Tag Archives: Blackberry

Security News for the Week Ending August 20, 2021

Well That Seems Like a Bit Over the Top

A pharmacist in Illinois faces up to 120 years in prison for selling dozens of (I assume blank) Covid vaccine cards. The pharmacist sold 134 cards to 11 buyers for roughly $1276. He is being charged with theft of government property. That seems like a stretch, but maybe. Mostly they want to make a point that if you want a fake vaccine card, you should create them on Photoshop yourself. Yes, it will take you a few hours, but it isn’t very hard. That makes it harder for the feds to discover that you did that. And don’t brag about it on social media. Mind you, just because you do make it yourself doesn’t mean you aren’t breaking the law. Falsely using a government seal, for example, is a crime, but it probably won’t get you 120 years, which is why they came up with this creative charge. Just doing a quick Google search, I found blank cards online, so I have no idea why anyone would buy one. Blank cards were also for sale on Amazon for a while – 10 for $12.99. Credit: Bleeping Computer

Another Day, Another Cryptocurrency Hack

Last week a hacker stole $600 million in cryptocurrency for fun … and then gave it back. This week hackers stole $97 million from the crypto exchange ‘Liquid’. This time it doesn’t appear to be a joke. The exchanges are getting better at freezing the money when this happens because they have so much experience at it. That is probably not a good thing. For the hackers, that is. Credit: Data Breach Today

Blackberry Says Older Versions of Its QNX OS Vulnerable

Blackberry sells a real-time operating system used in cars, medical equipment and other embedded equipment. This includes 175 million cars (this number doesn’t include the tens of millions of other devices which could have been bought pre-fix and are still in use in factories, warehouses and many other places). But the cars are older cars – Blackberry says that they fixed the bugs in 2012 – after denying for months that they existed. That likely (maybe) means that products that were DESIGNED after 2013 or 2014 are not vulnerable, but that could be a design date and not a manufacture date or sale date. Blackberry has released patches to manufacturers, but that doesn’t mean that patches have been installed. Credit: The Register

Ransomware 4.0? Maybe

First there was ransomware. Just encrypt your files and demand money. Then ransomware 2.0 – steal your data and demand money to get it back. Next came ransomware 3.0. With this generation, the hackers go directly to the businesses’ customers (one example was a psychotherapy practice where the hackers threatened to release the therapists’ notes if the patients didn’t pay up). Now comes version 4. With V4, the hackers offer employees of the intended victim a cut of the action if they release the ransomware into their employer’s network. Wow. This is getting out of hand. Credit: Brian Krebs

Blackberry WAS the Gold Standard For Security – Or Was It?

A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals.

For years we always thought Blackberry was the security standard that everyone else was measured by.  In April we found out that the Canadian and Dutch police had access to the Blackberry encryption key.

How’s this for security?  It turns out that for most users, there is ONLY ONE KEY!  Corporate users with their own BES server can create their own key, but all of the consumer and small business users that did not have their own BES server shared one encryption key.

From the Canadian Broadcasting Company (CBC) report:

One document obtained by CBC News reveals how the Waterloo, Ont.-based company handles requests for information and co-operates with foreign law enforcement and government agencies, in stark contrast with many other tech companies.
“We were helping law enforcement kick ass,” said one of a number of sources who told CBC News that the company is swamped by requests that come directly from police in dozens of countries.

Apparently extracting data from Blackberries is so popular that the company has created a form for foreign governments to fill out.  As long as the requesting foreign government signs the form saying that it is legal in their country to get the information, Blackberry diligently decrypts the data and hands it over.

Of course they have no clue whether it is legal in that country, and apparently, they don’t care very much.

There is an international treaty called the Mutual Legal Assistance Treaty that governs this activity, but Blackberry is ignoring it – one assumes with a wink from the Canadian government in Ottawa.  I cannot believe that this has gone on for years at the apparent volume which it has and the Canadian government is not either aware or complicit.  Complying with the treaty that Canada signed allows Canadian government officials the time and ability to review requests to see if they are legal under Canadian law.

Ignoring the treaty is much simpler.  Easier.  And quicker.

Blackberry said they were not going to comment on whether they were violating an international treaty.

I assume that sucking sound that you hear is the few remaining customers that they have leaving.

Of course, since they are doing this under the cover of secrecy, we have no idea what they have given to whom.

If they have given the KEY – the one and only key – to foreign governments, then all traffic is compromised.  Again supposedly except for those businesses that have a BES server.  Supposedly.

One more time, this means that people should continue to assume that, unless they have gone to extraordinary measures, communications they send from their mobile devices are not private.  This includes photos – especially ones of an adult nature.  You may remember Edward Snowden saying that analysts at the NSA especially liked to share those with each other.

And even if you trust, say, the Canadian government, do you equally trust, say, the Russian government with whom they may have also shared that one and only key?

This does not mean that you should stop using your phone.  It is, however, useful to understand what protections you do – and do not – have.

Information for this post came from Techdirt.

We Only Thought Blackberry Was Secure

Blackberry CEO John Chen said that tech companies must balance customer privacy with lawful government interests.  The translation of this is “we have given the Blackberry keys to a variety of governments”.  And we only THOUGHT that Blackberrys were secure.

One point that is important to understand is that for companies that have their own BES (Blackberry Enterprise Server), we do not think that Chen has those keys to give out.  But who knows – we didn’t think he was giving out other keys either.

The President has a Blackberry.  Did Chen give the key to the President’s Blackberry to China?  I hope not, but…  To alleviate those concerns, while the Feds are silent on the issue, we can assume that the Prez’s phone has “extra” security in it.

In the cases in question, it appears that Blackberry may have given the KEYS to these governments, not just select messages from select customers.

That means that those governments can eavesdrop on any message from any customer without any further intervention from Blackberry.  Blackberry can plead ignorance because, basically, they unlocked the door and left it ajar.

What this means, if true, is that Blackberry customers should not assume that their communications are secure.  As consumers, we do not know which countries Chen gave keys to.  Are those governments reading consumers’ messages because they think those consumers are terrorists?  Have committed a crime?  Or just disagree with the government?  Who knows?

For those people who have assumed that their Blackberry is more secure than, say, an Android or Apple phone, maybe they should rethink that decision.

Information for this post came from Infoworld.