1. BitPusher2600
    Hey all. My knowledge of security in computing is only basic at best and I'd like to ask a couple questions.

    1. I have enabled memory encryption (device), excluding media files. Are there any suggestions or advice regarding the encryption strength option?

    2. I don't have encryption set for my memory card because even though I can exclude media files, I can't find a way to be able to copy Docs To Go files on and off the card at will unless I email them, which is a pain. Are there any disadvantages to not securing the mem card, or is there a way to tell my device to not encrypt files from D2G if I enable encryption?

    3. Is there any network protection offered by enabling the firewall if I don't select any of the options below it? (In other words, I don't want to block emails, texts, etc.)

    4. I of course have a device password, but are there any other suggestions you all would offer for keeping my data secure with regards to the fact I'm data connected almost 24/7?
    Thanks for your time folks.

    Posted from my CrackBerry at wapforums.crackberry.com
    07-17-11 06:25 PM
  2. belfastdispatcher
    Docs to Go have an app called Files, it syncs your files with your PC, works even though encryption is enabled.

    07-17-11 06:28 PM
  3. T
    1. Here's what I could find in the BlackBerry Knowledge Base: "BlackBerry smartphones support individual security passwords between 4 and 14 characters in length. BlackBerry Device software 4.6 to 6.0 support individual security passwords between 4 and 32 characters in length."

    Other pertinent information:

    "Strong" is the default setting. The other choices are "Stronger" and "Strongest." The BlackBerry uses the Advanced Encryption Standard. For the encryption to work best, if you choose "Stronger," your password should be 12 characters; if you choose "Strongest," your password should be 21 characters. (Citation, page 8.) So be aware of the limitations of your device and its software.

    If you use "Stronger" or "Strongest," the encryption will work best with 12 and 21 character passwords respectively. If you don't want to use a password that long, just use the default setting "Strong." I use "Strongest," and my password is at least 21 characters long.

    Another thing to remember is that if you use encryption and you "Include Contacts" in the settings, your caller ID and custom contact alerts and ringtones won't work when your device is locked. That's because the BlackBerry device can't decrypt the contact information when a call comes in while the device is locked. Not that that matters to security conscious users, but it's just something to remember if you decide to put your phone on "Silent" at night and think that you will hear a call from one of your contacts for whom you've set a custom ringtone. You won't. You can opt not to include contacts in encryption, and your custom contact alerts and ringtones will work all the time (even when the device is locked), but that poses a slight security risk.

    Also remember that if you do not include contacts in encryption, and you allow outgoing calls when your device is locked, anyone who goes to make a call will have access to your contact list when he starts to dial a number. I do encrypt my contact list, and I allow outgoing calls when my device is locked. Were I to not encrypt contacts, I definitely wouldn't allow outgoing calls when the device is locked. You just have to find the balance between security and convenience that works best for you.

    2. Transferring encrypted memory card files between pc and device used to be a real pain, but in DM 6 it's now very convenient. If you hook your device up to your pc and use DM 6, you can use the "Files" option of DM 6 to transfer encrypted media files back and forth between pc and device using the drag and drop method. I'm not sure about Docs to Go, because I never tried it, but it works perfectly for pictures. If you decide to encrypt your media card, I would suggest you set "Device Password" and not "Device Key" or "Device Password & Device Key" as the mode of encryption. If you use one of the other two, you will not be able to decrypt your media card files in any other BlackBerry. If you don't encrypt your media card and its files, anyone can take your card out and view its contents in another BlackBerry or on a pc.

    Another important consideration is videos you make. I don't know if it's been remedied yet, but it used to be that if media card encryption was on, videos made using the device camera would not work even on the device. When my device had a camera, I used to have to remember to turn media card encryption off when making a video in order for the video to work and then remember to turn it back on afterwards to protect my card.

    3. I don't know the answer to number three, and I'll hope to learn from what others have to say, but I think there is a benefit to having the firewall on even if nothing is checked. On my old device, I had it set that way, and I would see firewall activity when certain applications were in use. Therefore, I have mine on with nothing checked.

    4. I keep my JavaScript in browser settings off. That will protect against a vulnerability in the WebKit browser which I don't think has been patched. I do turn it on sometimes in trusted sites when I absolutely need additional JavaScript functionality.

    Also, take advantage of your Password Keeper application. It's terrific. I use mine all the time. Make sure to set a separate password for it.
    Last edited by Tnis; 07-17-11 at 07:29 PM.
    07-17-11 07:24 PM
  4. Branta
    4. I of course have a device password, but are there any other suggestions you all would offer for keeping my data secure with regards to the fact I'm data connected almost 24/7?
    1. Regular backups. Security is more than just encryption, it means being able to recover if your phone is lost, stolen or destroyed.

    2. Stay away from third party software unless you really need it, and avoid unofficial sources and cracked software-for-free.

    3. Look at the security permissions of any third party apps you install, and ask why they need to "Allow" everything. Either it's a lazy programmer, or the app does more than they tell you.

    Look closely at the (non) privacy policy of suppliers like Google who are known and admit datamining user data to sell for directed advertising.
    07-17-11 07:59 PM
  5. T
    A few more things:

    a. To go along with what Branta already said, make sure the regular backups you make are in a safe place or encrypted. My ThinkPad's hard drive is password protected, so I don't bother encrypting my backup file. But if your computer is protected only with a Windows password, or if you store your backups on a shared computer, make sure you use the "encrypt backup file" option that's presented when you use DM 6 to make your backups.

    b. Choose a password timeout that coincides with your pattern of usage. If you're constantly putting your phone down around other people and forgetting about it, use a short timeout. I'm currently using a one hour timeout, because I remember to manually lock my phone when putting it down. Otherwise, it's on my person. Therefore, I can afford the longer timeout.

    c. Also, be sure to set a password for your voicemail. If you don't allow outgoing calls when your device is locked, you can always use smart dialing to enter a pause followed by your password to conveniently access your voicemail. If you do allow outgoing calls when your device is locked, do not have smart dialing automatically enter your voicemail password. If outgoing calls are enabled, and someone goes to make a call with your phone, all he has to do is hit the BlackBerry (menu) key, and there's an option there to "call voicemail."
    07-17-11 08:27 PM
  6. BitPusher2600
    Thank you folks!
    Most of that I knew, some I didn't, particularly with the length of password vs encryption strength.

    I don't use DM much because whatever version I have on my ppc mac is kinda pointless from what I can tell. It can do backups however and I do that once in a while. With regards to getting Docs2Go files off with encryption enabled, I really don't follow. My documents always show up as .docx.rem and I've never found a smooth way around that short of shutting encryption off permanently. I'll look at it further.
    Thanks again folks.

    07-17-11 10:05 PM
  7. T
    With regards to getting Docs2Go files off with encryption enabled, I really don't follow. My documents always show up as .docx.rem and I've never found a smooth way around that ...
    You have to use Desktop Manager 6 for that. It has provisions for moving encrypted files between device and computer with drag and drop ease. You can't just use Mass Storage Mode; it will just transfer the files the way they are -- encrypted will stay encrypted, unencrypted will stay unencrypted. If the Mac and Desktop Manager don't play well together, try it on a Windows machine. I'm betting it would work. If I have some time tomorrow, I'll try it with a document.
    07-17-11 10:23 PM
  8. qbnkelt
    1. Regular backups. Security is more than just encryption, it means being able to recover if your phone is lost, stolen or destroyed.

    2. Stay away from third party software unless you really need it, and avoid unofficial sources and cracked software-for-free.

    3. Look at the security permissions of any third party apps you install, and ask why they need to "Allow" everything. Either it's a lazy programmer, or the app does more than they tell you.

    Look closely at the (non) privacy policy of suppliers like Google who are known and admit datamining user data to sell for directed advertising.
    I'd like to amplify on the following points:
    2. There is such a huge push for apps that one would think apps are needed for every single step of the day. The more apps you download the greater the chance that you'll lay hold of something you don't really want or open yourself up for possible phishing or spear phishing scams.
    3. Remember the recent flak regarding data gathered through Android and Apple devices based on location services being wide open and information collected? When you download an app be careful what you authorise. I had a bit of a concern regarding an app in android market regarding use of my credit card. um....no....no app is worth having credit card information stored.

    The last sentence - hits home. I'd never been hit with a phishing scam. Right after getting my Atrix I had two spear phishing incidents. One...coincidence. Two...not so much.

    Not to sound like I'm paranoid...but I am.
    07-18-11 02:34 AM
  9. T
    Not to sound like I'm paranoid...but I am.
    You raise a great point about the apps. I wish you would elaborate about the spear phishing attempts.

    When I enabled the firewall and made the permissions stricter on my Curve, I was surprised to see weird stuff like even CaptureIt (or something associated with it) wanting to "listen to calls." Huh?!? As they say, "Just because you're paranoid doesn't mean they're not after you!"

    Last edited by Tnis; 07-18-11 at 06:41 AM.
    07-18-11 06:34 AM
  10. BitPusher2600
    I don't have access to or money for a Windows PC. Is memcard encryption a high priority?

    @Qbnkelt; what did you do or enable on your BB to discover things were wanting to listen to your calls? I have a decent handful of apps, and the only one NOT from App World is CaptureIt. I try to be careful about third party apps, making sure it's a developer who's been around a bit and has a fair number of reviews. Hope nothing too sensitive was taken from your device!

    07-18-11 08:04 AM
  11. Branta
    Encryption on the SD card... It depends on your assessment of the data you have stored, and the risk the card may fall into bad hands. If all you have is some vacation pics it probably won't do much harm even if they get published on the thief's website. OTOH some other data should never be allowed to fall into the wrong hands, it could harm you, your family, or even your country if it was exposed. YOU have to make the risk assessment and make appropriate provision for the security you need.

    The problem is not specifically CaptureIT "listening" to calls. It almost certainly doesn't, and has been around long enough for someone to have noticed if it was misbehaving. However it is one of many apps where a cautious approach might consider the default install gives it more permission than it really needs. This problem comes from three areas - deficiencies in the RIM tools to set all permissions at installation; "lazy" developers who just set global "Allow" because it is easier than working out and testing what is really needed; "bad" developers who include hidden functionality for their own devious purposes.

    To clarify on the last point, an example might be a free app which provides custom LED flashes for different kinds of incoming messages. A week later you get emails from the developer, promoting his paid apps... but you never gave him your email address, so how did he get it? And all the contacts in your address book get similar emails... Then it gets worse, and your relative who works for a defense contractor gets an email with embedded spyware and links to a bogus Chinese hosted web page which harvests his passwords... no, it wasn't a photo of your daughter's graduation he clicked. The email is (at first glance) apparently sent by you through a mailbox only used for family, and contains social-personal info harvested from other emails scraped from your phone, to increase his feeling that the mail is from you and must be safe.

    Too much to believe? That's almost exactly what happened to a number of very senior defense and security people recently in the widely discussed spear phishing attack focussed on gmail accounts. The main difference is that it has not been disclosed whether phones were involved to harvest the first seeds for target email addresses.
    07-18-11 10:09 AM
  12. T
    With regards to getting Docs2Go files off with encryption enabled, I really don't follow. My documents always show up as .docx.rem and I've never found a smooth way around that short of shutting encryption off permanently.
    I confirmed it today. I made a document on my computer and transferred it to my BlackBerry using the drag and drop file transfer feature in DM6. The BlackBerry saved the document as a .rem (encrypted) file. I then modified the document on the device, saved it (automatically, as a .rem encrypted file) and transferred it back to my computer using the same procedure. The file I transferred back to my computer using this method was unencrypted and viewable.

    So there it is. DM6 will transfer encrypted media card Docs to Go files between device and pc. It works on my Windows box running xp. You can't transfer encrypted files between device and pc using the "USB" (mass storage mode) method. It never worked that way. You have to use DM6.
    07-18-11 02:17 PM