{ "name": "stig_blackberry_os_7.x.x", "date": "2015-08-12", "description": "BlackBerry OS 7.x.x STIG in XCCDF format", "title": "BlackBerry OS 7.x.x Security Technical Implementation Guide", "version": "2", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-11865", "title": "When the Password Keeper is enabled on the BlackBerry device, the AO must review and approve its use, and the application must be configured as required.", "description": "Password Keeper is a default BlackBerry application that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local AO. Passwords are stored using 256-bit AES encryption using the BlackBerry FIPS 140-2 certified encryption module. Passwords in the Password Keeper can be copied and pasted into other applications but the password is unencrypted while it resides in the BlackBerry handheld device clipboard.", "severity": "low" }, { "id": "V-11866", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.", "description": "Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "low" }, { "id": "V-11870", "title": "Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.\n", "description": "Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.", "severity": "high" }, { "id": "V-11871", "title": "BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy. ", "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for BlackBerry certificate configuration information.", "severity": "low" }, { "id": "V-11872", "title": "If BlackBerry email auto signatures are used, the signature message must not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”). ", "description": "The disclaimer message may give information which may key an attacker in on the device. This is primarily an OPSEC issue. This setting was directed by the USCYBERCOM.", "severity": "low" }, { "id": "V-11875", "title": "All Internet browser icons must be disabled from the BlackBerry device except for the BlackBerry Internet Browser icon.\t\n", "description": "The BlackBerry Browser forces all Internet browsing to go through the site internet gateway, which provides additional security over the carrier's browser.", "severity": "low" }, { "id": "V-19213", "title": "BlackBerry devices must have required operating system software version installed.", "description": "Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.", "severity": "medium" }, { "id": "V-19227", "title": "Security configuration settings on the BlackBerry devices managed by the site must be compliant with requirements listed in Table 5, BlackBerry STIG Configuration Tables. ", "description": "These checks are related to a defense-in-depth approach for the BlackBerry, including ensuring the locked BlackBerry is not identified as a DoD BlackBerry and providing visual indicators when the Bluetooth radio is being used so users can verify they have initiated a Bluetooth connection attempt or if a hacker has initiated the connection.", "severity": "low" }, { "id": "V-19281", "title": "BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications. ", "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy. Reference the DoD CIO memorandum regarding interim guidance on the use of derived PKI credentials (2015-05-06 DoD Interim Guidance for Implementing Derived PKI Credentials on Unclass CMDs) for Blackberry BlackBerry certificate configuration information.", "severity": "low" }, { "id": "V-19311", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.", "description": "Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "medium" }, { "id": "V-19312", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.", "description": "Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "medium" }, { "id": "V-19313", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.", "description": "Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "low" }, { "id": "V-21949", "title": "Required version of the BlackBerry Smart Card Reader (SCR) hardware must be used, and required versions of the drivers must be installed both on the BlackBerry and the SCR.", "description": "Required SCR security features are not available in earlier versions, and therefore Bluetooth vulnerabilities will not have been patched.", "severity": "low" }, { "id": "V-22058", "title": "BlackBerry Web Desktop Manager (BWDM) or BlackBerry Desktop Manager (BDM) must be configured as required. ", "description": "The BWDM provides the capability for users to self provision their BlackBerry, and to synchronize the BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256 character AD password.", "severity": "low" }, { "id": "V-26508", "title": "Only approved Bluetooth headset and handsfree devices must be used with site managed BlackBerry devices. ", "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.", "severity": "medium" } ] }