Security Holes Found In RIM BlackBerry Service
An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"
Um, you might want to check back more often, latest news is that the Patent Office has admitted it will probably invalidate all of the patents held by NTP that are at the heart of the BlackBerry patent dispute. This will clear the way for RIM to resume "business as usual".
Just junk food for thought...
This is not a SMALL design mistake... this is a HUGE GLARING ERROR. Perhaps your thinking "they made a small design mistake" explains why you worked in the marketing department.
If the vast majority of the tech side is "very impressive" then this mistake wouldn't have been made, the structure and design of these systems should have been done in a team environment, and someone with experience should have flagged this in the very beginning.
There is, of course, a place for fresh grads, but it should be working alongside seasoned professionals. Also, I don't think that age is a factor: 43 or 23, if you have 4 years of university under your belt, you're on your way to a good career, but you likely do not have the knowledge and know-how to replace someone with years of work "in the field".
Using a Microsoft product on a server is a small design mistake?!?! You must be new here!
The fact that they made a small design mistake isn't really that surprising. These things happen all the time.
I'm not sure you can write this off as a small design mistake. This seems to me more like a fundamental design flaw based on a series of bad choices. They want you to run a Windows based server, outside your firewall, running a number of services, with security data stored unencrypted, and full privileges to the corporate e-mail server. That sounds like someone's friend or nephew was running the server project and either would not listen to advice that things should be done right, rather than quickly, or simply was unable to hire competent personnel. This is why companies making products like these should have a security team outside each project's chain of command, and why that team should be listened to. Now, who will trust them to do the right thing next time? What security conscious company will consider them as a solution provider?
SQL injection flaws are related to how well the application using the database is written, not the database itself. Any database-backed application can have SQL injection flaws, no matter what the underlying database, so long as the application is written by an idiot.
Listen, kids: NEVER, NEVER, NEVER pass user-provided values into your SQL queries as strings. There's a reason every database access API in existence allows positional or named parameters to be passed outside the parser, and it's not just performance.
And if I sound a little grumpy on this topic -- like maybe I'd recently worked with a developer lacking just this sort of clue... well, maybe you'd be interpreting my tone correctly.
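As an added illustration of the point the comments above make about SQL injection and parameter binding (this is example code written for this page, not code from RIM, the BlackBerry server, or the article), here is the string-splicing anti-pattern beside the positional and named parameter forms that the comment refers to. It uses only Python's bundled sqlite3 module so it runs offline; the `users` table, its rows and the input values are constructed here for illustration.

```python
"""Added example: string-spliced SQL versus bound parameters.

Everything here (table, rows, inputs) is constructed for illustration.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The anti-pattern: user input is spliced into the SQL text, so the
    database parser sees whatever the caller typed as part of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_positional(conn, name):
    """Same query with a positional parameter: the value is bound after the
    statement is parsed, so it can never change the statement's structure."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_named(conn, name):
    """Same query again with a named parameter (sqlite3 supports both styles)."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = :name", {"name": name}
    ).fetchall()


def run(fn, conn, name):
    """Call one lookup and report either its rows or the database error class."""
    try:
        return ("rows", fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def demo():
    """Compare the three lookups on a benign name, a legitimate name that
    happens to contain an apostrophe, and a classic tautology payload."""
    conn = make_db()
    inputs = {
        "benign": "bob",
        "apostrophe": "o'brien",        # legitimate input that breaks string splicing
        "tautology": "x' OR '1'='1",    # injection: turns the WHERE clause into "always true"
    }
    results = {}
    for label, value in inputs.items():
        results[label] = {
            "vulnerable": run(lookup_vulnerable, conn, value),
            "positional": run(lookup_positional, conn, value),
            "named": run(lookup_named, conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        for style, result in outcome.items():
            print("  %-11s %s" % (style, result))
```

The spliced version returns every row for the tautology payload and throws a database error on the perfectly ordinary name `o'brien`; both bound-parameter versions return no rows for either, because the whole input is compared as a single string value. That is the second half of the comment's point: binding is not only the safe choice, it is also the one that handles real-world input correctly.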