Re: Back on topic.... Re: [SECURITY] Universitycredentials used by third parties

[Adam Carlson <ajcarlson () BERKELEY EDU>]

David,
        In situation #2, if you use the RIM IMAP service without running your own Blackberry Enterprise Server, RIM 
will cache your credentials (last time I checked in Summer '09).  This is because the default Blackberry mail 
application does not support native IMAP and instead it is a "fake" IMAP implementation where the RIM servers connect 
to your IMAP server and then push the messages to your phone.  In order to connect to your IMAP server, they must cache 
your credentials permanently on their system.  It took me quite some time to figure out this is what was happening but 
I confirmed this configuration at the time with a blackberry representative.  
        If people are forwarding email to a blackberry account or using POP/POPS, then that would prevent this problem 
but I think that IMAP is quickly becoming a more standard configuration on all devices to provide synced mail.  

-Adam

David Gillett wrote:
>   I haven't looked closely at Blackberry -- perhaps I need to?  The
> scenarios I'm aware of are:
>
> 1.  User sets their institution email to forward to a remote address -- in
> this case their Blackberry address.  No exposure of credentials unless they
> want to reply (or originate) on the device and have those messages go
> through our outbound servers....
>
> 2.  User configures personal device to download messages from their
> institution inbox.
>
>   Does either of these actually involve sharing the user's credentials with
> the *service*, beyond their device?  I had assumed not, but now I'm not so
> sure....
>
> David Gillett
>
>
> -----Original Message-----
> From: Mike Porter [mailto:mike () UDEL EDU]
> Sent: Wednesday, August 25, 2010 08:55
> To: SECURITY () listserv educause edu
> Subject: Re: [SECURITY] Back on topic.... Re: [SECURITY]
> Universitycredentials used by third parties
>
> On Wed, 25 Aug 2010, Jesse Thompson wrote:
>
> > On 08/24/2010 11:08 AM, Joel Rosenblatt wrote:
> > > Just to thorough another thought into this mix, does anyone prevent
> > > their students (or other users) from turning over their credentials
> > > to Gmail or Blackberry?
> > >
> > > We see lots of authenticated logins from these services - and if I
> > > were to come down hard on this Ultrinsic using our sharing of
> > > password policy (which we do have) I'm sure that this would amount to
> > > having to change our policy to - you can't share your credentials -
> > > except with (gmail, Blackberry, etc.)
> > >
> > > I really hate inconsistent enforcement of policies, so it's either
> > > change the policy or cut off everyone.
> > +1
> >
> > Our help desk created end-user instructions for IMAP-syncing email
> > accounts with Gmail, despite the fact that it completely violates password
> policy.
> > They did this specifically because they get flooded with "how do I
> > save my email" requests when we deactivate email accounts, but other
> > users take advantage of it as well.
> >
> > Yet, when we propose the idea of officially embracing this
> > Gmail-IMAP-sync option as a more reliable alternative to forwarding  -
> > essentially treating Gmail the same as any other IMAP client - the
> > idea is immediately shot down because it violates password policy.
>
> What was the violation?  The problem that users woud need to store a
> password, likely the regular one, at gmail in order to use imap?
>
> We ended up with a convoluted system to avoid some of those issues.
>
>
> Mike
>
> Mike Porter
> Systems Programmer V
> IT/NSS
> University of Delaware
>
> > Jesse
> > (an email admin at Wisconsin)
>
> -
> Mike Porter
> PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2

-- 
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis