DKS
Damn Kidney Stones

join:2001-03-22
Owen Sound, ON

DKS

Oops! BlackBerry PINs are Not Confidential

If you have a Blackberry and think PIN to PIN messages are confidential and not stored, think again...

»www.theglobeandmail.com/ ··· usiness/ (Registration required)
quote:


BlackBerry battle chills Bay Street gossips

By SINCLAIR STEWART and RICHARD BLOOM
From Friday's Globe and Mail

UPDATED AT 1:44 AM EST Friday, Jan 7, 2005

Toronto — Most morning meetings on Bay Street are devoted to dreaming up the next megamerger or predicting the day's big winner on the stock markets. But as Canada's deal makers huddled over their coffees Thursday, the conversation was dominated by a very different concern: how to make sure their BlackBerry messages remain private.

At one brokerage house, traders and bankers spent much of their early meeting discussing whether employers, or even regulators, could tap into so-called PIN messages — those sent between BlackBerry users via a device's personal identification number instead of a normal e-mail address. (Each BlackBerry has a numerical PIN associated with the device.)

Until this week, this was considered to be a secure means of communication, safe from the prying eyes of bosses and outsiders. But that illusion was shattered by a nasty legal brawl that has erupted between Canadian Imperial Bank of Commerce and Genuity Capital Markets, a new investment-banking firm started by a group of ex-CIBC executives.

CIBC is suing six of its former employees, alleging that they took confidential information and orchestrated a “calculated scheme” to recruit colleagues to Genuity while they were still working for the bank.

At the heart of the case are scores of personal e-mails and BlackBerry messages between the former employees that CIBC claims are evidence of the plot.

“I would say that up to today, 99.9 per cent of the world felt this was secure,” said one brokerage official. “I think that's like finding out there's no Santa Claus.”

The official said employees in Toronto's financial district were hounding their information technology departments for answers as to whether BlackBerrys could be monitored. When people chat via PIN messages, they will often communicate things they would not divulge in a regular e-mail, he said.

“If you've got a guy's PIN, it's like another level of intimacy. It's like the next level in a relationship on Bay Street.”

An investment banker said he was surprised that the former CIBC employees were so naive as to believe their communications could not be tracked. He said it was especially odd, given that one of the CIBC bankers was a technology specialist and another was a lawyer.

The reality is, virtually every message sent and received through a company-issued BlackBerry is retrievable.

“It's a mistake to assume any corporate communication is not subject to be subpoenaed, or to be looked at and examined,” said Brian Sharwood, a telecommunications consultant in Toronto.

“You would have to be a fool to assume that kind of thing.”

Experts in the IT industry say that unless the device is disconnected from the company's server — and changed, for example, to a personal e-mail account offered through a private Internet service provider — every message is likely stored in a corporate computer.

“The only way around that is to disconnect yourself from your corporate e-mail,” said Lynn Greiner, a Toronto-based IT executive.

“If you were to disassociate your BlackBerry from the enterprise server, you would be able to send and receive mail privately over whatever account you want.”

However, employees using PINs to pass confidential information back and forth may not know the messages are indeed traceable, as companies can buy software that allows them to archive the e-mails.

BlackBerry users who have a personal account can send a PIN message that bypasses their Internet service provider's server and stores the text solely on the device (similar to the popular text-messaging services of cellphone companies).

While administrators in so-called sensitive sectors can disable PIN-to-PIN messaging, many choose to allow employees the service but insist on archiving the e-mails.

CIBC isn't saying how it got access to the BlackBerry messages, but states in its lawsuit that the executives “seemed to have believed [they] did not create any record of their e-mails on the [bank's] central computer systems.”

David Kassie, a star investment banker who was forced to resign as head of CIBC's brokerage arm last February, said in an affidavit this week that Genuity has not improperly poached any of the bank's staff or taken confidential information. Mr. Kassie, who is named in the suit, is a founding partner of Genuity and its largest shareholder.

A spokeswoman for the maker of BlackBerry, the Waterloo, Ont.-based Research In Motion, would not comment on the matter.



shaner
Premium Member
join:2000-10-04
Calgary, AB

shaner

Premium Member

Wherever there's a 'secure' way of transmitting data, there's a hack for it. Anybody who ever believed PIN to PIN was completely secure or would stay that way is living in a dream world.

The Chick
Gnomes Are Not Food.
Premium Member
join:2002-07-22
London, ON


The Chick to DKS

Premium Member

to DKS
There's no Santa Claus?


Snickerdo3
Premium Member
join:2001-02-28
Niagara Falls, ON

Snickerdo3 to DKS

Premium Member

to DKS
Okay, someone here want to tell me how mobile-to-mobile PIN messages (like SMS, I assume?) have ANYTHING to do with corporate email servers? That'd be like someone saying my employer has access to all my text messages, just because I could configure my cell to send and receive my corporate email. As it stands now, does Cogeco have access to my text messages because I've configured my phone to send and receive Cogeco email? Hardly.

Now, of course, whichever mobile provider serves these blackberries may have records of these messages on their server, but how in the heck does CIBC have anything to do with this? I highly doubt CIBC would be able to get access to Rogers'/Telus'/Bell's records for this purpose. It's civil, not criminal, and I doubt CIBC has the right to do what is effectively the same as a phone wire tap.
RobMcLeod
join:2002-01-06


RobMcLeod to DKS

Member

to DKS
(speaking of GSM/GPRS here since that's my background. No idea how CDMA networks function)

The difference between SMS and (BlackBerry proprietary) PIN messaging is where the processing takes place.

With SMS, regardless of whether you use GSM or GPRS technologies, the information is relayed through a provider's SMS Service Centre (SMSC for short).

With PIN-PIN messaging, the messages are passed using the same technology that moves email across the carrier networks (notably a BlackBerry Enterprise Server (BES) and the RIM relay). To a carrier, this is only data and I doubt the carrier monitors this. However, since it uses the BES (which is usually installed on company premises and is owned/maintained by the company), they have access to this data. In short, if you wanted to move top-secret messages using a BlackBerry, I would use the SMS route since it does not touch any company infrastructure (except for the BlackBerry itself).

Edit: Sorry, DKS. Reply was supposed to be to Snickerdo's question...

Krispy1
Premium Member
join:2001-12-11
the stix


Krispy1 to DKS

Premium Member

to DKS
"I would say that up to today, 99.9 per cent of the world felt this was secure," said one brokerage official. "I think that's like finding out there's no Santa Claus."

Excellent analogy...it's like being surprised at the truth that was so glaringly obvious to everyone except those with immature minds that were being lied to!

Anyone who believes that anything transmitted over a network is confidential or not retrievable should ask Santa for a ka-billion dollars next year and start making some cookies and decorating the tree. Reality is that pretty much anything can be restored or detected given enough time and money...where there's a will there's a way.

Sounds like the lawyer and tech guy are trying to distract attention from their own misdeeds.

Snickerdo3
Premium Member
join:2001-02-28
Niagara Falls, ON

Snickerdo3 to RobMcLeod

Premium Member

to RobMcLeod
said by RobMcLeod:

With PIN-PIN messaging, the messages are passed using the same technology that moves email across the carrier networks (notably a BlackBerry Enterprise Server (BES) and the RIM relay). To a carrier, this is only data and I doubt the carrier monitors this. However, since it uses the BES (which is usually installed on company premises and is owned/maintained by the company), they have access to this data.

If PIN messages require the use of a BES that the company owns, then they are fools for thinking that the company cannot get access to their information.
lawrence171
join:2001-12-24
Canada

lawrence171 to DKS

Member

to DKS
Where is PGP when you need it most? HAHAHA

Big DT
@unknown

Big DT

Anon

PIN-PIN messages do not require or use the company BES server. They are sent to a BlackBerry server at RIM, and then are redirected to the other PIN number from RIM.

I suppose RIM could keep a log of this, but I doubt that this information ever sees the company's BES server.

The only way I can think of that this might work would be if the corporate BES server was set to back up all of the messages on a handheld into an archive; possibly this archive could include PIN messages that were received by the BlackBerry, as well as all the other messages.

Styvas
Who are we? Forge FC!
Premium Member
join:2004-09-15
Hamilton, ON

Styvas to DKS

Premium Member

to DKS
Here's how I read this story. CIBC (I worked for them for a VERY short time before quitting) is a corporate bully who cares only about its shareholders. I've never worked for a company that cared less about its employees and customers. In CIBC's eyes, people are just pawns and a means to an end--that being higher profits and higher stock price.

Their monitoring of employees' Blackberry messaging may be legal. To me that's irrelevant. Instead of suing these guys, CIBC should be asking itself what it's doing wrong that drives employees away and trying to improve its human resource management strategies.

I've yet to speak to a former employee of CIBC who doesn't launch into a rant the minute you ask them about the company. They are a horrible bank! They won't lose this case, but I sure wish they would so as to teach them a lesson on not picking on kids smaller than them.

LookItUp
@rim.net

LookItUp to DKS

Anon

to DKS
Lot of misinformation and ignorance on this forum.

1. PIN messages never touch RIM's infrastructure nor do they touch the corporate infrastructure. A PIN message is sent directly from one device, over the wireless network, to a second device, period.

2. PIN messages are encrypted during transmission using Triple-DES in much the same way emails are encrypted. The main difference is that all the PINs use the same key, and as such are not considered "secure", even by RIM...this is not a secret. To be secure, RIM recommends using the corporate mail system to ensure messages are encrypted using a random key unique to the user.

3. Messages are only encrypted during transmission...they are not encrypted on the device or in the user's mailbox, regardless of whether the user sent an email or even a PIN. If you want end-to-end security, RIM offers an S/MIME security package which ensures that the email is always encrypted.

These guys used BlackBerrys to send P2P messages, but there is no reason to believe that this information was deleted from the devices. Once those devices were turned in, the information on them would be easily and ethically accessible by the BlackBerry admins.

There is a security evaluation of the RIM security solution posted on their web site (and it has been there for some time for those who care to actually investigate this issue) that was conducted by @Stake Security. Feel free to review it
here: »www.blackberry.com/knowl ··· vernum=1
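Points 2 and 3 above come down to key management rather than the cipher: a key every handset shares protects the message from the carrier but not from any other BlackBerry holder, while a per-user key issued by the BES does. The following model is an added example, not RIM's or the poster's code; the stand-in cipher, key sizes and the two-leg BES path are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from itertools import count

# Stand-in cipher for this model: SHA-256 counter-mode keystream plus an HMAC
# tag so a wrong key is detected instead of yielding garbage. It is not
# Triple-DES and not for real use; the point is who holds the key, not the cipher.
def _keystream(key, nonce, length):
    out = bytearray()
    for block in count():
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    """Return the plaintext, or None when the key does not match (or blob was altered)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

# Constructed key material. One PIN key is burned into every handset; the BES
# issues each user a random key of their own (hypothetical layout for the model).
PIN_KEY = secrets.token_bytes(24)
BES_KEYS = {pin: secrets.token_bytes(24) for pin in ("A", "B", "C")}

def keys_held_by(pin):
    """What handset `pin` actually stores: the shared PIN key plus its own BES key."""
    return [PIN_KEY, BES_KEYS[pin]]

def readable_by(pin, blob):
    """Can the holder of handset `pin` decrypt this captured blob with the keys it has?"""
    return any(decrypt(k, blob) is not None for k in keys_held_by(pin))

def pin_message(text):
    """Device-to-device PIN message: every BlackBerry shares PIN_KEY."""
    return encrypt(PIN_KEY, text)

def bes_legs(sender, recipient, text):
    """Corporate mail: sender->BES under the sender's key, BES->recipient under theirs.
    The BES holds every user key, so the company can read the message in transit."""
    leg1 = encrypt(BES_KEYS[sender], text)
    at_bes = decrypt(BES_KEYS[sender], leg1)
    return leg1, encrypt(BES_KEYS[recipient], at_bes)
```

Handset C, a bystander with any BlackBerry, reads the PIN message but neither leg of the BES path; the BES itself, however, sees every corporate message in the clear, which is the archiving point the article makes.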

Styvas
Who are we? Forge FC!
Premium Member
join:2004-09-15
Hamilton, ON

Styvas

Premium Member

Virtually every corporate employee these days signs an agreement stating that the company owns all information on any device provided by the company or connected to the company network. Most agreements also include a no non-company business use clause.

What surprises me about the CIBC case is that the actions of the employees would have been grounds for dismissal; but, usually lawsuits are only brought upon the transgressor if they have used company information (such as client lists, marketing data, etc.) in a way that could cause damage (financial or other) to the company.

The news article indicates that they recruited each other and made plans for the new company using their Blackberry devices, but does not suggest that they were also soliciting info on potential clients for the new company.

Again, what they did would be grounds for dismissal, but I'm not sure why CIBC would claim damages (assuming they have done so) unless these former employees also broke confidentiality agreements.

In certain countries in the past (I think Germany was one), it was illegal for an employee to leave certain kinds of companies and then immediately get a job in the same industry. The rationale was that they would inevitably have info that could hurt or unfairly put at a disadvantage their former employer. After a year or so (hypothetically) that info would be obsolete and less "dangerous" to their employer and the industry.

This is not the case in Canada. I'm not surprised that CIBC was pissed off, but I'd be curious to know the basis for their actual suit, not just the after-the-fact grounds for dismissal.

DKS
Damn Kidney Stones

join:2001-03-22
Owen Sound, ON

DKS to Styvas

to Styvas
said by Styvas:

Here's how I read this story. CIBC (I worked for them for a VERY short time before quitting) is a corporate bully who cares only about its shareholders.
Last time I checked, the bank had a sole obligation to their shareholders. And employees had obligations to their employer like loyalty... The CIBC may stink as an employer, but that has nothing to do with this matter. (My personal experience is that they aren't that great a bank, either).

Styvas
Who are we? Forge FC!
Premium Member
join:2004-09-15
Hamilton, ON


Styvas

Premium Member

said by DKS:

said by Styvas:


Here's how I read this story. CIBC (I worked for them for a VERY short time before quitting) is a corporate bully who cares only about its shareholders.
Last time I checked, the bank had a sole obligation to their shareholders. And employees had obligations to their employer like loyalty... The CIBC may stink as an employer, but that has nothing to do with this matter. (My personal experience is that they aren't that great a bank, either).
Those employees shouldn't have been using company time and resources to plan their exit and subsequent company. It's the bottom line and that's why they're now being sued. However, no one can know if they were or weren't working very hard in the meantime. Knowing CIBC, they'd have been under a lot of scrutiny had they slacked off (and perhaps they were--I have no idea).

There are a number of ways to build profit and benefit shareholders. While this can be accomplished by uncaring, ruthless methods, I believe that any thinking professional will tell you that providing a supportive, interesting environment will increase employee productivity, and providing customers with quality choices and not foisting the products with the highest margins on them (whether they suit the customer or not) will produce customer loyalty. Both of these turn into profits and increased share price in the medium- to long-term (and even some in the short-term).

Unfortunately, CIBC seems to take a very short-term view and has decided that it will simply suck every last penny out of any source available. It makes me think of the joke:

"The beatings will continue until morale improves."

Anyway, that's not what this thread is about and I've said about everything relevant to this off-topic aspect that I wish to share.

Steve

dirtyjeffer0
Posers don't use avatars.
Premium Member
join:2002-02-21
London, ON

dirtyjeffer0 to LookItUp

Premium Member

to LookItUp
said by LookItUp:

Lot of misinformation and ignorance on this forum.

1. PIN messages never touch RIM's infrastructure nor do they touch the corporate infrastructure. A PIN message is sent directly from one device, over the wireless network, to a second device, period.

2. PIN messages are encrypted during transmission using Triple-DES in much the same way emails are encrypted. The main difference is that all the PINs use the same key, and as such are not considered "secure", even by RIM...this is not a secret. To be secure, RIM recommends using the corporate mail system to ensure messages are encrypted using a random key unique to the user.

3. Messages are only encrypted during transmission...they are not encrypted on the device or in the user's mailbox, regardless of whether the user sent an email or even a PIN. If you want end-to-end security, RIM offers an S/MIME security package which ensures that the email is always encrypted.

These guys used BlackBerrys to send P2P messages, but there is no reason to believe that this information was deleted from the devices. Once those devices were turned in, the information on them would be easily and ethically accessible by the BlackBerry admins.

There is a security evaluation of the RIM security solution posted on their web site (and it has been there for some time for those who care to actually investigate this issue) that was conducted by @Stake Security. Feel free to review it
here: »www.blackberry.com/knowl ··· vernum=1

Good info...I know that BlackBerrys are about as secure as you can get on a wireless device...by combining Triple-DES technology with CDMA, you have a VERY secure transmission.