The Security Berry-meter | Security and The Blackberry


Blackberry Security

Flak upon flak, hay upon hay, has been dumped on the Blackberry, and its maker, RIM, since the announcement a few days ago that code is available allowing someone to turn the Berry into a microphone. This is not an indictment of RIM; on the contrary, it is a triumph.



Unlike other electronic “toys” (such as the iPhone; see my article here and my other article here), Blackberry always took security seriously. From the secure implementation of the “BES” (BlackBerry Enterprise Server) system to an almost bullet-proof browser, the Berry has been well defended. Attacks against the Berry and its operating system have been many.

Successes have been very few.

There is still no other device with quite the popularity of the Berry, especially within the corporate world. Its Outlook integration is second to none. The push technology was revolutionary, and the keyboard lent itself to such historic quotes as the one made by my pal Howard (More Time in the Air than on the Ground) Schmidt: “Our next generation will be born with all thumbs,” because of the Berry.

It took over ten years for such a “hack” as the listening software to become available. And it is not even a hack. It is no more a hack than a user being asked, in bold letters, to perform five steps to install spyware on their PC. In this case, the user would be asked to perform three (3) separate steps in order to install this software:

[screenshot of the first step]

then provide a phone number:

[screenshot]

then perform another step:

[screenshot]

If someone does all of the above accidentally, they should be reminded how to buckle their seat belt on every airliner they board, and they indeed do not deserve a Berry.




PCI DSS Wireless Analysis and Recommendations, Part 5

This entry is part of the series PCI DSS.


The PCI DSS Wireless Guidance document fills a very important need, as I said in the previous parts, I, II, III and IV. Today I will continue analyzing this Wireless Guidance document. I will number my suggestions and ask that you refer to that number in your comments on them. Remember: the goal is to help improve the document.


How to Improve on the PCI DSS Wireless Guidelines Document – Part V

Even More Processes

Continuing to analyze the flow chart on page 8, we get to a bit of a hairier situation. Let me show you:

[PCI DSS Wireless flow chart excerpt]

My suggestion here is to (18) revisit the issue of HOW to physically secure wireless devices. Let me add another example: what if you are auditing a large enterprise that uses microwave antennae to communicate across campus? How can you, the auditor, assure that the devices are indeed protected?

[PCI DSS Wireless flow chart excerpt]

The crux of my concern, however, rests with the PCI Council’s repeated insistence that the policies be developed AFTER the fact. Look at the box I numbered (19). Wouldn’t these belong at the BEGINNING of this entire chart? Shouldn’t they? Please move this to the beginning.

[PCI DSS Wireless flow chart excerpt]

As for my final comment on this chart, (20): what does this box mean? Just print a screenshot of the configuration? How do you prove a negative? Could we re-word this?



My intent is to continue analyzing this document on Wednesday and Friday of this week, unless something major happens.   Wednesday’s post will be rather late in the day, as I am speaking at the Technology Association of Georgia (TAG) event on Enterprise Security for Web 2.0.