Monday, July 30, 2007

More Idiots

Why normal people should shut the eff up when their evil shoulder fairy tells them that they should talk about information security (emphasis mine):
In addition, he (RIM's Kevin Oerton) said, end users most often don't secure their Wi-Fi access points, which is what leads to problems. "That's why it's critical for the device all the way through to the BlackBerry Enterprise Server to provide triple AES encryption independent of whether the users set up Wi-Fi security at home."

Now, there is no such thing as triple AES. The previous official US standard cipher, DES, survives in several still-used variants collectively referred to as triple-DES ... In fact, Kevin even got it nearly right earlier in the piece when he referred to 256-bit AES (more precisely, he should have said that BES offers a number of options for its end-to-end encryption, of which the most secure and recommended is 256-bit AES).

Now, looking at this, there are two completely separate points. Blackberry Enterprise Server to Blackberry communication is protected by end-to-end encryption; therefore, despite Mr Arnold's (another non-security person opining) protestations, your email is not at increased risk.

However - and this depends on how RIM have engineered the WLAN client engine (and how your techies have configured it), not on your corporate WLAN itself - if you do web surfing over your Blackberry and it is configured to join open networks (as the stock XP and, to a lesser extent, OSX clients do) you can find yourself joining untrusted networks unwittingly and, if the technical side has not been set up properly, at some degree of risk. Just how much risk is difficult to quantify - the combinations of web-sites and other IP-based applications the arbitrary "you" might use are too vast, as are the levels of user knowledge. The worst case would be credential (username & password, or similar) capture (e.g. POP3 or an unsecured web-site) or a transparent HTTPS proxy (which requires a bit of user dimness) via an "evil twin" type set-up. (Evil twin attacks work best on open, i.e. unencrypted, networks - if you have decent encryption set on your home or corporate WLAN, a pukka evil twin set-up would require the attacker to know the key. If they have that, you have other issues.)
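The client-side behaviour described above (auto-joining open networks, and the open "evil twin" clone of a trusted SSID) comes down to how the WLAN client decides which access point to associate with. The Python below is an added illustration, not code from this post or from RIM: it runs two join policies over a constructed scan result. The naive policy picks the strongest AP with a known SSID, which is what lets an open clone win; the stricter policy refuses any AP whose advertised security or BSSID does not match the stored profile, and only joins unknown open networks if the operator has explicitly allowed it. The profile table, BSSIDs and scan entries are all hypothetical sample data.

```python
"""Evil-twin indicators and join-policy comparison over a constructed Wi-Fi scan."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str        # access point MAC address
    security: str     # "open", "WEP", "WPA2", ... as reported by the client
    signal_dbm: int   # received signal strength; higher (closer to 0) is stronger


# Hypothetical trusted-profile table: what the client has been configured to
# expect for each SSID. A real client keeps this in its profile store.
TRUSTED_PROFILES = {
    "CorpWLAN": {"security": "WPA2",
                 "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}},
    "HomeNet": {"security": "WPA2", "bssids": {"aa:bb:cc:dd:ee:01"}},
}

# Constructed scan results; not captured from any real environment.
SAMPLE_SCAN = [
    Network("CorpWLAN", "00:11:22:33:44:01", "WPA2", -55),
    Network("CorpWLAN", "de:ad:be:ef:00:01", "open", -40),   # open clone, strongest signal
    Network("HomeNet", "aa:bb:cc:dd:ee:01", "WPA2", -70),
    Network("FreeAirportWiFi", "12:34:56:78:9a:bc", "open", -60),
]


def find_evil_twin_indicators(scan):
    """Return SSIDs that are advertised with more than one security mode.

    A trusted SSID also showing up as an open network is the classic
    evil-twin signature: the clone has to be open because the attacker
    does not hold the real network's key.
    """
    modes = defaultdict(set)
    for n in scan:
        modes[n.ssid].add(n.security)
    return sorted(ssid for ssid, m in modes.items() if len(m) > 1)


def naive_choose(scan, profiles=TRUSTED_PROFILES):
    """Weak policy: strongest AP whose SSID has a profile, security ignored.

    This is the behaviour that lets an open clone of a trusted SSID win
    simply by being closer to the victim than the genuine AP.
    """
    known = [n for n in scan if n.ssid in profiles]
    if not known:
        return None
    return max(known, key=lambda n: n.signal_dbm)


def choose_network(scan, profiles=TRUSTED_PROFILES, join_open=False):
    """Stricter policy for which network a client should associate with.

    - never join an SSID whose advertised security differs from the profile
    - never join an AP whose BSSID is not in the profile's known set
    - join unknown open networks only if join_open was explicitly enabled
    Returns the chosen Network, or None if nothing acceptable is in range.
    """
    candidates = []   # (priority, signal, network); trusted outranks open
    for n in scan:
        prof = profiles.get(n.ssid)
        if prof is not None:
            if n.security == prof["security"] and n.bssid in prof["bssids"]:
                candidates.append((1, n.signal_dbm, n))
        elif join_open and n.security == "open":
            candidates.append((0, n.signal_dbm, n))
    if not candidates:
        return None
    # prefer trusted over open, then the strongest signal
    candidates.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return candidates[0][2]


if __name__ == "__main__":
    print("evil-twin indicators:", find_evil_twin_indicators(SAMPLE_SCAN))
    print("naive policy joins:  ", naive_choose(SAMPLE_SCAN))
    print("strict policy joins: ", choose_network(SAMPLE_SCAN))
    print("strict, open allowed:", choose_network(SAMPLE_SCAN, join_open=True))
```

Run as written, the naive policy associates with the open clone at -40 dBm, while the strict policy ignores it and picks the genuine CorpWLAN AP even when open networks are permitted, because a trusted match always outranks an unknown open one. The `find_evil_twin_indicators` check is the piece worth wiring into monitoring: a trusted SSID suddenly appearing in both encrypted and open form is cheap to detect and is exactly the set-up the paragraph above warns about.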

On the other hand, if your corporate WLAN is set up insecurely then, to be honest, you shouldn't be worrying about your newest Blackberries; you have other things to worry about - client devices (aka laptops) with a much worse attack surface (and tools readily available to attack them).

Hat-tip to ISN. For the record, I have used Blackberry devices for three or four years now, and am currently using an 8100 "Pearl", which almost manages to be both a reasonable phone and a reasonable email device.


Apologies - having trouble with the English language today. Clearly, too much time spent in proximity to there.

(c) 'Surreptitious Evil' 2006 - 2017.