BlackBerry Forums Support Community               

Old 08-07-2008, 10:54 AM   #1 (permalink)
New Member
 
Join Date: Aug 2008
Location: Bucuresti, Romania
Model: 8700
OS: 4.5.0.52
PIN: N/A
Carrier: Orange Romania
Posts: 5
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Overall security of the BB

Hello all,
I am new to this forum and also to BlackBerry.
I have been assigned the task to lead a project about the information security of the BlackBerrys of my company. All aspects of security: loss, theft, problems of confidentiality, server protection, software updates...

We have around 60 devices of different models (all RIM) and a BES server interfaced with our Exchange server.

I would like to know what the usual problems or risks in information security with BlackBerrys are, what happened to you or your companies. In a word, what must I not miss when I speak about security, outside of what's in the manuals and the usual FAQs?

Also, do some of you use the BB Policy Service?
Old 08-07-2008, 11:37 AM   #2 (permalink)
Whoever
 
audit's Avatar
 
Join Date: Apr 2005
Location: Michigan
Model: xxxx
Carrier: AT&T
Posts: 1,213
Post Thanks: 36
Thanked 0 Times in 0 Posts
Default

Everyone uses the BB Policy by default if they are on a BES, albeit the default policy doesn't do much, if anything at all, for locking a device down. When I consult for companies that are thinking about migrating to BlackBerry, I show them my personal BES that I have set up at home for testing things, because my ISP blocks SMTP so I'm not able to use it for production but instead use it for testing SPs and playing around with policies. I show them all the entries in each section and explain to them what can be done. For kicks I've even VPN'd into my office BES and pushed down a policy that I have that basically renders my BB useless, as it disables the phone, locks right away with a stupid long password, etc.

All said and done, reading the Admin Manual and the security section of the BlackBerry documentation should be enough to turn someone white if they have no clue as to what we can do with the policies.

Loss of company data can be eliminated just by disabling mass storage so they can't put in a media card, and also by not allowing Desktop Manager on the users' computers. RIM has some of the best encryption that I've seen in 20+ years in the security field, so I wouldn't worry about emails getting sniffed out of the air. Disabling BBM and BIS services is also a great way to eliminate theft of data, because they can't email or send the data to another person. EVERYTHING can be logged on the BES, and as long as the logs are reviewed, it's easy to catch something that doesn't look right and take appropriate action.

Anyways that's just my .002

I'm sure you'll get plenty of great answers about this question from other BES Admins as it is a common question.
__________________
audit

Win or Lose... Everyone Has Their Fight
Old 08-07-2008, 12:53 PM   #3 (permalink)
Wireless Sith Lord
 
DarthBBerry's Avatar
 
Join Date: Jan 2007
Location: Online
Model: iOS 6
Carrier: Verizon x2
Posts: 1,458
Post Thanks: 2
Thanked 27 Times in 22 Posts
Default

^ audit
"Everyone uses the BB Policy (Service) by default if they are on a BES."

Before you start toying with the Default policy on the BES, make a copy of it and play with the copy. You can lock down just about anything you want on the device by the Policy on the BES.
Example of our policy: (Yes, I am that strict. Other BB Admins who have met me in person know it to be true!)
  • Minimum 8 characters
  • Password must contain at least 1 UPPERCASE letter, 1 lowercase letter, 1 special character and 1 number
  • Password must be changed every 90 days
  • Previous 10 passwords cannot be used
  • BlackBerry device will lock after 30 minutes of inactivity
  • Letter repetition in passwords is restricted (e.g.: aaa, bbb, ccc)
  • 5 invalid attempts will erase & scrub all data from the device
  • Data encryption enabled
__________________
DarthBBerry
6-Time BlackBerry World Champion (2007-2012)
BlackBerry® Certified Support Specialist v5.0
BlackBerry® Certified System Administrator v5.0
Old 08-07-2008, 01:07 PM   #4 (permalink)
Whoever
 
audit's Avatar
 
Join Date: Apr 2005
Location: Michigan
Model: xxxx
Carrier: AT&T
Posts: 1,213
Post Thanks: 36
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by DarthBBerry View Post
^ audit
"Everyone uses the BB Policy (Service) by default if they are on a BES."

Before you start toying with the Default policy on the BES, make a copy of it and play with the copy. You can lock down just about anything you want on the device by the Policy on the BES.
Yes, I agree with that, as I leave the default alone and create 4 new policies and use those. The default is only used in "special situations" when I'm ordered to use that one for someone; other than that my general policy is very similar to yours. I do lock things down a little more for the people that have camera-enabled devices, and I do change policies for people based on where they are going, such as clients that don't allow camera phones unless they are locked and not able to use the camera. Then I have my own policy that only goes on my device.
__________________
audit

Win or Lose... Everyone Has Their Fight
Old 08-15-2008, 06:21 PM   #5 (permalink)
New Member
 
Crimesy's Avatar
 
Join Date: Dec 2006
Location: In a house
Model: 8800
Carrier: 02
Posts: 9
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I would agree that the best security on the device is the PIN and Password.

I would also recommend implementing the duress policy. It's a very useful feature with which a user can input the password in an alternative format (put the first character of the password at the end), and this will trigger an e-mail to be sent to a predefined e-mail address. There's no indication on the device that anything has been sent.

Useful for lone workers.
__________________
"...There's nothing here for me and you, we're just sitting here with nothing to do..."

Without your help I lose myself in this place!
Old 08-18-2008, 08:45 AM   #6 (permalink)
New Member
 
Join Date: Aug 2008
Location: Bucuresti, Romania
Model: 8700
OS: 4.5.0.52
PIN: N/A
Carrier: Orange Romania
Posts: 5
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Overall security of the BB

Thanks for all your answers.
Old 08-20-2008, 10:32 AM   #7 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by DarthBBerry View Post
^ audit
"Everyone uses the BB Policy (Service) by default if they are on a BES."

Before you start toying with the Default policy on the BES, make a copy of it and play with the copy. You can lock down just about anything you want on the device by the Policy on the BES.
Example of our policy: (Yes, I am that strict. Other BB Admins who have met me in person know it to be true!)
  • Minimum 8 characters
  • Password must contain at least 1 UPPERCASE letter, 1 lowercase letter, 1 special character and 1 number
  • Password must be changed every 90 days
  • Previous 10 passwords cannot be used
  • BlackBerry device will lock after 30 minutes of inactivity
  • Letter repetition in passwords is restricted (e.g.: aaa, bbb, ccc)
  • 5 invalid attempts will erase & scrub all data from the device
  • Data encryption enabled
With a device like the BB that wipes itself after, in your case, 5 bad passwords, and where the bad-password timeout is really long, what, other than loss of productivity for your users, is the point of such a severe policy?

Long complex passwords are designed to prevent a brute-force attack or guessing, both of which are not an issue since the device wipes itself after 5 attempts. IMO a 4-character simple password is more than enough for most BBs.

My guess is the answer will be something like you make it overly complicated to look good to your boss, or because you can, or because you like enforcing your will on others.

PS: letter repetition is prevented by the newer devices themselves, irrespective of the IT policy.
Old 08-20-2008, 10:46 AM   #8 (permalink)
BlackBerry Elite
 
knottyrope's Avatar
 
Join Date: Jan 2008
Location: Massachusetts
Model: Z30
OS: 10.2.1
PIN: t of blood has been taken
Carrier: AT&T-US with I dee ten tee errors
Posts: 6,646
Post Thanks: 264
Thanked 271 Times in 257 Posts
Default

Quote:
Originally Posted by silver_2000 View Post

My guess is the answer will be something like you make it overly complicated to look good to your boss, or because you can, or because you like enforcing your will on others.
Guess it depends on what he is protecting.

Sometimes opinions are like farts: everyone else's stinks and yours smells great.
__________________
Irony: many old-timer posters have de-evolved into the trolls they once fought.
I am on http://supportforums.blackberry.com
BES 10 running sweet for my Z30, Z10 and Q10

Last edited by knottyrope : 08-20-2008 at 10:48 AM. Reason: farted and it smelled good
Old 08-20-2008, 09:15 PM   #9 (permalink)
New Member
 
Join Date: Dec 2007
Model: 8830
PIN: N/A
Carrier: Verizon
Posts: 4
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Email/phone use IT policy question

My company is going to push a requirement on our BBs that locks the phone after 30 minutes of use; then a 5-digit PIN must be entered. I am being told by our IT that it will lock email, Internet and outgoing calls; incoming requires no password if locked. This is kind of a bummer when on the road a lot.
Question: can an IT policy be created that will lock out email/Internet only, but not in/out phone use?
Tks
Old 08-20-2008, 09:26 PM   #10 (permalink)
iPhone Convert
 
juwaack68's Avatar
 
Join Date: Oct 2005
Location: Tulip City - MI
Model: iP5
OS: 6.0.2
PIN: to beans
Carrier: I'm not
Posts: 13,875
Post Thanks: 3
Thanked 72 Times in 55 Posts
Default

The IT Policy can be set to allow outgoing calls when locked. Once that is set, there is also a setting on the device that needs to be changed to allow the outgoing calls while locked.
__________________
No longer a BES Admin, but it was fun while it lasted!
Old 08-21-2008, 07:53 AM   #11 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jrd1967a View Post
My company is going to push a requirement on our BBs that locks the phone after 30 minutes of use; then a 5-digit PIN must be entered. I am being told by our IT that it will lock email, Internet and outgoing calls; incoming requires no password if locked. This is kind of a bummer when on the road a lot.
Question: can an IT policy be created that will lock out email/Internet only, but not in/out phone use?
Tks
The policy is pretty granular. It's easy and common to set it to allow outgoing calls while locked, BUT you will only be able to dial recently received/sent numbers; you won't be able to get to the address book OR type in a new number.
Old 08-21-2008, 08:09 AM   #12 (permalink)
Thumbs Must Hurt
 
Join Date: Mar 2006
Model: 8820
Carrier: ATT
Posts: 85
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by knottyrope View Post
Guess it depends on what he is protecting.

Sometimes opinions are like farts: everyone else's stinks and yours smells great.
You are exactly right.

But if you were protecting the access codes to Fort Knox you could force a 100-character password that must contain 3 foreign-language phrases, BUT if the device locks after 5 bad attempts, a 4- or 5-digit password would be adequate to secure the device.

My point of view is that with a device like the BB that locks after 5 attempts, entropy and bit strength are less important on those devices, since they are essentially secure from brute-force attacks.

A 4-character password is 10 bits in strength and would require a minimum of 20,000,000,000 attempts to crack. The 5-attempt limit and the remote wipe capability make that impossible.

Mine Smell Great ...

Edit: assuming the BB let you try a new password every minute with no wipe, which we know won't/can't happen, it would only take 38,051 years to crack the 4-digit password.

Last edited by silver_2000 : 08-21-2008 at 12:35 PM.
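An added worked example, not code from any poster or from RIM, that makes the trade-off argued in the last few posts concrete: it encodes DarthBBerry's posted complexity rules as a checker, and puts the keyspace/lockout arithmetic silver_2000 raises into functions (entropy in bits, time to exhaust the keyspace at a fixed guess rate, and the chance of guessing a uniformly random password before the 5-attempt wipe). The 94-symbol alphabet, the sample passwords and the one-guess-per-minute rate are constructed assumptions; the figures come out of the arithmetic itself rather than from the numbers quoted in the posts.

```python
import math
import re
import string

# Rules from the policy posted in this thread, encoded as constants.
MIN_LENGTH = 8        # minimum 8 characters
HISTORY_DEPTH = 10    # previous 10 passwords cannot be reused
MAX_ATTEMPTS = 5      # device wipes after 5 invalid attempts


def check_policy(password, history=()):
    """Return the names of the posted rules a candidate password violates."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    for name, test in (("uppercase", str.isupper), ("lowercase", str.islower),
                       ("digit", str.isdigit)):
        if not any(test(c) for c in password):
            failures.append(name)
    if not any(c in string.punctuation for c in password):
        failures.append("special")
    if re.search(r"(.)\1\1", password):      # aaa, bbb, ccc ...
        failures.append("repetition")
    if password in list(history)[-HISTORY_DEPTH:]:
        failures.append("history")
    return failures


def keyspace_bits(alphabet_size, length):
    """Entropy of a uniformly random password over the given alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, attempts_per_minute=1):
    """Years to try every combination at a fixed guess rate (no lockout/wipe)."""
    return alphabet_size ** length / attempts_per_minute / (60 * 24 * 365)


def p_guess_before_wipe(alphabet_size, length, max_attempts=MAX_ATTEMPTS):
    """Chance a guesser hits a uniformly random password within the wipe limit."""
    return max_attempts / alphabet_size ** length


def compare_policies():
    """Put a 4-digit PIN beside an 8-character, four-class password (assumed 94-symbol alphabet)."""
    pin = (10, 4)
    full = (len(string.ascii_letters + string.digits + string.punctuation), 8)
    return {
        "pin_bits": round(keyspace_bits(*pin), 1),
        "full_bits": round(keyspace_bits(*full), 1),
        "pin_years_at_1_per_min": round(years_to_exhaust(*pin), 3),
        "pin_p_before_wipe": p_guess_before_wipe(*pin),
        "full_p_before_wipe": p_guess_before_wipe(*full),
    }
```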
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.