Freshly Picked McCain Blackberrys
Tuesday, December 16, 2008 at 12:12AM
A few weeks ago the McCain campaign started selling off all the items they collected to help run their campaign. For cheap you could get desks, lamps, laptops, Blackberrys and many other office knickknacks. As it turns out, a Fox News station in DC picked up a Blackberry for $20 and discovered it was chock-full of confidential information. They found the private contact information for politicians, political advisors and journalists.
When I heard this story the first thing that came to mind was: why the heck aren't they using a BES to secure these devices? Blackberrys are probably the easiest mobile device to secure. This can be accomplished using a software package RIM sells called the Blackberry Enterprise Server (BES). The BES allows a Blackberry to wirelessly sync email and other information to a corporate Microsoft Exchange or Lotus Notes server. However, the BES also offers the ability to apply policies to all the devices that are attached to it; think of them as group policies for Blackberrys. Using these policies it is possible to lock down the devices by requiring a password, specifying encryption levels, limiting what programs can be installed, etc.
If the McCain campaign had simply required a strong password, the leak described above would not have been possible. To access the device, the reporter would have needed either to reset the device, which would have cleared the memory, or to try to guess the password, which after too many wrong guesses also would have caused the device to erase its memory. Better yet, using the BES the McCain campaign could have simply sent a remote wipe command to the devices, resetting them to the factory default before they were even sold.
So the moral of the story? If you have Blackberrys deployed at your company, be sure the BES policies are being used to harden the devices.
Cheers,
Matt
P.S. I wonder if the McCain campaign is selling off any servers or SAN devices in their going-out-of-business sale?