[Jim Galbally]

The company i work for has decided that in light of recent stories in the UK press about data going missing they want ALL external media encrypted. this meant a mass rollout of PGP desktop to the laptop users, and the banning of non-encrypted mobile data storage (ie USB sticks)

someone thought it would be a good idea to include the blackberrys...

...whilst those of us with any sort of knowledge on the subject know that this is pretty much a POINTLESS idea (no we don't work for the Military) someone in a management position decided it was to be rolled out and enforced on all our devices. (the same guy who came up great ideas like "let's move all our servers to linux to save money")

i put together a brief argument against this policy a while ago which appeared to be ignored without even being read, so now it's been a few months i'm looking for a well put together argument against content protection, can anyone help me? presumably somoene somewhere has written up sometihng detialed on the subject as i'm sure ours isnt the first company to toy with the idea.

[TroyDBrown]

Quote:

Originally Posted by Jim Galbally

...whilst those of us with any sort of knowledge on the subject know that this is pretty much a POINTLESS idea

I guess I have no knowledge then. I see protecting data as vital. Even an address book.

[zerog46]

Same here I even have my personnel BB Protected.

[cruwl]

what do you see as a down side to having it?
We run it on all of ours, and well, the only down side we see is one hour wipe if they forget the Password. on the plus side they learn there passwords better.

[Neo3000]

We are on introducing content protection, mainly because of corporate IT security requirements.
Personally, I also think that encryption is vital and one of the outstanding advantages of Blackberry compared to the competitors (Iphone, ...)

We came up with the following risks to expect:

• There is no simple way back: if you later deactivate the enforcement, the users have to manually switch it off.
• Older devices (7xxx; OS 4.0x) get very slow and especially if the memory is nearly full, they are virtually too slow to use.
• Password reset impossible => more service desk calls, complaints
• Wipe takes waaaays longer => more service desk calls, inacceptable for top management guys
• Adressbook encryption means that incoming calls are not resolved => loss of convenience, complaints

To mitigate, we plan to introduce it as follows:

• Replace 7xxx+OS 4.0x devices with Curve 8900
• Establish a special "Service Policy" so that (top management) service personell is able to disable content protection for a quicker wipe
• Awareness and information activities

I hope that I will survive the switch ...

[DarthBBerry]

Being in IT, we are SUPPOSED to be paranoid about security. We know the true amount of daily intrusion attempts on our networks. You can't have too much security, even on mobile devices. Encrypt, secure and lock 'em down because if there is one incident in the future where data is compromised and could've been prevented with Content Encryption, management will point the finger at you.

[TreeDude]

I thought there was some level of encryption already on the Blackberry... Can anyone point me in the direction of the settings for such a feature? We are currently in the process of encrypting all portable devices, I thought I didn't need to worry about our Blackberries...

[DarthBBerry]

Quote:

Originally Posted by TreeDude

I thought there was some level of encryption already on the Blackberry... Can anyone point me in the direction of the settings for such a feature? We are currently in the process of encrypting all portable devices, I thought I didn't need to worry about our Blackberries...

Data is encrypted at the transport layer with 3DES or AES depending on your settings. There is no encryption on the device unless you set the policy.

[zerog46]

Options Security. BB are very secure, all you have to do is set it up.

[misterbulldog]

Quote:

Originally Posted by DarthBBerry

Being in IT, we are SUPPOSED to be paranoid about security. We know the true amount of daily intrusion attempts on our networks. You can't have too much security, even on mobile devices. Encrypt, secure and lock 'em down because if there is one incident in the future where data is compromised and could've been prevented with Content Encryption, management will point the finger at you.

I couldn't have said it better myself. We in the IT field shoud be looking for ways to secure all of our systems.

[TreeDude]

Ah I see it. Thanks guys. It's too bad I still have not gotten the go ahead to implement our IT policy. But at least mine is safe now .

Any benefit to having the wireless encryption the same as the handheld? I see ours is 3DES right now and would require a reactivation of all the BBs to change it to AES.

[Frank Castle]

Well considering there is pending regulation in a number of states that include mobile devices you will see a rapid deployment of encryption in large businesses. I would think the majority of F500 already is there.

For Blackberry we have the device on Strong (default) which is encrypted when the device is locked. You go higher and you need to roll out passwords of 12 and 24 character length. I doubt any user could remember anything like that. I've yet to see a Blackberry cracked so until then Strong is sufficient.

The MicroSD card we have encrypted to the Security password as users are always upgrading devices so that allows portablity.

I guess arguerment against having any of these measures depends on how your company handles their data - be it their own or customer related.

[icontech]

Anyone out there have content protection turned on for a large scale (500+) users? From the general lack of discussion on these boards about content protection I imagine most people don't use it depending on the industry/data they have.

[TreeDude]

Quote:

Originally Posted by icontech

Anyone out there have content protection turned on for a large scale (500+) users? From the general lack of discussion on these boards about content protection I imagine most people don't use it depending on the industry/data they have.

Almost every admin I met at WES had a least password policy in place. I am not 100% sure on encryption, but I would imagine most of them would have that turned on as well. When you are talking about 500+ users, data security is a very big deal, especially for executive emails.

[DarthBBerry]

Quote:

Originally Posted by icontech

Anyone out there have content protection turned on for a large scale (500+) users? From the general lack of discussion on these boards about content protection I imagine most people don't use it depending on the industry/data they have.

Yes, we have it enabled. The device and external media is encrypted to the device password.

[Jim Galbally]

ok guys maybe i'm missing the point then. the major problems have already been discussed above (the imability to efficiently support a large environment) as well as the issues with the speed of the devices and things like it auto-locking when playing media etc.

now can anyone tell me what someone would have to do to a password protected, non-encrypted blackberry in order to get the data off of it? yes thats right, take the thing apart, pry off the memory chips, slap em on chip readers, decode the bumpft and then read the data off.

hardly something the average joe who found the phone on the train is going to be doing.

in my opinion password protection is SUFFICIENT and content protection is overkill.

as for encrypting addressbook entries, why on earth would people turn this on if it is not a regulatory requirement? it was only included for certain MOD/DOD requirements in the US

[Frank Castle]

It's a bit outdated but the lone paper I've seen on this that did forensic discovery on a Blackberry (attached)

Also the review of the recent report by Fraunhofer Institute SIT

[TreeDude]

Quote:

Originally Posted by Jim Galbally

ok guys maybe i'm missing the point then. the major problems have already been discussed above (the imability to efficiently support a large environment) as well as the issues with the speed of the devices and things like it auto-locking when playing media etc.

now can anyone tell me what someone would have to do to a password protected, non-encrypted blackberry in order to get the data off of it? yes thats right, take the thing apart, pry off the memory chips, slap em on chip readers, decode the bumpft and then read the data off.

hardly something the average joe who found the phone on the train is going to be doing.

in my opinion password protection is SUFFICIENT and content protection is overkill.

as for encrypting addressbook entries, why on earth would people turn this on if it is not a regulatory requirement? it was only included for certain MOD/DOD requirements in the US

What if your CEO is targeted and the berry stolen rather than lost? The information on that device could be worth a lot to a competitor.

The performance impact of the encryption is minimal. It really only makes the log in time take an extra few seconds.

[DarthBBerry]

@ Jim Galbally
You've gotten a lot of opinions regarding Content Protection; most of them are FOR it yet you continue to argue against. It seems like anything we say is shot down. It's like you didn't get what you wanted to hear so you continue asking but in a differnet manner.

When it comes down to it, Content Protection/Encryption cannot harm you, it can only help you. It provides another layer of security.

Take it or leave it.

[Neo3000]

Quote:

Originally Posted by Jim Galbally

now can anyone tell me what someone would have to do to a password protected, non-encrypted blackberry in order to get the data off of it? yes thats right, take the thing apart, pry off the memory chips, slap em on chip readers, decode the bumpft and then read the data off.

hardly something the average joe who found the phone on the train is going to be doing.

in my opinion password protection is SUFFICIENT and content protection is overkill.

as for encrypting addressbook entries, why on earth would people turn this on if it is not a regulatory requirement? it was only included for certain MOD/DOD requirements in the US

First, Sometime ago, I worked at a well-known but now gone mobile phone manufacturer. Here, we had special attachment toolkits, which looked like a set of needles. With such a toolkit you can attach directly to the flash chips on embedded devices. You do not have to separate the chip from the board through this. So no sophisticated technology here and quite common in mobile phone industry ...

Second, Blackberry will use standard flash chips by the common vendors (Samsung, Intel, Hynix, ...). Access protocols are well known here - so the last obstacle might be indeed the file system. Just an ASCII dump might give you valuable information ...

Third, It might be worth encrypting the adress book as there are industries where contacts are worth hard cash (potential customers, competitors, ...).

But your mileage may vary - security is always strongly connected to risk analysis and should never be considered as an end in itself. So, if your data is not that important, the problems or restrictions introduced with content protection might have more impact than the actual gain in security ...

Just my 2ct ...