  1. Fr3lncr's Avatar
    No real opinion on this but saw it and thought I'd share it for those interested:

    BlackBerry not as secure as believed, memo warns federal workers

    And the article:

    OTTAWA - The federal department charged with overseeing cyber-security has warned its workers to think twice before sending a BlackBerry message, suggesting that the device, believed to be the most secure in the world, is more vulnerable than users may believe.

    The one-page policy memo from Public Safety Canada, updated in mid-January, attempts to dissuade government BlackBerry users from sending a PIN-to-PIN message largely because it could be read by any BlackBerry user, anywhere in the world. The messages are "the most vulnerable method of communicating on a BlackBerry," a Public Safety Canada presentation says.

    The documents, released to Postmedia News under the access to information act, say PIN-to-PIN messaging isn't "suitable for exchanging sensitive messages" because protected or classified information could be inadvertently leaked, or a mobile user could inadvertently download malware or viruses that would compromise their phone.

    Almost two-thirds of federal government mobile users in Canada prefer to use the BlackBerry, with the remaining one-third using either Apple's iPhone or Google's Android. The concentration of BlackBerry users is even more pronounced among federal politicians, with most cabinet ministers opting to use the BlackBerry. Even NDP Leader Thomas Mulcair has said he carries an extra BlackBerry battery to keep his mobile device from dying during the day.

    Political staffers use the device as well, regularly sending PIN-to-PIN messages and emails as government business has progressively migrated to mobile devices.

    "Although PIN-to-PIN messages are encrypted, the key used is a global cryptographic 'key' that is common to every BlackBerry device all over the world," the memo reads. "Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device."

    The PIN, or Personal Identification Number, is an electronic address given to a particular device. When a user turns in the device, the PIN stays with the device and doesn't follow the user to a new BlackBerry. Any BlackBerry the government decides to reuse therefore "may expose information to compromise," the memo reads, because messages may be sent to the wrong person.

    There is also the threat that sending messages outside government firewalls and security filters could lead to a user opening a virus attached with a PIN message.

    "PIN-to-PIN messaging bypasses all corporate e-mail security filters, and thus users may become vulnerable to viruses and malware code as well as spam messages if their PIN becomes known to unauthorized third parties," the memo warns.

    The document is one among others released to Postmedia News, all of which continually press the point that protecting information must be a priority for the department. It also shows how far the department goes in tracking sensitive information on portable data devices, with devices colour-coded so workers know what types of sensitive, protected or secret information are on devices and can follow protocols for wiping information from devices, or destroying them entirely.

    A security briefing for new staff underlines the point that classified information should always be locked in a container approved by the RCMP, and that guards patrolling departmental buildings who find protected or classified documents out in the open or unlocked will place the records in a locked safe overnight and issue an infraction notice to the employee.

    The rules at Public Safety Canada are similar to those for other departments, including Human Resources and Skills Development Canada, which is continuing to investigate two major data breaches, each almost four months old. In those breaches, personal information about more than 588,000 Canadians was lost, information categorized as "protected B", so labelled because its loss could cause serious injury to an individual.

    Public Safety Canada's records and activities are "among (the) most sensitive in government," according to a security presentation, and "the potential for controversy is high." A bullet point on one of the presentation slides says that "public confidence in the minister and (department) depends to a great extent on how well information is protected at all levels."

    Among the security suggestions in the presentation is this about mobile devices: "Cellular telephones/BlackBerrys/PDAs are not secure and are frequently monitored by amateurs and professionals alike." The very next bullet point says that PIN-to-PIN messaging "is the most vulnerable method of communicating on a BlackBerry" because "messages can be easily intercepted."

    According to figures obtained by Postmedia News, in a one-year span, the number of government-issued BlackBerrys increased by 14.5 per cent, to almost 90,000 in August 2012 from 78,000 in September 2011. The cost to government to use those devices domestically is more than $2 million per month.
    02-26-13 04:44 PM
  2. fcaputo4's Avatar
    So this is just stating that PIN to PIN communication is not as secure. Well that's only one of the many ways that people can communicate.
    02-26-13 04:46 PM
  3. kazmi's Avatar
    WTH? If anything, PIN to PIN messaging is probably so secure that the company themselves cannot get access to those messages. I'm amazed at the level of idiotic information there is floating around...did we forget the whole fiasco where entire governments have been asking BBRY to release encryption for these messages and BBRY has not been able to comply simply due to the fact that they themselves cannot break it!

    Now I'm not too sure how secure the latest BB10 is vs BB7 but I would be surprised if it wasn't as (if not more) secure.
    02-26-13 04:55 PM
  4. kill_9's Avatar
    The one-page policy memo from Public Safety Canada, updated in mid-January, attempts to dissuade government BlackBerry users from sending a PIN-to-PIN message largely because it could be read by any BlackBerry user, anywhere in the world. The messages are “the most vulnerable method of communicating on a BlackBerry,” a Public Safety Canada presentation says.

    The documents, released to Postmedia News under the access to information act, say PIN-to-PIN messaging isn’t “suitable for exchanging sensitive messages” because protected or classified information could be inadvertently leaked, or a mobile user could inadvertently download malware or viruses that would compromise their phone.
    BlackBerry smartphones activated against a BlackBerry Enterprise Server 5 use an encryption key held on the BlackBerry Enterprise Server with which the smartphone is associated, and as such the encryption key for PIN-to-PIN messages can only be accessed by the BES administrator and is invisible to the BlackBerry users. If a PIN-to-PIN message is sent to an external BlackBerry smartphone then all bets are off. The only publicly shared encryption/decryption keys are for BlackBerry smartphone users associated with BlackBerry Internet Service, with the exception of those users activated against BlackBerry Enterprise Server Express 5.

    Public Safety Canada, an oxymoron if ever there was such a beast, has merely stated the obvious. PIN-to-PIN messages are the least secure communications channel available to BlackBerry users even if associated with a BlackBerry Enterprise Server but it is not hackable or intercept-able by foreign governments unlike the messages sent by individual BIS subscribers.
    02-26-13 04:58 PM
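    The contrast between the memo's description in the article above (one global key common to every device, so any device can decrypt any PIN-to-PIN message) and kill_9's point about a key held on the organisation's own BES can be modelled directly. The following is an added Python example written for this thread; it is not code from the article, the memo or BlackBerry. It stands in a constructed toy cipher (an HMAC-SHA256 keystream plus an HMAC tag, so a wrong key is detected rather than producing garbage) for the real Triple-DES scheme, and the device PINs, key values and message text are all made up.

```python
import hashlib
import hmac
import secrets

# Toy authenticated cipher, constructed for this example only. It is NOT the
# real BlackBerry PIN-to-PIN scheme; it just has the property the thread is
# about: whoever holds the key can read the message, and nobody else can.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from key + nonce (HMAC in counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not match the tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key (or tampered message): unreadable
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Device:
    """A handset identified by a PIN and holding one messaging key."""

    def __init__(self, pin: str, key: bytes):
        self.pin = pin
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        return encrypt(self.key, plaintext)

    def read(self, blob: bytes):
        return decrypt(self.key, blob)


# Constructed placeholder for the global key the memo describes.
GLOBAL_KEY = b"constructed-global-key-shared-by-every-device"
MESSAGE = b"protected B: draft briefing note"


def scenario_global_key() -> dict:
    """Every device, including one outside the organisation, holds the same key."""
    alice = Device("2A1B3C4D", GLOBAL_KEY)      # sender (constructed PIN)
    bob = Device("5E6F7A8B", GLOBAL_KEY)        # intended recipient
    outsider = Device("9C0D1E2F", GLOBAL_KEY)   # any other device that sees the traffic
    blob = alice.send(MESSAGE)
    return {
        "intended_recipient": bob.read(blob),
        "any_other_device": outsider.read(blob),   # readable: same key
    }


def scenario_bes_key() -> dict:
    """Devices on one BES share a key known only to that BES; outsiders do not have it."""
    bes_key = secrets.token_bytes(32)           # held by the organisation's BES admin
    alice = Device("2A1B3C4D", bes_key)
    bob = Device("5E6F7A8B", bes_key)
    outsider = Device("9C0D1E2F", GLOBAL_KEY)   # BIS-style device with only the global key
    blob = alice.send(MESSAGE)
    return {
        "intended_recipient": bob.read(blob),
        "any_other_device": outsider.read(blob),   # None: tag check fails
    }


if __name__ == "__main__":
    print("global key :", scenario_global_key())
    print("BES key    :", scenario_bes_key())
```

    Note that the BES case only protects traffic between devices on the same BES; as kill_9 says, a message to an external handset falls back to whatever key that handset holds, which is the global-key case again.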
  5. sevenkingdoms2's Avatar
    "The documents, released to Postmedia News under the access to information act, say PIN-to-PIN messaging isn’t “suitable for exchanging sensitive messages” because protected or classified information could be inadvertently leaked, or a mobile user could inadvertently download malware or viruses that would compromise their phone."

    Sounds like some key information has to be leaked first due to malware or virus. The question is, what is this information. Is it the private key?
    02-26-13 04:59 PM
  6. Andrew4life's Avatar
    WTH? If anything, PIN to PIN messaging is probably so secure that the company themselves cannot get access to those messages. I'm amazed at the level of idiotic information there is floating around...did we forget the whole fiasco where entire governments have been asking BBRY to release encryption for these messages and BBRY has not been able to comply simply due to the fact that they themselves cannot break it!

    Now I'm not too sure how secure the latest BB10 is vs BB7 but I would be surprised if it wasn't as (if not more) secure.
    Read the article more carefully.

    The PIN, or Personal Identification Number, is an electronic address given to a particular device. When a user turns in the device, the PIN stays with the device and doesn’t follow the user to a new BlackBerry. Any BlackBerry the government decides to reuse therefore “may expose information to compromise,” the memo reads, because messages may be sent to the wrong person.
    Very true. If someone changes their BlackBerry and you send classified info through PIN to PIN, you could potentially be sending it to whoever is now in possession of the new BlackBerry.
    This could very well be on a phone that is stolen. Someone steals the phone, wipes the phone, logs in themselves and if you send a message to the PIN, whoever is in possession of that phone got your message.

    I agree, PIN to PIN messaging is not secure in this manner. However, if you are sure that the PIN matches the person, it's fairly secure. At least more so than SMS.
    02-26-13 05:03 PM
  7. gorang's Avatar
    So basically if you work for government and you replace your phone you have to notify everyone that you have a new PIN.
    Problem solved, NEXT!
    Jake2826 and jafrul like this.
    02-26-13 05:06 PM
  8. kazmi's Avatar
    So the PIN is only visible to the administrator. Logically, when an employee hands in their handset, the administrator should deactivate or remove it from the list of authorized devices. Unless he/she doesn't decommission that device or assign it to a new user, how is this insecure? The PINs are not visible to BES users correct?
    02-26-13 05:17 PM
  9. superdirt's Avatar
    An exaggerated article title.

    Posted via CB10
    02-26-13 05:28 PM
  10. jafrul's Avatar
    and THIS is the reason why blackberry say we don't need bb pin anymore...
    instead we use bbid so that we can simply change devices without changing our bb pin.

    there's always a logical explanations to why things happened the way it is.
    02-26-13 10:06 PM
  11. omniusovermind's Avatar
    Correct me if I'm wrong here, but a Z10 out of the box, is by default normal day to day use not connected to BIS or BES unless you deliberately subscribe to them, and therefore not inherently any more secure than any other smartphone brand. Correct?
    02-26-13 10:18 PM
  12. jafrul's Avatar
    Correct me if I'm wrong here, but a Z10 out of the box, is by default normal day to day use not connected to BIS or BES unless you deliberately subscribe to them, and therefore not inherently any more secure than any other smartphone brand. Correct?
    logically yes... without connecting or registering to blackberry, it's just another smartphone in the market.
    albeit, a good one at this... lol.. i couldn't help continuing that last sentence...
    Zirak likes this.
    02-26-13 10:42 PM
  13. mapsonburt's Avatar
    Way back when, I sent my BlackBerry in to Bell for repairs and got back a replacement unit. That unit had been in possession of a deputy minister (back in the days of the Liberal Government). I started getting all these PINs on sensitive info. I started by responding that they shouldn't be sending PIN to PINs but I kept getting them. So I then said the next PIN was going to the Grope and Pail and miracle of miracles they stopped. This problem has been around ever since they associated PINs with the device. If you change devices the old messages follow the device. THAT'S what is not secure about them. Our corporation has had a policy against sending sensitive info on PINs since day 1. That's what their wonderful email system is for. No biggie. The government has 90K BlackBerry users... they need to remind them now and then.
    CDM76 likes this.
    02-26-13 10:53 PM
  14. bintheredundat's Avatar
    Lol @ "Grope and Pail" that's a keeper

    Posted via CB10 on my Z10 Oreo
    02-26-13 10:54 PM
  15. LockNLock's Avatar
    If a BB gets stolen, then yeah I guess that could lead to problems...
    02-26-13 11:01 PM
  16. fedakd's Avatar
    Yet another negative, sensationalist, BlackBerry headline. Nothing new here!
    02-26-13 11:04 PM
  17. Superfly_FR's Avatar
    If a BB gets stolen, then yeah I guess that could lead to problems...
    Declare it stolen, burn the pin. Solved.
    02-27-13 04:44 AM
  18. Bold_until_Hybrid_Comes's Avatar
    Not really much of an argument made. Every point made is under the assumption that someone spoofed a PIN and cracked Triple-DES encryption using the global cryptographic key. FYI - this has NEVER been done once.

    1. a PIN-to-PIN message largely because it could be read by any BlackBerry user, anywhere in the world. The messages are “the most vulnerable method of communicating on a BlackBerry,”
    ------If a PIN is spoofed it can be read. Never been done. More likely that someone will guess your email password

    2. PIN-to-PIN messaging isn’t “suitable for exchanging sensitive messages” because protected or classified information could be inadvertently leaked
    -----How is that different from email or any electronic communication?????

    3. a mobile user could inadvertently download malware or viruses that would compromise their phone.
    ----What does that have to do with Blackberry or PIN???? That can happen on any phone

    4. “Although PIN-to-PIN messages are encrypted, the key used is a global cryptographic ‘key’ that is common to every BlackBerry device all over the world,” the memo reads. “Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device.”
    -----True, not an argument though. It's just a statement. Like stating the security hotmail uses to store passwords. Doesn't make it more vulnerable because you are stating how the security works.

    5. Any BlackBerry the government decides to reuse therefore “may expose information to compromise,"
    ----I think reusing a phone is a user problem and should not be done for any brand.

    6. also the threat that sending messages outside government firewalls and security filters could lead to a user opening a virus attached with a PIN message.
    ----That can happen with email or other means too. On any brand of device.....

    7. “PIN-to-PIN messaging bypasses all corporate e-mail security filters, and thus users may become vulnerable to viruses and malware code as well as spam messages if their PIN becomes known to unauthorized third parties,
    ----yea, bypasses that and goes through the secure servers....

    8. PIN-to-PIN messaging “is the most vulnerable method of communicating on a BlackBerry” because “messages can be easily intercepted.”
    ----Repeated point from earlier in the article. Why would they repeat the exact same point twice? Easily intercepted? It has never been done once, how does that justify "easily"?????



    hmmmm all of a sudden with the bb10 launch they have articles like this. Why never anything like this when all was calm and still? But all of a sudden?
    02-27-13 11:25 AM
  19. dbmalloy's Avatar
    Silly article for two reasons... one change the encryption key.... issue done... 2... this memo is released by the government internally every year as part of security protocol...so in essence ... old news and no news ....
    Shanerredflag likes this.
    02-27-13 11:31 AM
  20. MobileMadness002's Avatar
    The only way Pin-to-Pin is secure is if the BES admin has Encryption required. This was the only way to communicate via BBM or P2P with others on the same BES.
    02-27-13 12:44 PM
  21. jstirtzinger's Avatar
    I am appalled at this article. This is clearly a person who is not very knowledgeable about technology and has written a sensationalistic heading without understanding the subject matter. The MOST insecure method of communicating on any mobile device is SMS/Texting which isn't even encrypted in any way and easily intercepted and read as clear ascii text. The 2nd most insecure thing you can do are simple passwords...Blackberry actually blocks you from using "1234" or "password" or "abc123" as examples. It is true that BBID now eliminates orphaned PINs on stolen phones so this is actually an old issue not really relevant today, but in the end, there is no antidote to stupidity.
    Shanerredflag likes this.
    02-27-13 02:46 PM
  22. andrewmcwhirter's Avatar
    Government agencies in Canada were made aware of this security concern back in March 2011 based on the following document: Security of BlackBerry PIN-to-PIN Messaging

    For departments where data is very sensitive, it was recommended to disable the PIN-to-PIN policy on BES to prevent people from using the feature.
    Shanerredflag and zyben like this.
    02-27-13 04:40 PM
  23. bobshine's Avatar
    I work in a bank and PIN to PIN message is banned. Anyway... PIN to PIN is dead now with Z10

    Posted via CB10
    02-27-13 04:52 PM
  24. ATMJOE's Avatar
    Very interesting how this news starts showing up, on the same week that Samsung announces it's going after BlackBerry corporate customers with their version of secure BEZ

    Government phones should never be recycled to anyone, even within the government.
    If they fail and cannot be repaired, they should be returned to the government IT for security reasons, use the compactor and crush them.
    It's like a hard drive: no matter how many times you security wipe it, it's possible something could be missed.
    02-27-13 05:16 PM
  25. Fuzzballz's Avatar
    I don't think it's that crazy an article. Keep in mind they're talking about 100% security. PIN messages are 99.9999% secure, but world governments like things that are 100% secure. PIN messages are not that, specifically because the cryptographic keys are not stored on the department's BES server. PIN messages go straight through RIM's servers from device to device.

    It's like the difference between Rijndael (the current AES) and Twofish. Twofish was 99.9999% uncrackable but Rijndael is (currently) 100% uncrackable. So governments went with Rijndael for AES.

    Also, PINs themselves are transmitted unencrypted. Whereas when using BES only the general BES server is transmitted that way. Therefore messages are "easily" tracked (by an adversary) to one device. It would take advanced cryptographers for that to be meaningful but, again, it's not 100% secure.

    The big problem to me is that PINs can't be erased from the phones. The phones must be destroyed after use, not recycled. Most governments don't want to dump usable phones after an employee retires or leaves the job.

    What's interesting is that the paper suggests that phone circuit boards be "broken into at least two pieces." However, I would suggest that governments would be best served by using large industrial shredders to completely annihilate the device. A 14 year old friend of mine back in the day could rebuild broken circuit boards with glue and solder. This to me is the weakest part of the paper.
    Last edited by Furballz; 02-27-13 at 09:50 PM.
    02-27-13 09:30 PM