Windows Phone Thoughts - Daily News, Views, Rants and Raves

  #1  
Old 10-27-2006, 04:00 PM
Janak Parekh
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
Windows Mobile "Email Security" Criticized, Lacking Details

http://www.eweek.com/article2/0,175...3119TX1K0000594

"A new research report contends that by failing to offer onboard encryption for e-mail files stored on Windows Mobile devices, Microsoft may be putting itself at a competitive disadvantage and leaving users vulnerable to data loss...According to the latest report published by J. Gold Associates, a Northborough, Mass.-based wireless research firm, Microsoft's decision not to offer file encryption capabilities on its Windows Mobile platform reflects poorly on the technology compared to other popular wireless systems...Windows Mobile provides for encryption of data while it is in transit to the device, but leaves sensitive corporate data open to access if one of the handhelds has its password hacked, the analyst said. Gold specifically highlights an issue in Microsoft's Direct Push technology, which is used to move data between the latest versions of Exchange Server and Windows Mobile devices."

It's hard to figure out what exactly the reporter is saying in this incredibly poorly-written article, and the original report isn't free, but after Googling around and finding another writeup, I think J. Gold Associates is expressing concern that Server ActiveSync/Direct Push writes to an unencrypted Pocket Outlook email store, and that theft or loss of the device leaves only a brute-forceable device password between an adversary and the secure email content on the device, and that is a serious problem with WM security as opposed to RIM devices and others.

I don't know what RIM does beyond the usual password control, and I really can't comment on the report itself, but... this doesn't surprise me. Pervasive storage encryption takes up a significant amount of CPU and slows down device performance, and as it stands, WM devices are pretty slow working out of flash. Second, this is a mitigable situation; out of the box, WM5+MSFP devices have Remote Wipe capability, plus one can implement a password policy that will wipe the unit after a number of tries. So, unless we get more details, I'm forced to conclude this is an inflammatory article that doesn't really illustrate security or the lack thereof with respect to Server ActiveSync and Direct Push. :?
 
  #2  
Old 10-27-2006, 04:30 PM
pauledw
Neophyte
Join Date: Oct 2006
Posts: 1

Not a problem as far as I see, just spreading FUD

Windows Mobile has products available to layer on top to provide the device encryption he talks about from vendors such as BeCrypt, Pointsec and Credant.
 
  #3  
Old 10-27-2006, 04:42 PM
Menneisyys
5000+ Posts? I Should OWN This Site!
Join Date: Jun 2007
Posts: 5,067

Yes, encryption of Windows\Messaging is possible with 3rd party tools. Also, remote wiping is possible.
 
  #4  
Old 10-27-2006, 05:23 PM
Cybrid
Pontificator
Join Date: Mar 2007
Posts: 1,466
Re: Windows Mobile "Email Security" Criticized, Lacking Details

Quote:
Originally Posted by Janak Parekh
out of the box, WM5+MSFP devices have Remote Wipe capability, plus one can implement a password policy that will wipe the unit after a number of tries.
The remote wipe capability is through Exchange and hardly of use to non-corporate users.
The password policy interests me...How do I implement that?
 
  #5  
Old 10-27-2006, 08:59 PM
Janak Parekh
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
Re: Windows Mobile "Email Security" Criticized, Lacking Details

Quote:
Originally Posted by Cybrid
The remote wipe capability is through Exchange and hardly of use to non-corporate users.
The password policy interests me...How do I implement that?
Well, this whole discussion revolves around the Server ActiveSync platform for Exchange. In fact, the password policy is implemented as part of MSFP and requires Exchange as well.

If you're looking for fancier password policy than is built into Pocket PC without an Exchange deployment, you'll have to look at a third-party solution.

--janak
 
  #6  
Old 10-31-2006, 12:28 PM
kgs
Neophyte
Join Date: Oct 2006
Posts: 3

The in-built password protection on WM5 is not sufficient for most enterprises IMO (allowing the setting of a 'hint' for passwords - which pops up after x wrong attempts, allowing retrying the password multiple times via cradling with ActiveSync, etc.).

Remote wipe doesn't wipe the SD card which is where many people store sensitive data such as attachments.

3rd party applications which secure the device are great but with direct push you have no easy way currently to:
* push security applications / updates to those apps to the devices
* ensure that a user who is connecting has security software enabled on their device before transmitting sensitive data (otherwise the user can just hard reset to remove that 'slow' security software and then connect back up to Exchange)

So a lot of people are potentially left with sensitive data in unencrypted form on their devices whilst their IT team turn a blind eye and hope they don't get left in a taxi.

Third parties like Good Technology keep the sync'ed data encrypted on the device and allow third party apps to be pushed to the device and to be verified (make sure they are installed) before data is transferred.

I think that is what the report is on about...
 
All times are GMT +1. The time now is 08:02 PM.