This has got to be a hot topic for all of us since the announcement earlier in the week.

Security pest found on BlackBerry | CNET News.com

More detail contained in PDF here Presentation - Blackjacking

Rim have overnight updated their security pages

BlackBerry

I've been watching this unfold over the past few weeks and frankly I'm not overly enamoured by the RIM suggested security provisions to combat this as the policies seriously reduce functionality of the platform and will no doubt help Microsoft win over people to the Mobile 5 devices.

Whats are your thoughts on this and what have steps have you taken to address it?

Not exactly new news.

How is this is a bad thing? They responded fairly quickly to reassure customer and investor fears.

I have to disagree with you that the security recommendations reduce device functionality.

Quote:

"There are a number of hoops that you have to go through to make this thing possible," Totzke said. For one, it is impossible to e-mail an application to the device; people have to download it, he said.

Removing the users ability to install 3rd party software on their BlackBerry virtually eliminates the risk as noted by the trojan author. Any company that is concerned with security was restricing this already. Not just for BlackBerry devices but also for PC, laptops, PDAs, etc.

I was thinking hasn't this been around months rather than weeks!

As Doug states, disable 3rd Party apps and you have no problems. The BlackBerrys are still one of the most secure Mobile Data formats around, once Windows Mobile starts getting big "hackers" will target those as A) It will be alot eaiser going on past Microsoft apps and B) WIll have a bigger audenice to work with.

Well the code was released on the web on saturday as was the warning that it has already be found hidden in a download - thats pretty recent if you ask me.

I'm not so sure that restricting 3rd party downloads is enough....

What is to stop someone installing this malicious code on their handset before they are added to the BES and have the policy applied.

Also what is to stop a user buying an infected handset (say off ebay) and activating it manually either through the DTM or via enterprise activation via the helpdesk? Unless you have physical access to the handset, how could you establish that it is safe before adding it to the BES? The policy doesnt remove preinstalled 3rd party apps, it just prevents you from installing new ones.

Plus, what security measures can be implemented for those still running 3.6?

Technically, nothing stops them. At my employeer you can be terminated for installed non-standard software on any company device. From my experience most BlackBerry BES users don't even take time to charge the batteries, let alone install software, before activating to the BES server.

One of the Policy Rules can disable the use of Desktop Manager to switch devices. Any corporation concerned with security does not allow personally owned devices connect to their BES server.

Forcing the user to wipe the device right before activation would remove the offending application. The BES admin still has to issue a password (assuming that desktop manager is disabled) and can enforce this step prior to giving the password out.

Same IT Policies apply. Actually, I think 3.6 would be easier to deal with. No wireless activation is possible so a requirement that an on site tech wipes the device prior to activation. Or, a simple requirement that all devices be v4.0 or higher.

Firstly, you cant stop this in BES 3.6 environment.

Secondly, I am not sure how you would enforse this policy in 4.1? Often its hard enough to communicate to the users how to do a wireless activation let alone talk them through wiping their handsets (which can be pretty flakey with random jvm errors) and then often it still leaves applications behind. Besides, how could you check that they have actually removed any applications if they are remote? With a presence all over the world and a centralised support mechanism, you have no on-site techs to perform this task.

Well its true you can disable the install of 3rd party applications but what if you have custom developed applications that you require users to use (applications written for 3.6) when you have no means of whitelisting as in 4.1? Its an all or nothing policy in 3.6 ... Plus, its rather dependent on having on site techs.