BlackBerry Forums Support Community               

06-13-2007, 02:31 AM   #1
Knows Where the Search Button Is
Join Date: Jul 2006
Location: HK
Model: 7100g
PIN: oracle
Carrier: CSL
Posts: 22
Security issue of BES


Does anyone have concerns about the security of BES? A BES admin can add any user from the Global Address List and assign an activation key to activate on any BB handset without entering the user's Windows password for authentication. That means the BES admin can read a user's email through any BB handset, transparently to the user.
06-13-2007, 04:40 AM   #2
hdawg, BlackBerry Genius

Join Date: Aug 2006
Model: hdawg
PIN: port3101.org
Carrier: hdawg
Posts: 6,632

With great power comes great restraint ... Your email administrators probably have that permission already. You can delegate responsibility with roles, but it really comes down to trust for those few key people that have more access.
06-17-2007, 10:53 PM   #3
Knows Where the Search Button Is
Join Date: Jul 2006
Location: HK
Model: 7100g
PIN: oracle
Carrier: CSL
Posts: 22

By comparison, a mobile5/smartphone using a different protocol, e.g. IMAP4, POP3 or push mail, needs Windows authentication. However, although RIM is so well known and popular in the US, Canada and Europe, it does not implement Windows authentication. It seems there is a security hole. From an IT point of view, IT personnel have the Exchange service account; of course, they can do whatever they want. But from a user's point of view, they do not have this kind of knowledge. When IT personnel deliver a BB handset with email, calendar, etc. already downloaded, and without asking the user to input their Windows password, the user may wonder: "you can very easily get my email." Do any of your users ask the BES admin this kind of question?
06-17-2007, 11:28 PM   #4
CanuckBB, BlackBerry Extraordinaire

Join Date: Feb 2006
Location: YYZ
Model: 9900
Carrier: Rogers
Posts: 1,183

Quote:
Originally posted by ernchow:
By comparison, a mobile5/smartphone using a different protocol, e.g. IMAP4, POP3 or push mail, needs Windows authentication. However, although RIM is so well known and popular in the US, Canada and Europe, it does not implement Windows authentication. It seems there is a security hole. From an IT point of view, IT personnel have the Exchange service account; of course, they can do whatever they want. But from a user's point of view, they do not have this kind of knowledge. When IT personnel deliver a BB handset with email, calendar, etc. already downloaded, and without asking the user to input their Windows password, the user may wonder: "you can very easily get my email." Do any of your users ask the BES admin this kind of question?
Not really, but then again, my users are aware that as the netadmin, I have access to ALL data on the network, including e-mails.
06-18-2007, 12:05 AM   #5
BlackBerry Extraordinaire
Join Date: Jan 2005
Model: Many
Carrier: Sprint
Posts: 1,475

Email and PIM information are not stored in the BES to begin with.
06-18-2007, 12:15 AM   #6
jibi, BlackBerry God

Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310

Quote:
Originally posted by southwestcomm:
Email and PIM information are not stored in the BES to begin with.
His point isn't that but the fact that I can add ANY user to the BES, activate a device and automatically have access to their email and PIM information on the device while having the appearance of being that user. It's a valid point.

With that said, as someone else mentioned, I believe there is a professional understanding that powers, while present, should not be abused. It's not a great answer to the question.

I've never had a user ask me about this, although I've never been in a situation where I didn't already have access to the information through the messaging environment (albeit, not as the user). As you mentioned, I think the persons where concern would arise would be the non-elevated IT staff, such as the help desk or device control.

It's an interesting point that should be presented to RIM as a valid security hole in their architectural design.

Another point is that the BES administrator could easily flip the auditing switch and suddenly have access to their phone call logs and text messages (and PIN messages if applicable). Just a thought, as I've never really thought RIM's implementation of these auditing/logging features was done correctly.
06-18-2007, 01:39 AM   #7
Knows Where the Search Button Is
Join Date: Jul 2006
Location: HK
Model: 7100g
PIN: oracle
Carrier: CSL
Posts: 22

Quote:
Originally posted by jibi:
His point isn't that but the fact that I can add ANY user to the BES, activate a device and automatically have access to their email and PIM information on the device while having the appearance of being that user. It's a valid point.

With that said, as someone else mentioned, I believe there is a professional understanding that powers, while present, should not be abused. It's not a great answer to the question.

I've never had a user ask me about this, although I've never been in a situation where I didn't already have access to the information through the messaging environment (albeit, not as the user). As you mentioned, I think the persons where concern would arise would be the non-elevated IT staff, such as the help desk or device control.

It's an interesting point that should be presented to RIM as a valid security hole in their architectural design.

Another point is that the BES administrator could easily flip the auditing switch and suddenly have access to their phone call logs and text messages (and PIN messages if applicable). Just a thought, as I've never really thought RIM's implementation of these auditing/logging features was done correctly.
Not so many IT people understand this point of view. I have asked this question of our service provider in HK, but I'm not sure if they have referred this issue to RIM or not.
06-18-2007, 07:58 AM   #8
BlackBerry Extraordinaire
Join Date: Mar 2007
Model: Z10
OS: 10.1.0.19
Carrier: Fido
Posts: 1,068

Well,
there is no private data in a corporate environment. It is all the company's property, including email, whether on the HH or in Outlook. If it is private, then too bad. The HH belongs to the company, and IT staff are appointed by MGMT. Minimum trust should exist. Who guarantees the employer that the company's data isn't accessible through an employee to a competitor?
Get over it.
06-18-2007, 08:14 AM   #9
BBAdmin, BlackBerry Extraordinaire

Join Date: Feb 2005
Location: Port 3101.org
Model: .
Carrier: .
Posts: 2,491

The answer is simple.....employ trustworthy staff!
06-18-2007, 09:32 AM   #10
x14, BlackBerry Extraordinaire

Join Date: Jul 2005
Location: NYC
Model: 9800
OS: 6.0.0.546
Carrier: AT&T
Posts: 2,344

At our shop we archive everything including instant messaging.

On the BES we audit PIN, SMS, and Call Log. If we could we would record the phone conversation.
__________________
Exchange 2007/BES 5.0.2 MR2
06-18-2007, 10:32 AM   #11
Knows Where the Search Button Is
Join Date: Feb 2007
Location: Columbus
Model: 7130e
Carrier: Verizon
Posts: 25
IT Access to email...

This issue is not new. Microsoft tried to respond to users' concerns on this with the default admin blocking of access to users' mailboxes in Exchange 2000. This was an abysmal failure, as admins just did the workaround to get access back because they needed that access to fix issues for the same users that complained to MS to have it put in in the first place.

As said before, audit your users that have access to get into mailboxes and keep the list to a small group of trusted users. Then don't give that access away freely under any circumstance. A good IT policy is good in this case, as you can fall back on it since it was signed off at the highest level. Funny how fast people back down when you tell them that they are audited if they do have access, and are now putting themselves in a bad position if something bad happens, as anyone with access could be put under scrutiny.

As for the delivery of devices to the users and then having them put in the password right in front of the tech, about which we have had users mention concern, we have implemented two things.

1) Set the password to something BEFORE sending it to the user and then giving them the password in email. This means the people that initially provision the device will have access. Keep this group small and trustworthy as before. We do this for our top people in the company as the group that supports them is trustworthy.

2) Set up the device for everything BUT enterprise activation. Then have the account set up on the BES and give the users the VERY simple instructions to activate the device themselves. This is our default for non-priority users and keeps the techs from ever seeing the email.
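One way to carry out the "audit who can get into mailboxes" advice in the post above, as an added example that is not from this thread or any poster: an Exchange Management Shell script that lists explicit FullAccess grants on user mailboxes and database-level Receive-As rights (the right a BES service account relies on to read mail) and flags any principal not on an approved list. It assumes an on-premises Exchange 2007 or later Management Shell; the approved principal names are constructed placeholders.

```powershell
# Added example, not from the thread. Run in an Exchange Management Shell
# (on-premises Exchange 2007 or later). The approved-principal names below are
# constructed placeholders; replace them with the accounts your policy permits.
$ApprovedPrincipals = @(
    'CONTOSO\besadmin',          # constructed: the BES service account
    'CONTOSO\Mailbox Admins'     # constructed: the small, trusted admin group
)

# Explicit (non-inherited) FullAccess grants on user mailboxes, excluding the
# mailbox owner (NT AUTHORITY\SELF) and any Deny entries.
function Get-UnapprovedMailboxFullAccess {
    param([string[]]$Approved)
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Get-MailboxPermission |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            ($_.AccessRights -contains 'FullAccess') -and
            ("$($_.User)" -ne 'NT AUTHORITY\SELF') -and
            ($Approved -notcontains "$($_.User)")
        } |
        Select-Object @{n='Scope';e={'Mailbox'}}, Identity, User, AccessRights
}

# Receive-As on a mailbox database grants read access to every mailbox in it.
# Rights granted higher up (server or organization) show here as inherited and
# must be reviewed at the level where they were granted.
function Get-UnapprovedDatabaseReceiveAs {
    param([string[]]$Approved)
    Get-MailboxDatabase |
        Get-ADPermission |
        Where-Object {
            (-not $_.IsInherited) -and (-not $_.Deny) -and
            (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'Receive-As') -and
            ($Approved -notcontains "$($_.User)")
        } |
        Select-Object @{n='Scope';e={'Database'}}, Identity, User, ExtendedRights
}

$findings = @(Get-UnapprovedMailboxFullAccess -Approved $ApprovedPrincipals) +
            @(Get-UnapprovedDatabaseReceiveAs -Approved $ApprovedPrincipals)

if ($findings.Count -eq 0) {
    Write-Output 'No mailbox or database access outside the approved list.'
} else {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -Path .\mailbox-access-audit.csv -NoTypeInformation
}
```

Scheduling this and diffing the CSV against the previous run turns the "audit your users that have access" advice into a repeatable check rather than a one-time review.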
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.