carnal0wnage [Shared Reader]

Tuesday, July 17, 2007

Blackjacking Book Review


Blackjacking: Security Threats to BlackBerry Devices, PDAs, and Cell Phones in the Enterprise
By Daniel V Hoffman

Blackjacking takes on the task of educating both administrators and management about the threats of mobile devices to their enterprise. I believe this book succeeds in its task and serves as a great reference not only for the blackberry enterprise server (BES) administrators out there but also for the network administrators, help desk personnel, security personnel as well as a book that can aid in the education of the end users. It is written in a tone and dialog that can be useful to the technical reader and non-technical reader and does well digging into the relatively new field of mobile device (especially BlackBerry) security.

The book starts out with a very good overview of the threats to mobile devices (Malware, Direct Attack, Data Communication Interception, Spoofing and Sniffing, and Physical Compromise). It then moves into an excellent overview of the devices that will be covered in the book (BlackBerrys, Pocket PCs, Palm Handhelds, and Cell Phones).
From there each device is covered in depth with “Exploiting the Device”, “Hacking the Supporting Device Infrastructure”, and “Protecting your PC and LAN from the Device.”

The BlackBerry section (which is probably why you are thinking about purchasing the book) does a great job covering the current and future attacks given the fairly limited publicly available research, tools, and code and gives solid advice on setting up your network infrastructure to deal with the growing threat with mobile devices. The vignettes discussing plausible attacks for each attack scenario serve as good feasible examples to think about for your enterprise and users and how to protect your network.

Likes: Discussion of how BlackBerry communications work with your cell phone provider and within a BlackBerry Enterprise Server environment, all the background material on the BlackBerry device, multiple examples (for further research on what is best for your environment) for AV and firewall solutions for each type of device, and seeing attacks on most of the threats in the lab using available tools.

Dislikes: while not in the scope of the book more code examples would be nice (of course it would take away from the usability of the book to “non-technical” people) and the book didn’t list links for the tools and malware discussed (yes I know Google exists).

Overall an excellent book. I purchased the book for my BlackBerry admin (but I read it first ☺) and I think he will find it useful since he is not a “security” guy. It really ties together networking best practices and technologies and while not a “BlackBerry (or mobile device) or network lockdown guide” blackjacking serves as a good reference for further research into AV, firewalls, and VPNs for mobile devices as well as safe methods for allowing those devices entry and access into your network.

Links
DISA SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) for BlackBerry Devices
http://iase.disa.mil/stigs/checklist/Wireless_STIG_BlackBerry_Checklist_V5R1_2.doc

Good Post on Security Basics
http://seclists.org/basics/2005/Apr/0254.html


Technical White Paper BlackBerry™ Security
www.blackberry.net/support/pdfs/bb_security_technical_wp_exchange_21.pdf




No comments: