[codpet]

Quote:

Originally Posted by JerryD

If you password protect your BB, it will wipe all data after 10 (incorrect) attempts to enter the password. You can't access the device in any way - connected to a computer or stand alone - without the password.

You can also encrypt the data, but it will slow down the device, and heavens forbid you have to wipe it with encryption on, it can take HOURS - seriously!

That's why all Federal Government agencies will use ONLY Blackberries - they're the only truly secure mobile email devices!

J

My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberry's because they are not secure.

[Corman]

Quote:

Originally Posted by codpet

My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberry's because they are not secure.

As a mobile device the BB is hard to beat for security. It is only as good as the admin policies and adherence to those policies. Look around the secrecy business and the computer security people. A lot of BBs out there in that arena. I am sure the Navy feels it is easier to ban something than to gain compliance. Common military stance (22 years retired military).

As for the security of the information in a BB, even encrypted and password protected it is possible for a person to retreive the contents. It does require expertise, hardware and software. But, password protect it and the common person who picks up a lost BB will not be able to access the information stored inside.

[codpet]

Quote:

Originally Posted by Corman

As a mobile device the BB is hard to beat for security. It is only as good as the admin policies and adherence to those policies. Look around the secrecy business and the computer security people. A lot of BBs out there in that arena. I am sure the Navy feels it is easier to ban something than to gain compliance. Common military stance (22 years retired military).

As for the security of the information in a BB, even encrypted and password protected it is possible for a person to retreive the contents. It does require expertise, hardware and software. But, password protect it and the common person who picks up a lost BB will not be able to access the information stored inside.

I work for a military contractor myself. I agree with you that most military agencies think that way. They don't even take the time out to realize that the device can be tied down. I bet they don't even know Blackberry's come with a firewall, which is disabled by default.

My company contracts for the DoD, and all other branches of military, domestic, and foreign, and we use Blackberry's.

However, as someone in the security field... If you can physically touch a device, you can access the data.

[patrickh]

Quote:

Originally Posted by codpet

However, as someone in the security field... If you can physically touch a device, you can access the data.

How is it so? Assuming the encryption algorithm is secure and if the blackberry is set to encrypt data content "Content Protection Enabled", all data in the flash chip is encrypted and cannot be decrypted without the password. You can't access the data even if you physically take the memory chip out of the device.

- P

[greggebhardt]

Quote:

Originally Posted by codpet

My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberry's because they are not secure.

So what do they use for communications. If proper precautions are taken, the Blackberry is quite secure.

[codpet]

Quote:

Originally Posted by patrickh

How is it so? Assuming the encryption algorithm is secure and if the blackberry is set to encrypt data content "Content Protection Enabled", all data in the flash chip is encrypted and cannot be decrypted without the password. You can't access the data even if you physically take the memory chip out of the device.

- P

Where is the decryption key on the BB device kept? I assume the decryption key isn't as secure as the encryption of the data itself. You are only as secure as your decryption key. When dealing with encryption there is always a weak link. There is a good reason why while we do use Blackberrys, we DO NOT use them for classified data. The only type of electronic communication we allow through our BES is unclassified.

Sure, the data is encrypted, but how is the decryption key kept?

Quote:

Originally Posted by greggebhardt

So what do they use for communications. If proper precautions are taken, the Blackberry is quite secure.

They don't use any form of mobile device for communication that allows data to be transmitted. In other words, voice only, and never for classified information unless the line is cleared for classified use. I have never seen a wireless phone used for classified work. The government uses land lines for this.

[NJBlackBerry]

Wonder what security they were using at the VA and Department of Energy.
Doesn't matter how good the technology is - the people are the problems here.

[Corman]

Quote:

Originally Posted by NJBlackBerry

Wonder what security they were using at the VA and Department of Energy.
Doesn't matter how good the technology is - the people are the problems here.

This is so right on track. The people are always the weakest link in security. Remember the slogan "Loose lips, sink ships".

As for patrickh's statement, there is a ton of ways to brute force encryption and passwords. I agree with codpet, if you can touch it, you can access it almost all of the time. There are a few exceptions and they are not based on the device. Just applied this concept last week alone.

[pm1072]

Quote:

Originally Posted by codpet

Where is the decryption key on the BB device kept? I assume the decryption key isn't as secure as the encryption of the data itself. You are only as secure as your decryption key. When dealing with encryption there is always a weak link. There is a good reason why while we do use Blackberrys, we DO NOT use them for classified data. The only type of electronic communication we allow through our BES is unclassified.

Sure, the data is encrypted, but how is the decryption key kept?



They don't use any form of mobile device for communication that allows data to be transmitted. In other words, voice only, and never for classified information unless the line is cleared for classified use. I have never seen a wireless phone used for classified work. The government uses land lines for this.

Interesting, guess that makes the T.V. show "24" a bit more far-fetched, with their wide use of PDAs'/Smartphones to communicate during their missions, enabling them to download floor plans and satellite images to Jack Bauer...lol

I know alot of the federal law enforcement branches seem to have migrated to Nextel now for radio communications during routine and surveillance/recon missions. Their conventional VHF/UHF channels, which at one time contained some clear, but mostly DES digital voice encryption, are rarely used at least in my area.

[phonemonkey]

Quote:

Originally Posted by codpet

I have never seen a wireless phone used for classified work. The government uses land lines for this.

There are both satellite and cellular (probaby AMPS and maybe GSM) terminals for STU-III. I've personally seen the cellular bag phone version as recently as summer 2004. There are plenty of people other than the president who need to always be in touch securely, and they aren't carrying around a desk phone scrambling around to find a POTS jack when there's a problem.

Not sure if STE has a version that works on public wireless networks, but there is a unit that can run on some kind of DOD radio system.

[Postalrecon]

Quote:

Originally Posted by codpet

My uncle works for the Navy's IT dept, and he said they won't allow the use of Blackberry's because they are not secure.

thats bs, every high ranking officer in the navy seems to have a blackberry, but as for the military, if youre sending top secret info over a blackberry youre an idiot anyways

[Postalrecon]

Quote:

Originally Posted by NJBlackBerry

Wonder what security they were using at the VA and Department of Energy.
Doesn't matter how good the technology is - the people are the problems here.

amen

[patrickh]

Simple.. The data encryption key in the device is encrypted by your password. With a good password and correct implementation of the security subsystem, the bb is secure.

- P

Quote:

Originally Posted by codpet

Where is the decryption key on the BB device kept? I assume the decryption key isn't as secure as the encryption of the data itself. You are only as secure as your decryption key. When dealing with encryption there is always a weak link. There is a good reason why while we do use Blackberrys, we DO NOT use them for classified data. The only type of electronic communication we allow through our BES is unclassified.

Sure, the data is encrypted, but how is the decryption key kept?

[codpet]

Quote:

Originally Posted by patrickh

Simple.. The data encryption key in the device is encrypted by your password. With a good password and correct implementation of the security subsystem, the bb is secure.

- P

So the decryption key is encrypted by the passcode? Then how does the device reference this decryption key? If the decryption key is encrypted, how is the device checking your passcode against it's credentials?

Simply put it doesn't work that way....

There is a good reason why if you are using secret key symmetric encryption that you never give access to both keys to a source.

The decryption key is not encrypted, as it is a part of the mathematical formula that allows decryption to take place to begin with. You can't encrypt any of the key's themselves.

I believe that the blackberry uses asymmetric key cryptography. That is, the device uses two private keys. The passcode is used to complete the formula which leads to the decryption process.

It would be too insecure to allow symmetric encryption on such a device.

[VR6]

Quote:

Originally Posted by mnv7498

If my Blackberry handheld is stolen, is my data secure? Would someone be able to connect an external cable to my Blackberry and access my data.

if they find your BB before it locks itself then they'll have access to all your information as long as they keep it active, unless of course you have it set to lock everytime it hits the holster or every 5 mins, which is probably a requirement for gov't agencies...no?

[Intrigue]

Wirelessly posted (BlackBerry7250/4.0.0 Profile/MIDP-2.0 Configuration/CLDC-1.1)

I work for a financial institution worth over 1 trillion dollars (total assets). If the blackberry was not secure do you really think they would issue me one with access to internal email and cust. access? I don't think so.

[Intrigue]

Quote:

Originally Posted by codpet

So the decryption key is encrypted by the passcode? Then how does the device reference this decryption key? If the decryption key is encrypted, how is the device checking your passcode against it's credentials?

Simply put it doesn't work that way....

There is a good reason why if you are using secret key symmetric encryption that you never give access to both keys to a source.

The decryption key is not encrypted, as it is a part of the mathematical formula that allows decryption to take place to begin with. You can't encrypt any of the key's themselves.

I believe that the blackberry uses asymmetric key cryptography. That is, the device uses two private keys. The passcode is used to complete the formula which leads to the decryption process.

It would be too insecure to allow symmetric encryption on such a device.

Not to sound condescending.. But please read this:

http://computer.howstuffworks.com/encryption.htm

Encryption would be far too easy to break if keys were plain-text/unencrypted. What would the point be? That would be like writing the logins to your network under your keyboard.

[patrickh]

To check if a password is correct, you don't need to store the password itself. No properly implemented system is done that way. To verify if a password is correct, all you need is use the password to decrypt a block of data to see if it decrypts to a known value. (When you set the password, a block of fixed data is encrypted by your password so that it can be used for checking for exactly this purpose).

All (properly implemented) symmetric key encryption with a password works somewhat like this:
A random encryption key is used to encrypt/decrypt data.
The random encryption key is encrypted by your plain-text password (with extra stuff "salt" to make your password stronger. The "encrypted encryption key" is stored together with the encrypted data.

When the device is locked, the device itself no longer has access to the encrypted data. That is why some people complaining why names from their address book stopped showing up when phone calls arrive all of a sudden. It is because they have turned content protection on.

Public key encryption is used for an entirely different purpose..

-P

Quote:

Originally Posted by codpet

So the decryption key is encrypted by the passcode? Then how does the device reference this decryption key? If the decryption key is encrypted, how is the device checking your passcode against it's credentials?

Simply put it doesn't work that way....

There is a good reason why if you are using secret key symmetric encryption that you never give access to both keys to a source.

The decryption key is not encrypted, as it is a part of the mathematical formula that allows decryption to take place to begin with. You can't encrypt any of the key's themselves.

I believe that the blackberry uses asymmetric key cryptography. That is, the device uses two private keys. The passcode is used to complete the formula which leads to the decryption process.

It would be too insecure to allow symmetric encryption on such a device.

[yimpster]

Slightly off topic i'm afraid. I am an IT admin with a high concern over the security of our BB's.

I am concerned about the wipe feature of the Blackberry, as I do not want our data to be recoverable after the wipe.

However, there seem to be plenty of data recovery experts offering the ability to recover data off of bb's.

Ontrack say they can recover data, however when pushed if they can recover from wiped BB's they have not returned my call as promised.

I would like to ensure that there is the highest percentage of security when returning BB's providers or switching users etc.

Any ideas gratefully received - plus top notch forum been reading ALL morning.

[JerryD]

Quote:

Originally Posted by yimpster

Slightly off topic i'm afraid. I am an IT admin with a high concern over the security of our BB's.

I am concerned about the wipe feature of the Blackberry, as I do not want our data to be recoverable after the wipe.

However, there seem to be plenty of data recovery experts offering the ability to recover data off of bb's.

Ontrack say they can recover data, however when pushed if they can recover from wiped BB's they have not returned my call as promised.

I would like to ensure that there is the highest percentage of security when returning BB's providers or switching users etc.

Any ideas gratefully received - plus top notch forum been reading ALL morning.

I think you need to ask RIM rather than Ontrack, the issue being does a wipe actually delete the data - replace all data with nulls, or does it only delete the underlying data structure. I suspect it's the former given how long a wipe takes. Also, unlike magnetic media, silicon media doesn't retain a "shadow" of the data formerly held (as far as I know anyway!).

That said, there are two things you can do as a BES admin to make devices secure.

First, set your IT Policy to require a password. Given that 10 failed attempts will automatically wipe the device, you may not need to require as strong a password as you would on a network where typically an account will be locked for only a short period of time. Also, if you do this, anticipate two things. First, that 7100 series have a keyboard that's difficult to use for passwords. Recommend to your users that they use a password that's easy to enter on their keyboards. Second, anticipate users leaving your BES environment so you can send them a blank IT policy that won't require them to use a password. Replacing the IT Policy is a real pain once the user's BES account has been disabled.

Second, Encryption is also available on the Blackberry which you can also enforce via IT Policy. I don't know how this comes into play when accessing the data by other means, but I do know one thing - a Blackberry 8700 (which has the FASTEST processor on ANY BB) with an average amount of data which was compressed (default) and encrypted (not default) took over FOUR HOURS to wipe! Again, check with RIM, but I suspect that the wipe performed something like a DES wipe which replaces the data with NULLS, and when Encryption is on it does it more than once. An 8700 without encryption typically takes around 10-15 minutes to wipe. I know I indicated it shouldn't be necessary to replace data with NULLS more than once given the media is silicone rather than magnetic, but I suspect it's a requirement of a DES wipe to replace the data multiple times, and Blackberry is the only thing (most) DOD services will use, so RIM is very careful to be as compliant as possible.