http://news.zdnet.co.uk/communications/0,1000000085,39284628,00.htm
By David Meyer
ZDNet UK
08 Nov 2006

Microsoft claims analyst allegations that its mobile phone operating system has inherent security flaws are inaccurate and should never have been published.

Last week the software giant refused to explicitly deny a report from Jack Gold, of US analyst firm J Gold Associates, that suggested enterprises might be turned off using Windows Mobile 5.0 devices, as data sent to the handsets via Direct Push was not encrypted on the device itself.

At the time, Microsoft would only reiterate that data was sent to the handset using SSL encryption, and suggested that password protection, coupled with the ability to remotely or locally wipe the handset, showed that "companies can trust the relationship between Windows Mobile devices and an Exchange Server to help control vital information".

However, on Wednesday Microsoft contacted ZDNet UK with a more detailed rebuttal of J Gold Associates' claims.

Microsoft's UK and EMEA mobility business manager, Jason Langridge, said the company had been "disappointed by [the report] because we had made them aware that there were inaccuracies [in it], but the authors still chose to publish". He also repeated the claim that "the feedback from customers is that they feel the protection from the PIN code on the device, or [the fact] that we can remotely wipe it, or it can self-wipe, manages the risk".

"We don't encrypt the mail store, but we do have third parties that we work with if you wish to do that," Langridge added, suggesting companies such as Pointsec and Credant as examples.

He also criticised companies such as RIM (which does offer embedded encryption on its BlackBerry handsets) for relaying email via network operations centres, saying: "The reason RIM has to encrypt the data is because there isn't end-to-end encryption. [Our] RC4 or triple-DES encryption ensures data is transmitted in a secure way without having to pass through a third-party relay."

Approached for a response, Jack Gold told ZDNet UK that Microsoft had indeed contacted him with "minor corrections" to several paragraphs of the report he had "purposely" sent them, and he had then incorporated those corrections into the final version.

"Their corrections were related to [push email enabler] AirSync vs [local synchronisation tool] ActiveSync and how they functioned. Never did they refute the fact that data on the devices is not encrypted. They indicated that the data across the connection is encrypted via SSL, which I agree is a safe way to send the data. They never refuted the fact that data remains unencrypted on the device itself, which is, in my opinion, a significant flaw in their design," he said on Wednesday.

Gold then went on to repeat his assertion that, although client-side encryption can be incorporated by third-party products, "it will break the Direct Push (AirSync) mechanism. If they do indeed add Credant or Pointsec, then they have to go with a different synching capability and forego use of Direct Push".

He also suggested that remote wiping was an inadequate level of protection, as a device can be lost for hours or more before anyone realises it is missing and sends the "kill message".

As for Microsoft's comments on RIM's approach to push email, Gold explained: "On the BlackBerry, all data is also encrypted while stored on the device even after it is received from the [network operations centre], and decoded when used. That is a key difference, and a requirement for many security compliance tests."

"The bottom line is, we stand by our original contention that Microsoft Direct Push has a significant disadvantage over BlackBerry, Good, Sybase and others when it comes to security if you are a user who is concerned about data loss," Gold added.
This archive was generated by hypermail 2.1.3 : Wed Nov 08 2006 - 22:32:53 PST