BlackBerry patching Heartbleed vulnerability for Secure Work Space, BBM

By Rene Ritchie on 13 Apr 2014 09:24 pm EDT

BlackBerry is working on a patch for Heartbleed, the recently discovered OpenSSL vulnerability that could allow an attacker to obtain information from a server, including private keys and passwords. The focus is primarily on Secure Work Space and BBM. BlackBerry SVP Scott Totzke commented on the realities of the threat and the chances of the vulnerability being exploited.

"The level of risk here is extremely small," because BlackBerry's security technology would make it difficult for a hacker to succeed in gaining data through an attack.

"It's a very complex attack that has to be timed in a very small window," he said, adding that it was safe to continue using those apps before an update is issued.

Still, better safe than sorry. And it's reassuring to know BlackBerry not only has great security built-in, but that they're actively working to fix anything that does get caught.

How are you dealing with Heartbleed?

Source: Reuters

115 comments

RP Singh

No problem for me so far.

Sent from my iPuh-lease-as-IF

jcordova2819

All good here.

Posted via Q10

sinkingphoenix

You wouldn't notice a problem, the attack leaves no trace. Better to change all passwords tbh.

Posted via CB10

Dat Gui

Wtf is heartbleed?

Posted via CB10

RP Singh

A vulnerability with OpenSSL that caused CRA to shut down their website temporarily.

Sent from my iPuh-lease-as-IF

lemonpancake90

One of the largest security holes ever found regarding the Internet as a whole, affecting up to 2/3 of websites that use OpenSSL.

Posted via CB10

blocknards

An NSA backdoor that was discovered....>=)

THBW

Exactly. Yet again another reason the world can't trust a single line of code originating out of the US. At least the good news is that the NSA and the executive branch of the US government didn't deny it when they were discovered.

Posted via CB10

root56

Haven't read any such interview could you please give a link?

Gerii

Actually, this line of code came from Germany according to the reports.

Posted via CB10

Observation Junkie

I think it's a bleeding heart story.

Posted by the Crackberry Pirate

Killjoyhere

Renee doing Crackberry articles and Kevin doing Apple. This website gets stranger by the minute.

Posted via CB10

manonthemoon

Yeah I saw that right away. Very confusing as to why?

Posted via CB10 via Z30

Rene Ritchie

Because, Newsroom! http://crackberry.com/introducing-mobile-nations-newsroom

I'm working Sunday night so Kevin, Bla1ze, and Adam can get other stuff done :)

Killjoyhere

Thanks Renee you are a team player. :)

Posted via CB10

RP Singh

Renée is a girl's name. René is the author.

Sent from my iPuh-lease-as-IF

Rodney Wilder

Thank you for helping out, but you should update the posting to note that this is only for the IOS and Android versions of these apps as BlackBerry versions do not use OpenSSL but BB's own encryption.

jope28

Thanks. I would've never known that from the post. Surprised it wasn't mentioned in the article.

Posted via CB10

root56

Was in the last article about this topic.

Jerale

+100. Exactly what I was thinking.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

artie

Thanks for clarifying that for us.

Kevmobile

Thank you Rene and thank you Rodney.

BGK

Thank you for pointing this out - it's good for BlackBerry (well, me for sure) people to know . :)

axllebeer

Had no idea René but still, I enjoy your articles wherever they are. :)

Looking forward to the next AdHoc as well.

Posted from my CB via the power of "Q"

manonthemoon

Thanks for clarifying why you were over helping out on Crackberry writing such a great BlackBerry article!

Posted via CB10 via Z30

bbdodgersdude

Thanks Rene!

Posted via CB10

Kamika007z

Thanks Rene. You've earned my respect just by doing this. :)

IJKBB10

Rene is cool. He helps Kevin and the Crackberry team with podcasts and etc!! And he's one smart dude as he knows his stuff as Kevin mentioned a while ago.

I have no problem with Rene writing articles for us Crackberry members :)

Posted via CB10 on my Z30

lengend

Rene sometimes posted articles and would be on the CB podcasts which I think is nice cause he's not biased and is always thoughtful.

Posted via CB10

Prem WatsApp

He's from "the other camp", but a gentleman nonetheless. I don't mind articles from Rene, because he deals with everyone respectfully. Thanks for the write-up.

"No Q10?" -> "Buy from Chen... "

Fourspeed

LastPass has a nice security checker.

Q10 Rocks

Devil

That's a password checker - not a security checker.

Posted via CB10

Fourspeed

Point taken but it does check the security of sites visited and when to change your password.

littlesharkfish

When your survival depends on security, will your customers be OK with "the risk is extremely small"?

Posted via CB10

Puz_zled

If your survival depends on secure communications, then you shouldn't be using iOS and Android solutions even with BlackBerry secure work space and BBM. These are for good enough security just like all the other iOS and Android MDM providers. You should be using native BlackBerry handsets connected to BES for the highest security end to end solution and for whom Heartbleed is not an issue.

This post Powered by BlackBerry

root56

Don't they just put in a new cert? I mean my email provider has given me new certificates.

somerandombbusername

Yah, they confirmed there is an unpatched vulnerability, even with some vague details how to exploit it. Not the best security practice...

jrohland

It's way past time they made an announcement. Most everything else I deal with had a patch out by yesterday. And here BlackBerry still screws around.

Posted using my Peerless BlackBerry Z30

littlesharkfish

Especially when you brand yourself "national security", someone needs to take his job seriously.

Posted via CB10

Rodney Wilder

Do note that this is only for the IOS and Android versions of these apps, as the BlackBerry10 and BlackBerry OS versions do not use OpenSSL but BB's own proprietary encryption.

THBW

Oh, those pesky facts getting in the way again.

Posted via CB10

root56

Isn't BlackBerry to iOS/Android also compromised? (Or did I misunderstand the OP in the first article?)

littlesharkfish

Appearance matters!! How can a security-focused company make a statement saying it's a "small risk"? Do you see Honda or GM state that it's a small defect so they're not going to recall the cars?! For anyone who makes this kind of statement, I don't think he knows what really goes on in the real world!!

Puz_zled

Native BlackBerry of all types are not vulnerable. Just indicates the inherent potential vulnerabilities in the other two major platforms and the continued risks of using them where security is a priority.

This post Powered by BlackBerry

crackbrry fan

If you really believe that, good for you. As far as I have read, all those patches on other platforms are a waste. Till certificates expire in 2017, there is little that can be done about the potential threat of Heartbleed. Now had security really been a concern to the consumer they would have gotten BlackBerry handsets! BlackBerry using their end to end solution, as far as has been reported, aren't affected. I don't see media houses reporting this. This should be proof that you can't beat BlackBerry for peace of mind.

Posted via CB10

mavsguy842

At the university I work, we had to patch a few of our CentOS Linux servers, particularly our servers that house our Shibboleth IdP's and SP's. We determined there was an extremely low probability we were compromised, and we patched all our servers within 2 days of the news breaking.

slade632

These PSA by BlackBerry are quite awesome. Shows that they're concerned about the public reaction

Posted via CB10

rabbitupnorth

I write each financial institution I deal with to get their specific assurances that this vulnerability is either not applicable or has been patched. All but one have responded that either it never was a threat, or software has been updated.

jic999

It's not only how good your security is but how fast and efficiently you can patch your security platform.

Z30 : posted via CB10 app

Elvis Salvador

My heartbleeds only for my ex-girlfriend :0(

I don’t think I’m conscious of making monsters Outta the women I sponsor til it all goes bad. But it’s all good. I’m just sayin’ you could do better. Tell me have you heard that lately? I’m just sayin’ you could do better. And I’ll start hatin’ only if you make me.

Posted via CB10

Devil

Hahahahahaha

Posted via CB10

BerryRipe

Stop 13th steppin' lol!

BlackBerry Q10 Keep The Faith

Drmoe

Another reason why I love my BlackBerry soooooo much!

Posted using the best phone ever, the Z30!

steakman911

Not an issue, only apps that initially concerned me were the bank apps: PC Financial - all over it, TD - all over it, CIBC - all over it.....Amex.ca...?? Nada, no comment or dialogue box saying "we have several layers of added security".

Typical Quebec arrogance. Too bad they didn't secede...!

Via what's really, a BOLD X....on X.II.I

farmwersteve

Hey steak

I'm using some of those apps and online banks too. When you say all over it, what do you mean?

For me, I want to know if there was a problem for them and they patched it, if so, when so I can change my password again

Otherwise if there never was a threat, I want to go back to my original password

So who did you contact to let you know the status?

Thanks

Posted via CB10

oddboy

Assume your password is compromised. Don't go back to one you've used in the past 3 years.

BRON: a cron-like scheduler for BlackBerry 10. http://apps.oddelement.com

rickster2611

Cyber crime is the biggest threat the world will ever face due to our reliance on and the interwoven nature of the Internet.

When you are sane person in an insane world, people question your sanity.

When you put security before apps, people always question your sanity.

When there's a breach that affects Android, Apple and Windows devices, will that be the time you start thinking BlackBerry?

Failure to prepare, prepare to fail.

A battle is won but the war continues...

Well played BlackBerry...time to beef up the security even more. Triple encryption.

BlackBerry...Get it done

Posted via CB10

FOR RIM

MY BLACKBERRY TAKES CARE OF IT

John Kastanes

Reuters mentions BlackBerry as a weak link when it is bbm on ios and droid os's.

Posted via CB10

rallen562

Here is the working LastPass Heartbleed checker. https://lastpass.com/heartbleed

Posted via CB10

HaberNik

Says it messed up.

Tapped and flicked from my BlackBerry Z30!

imcurved

How am I dealing with Heartbleed? A lot of soul searching Rene.

CB10

Elvis Salvador

Just free your mind and the rest will follow

Posted via CB10

RP Singh

Be colour blind, don't be so shallow.

Sent from my iPuh-lease-as-IF

mavsguy842

Why oh why must it be this way?

Elvis Salvador

I feel like love is in the kitchen with a culinary eye

Posted via CB10

RP Singh

Before you can read me you got to learn how to see me.

Sent from my iPuh-lease-as-IF

Solar 77

Lol at the posts above!

Posted via CB10

Elvis Salvador

Post don't mean anything if the mail man doesn't deliver

Posted via CB10

adams80

I just found a heartbleed channel, it's worth checking here's it's pin C003B3D7A

androidphanatic

BlackBerry ftw.

Posted via CB10

rodgoodman

It was about time to update passwords. Good thing I was able to document all passwords and add to my personal safe.

Posted via CB10

Lanre Folarin

Thanks

Posted with a Z30

ojaninoa10304

Thankfully, all is good here as well. I hate when these things happen.

Posted via CB10

trsbbs

And the NSA thanks you.

Sigh....

Posted via Verizon Z10 - OS v10.1.2.2174

Jerale

See Rene us BlackBerry users don't have to deal with Heartbleed. We aren't affected by it. You forgot to mention that the vulnerability is with BBM on iOS and Android which the app is tied to both their softwares which we all know are already full of holes (iOS) and malware (Android). Us BlackBerry users aren't affected by Heartbleed so we don't have to deal with it.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

cribble2k

Arrogance is bliss?

Remember when Mac users were smug that they'd never be hacked, most never used any anti virus software?

I think the point is blackberry (much like Mac computers) are so few, even the hackers won't bother.

But that's OK. When you sit there all smug and secure, thinking you have it all figured out, just remember - nothing is 100% secure. If people want your data, they'll find a way to get it.

Jerale

Dude do your research. BlackBerry has already said their devices weren't affected and if you didn't know they have better encryption keys and patents (thanks to acquiring Certicom) so I would say they're pretty secure. Only thing that can be breached is the network since those not in enterprise aren't on BES including me. It turns out you're the ignorant one. Peace.

Powered by my BlackBerry (Z10). Join my #BBM Channels C001227CF, C00476C37, C003829C9, C002454C9,C002190AC, C00120CE3

don_poky

Who wrote this article?

Posted via CB10

bhrgvr

My employer patching all our laptops through COE...

Posted via CB10

smoothrunnings

Hope this patch works on all versions of BES10 as I am very sure that not everyone who is running BES10 is running with the latest version.

Wawan Tea

I can't log in to my Gmail and Yahoo accounts.

Posted via CB10

Prem WatsApp

You're doing that from your 'Berry? Check in the forums or ask your question there.

"No Q10?" -> "Buy from Chen... "

Playbook007

That was a good read. I like how Rogers down plays the issue with android devices. They basically have abandoned BlackBerry and push Android devices in a big way. Looks good on them.

Posted via CB10

Ken Khosla

Fanboy writing an article not bashing BB. Guess that's what happens when you just become part of Mobile Nations, huh. Maybe you can get AppleInsider on board too.

Stomps01

Didn't they say bb10 wasn't affected the other day? If it isn't affected why patch it?

Posted via CB10

ofutur

BlackBerry has still not acknowledged that part of their infrastructure was vulnerable... I'm sure someone clever could intercept interesting data if he had managed to steal the bbm.blackberry.com secure certificate.

SpartanSK117

Did someone create this Heartbleed? Or is it just a bug they discovered?

Posted via CB10 on the White BBQ5

SpartanSK117

Actually, I found it. A German called Robin Seggelmann. He claims it was an accident and he had no malicious intent. And Alcohol wasn't a factor xD

Posted via CB10 on the White BBQ5

Prem WatsApp

How ironic. No insult, but "Seggel" means something like idiot, moron or jerk in the Stuttgart (Swabian) dialect and elsewhere. "Depp" is another word that's very close (no drama, Johnny, you're still funny!).

If I lived in Germany, I would probably have requested a name change a long time ago...

"No Q10?" -> "Buy from Chen... "

nt300

This bug has been around for at least 2 years now. All I know is BlackBerry 10 devices were secure. At least 30% of Android devices were affected and about the same with iPhones.
That said, a year ago, they were all affected. Especially the iPads.

Posted via CB10

GoJaysGo

WTF? iOS devices are not affected by Heartbleed... Seriously, do people just make up shit now?

Prem WatsApp

We are talking about BBM on iOS, which is affected due to the fact that it's running and relying on certain components of the underlying OS.

"No Q10?" -> "Buy from Chen... "

SaintThomasAquinas

Generating a new cert with the original vulnerable code does not resolve the problem. So if your email provider or financial provider or whomever issues a new cert generated using the original openssl this will deny access to someone who has been able to implement the attack initially as now the cert is no longer valid. However to be completely secure the new certs should only be generated and issued after having installed the patched openssl code. So simply generating new certs using pre-patched code is a Band-Aid until you install the patched code.

SpartanSK117

How long have people's details been stolen!

Posted via CB10 on the White BBQ5

SaintThomasAquinas

@crackbrry fan - You are incorrect about this issue not being resolvable until certificates expire in 2017. First, SSL certificates do not all expire and get renewed for the entire internet all at once, in the same way that not all apartment leases are issued or expire on the same day, say for example Jan 1, 2015. You buy a certificate usually for 1 year or 3 years and the clock starts ticking the day you receive the email from Verisign or whomever you bought that certificate from. Second, the problem in the OpenSSL code that causes this vulnerability was, and I quote the German developer who wrote the code, "I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed." If you are interested in how it works in very basic terms see this cartoon... https://xkcd.com/1354/
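The missing length check quoted above, shown as an added example (this is not OpenSSL's code and not from the page; only the record layout follows RFC 6520): a toy heartbeat handler without the check beside one with it, run on a constructed request whose payload_length field claims 40 bytes while the record actually carries 4.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified heartbeat record (layout as in RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * Example code, not OpenSSL's; only the field layout is the RFC's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  64   /* record lives inside a larger buffer so the over-read
                            below stays in allocated memory (no UB in the demo) */

static int read_be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Vulnerable handler: copies payload_length bytes back without ever asking how
 * long the record actually was. Returns the response length. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                          /* the bug: record length ignored */
    int payload = read_be16(rec + 1);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);   /* may read past the record */
    return 3 + payload;                     /* response padding omitted */
}

/* Fixed handler: header + claimed payload + minimum padding must fit inside
 * the bytes that arrived, otherwise the record is discarded (returns -1). */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    int payload = read_be16(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);
    return 3 + payload;
}

/* Builds a request carrying the 4-byte payload "ping" plus 16 padding bytes,
 * but with payload_length set to `claimed` (keep it <= 61 for this arena).
 * Bytes after the record are filled with 'S' as a stand-in for unrelated
 * memory. Returns the true record length. */
static size_t build_record(uint8_t *arena, int claimed)
{
    memset(arena, 'S', ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)claimed;
    memcpy(arena + 3, "ping", 4);
    memset(arena + 7, 0, HB_PADDING);
    return 3 + 4 + HB_PADDING;              /* 23 bytes actually received */
}

/* How many 'S' bytes (memory outside the record) the vulnerable handler
 * echoes back when the peer claims a payload of `claimed` bytes. */
int leaked_bytes_vulnerable(int claimed)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_record(arena, claimed);
    int n = heartbeat_vulnerable(arena, rec_len, out), leaked = 0;
    for (int i = 3; i < n; i++) leaked += (out[i] == 'S');
    return leaked;
}

/* Result of the fixed handler on the same record: -1 when the claim is a lie. */
int fixed_result(int claimed)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_record(arena, claimed);
    return heartbeat_fixed(arena, rec_len, out);
}
```

The honest request (claimed 4) gets a 7-byte response from both handlers; the dishonest one (claimed 40) makes the vulnerable handler echo 20 bytes it never received, while the fixed handler drops it.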

SaintThomasAquinas

@ofutur - The apps that use OpenSSL sit inside the Sandbox created on BB10 you know the whole "work/play" division. So when you install an Android App inside that "Container" it cannot access the BB10 "infrastructure" [to use your term]. Thus at no time was there a risk in BB10 unless you used an Android App and then you are just as vulnerable as any Native Android/IOS app user. Technology is complicated and scary when you don't understand it. But you do a disservice by speculating without understanding how things work. You create a Panic and we have all seen enough News footage of a Black Friday sale at Walmart to know what happens then...

SaintThomasAquinas

@SpartanSK117 - There is no way to know whether a given site has ever been attacked, successfully or otherwise. The vulnerability was in code that is two years old. So the answer is it is possible the vulnerability has been exploited for two years. Please understand... Any site or device that used the OpenSSL stack was/is vulnerable until patched. BlackBerry does not use OpenSSL. So there was/is no vulnerability. The vulnerability affects websites and apps that rely upon OpenSSL. So yes, if you use a BBOS browser and visit a website that uses the OpenSSL stack [the majority do] then yes, you were vulnerable. Nobody would be able to steal the private.rim.[whatever].cert from your device and thus rain down destruction upon the Earth, because the private key is on the server, not the mobile device.

Papadesaoud

Never had a hiccup

Posted via CB10

jdcfinisher

Local paper had a story on this. Caption: BLACKBERRY FIXING MAJOR SECURITY FLAW. Really? Makes it sound like it's BlackBerry's fault and BlackBerries aren't safe. It's only once you start reading the story that they state it's the Internet, not BlackBerry, that has the flaw. But that didn't stop them from using BlackBerry as the example of what can go wrong, in the worst case.

Posted via CB10

Rootbrian

Source?

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.

Rootbrian

I haven't had any issues dealing with it. Even though I have a website up, it doesn't have anything personally identifiable stored on it. Lol.

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.

nabollocks

Blackberry plans Heartbleed patches as mobile threat scrutinized - This is a terribly misleading headline!
Reuters has an agenda with this line of reporting and it is only negative news for BlackBerry.

Why is BlackBerry even mentioned in the headline of this article? Why doesn't the headline say Apple plans... or Samsung plans... or Google plans...

BlackBerry released a report indicating that their devices were immune from the heart bleed attack and only those platforms for which BlackBerry is not responsible are susceptible. This was not made clear in the article... on purpose?

BlackBerry released the following report before Reuters reported:

Affected Software

BBM for iOS and Android - There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit.
Secure Work Space for iOS and Android - There are no mitigations for this vulnerability for Secure Work Space for iOS and Android.
BlackBerry Link for Windows - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
BlackBerry Link for Mac OS - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
Non-Affected Software

BlackBerry Enterprise Service 10
BlackBerry Enterprise Server 5
BlackBerry Universal Device Server
BlackBerry® 10 OS
BlackBerry® 7.1 OS and earlier
BBM for BlackBerry smartphones

So, why does Reuters turn this around and make BlackBerry responsible for Apple and Android phones?

After reading the article I am left feeling that this problem is with BlackBerry only. Notice Apple and Google declined to respond.

Reuters is making news again at the expense of BlackBerry.

Posted via CB10

nabollocks

Ironic is it not?!

Posted via CB10

Prem WatsApp

If someone calls him/her/itself a journalist.

"No Q10?" -> "Buy from Chen... "

Prem WatsApp

... and can't or doesn't read...

"No Q10?" -> "Buy from Chen... "

drfever

Slightly off topic but I got hit with the latest Ransom-Ware Trojan. encrypted all my files and demanded ransom for a special key to decrypt..Symantec was able to remove the Trojan but couldn't decrypt. Luckily an IT pro I know sent me Shadoware which is a utility to decrypt