Tag Archives: blackberry

SANS Mobile Device Security Summit Recap

Filed under Mobile Security

Just a quick post about the SANS Mobile Device Security Summit that I participated in.  Kudos to Kevin Johnson and Tony DeLaGrange from Secure Ideas for helping organize and lead the event.  They did a great job!  If you’ve been to SANS events in the past, I assure you that this was much different.  First, there was a great lineup, which included Rafal Los (HP), Jack Mannino (nVisium Security), Chris Cuevas (Secure Ideas), John Sawyer (InGuardians), Josh Feinblum (The Advisory Board Company) and Daniel Miessler (HP ShadowLabs), to name a few.  Having a lineup of great speakers really made the summit flow as well as it did.

What I liked most about this event was that there were plenty of “real world” talks on how enterprises are deploying and managing mobile deployments.  Real in the “trenches” types of talks.  Here are some of the themes that I heard throughout all the talks:

  • Jailbreaking/Rooting is BAD
  • The OWASP Mobile Top 10 is going to be just as important as the traditional web application OWASP Top 10
  • Mobile Threats are an evolving, moving target.  Security teams have to be quick to adapt to new mobile technology
  • MDM (Mobile Device Management Solutions) are a requirement
  • Apple iOS devices are preferred over Android in the enterprise (seriously, that was the consensus).  No one seems to care about BlackBerry or Windows Mobile devices.  I think only one speaker mentioned Windows Mobile…

On that last point, I find this pretty interesting, especially given that Android seems to be beating Apple in market share of both devices and app store apps.  I also enjoyed hearing about some of the challenges and pitfalls real IT and security departments are facing.  Many of the speakers talked about best practices they’ve developed and problems they’ve had.  One of the highlights for me was a talk by Det. Cindy Murphy from the Madison, WI Police Department Computer Forensics Unit.  She shared some of her experiences with mobile device forensics and how this evidence holds up in court.  I highly recommend you check out this summit next year; it’s one not to miss!

I should have my slides from the latest version of my talk that I gave at the summit (Attacking & Defending Apple iOS Devices in the Enterprise) in the next day or so.


Facebook SPAM on BlackBerry Devices

Filed under Mobile Security, Social Networks

I always thought the Facebook Application for BlackBerry was a buggy, slow piece of junk.  Now I have noticed that this application is being abused by spammers to propagate Viagra and Percocet SPAM.  The screen shot to the right is an actual Facebook notification I received on my BlackBerry.

There seems to be an interesting bug in the Facebook Application for BlackBerry in which a spammer can spoof the “facebookmail.com” domain and have SPAM messages show up in your notifications list within the BlackBerry Facebook application.  This only works if you have the Facebook for BlackBerry Application installed AND you have an email account configured on your BlackBerry (yes, this includes a corporate email account as well).  The email account configured on your BlackBerry is where you actually receive the SPAM message, not Facebook itself.

The Facebook Application for BlackBerry appears to notify on any new email in one of your BlackBerry mailboxes with “*.facebookmail.com” in the sender or return-path field.  Both of those headers are set by whoever sends the message, so matching on them alone proves nothing about where the mail came from.  This is a win for the spammer because now you think Facebook is notifying you, and with the email sitting in your inbox as well, you’re more tempted to click on the link.  The Facebook Application for BlackBerry is no stranger to controversy, and this particular bug has been noticed recently by others as well.  It also appears that this bug only affects the BlackBerry Facebook application; when testing the iPhone app I couldn’t replicate the issue.

To test this bug I used EXIM4 in Ubuntu as a mail relay with mailtools to send the email.  This allowed me to send a spoofed email as “agent0x0@facebookmail.com” to one of the email accounts I have configured on my BlackBerry.  Here are screen shots of the spoofed email in my inbox and what it looks like in the Facebook Application for BlackBerry:
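To make the trust problem concrete, here is an added Python example (not code from the post or from the BlackBerry app) that parses two constructed messages: one resembling a genuine notification and one whose From and Return-Path merely claim facebookmail.com. The first function mirrors the header-only matching the post attributes to the app; the second is a hardened check I am assuming as a mitigation, which also requires the receiving mail server’s Authentication-Results header to report a DKIM pass for that domain.

```python
import email
from email.utils import parseaddr

NOTIFY_DOMAIN = "facebookmail.com"

# Constructed sample messages, not real mail. The receiving MTA is assumed
# to add Authentication-Results itself and strip any it did not generate.
LEGIT_MSG = """\
Return-Path: <notification@facebookmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
From: Facebook <notification@facebookmail.com>
Subject: You have a new friend request

body omitted
"""

SPOOFED_MSG = """\
Return-Path: <someone@facebookmail.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=facebookmail.com; dkim=none
From: someone@facebookmail.com
Subject: unsolicited offer

body omitted
"""


def _domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _under(domain, suffix):
    """True when domain equals suffix or is a subdomain of it (no substring matching,
    so 'facebookmail.com.attacker.example' does not count)."""
    return domain == suffix or domain.endswith("." + suffix)


def looks_like_facebook_mail(raw):
    """Header-only match, the behaviour the post describes. Any sender can set
    From and Return-Path, so True here is not evidence of origin."""
    msg = email.message_from_string(raw)
    return any(_under(_domain_of(msg.get(h)), NOTIFY_DOMAIN)
               for h in ("From", "Return-Path"))


def is_authenticated_facebook_mail(raw):
    """Hardened check: the headers must claim the domain AND the local MTA's
    Authentication-Results must show dkim=pass with header.d= that domain."""
    if not looks_like_facebook_mail(raw):
        return False
    msg = email.message_from_string(raw)
    for ar in msg.get_all("Authentication-Results", []):
        tokens = {t.strip(";") for t in ar.split()}
        if "dkim=pass" in tokens and "header.d=" + NOTIFY_DOMAIN in tokens:
            return True
    return False
```

Run against the two samples, the spoofed message passes the header-only match but fails the authenticated check, which is exactly the gap the app’s notification logic leaves open.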

My opinion is that a mobile Facebook application should never be polling your personal email for these messages… but then again, this could be a “feature” of this nicely designed application, right? :-)  Special thanks to Kevin Johnson for helping with some of the research/testing.


Potential dangers of BlackBerry Syncing Applications

Filed under Mobile Security

Syncing dangers?

Do you have a BlackBerry for work with a corporate policy pushed down and managed by your corporate IT team? Depending on how locked down the policy is for your corporate BlackBerry deployment, you may be syncing sensitive or confidential data to a public web site.

So I recently installed the Facebook BlackBerry Application v1.5 on my BlackBerry and noticed two interesting settings. First, you can sync your Facebook calendar with your BlackBerry calendar. Second, you can sync your Facebook contacts with your BlackBerry contacts. As far as I can tell, syncing is only one way… sort of. The Facebook application shows a disclaimer when you install it that says:

Facebook will “periodically send copies of your BlackBerry device Contacts to Facebook Inc. to match and connect with your Facebook Friends.”

So does this mean Facebook has a copy of your corporate contacts? They must have one somewhere to do the proper sync matching. There is another disclaimer at the bottom of the “setup wizard” that says you allow Facebook to do this interaction in the same way applications have access to your profile data in Facebook. Interesting. Again, not a nightmare situation… but if any of your business contacts are sensitive in nature, I would be hesitant to enable this feature. Worst case? I couldn’t think of a worse security nightmare than all of your users automatically sending sensitive calendar entries with proprietary data to Facebook! So yeah, one way is good. For now, one-way sync is all the Facebook application does, but I would be willing to bet that this will change in the future. Be careful with this one.

So let’s step this up a bit. What about two-way syncing applications like Google Sync? Google Sync will sync your Google Calendar/Contacts with your BlackBerry Calendar/Contacts… both ways! This might be a real problem if you make your Google Calendar public or share it with a group of friends. The same goes for your business contacts. You may have just given Google (and possibly the world) all your business calendar entries. Well… we know Google isn’t evil, right? :-/

What can we do about this? As a user… opt out of installing any syncing apps on your corporate BlackBerry, for starters. But what about blocking syncing on the device via BES policy? As far as I can tell, the only way is to block the application from being installed via policy. This becomes problematic when Google or Facebook release new versions, for example. Not sustainable. I’m no BES administrator, but there might be other ways to prevent the application from being installed or the syncing from happening; either way, it brings up some interesting discussion. By the way, there are some problems when you have the Facebook application and Google Sync installed at the same time. No thanks.

Something else to think about. How does your company handle BlackBerry deployments? Are they company issued and owned? Or do you allow your users to own them and the company pays for the data plan? All of this would have to be considered before blocking or preventing syncing applications (or any third-party application) from being installed. If you have any thoughts or ideas on this, comment below!
