{ "name": "stig_blackberry_handheld_device", "date": "2012-10-01", "description": "BlackBerry handheld STIG in XCCDF format", "title": "BlackBerry Handheld Device Security Technical Implementation Guide", "version": "2", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-11865", "title": "When the Password Keeper is enabled on the BlackBerry device, the DAA must review and approve its use, and the application must be configured as required.", "description": "Password Keeper is a default BlackBerry application provided by RIM that can be installed on the BlackBerry handheld device. This application allows users to store passwords. The use of Password Keeper should be reviewed and approved by the local DAA. Passwords are stored using 256-bit AES encryption using the BlackBerry FIPS 140-2 certified encryption module. Passwords in the Password Keeper can be copied and pasted into other applications but the password is unencrypted while it resides in the BlackBerry handheld device clipboard. ", "severity": "low" }, { "id": "V-11866", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.\n", "description": "Insecure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "low" }, { "id": "V-11870", "title": "Onset Technologies METAmessage software must not be installed on DoD BlackBerry devices or on the BES.\n", "description": "Onset Technologies METAmessage software is production software which may introduce a virus or other malicious code on the system. This software is not approved for use on DoD systems.", "severity": "high" }, { "id": "V-11871", "title": "BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications or any other email required by DoD policy. ", "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy.", "severity": "low" }, { "id": "V-11872", "title": "If BlackBerry email auto signatures are used, the signature message must not disclose that the email originated from a BlackBerry or mobile device (e.g., “Sent From My Wireless Handheld”). ", "description": "The disclaimer message may give information which may key an attacker in on the device. This is primarily an OPSEC issue. This setting was directed by the JTF GNO.", "severity": "low" }, { "id": "V-11875", "title": "All Internet browser icons must be disabled from the BlackBerry device except for the BlackBerry Internet Browser icon.\t\n", "description": "The BlackBerry Browser forces all Internet browsing to go through the site internet gateway, which provides additional security over the carrier's browser.", "severity": "low" }, { "id": "V-16340", "title": "BlackBerry devices managed by the site must be scanned with the DoD Autoberry tool or the commercially available Fixmo Sentinel tool as required.\n", "description": "The purpose of this scan is to determine if there has been an unexplained change in the BlackBerry file system that may indicate the device has been compromised.", "severity": "medium" }, { "id": "V-19213", "title": "BlackBerry devices must have required operating system software version installed.", "description": "Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions.", "severity": "medium" }, { "id": "V-19216", "title": "Mitigation actions identified by Autoberry or Fixmo Sentinel scans on site managed BlackBerrys must be implemented. (The results and mitigation actions reported by the tool should be available from the site IAO or BlackBerry administrator.)", "description": "If mitigation actions identified by the Autoberry or Fixmo Sentinel tools are not implemented, DoD data and the enclave could be at risk of being compromised.", "severity": "medium" }, { "id": "V-19217", "title": "The results and mitigation actions from Autoberry and Fixmo Sentinel tool scans must be maintained by the site for at least 6 months (1 year recommended).", "description": "Scan results must be maintained so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends for site managed BlackBerry devices.", "severity": "low" }, { "id": "V-19227", "title": "Security configuration settings on the BlackBerry devices managed by the site must be compliant with requirements listed in Table 5, BlackBerry STIG Configuration Tables. ", "description": "These checks are related to a defense-in-depth approach for the BlackBerry, including ensuring the locked BlackBerry is not identified as a DoD BlackBerry and providing visual indicators when the Bluetooth radio is being used so users can verify they have initiated a Bluetooth connection attempt or if a hacker has initiated the connection.", "severity": "low" }, { "id": "V-19228", "title": "The setup of group BlackBerrys must be compliant with requirements listed in Appendix E of the BlackBerry STIG Overview.", "description": "If the configuration is not compliant, actions on team BlackBerrys will not be traceable to a specific user as required by DoD audit policies.", "severity": "low" }, { "id": "V-19281", "title": "BlackBerry devices must be provisioned so users can digitally sign and encrypt email notifications. ", "description": "S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance that the message is authentic and is required by DoD policy.", "severity": "low" }, { "id": "V-19311", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.\n", "description": "Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "medium" }, { "id": "V-19312", "title": "Blackberry Bluetooth SCR use with site PCs must be compliant with requirements.\n", "description": "Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.\n", "severity": "medium" }, { "id": "V-19313", "title": "BlackBerry Bluetooth SCR use with site PCs must be compliant with requirements.\n", "description": "Non-secure Bluetooth configuration on the PC could make it vulnerable to compromise via a Bluetooth attack.", "severity": "low" }, { "id": "V-21949", "title": "Required version of the Blackberry Smart Card Reader (SCR) hardware must be used and required versions of the drivers must be installed both on the BlackBerry and the SCR.", "description": "Required SCR security features are not available in earlier versions and, therefore, Bluetooth vulnerabilities will not have been patched.", "severity": "low" }, { "id": "V-22058", "title": "BlackBerry Web Desktop Manager (BWDM) or Blackberry Desktop Manager (BDM) must be configured as required. ", "description": "The BWDM provides the capability for users to self provision their BlackBerry, and to synchronize the BlackBerrys to the BES. The BWDM works by providing a web client interface to the BlackBerry database via the BlackBerry Administrative Service (BAS). Users must log into the BAS to access the data service. The BAS is a private web server. CTO 0715rev 1 requires either CAC authentication or a complex 15-character password to log into DoD private web servers. DoD users must use their CAC for authentication to the BAS because they do not know their 256 character AD password.", "severity": "low" }, { "id": "V-26508", "title": "Only approved Bluetooth headset and handsfree devices must be used with site managed BlackBerry devices. ", "description": "Bluetooth usage could provide an attack vector for a hacker to connect to a BlackBerry device without the knowledge of the user. DoD data would then be vulnerable.", "severity": "medium" } ] }