Organizations that have installed BlackBerry servers behind their gateway security devices could be subject to a hacker attack, according to security researchers.
Secure Computing (Nasdaq: SCUR) is warning companies to prepare for security researcher Jesse D’Aguanno’s release of hacking code for the BlackBerry next week.
The hacking program — called BBProxy — can be sent as an e-mail attachment to an unsuspecting BlackBerry user. Once installed, BBProxy opens a back channel which can bypass an organization’s gateway security mechanisms to create a line of communication between the hacker and the victim’s network.
“We are not saying that this is a vulnerability in the BlackBerry. It is designed to provide this client-server model across an encrypted tunnel,” Paul Henry, vice president of Strategic Accounts for Secure Computing, told TechNewsWorld. “However, someone without the best of intentions may decide to use that capability to possibly gain entry into a corporate network and bring malware in or remove confidential information from the network.”
A Silent Attack
BBProxy could enter the corporate network through a tunnel that is most often opened by the administrator to allow the encrypted communications channel access to the BlackBerry server inside the organization’s network. A malicious person could potentially use this back channel to move around inside an organization’s network, undetected.
Because BBProxy uses an encrypted tunnel, Henry said, chances are no would know that an attack has occurred. Security personnel cannot inspect the tunnel properly because it is encrypted.
“The facilities are available within the BlackBerry to prevent the use of this application, but it would require that the administrator take the time to configure it,” Henry said.
Henry’s concern is that people tend to address issues such as BBProxy as non-issues. Often they believe that a pathway is secure because it is encrypted. That, he stressed, is simply not true. Encryption alone does not equal security.
Closing the Loop
Henry suggests some common sense network architecture and simple policies to reduce the risk of this impending threat, as well as others like it that depend on the encrypted tunnel to gain network access.
First, he notes, servers connecting to the public Internet have an inherent risk. Isolating these Internet-facing servers reduces the risk of a compromised server providing access to other critical servers. Hence, due diligence would require that any Internet-facing server like a BlackBerry server should be isolated on its own, Demilitarized Zone (DMZ) segment.
A DMZ is a part of the network that is neither part of the internal network nor directly part of the Internet. In other words, it is a network sitting between two networks.
Next, only those connections that are necessary to facilitate the operation of the BlackBerry server should be permitted, Henry said. The BlackBerry server should not be permitted to open arbitrary connections to the internal network or Internet.
In addition, Henry said the mail server that is working with the BlackBerry server is also an Internet-facing server, and should also be isolated on its own separate DMZ.
Only those connections necessary to facilitate the normal operation of the mail server should be permitted. Like the BlackBerry server, the mail server should not be permitted to open arbitrary connections to the internal network or Internet.
Finally, internal users should not be permitted to open arbitrary connections to either the BlackBerry server or mail server.
BlackBerry maker Research in Motion could not immediately be reached for comment.