BlackBerry Forums Support Community
View Poll Results: Passwords should be...
Complex, 8-char, password history kept, 30-day expiration, required: 9 votes (21.95%)
Required, but no quality requirements: 27 votes (65.85%)
Optional: 5 votes (12.20%)
Voters: 41.

05-10-2005, 03:44 PM   #1
JRV

I'm setting up BES 4/Exchange for a client. They have about 180 users on their system, 100 of which will have BlackBerrys.

I've set security policies (mostly) in line with RIM's "security best practices" appendix in the Admin document.

We've rolled it out to 8 pilot users. Feedback is unanimous: Passwords gotta go. Not just shorter, not just remove complexity requirements, not just remove password history...gone.

They say those who feel it's important can set their own passwords of whatever quality they choose.

Client is a general contractor. Users include the full gamut from executive to PMs to HR to marketing to accounting. No Sarbanes-Oxley or other compliance requirements.

They understand that confidential information is in those e-mails and that messages can be read, sent impersonating company officers, etc. Contacts, including marketing leads, will be available.

I know I'm going to lose...no matter what my recommendation, the owner doesn't want security forced on the users and he's going to tell me to remove it before we roll it out.

But I'm curious: Are there any BES admins out there who think this sounds OK?

I know there are lots more possible poll answers than I could ever think of...so choose the one that comes closest, but post your comments, too!

Last edited by JRV; 05-11-2005 at 11:41 AM. Reason: Clarification
05-10-2005, 03:45 PM   #2
NJBlackBerry

It'll be fine until the owner loses his BlackBerry with the list of important customers. Then it will be your fault. Tell me, do their laptops have passwords?
05-10-2005, 03:57 PM   #3
JRV

You'd think...but owner has lost several PDAs in the last year, actually! He was quite concerned about shutting down his PDA's e-mail last time, when it was stolen, so he's aware of the risk, which makes me a bit surprised that this is coming up now.

All their user accounts have complex passwords that expire, have minimum lengths, etc. So, yes, their laptops have passwords...but the counter to that is that they only have to log on once per day (if that) on the computers. And having passwords was not the owner's idea; he just hasn't fought it like he's fighting this.

We set handheld inactivity timeout to 5 minutes...I should have mentioned that because that definitely increases the nuisance value of passwords.

Last edited by JRV; 05-11-2005 at 11:41 AM.
05-10-2005, 03:59 PM   #4
FlemmingRiis

Passwords are a must; if people complain, simple ones are acceptable with autolock on cradle.

Passwords, even reasonably simple ones, still give the time needed from when a device is lost to when it's killed.

If they don't want passwords, explain in writing the downsides and your recommendation to the customer so your rear end is clear; it is after all their installation.
05-10-2005, 04:01 PM   #5
NJBlackBerry

Shutting down his e-mail won't help if his contacts list (and existing e-mail) is compromised. I guess if he tells you quickly enough you can wipe out the handheld from the BES. My words to people here are that laptops are stolen, but BlackBerrys are LOST. Two different concepts.

It's a bad idea, but it may not be worth fighting over.
05-10-2005, 04:06 PM   #6
JRV

I will definitely document my concerns. Will likely include a copy of this thread, in fact.
05-10-2005, 06:25 PM   #7
DoomBringer

I'm not using passwords, only because my devices are in house devices *only*. Development and testing work doesn't go on at home, so they stay here.
I recommend a 6 letter password, with one number. Most people's thumbs will break before they can brute force that...
While changing the password on a regular basis is a good idea, I've never done it. I probably should, though. I'm proactive enough to make my desktop require a password with a digit, symbol, and longer than 12 chars, but I am too lazy to change it once a month.

Oh, and I think the guy is a tard. "Hey everyone, lets NOT FOLLOW SOUND ADVICE! Security is for wusses!"
BlackBerries are easy to lose or forget, and the data on them can be worth a lot.
05-10-2005, 06:44 PM   #8
PhilMax

A little off topic, but I bet those people who only log on once a day do not have password activated screensavers either and they don't "lock" their computer while away from them. I have an information security role in my company and when anyone is away from their desk for very long and I happen to notice I love to send them an email from their computer to themselves warning them that I could just as easily have sent an email to the president of the company cussing him out (explain that away) or I could have compromised any of the data to which they were connected through the network. Usually, one such lesson per department gets the message across.

BB's should definitely have passwords. Recognizing the inconvenience, we are testing a simple 4 character "pin" requirement with a 30 minute lock down. No expiration, no complexity. We are also emphasizing to our people the necessity to IMMEDIATELY report a lost or stolen unit. We are only concerned with password security for, hopefully, a brief time before we can wipe the unit and disable it remotely. We have warned them that the first time someone loses one or has one stolen and it is not reported in a timely fashion it will be the cause for a much stricter policy.
__________________
Me? 7130C/BES

Who says they can't teach an 'old dog' new tricks!
05-10-2005, 07:26 PM   #9
DoomBringer

Quote:
Originally Posted by PhilMax
A little off topic, but I bet those people who only log on once a day do not have password activated screensavers either and they don't "lock" their computer while away from them. I have an information security role in my company and when anyone is away from their desk for very long and I happen to notice I love to send them an email from their computer to themselves warning them that I could just as easily have sent an email to the president of the company cussing him out (explain that away) or I could have compromised any of the data to which they were connected through the network. Usually, one such lesson per department gets the message across.

BB's should definitely have passwords. Recognizing the inconvenience, we are testing a simple 4 character "pin" requirement with a 30 minute lock down. No expiration, no complexity. We are also emphasizing to our people the necessity to IMMEDIATELY report a lost or stolen unit. We are only concerned with password security for, hopefully, a brief time before we can wipe the unit and disable it remotely. We have warned them that the first time someone loses one or has one stolen and it is not reported in a timely fashion it will be the cause for a much stricter policy.
Yes. 4 digit PIN is actually ok for a BB, given input constrictions of the device (no way to programmatically attack the thing), it works pretty well. The 30 min lockout is good too, only after like 3 attempts though.
Reporting lost or stolen devices is crucial.
Security isn't all that hard to do, really. All you need is an educated IT person (a rarity, really, finding one that doesn't spew anti-Microsoft or anti-whatever gibberish is hard enough) and the organization has to allow the IT person to do his job.
05-10-2005, 07:57 PM   #10
JRV

Lots of good ideas & comments, folks. Thanks and keep 'em coming...good stuff.

DoomBringer's brute-force attack point is an interesting one. There may (or may not) be any such thing as a programmatic brute-force attack on a BB today...but part of that is that no one's given it much attention. If BBs continue to gain market share that will change. Are brute-force attacks something we can just rule out?

PhilMax's point about password-protected screen savers is well taken. A (now) ex-employee of this same company sent a bunch of embarrassing e-mails out under another employee's name a few years ago by walking up to an unattended, unlocked computer. Nothing to prevent that from happening with a BB left behind after a meeting for a few minutes.
05-11-2005, 11:34 AM   #11
Digger

I have 200 BB deployed, on campus and off. Every single one of them is forced to lock in holster/cradle, lock after ten minutes, and a minimum 6 digit w/one numeric password. We are also running multiple configs and policies depending on the type/model of phone. They have complained in the past about the security and I just tell them that they do not have to have a Blackberry at all. Pen and paper works too.
05-11-2005, 12:37 PM   #12
DoomBringer

Quote:
Originally Posted by JRV
Lots of good ideas & comments, folks. Thanks and keep 'em coming...good stuff.

DoomBringer's brute-force attack point is an interesting one. There may (or may not) be any such thing as a programmatic brute-force attack on a BB today...but part of that is that no one's given it much attention. If BBs continue to gain market share that will change. Are brute-force attacks something we can just rule out?

PhilMax's point about password-protected screen savers is well taken. A (now) ex-employee of this same company sent a bunch of embarrassing e-mails out under another employee's name a few years ago by walking up to an unattended, unlocked computer. Nothing to prevent that from happening with a BB left behind after a meeting for a few minutes.
Well, my comments about brute force being hard to do in a programmatic fashion are true. There is virtually no way (that I can think of) to pipe external input into a BB. Given the device's security hardware features, it isn't going to be possible without great effort.
A 30 minute timeout after 5 failed attempts will greatly slow down any brute force attack. A dictionary attack, however, could still be useful to the attacker in that scenario. If the password is a simple one ("password" is the first thing *any* hacker will try), then forget it. That is why complexity rules are a must. I wonder if BES has a list of disallowed passwords ("pass123" is a valid password under the 6 digits with min 1 number rule... and "pass123" is the very next thing a hacker will try).
And yes, document your concerns. In bold font even. When the s*** hits the fan (and it always will, eventually), you'll have your "I told you so" in writing.
05-11-2005, 12:39 PM   #13
DoomBringer

Quote:
Originally Posted by Digger
I have 200 BB deployed, on campus and off. Every single one of them is forced to lock in holster/cradle, lock after ten minutes, and a minimum 6 digit w/one numeric password. We are also running multiple configs and policies depending on the type/model of phone. They have complained in the past about the security and I just tell them that they do not have to have a Blackberry at all. Pen and paper works too.
Yes. Complain once, you get the security explanation, plus a "because I said so". Complain twice, you no longer have a BlackBerry.
05-11-2005, 12:52 PM   #14
NJBlackBerry

In our case I mention that our CEO asked for the password policy (he was given a choice); that tends to keep them quiet. Plus it is a simple 6 character password; 60-minute timeout.
05-11-2005, 12:53 PM   #15
DoomBringer

Quote:
Originally Posted by NJBlackBerry
In our case I mention that our CEO asked for the password policy (he was given a choice); that tends to keep them quiet. Plus it is a simple 6 character password; 60-minute timeout.
Wow, you have a competent CEO! That is outstanding! lol
05-11-2005, 02:26 PM   #16
corey@12mile

Quote:
Originally Posted by DoomBringer
Well, my comments about brute force being hard to do in a programmatic fashion are true. There is virtually no way (that I can think of) to pipe external input into a BB.
I think if you hook up the handheld to the desktop manager and run a script that will programmatically attack the password you could eventually break in...

cd.
05-11-2005, 02:31 PM   #17
DoomBringer

Quote:
Originally Posted by corey@12mile
I think if you hook up the handheld to the desktop manager and run a script that will programmatically attack the password you could eventually break in...

cd.
How so? Is there a way to have the BB accept keypad input from other than the hardware one?
05-11-2005, 02:36 PM   #18
PhilMax

Quote:
Originally Posted by corey@12mile
I think if you hook up the handheld to the desktop manager and run a script that will programmatically attack the password you could eventually break in...

cd.
How long would that take? In a BES environment, we are expecting that the password will only protect the company information that may reside on the handheld long enough for us to do a wipe of all data after it has been reported lost or stolen and before an eventual break in occurs, trying to balance deterrence with user inconvenience. We are not looking nor expecting these to be impenetrable.
05-11-2005, 03:43 PM   #19
JRV

Quote:
Originally Posted by DoomBringer
How so? Is there a way to have the BB accept keypad input from other than the hardware one?
Doesn't the Desktop Manager need the password? I don't have DM, and we're not using it here, so I'm out of my depth. But if DM needs the BB password, then it's got to be authenticating with the BB, and if it's authenticating, a password attack is possible.

As for how long it would take...not very long if length & complexity rules aren't in place. "aaaa" "asdf", "password", "secret"...that's what your users will be doing. 'Course, complex password requirements can still produce lousy passwords. Take this "complex" password that a user here chose: qweasd7zx (look at the BB keyboard to see what he did and why he did it). He's changed it but its replacement isn't much better. BB keyboard-savvy crackers will be including those in their dictionaries, too.

Better keep the Maximum Password Attempts number low!

Last edited by JRV; 05-11-2005 at 03:49 PM.
05-11-2005, 03:52 PM   #20
Snyder81

So is anyone out there mandating Content Protection on their deployed BlackBerry handhelds? I have ~450 users and we are implementing a 4-character password in the near future with only 5 attempts allowed before a wipe takes place. We will also enable content protection (level 0, 163-bit ECC) in case a device is stolen and forensic attacks are used on the device.
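The thread keeps circling two questions: how many guesses an attacker actually gets before a lockout or wipe ends the attempt (posts #12, #18 and #20), and whether a password that satisfies the BES "6 characters with one digit" rule can still be trivially weak, like the keyboard walk JRV describes in post #19. The following is an added example written for this thread, not BES code or anything the posters ran; the QWERTY row layout, the disallowed-word list and the policy numbers are assumptions, and it goes beyond the posts by also checking arbitrary policy combinations.

```python
"""Policy model for the handheld password trade-off discussed in the thread:
guesses that fit before a wipe, plus dictionary and keyboard-walk checks.
Added example, not BES code; layout, word list and numbers are assumptions."""

# Assumption: the three letter rows of a QWERTY thumb keyboard.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Constructed stand-in for a real disallowed-password list.
DISALLOWED = {"password", "secret", "aaaa", "asdf", "pass123", "qwerty"}


def guesses_before_wipe(max_attempts: int, lockout_after: int,
                        lockout_minutes: float, window_minutes: float) -> int:
    """Guesses an attacker can type within window_minutes (time until the admin
    issues a remote wipe) when the device wipes itself after max_attempts
    failures and every lockout_after failures cost a lockout_minutes pause.
    Typing time is assumed negligible."""
    lockouts_affordable = int(window_minutes // lockout_minutes)
    # Each lockout the attacker waits out buys another batch of guesses.
    guesses = (lockouts_affordable + 1) * lockout_after
    return min(guesses, max_attempts)


def _adjacent(a: str, b: str) -> bool:
    """True if a and b are horizontal neighbours on one keyboard row."""
    for row in QWERTY_ROWS:
        if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
            return True
    return False


def keyboard_walk_chars(pw: str, min_run: int = 3) -> int:
    """Number of characters of pw that belong to a run of at least min_run
    adjacent keys, e.g. 'qwe' and 'asd' in 'qweasd7zx' give 6."""
    lower, covered, i = pw.lower(), 0, 0
    while i < len(lower):
        j = i
        while j + 1 < len(lower) and _adjacent(lower[j], lower[j + 1]):
            j += 1
        if j - i + 1 >= min_run:
            covered += j - i + 1
        i = j + 1
    return covered


def check_password(pw: str, min_len: int = 6, require_digit: bool = True) -> list:
    """Policy violations for pw (empty list = accepted).  Adds a disallowed
    list and a keyboard-walk test on top of the BES length/digit rule."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if require_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if pw.lower() in DISALLOWED:
        problems.append("on disallowed list")
    if keyboard_walk_chars(pw) * 2 > len(pw):
        problems.append("mostly a keyboard walk")
    return problems
```

With a 30-minute lockout after 5 failures and a wipe at 10, an attacker who gets an hour before the remote wipe lands exhausts all 10 guesses, while a 20-minute reporting window caps them at 5; against a 4-digit PIN either budget covers well under 1% of the space.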
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.