[Poma]

Hey guys, I am a systems administrator at a law firm and we are in the middle of setting up a Blackberry server and getting around 15 or so units on it.

I just came across an article from Wired.com, search for Blackberry a Juicy Hacker Target as I cannot post links yet.

Have you seen this yet, any thouhgts on it?

This would obviously be a serious problem for anyone who owns a Blackberry.

If this is true... which I am sure it is, can you think of any ways to prevent it from happening?

Thanks in advance.

Poma

[jibi]

Wired News Article:
Blackberry a Juicy Hacker Target

RIM KB Articles:
Protecting the BlackBerry device platform against malware
Placement of the BlackBerry Enterprise Solution in a Segmented Network

[richardsbd]

Quote:

Originally Posted by Poma

If this is true... which I am sure it is, can you think of any ways to prevent it from happening?

Thanks in advance.

Poma

1. Create IT policy which prevents users from installing applications on the handheld.

2. Have anti-virus running on the desktops/email servers to find and catch trojans before they can get to the handheld.

(probably both stated in the KB articles linked by jibi )

[jibi]

Seriously though, I think this is being slightly overblown. When the application is released, I'm going to test it out myself. We have MDS disabled for our production servers, so I'm sure that helps out a lot. As for the MAPI attack, the RIM KB article states the attacker must gain access to the internal network (through a PC) and know the victim's PIN number. If an attacker gets that far, then I'd personally think there were bigger issues to deal with.

[|||||||]

Quote:

Originally Posted by richardsbd

1. Create IT policy which prevents users from installing applications on the handheld.

2. Have anti-virus running on the desktops/email servers to find and catch trojans before they can get to the handheld.

(probably both stated in the KB articles linked by jibi )

This is exactly right

I hate saying "Its a feature not a bug" but this is the case. The BIG feature of Mobile Data Service is that you can access your internal network with it. It is the exact same as any computer within your firewall, the BlackBerry is too. Don't allow users to install apps (easier than windows) and run anti-virus on the desktops (you have worse problems if you dont')

[DoomBringer]

Quote:

Originally Posted by jibi

Seriously though, I think this is being slightly overblown. When the application is released, I'm going to test it out myself. We have MDS disabled for our production servers, so I'm sure that helps out a lot. As for the MAPI attack, the RIM KB article states the attacker must gain access to the internal network (through a PC) and know the victim's PIN number. If an attacker gets that far, then I'd personally think there were bigger issues to deal with.

This is not overblown, because the default IT Policy is to allow end users to install any application. I could have written this hack a year ago.

Edit: Well, certain apps have to be signed first. But even then, a signing key is $100.

[|||||||]

Quote:

Originally Posted by DoomBringer

This is not overblown, because the default IT Policy is to allow end users to install any application. I could have written this hack a year ago.

Edit: Well, certain apps have to be signed first. But even then, a signing key is $100.

You still have to download the app and then you have to allow it to access the network. So these are the same users that will download bonzi buddy on their PC.

[DoomBringer]

Quote:

Originally Posted by |||||||

You still have to download the app and then you have to allow it to access the network. So these are the same users that will download bonzi buddy on their PC.

Oh sure, but I assume that your average suit will be easily impressed by "Free game!!!1" and install it.
Trusting your users to do the right thing is network security suicide.

[|||||||]

Quote:

Originally Posted by DoomBringer

Oh sure, but I assume that your average suit will be easily impressed by "Free game!!!1" and install it.
Trusting your users to do the right thing is network security suicide.

Yeah so you lock down their BlackBerry as good as you lock down their PC. Windows doesn't come locked down out of the box either.

[DoomBringer]

Quote:

Originally Posted by |||||||

Yeah so you lock down their BlackBerry as good as you lock down their PC. Windows doesn't come locked down out of the box either.

Exactly. Proper administration is always needed...
One point raised by the article is the common perception that they are some kind of PDA that can't allow a channel into anything, but with the persistent connection to the LAN MDS gives, its a hole most people don't consider.