not sure how often RIM adds functionality or releases an update. IMHO from a CSO perspective, the weakest link is always the user, and if I can make him become more aware and "paranoid", the better. I don't know how this will pan out, but at least they are all moving in the right direction. Right now, I am not saying ANY of the big three is better, but RIM's dominance is slowly fading, and the reason for it? Coolness and flashiness while still bringing security in as well.
I remember the days of Windows when features were everything and Windows was insecure as hell. Even though mobile OSs are moving in that direction, at least they do take care of security. Oh, and Symbian has a tool that allows you to create one config and security file that you upload to your devices.. done.. all the same.. iOS has this with a 3rd party AFAIK. The fact that iOS could be jailbroken at one time is like saying that at one time Slammer was wreaking havoc on SQL servers... yes it was, but it is not anymore.

Just my 2cents..

//F

On Nov 27, 2010, at 9:59 AM, Francois Lachance wrote:
So nobody sees an issue with the number of security related bugs in iOS, or the fact that at one time you could be jailbroken just by browsing a web site, or by the fact that you have no way to control what apps your users can install? At least with a BlackBerry BES I can control any aspect of the devices centrally. I don't think that's possible on the iPhone, at least not without a third-party add-on.

It seems like every update released by Apple for the iPhone contained at least one security vulnerability fix. Not so for the BlackBerries. There have been a few vulnerabilities on the BES (all related to the PDF rendering), and all that was required was to upgrade one server, not every device. I am not saying that there are no bugs in BlackBerry devices, but so far, none that have had a security implication.

Am I being paranoid here? Please someone set me straight if I'm wrong here.

Thanks,
Francois

On Tue, Nov 23, 2010 at 5:31 PM, Florian Rommel <frommel () gmail com> wrote:

Actually, with the release of iOS 4.2 and a little bit of tinkering we have our iPhones more secure than most of our HTCs, Windows Mobiles or even device managed Nokias. Exchange remote wipe and MobileMe Find My Phone service are very nice additions. However, we follow the same principle. IT has an iTunes machine, everyone else has nothing and cannot do anything. We had a few incidents where people connected their iPhones to their home PC and wiped them to hook them up to their iTunes in order to jailbreak or app install. This caused several disciplinary actions up to a dismissal in one country. Since then it has been nice and smooth.

I don't see what the fuss is about anymore. With passcode wipe and remote wipes and lock settings it's all ok on our end... So far that is..

//f

On Nov 24, 2010, at 12:01 AM, Teena Horne wrote:

J. Teddy,

Just wondering, what is the need for iTunes to be available in the corporate environment just because you use iPhones?
In our environment we support Windows Mobile, Androids, or iPhones. No one here has iTunes installed on any business PC for their iPhones and they don't need it. One machine has it so I can activate the iPhones when we first get them.

Adrian,

I certainly agree with your assessment of the iPhone for a corporate environment, but I was shot down for keeping them out on account of the Exchange server can remote wipe the phone.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adrian J Milanoski
Sent: Saturday, November 20, 2010 12:56 AM
To: J Teddy
Cc: security-basics () securityfocus com
Subject: Re: iTunes for iPhone in an Enterprise

Hi,

Sorry to burst your bubble about your iPhone in the corporate world, but I personally would not even attempt the iPhone/iTunes in the corporate world. It was never designed for that. Personally I have and use an iPhone; it's great as a 'personal' phone and no more. Having the ability to deploy and manage the security aspects of things is much more important than applications. BlackBerries have dominated that market and allow you to do and manage everything centrally with a BES server. Both Apple and RIM took different routes with their business, personal and enterprise.

Honestly I don't mean to be negative about this but, if you're talking this to an enterprise you've got to think about Confidentiality, Integrity, and Availability. I have heard of companies wanting to deploy iPhones, but I don't think anything came of it due to these restrictions. I would be interested in if anyone else has.

Thanks,
Adrian
_________________
Sent from my iPhone

On 2010-11-17, at 7:54 PM, J Teddy <jteddylists () gmail com> wrote:

Yes, my organisation is a little slow off the mark, and we are now looking at deploying iPhones. Currently it appears management is not comfortable with users having iTunes installed on individuals' machines. I am not sure what these concerns are.
Apparently other organisations have solved this issue by using kiosks, and this is the golden bullet that CIOs are talking about in their circles. A kiosk is simply just an internal computer that can be used by any employee, and has iTunes installed. If my understanding of iTunes is correct, I had some concerns and wish for your advice, help, and to understand what you did in this instance of managing iTunes.

My concern is: if all corporate users are to share a single instance of iTunes on a public kiosk computer, they will all be required to share an iTunes account. This will involve all users knowing the username (an e-mail address) and password to the account. The downfall in this scenario is if a user wishes to purchase content through iTunes the same content will be shared among all the users. Further investigation needs to be undertaken if this breaches Apple's acceptable use policy. There may also be implications if the user stores their credit card information for the iTunes account.

A logical solution would be to assign an iTunes account to all users on the kiosk. Unfortunately this can cause similar complications to the above. All the purchased or downloaded content will be on the iTunes library, which other users will also be able to transfer to their device (re. investigate acceptable use policy). If an upgrade to a purchased application is released and a user other than the original purchaser wishes to upgrade the application, they will be required to enter the iTunes account username and password of the original purchaser.

Individuals will also rely on iTunes to create backups for their device. These backups must be encrypted, or another user could restore their device using another user's backup, revealing private information stored on their device.

If you know anything about the legal side, it would be great to reference straight from Apple Policy, as I need to find something in writing. I have only found the below at this point in time.
* Your Account **
"As a registered user of the Service, you may establish an account ("Account"). Don't reveal your Account information to anyone else. You are solely responsible for maintaining the confidentiality and security of your Account and for all activities that occur on or through your Account"

Thank you all for taking the time out to read my mail, and kudos for those who help.

Mr. Lacanian

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Current thread:
- iTunes for iPhone in an Enterprise J Teddy (Nov 18)
- Re: iTunes for iPhone in an Enterprise Todd Haverkos (Nov 19)
- Message not available
- Re: iTunes for iPhone in an Enterprise Florian Rommel (Nov 26)
- Message not available
- Message not available
- Message not available
- Re: iTunes for iPhone in an Enterprise J Teddy (Nov 26)
- Message not available
- <Possible follow-ups>
- Re: iTunes for iPhone in an Enterprise Adrian J Milanoski (Nov 26)
- Re: iTunes for iPhone in an Enterprise Florian Rommel (Nov 26)
- Re: iTunes for iPhone in an Enterprise Saif El Sherei (Nov 30)
- Re: iTunes for iPhone in an Enterprise Francois Lachance (Nov 30)
- Re: iTunes for iPhone in an Enterprise Florian Rommel (Nov 30)