[ISN] Microsoft push-email row escalates

From: InfoSec News (alerts@private)
Date: Wed Nov 08 2006 - 22:12:10 PST


http://news.zdnet.co.uk/communications/0,1000000085,39284628,00.htm

By David Meyer 
ZDNet UK
08 Nov 2006

Microsoft claims analyst allegations that its mobile phone operating 
system has inherent security flaws are inaccurate and should never have 
been published.

Last week the software giant refused to explicitly deny a report from 
Jack Gold, of US analyst firm J Gold Associates, that suggested 
enterprises might be turned off using Windows Mobile 5.0 devices, as 
data sent to the handsets via Direct Push was not encrypted on the 
device itself.

At the time, Microsoft would only reiterate that data was sent to the 
handset using SSL encryption, and suggested that password protection, 
coupled with the ability to remotely or locally wipe the handset, showed 
that "companies can trust the relationship between Windows Mobile 
devices and an Exchange Server to help control vital information".

However, on Wednesday Microsoft contacted ZDNet UK with a more detailed 
rebuttal of J Gold Associates' claims. Microsoft's UK and EMEA mobility 
business manager, Jason Langridge, said the company had been 
"disappointed by [the report] because we had made them aware that there 
were inaccuracies [in it], but the authors still chose to publish". He 
also repeated the claim that "the feedback from customers is that they 
feel the protection from the PIN code on the device, or [the fact] that 
we can remotely wipe it, or it can self-wipe, manages the risk".

"We don't encrypt the mail store, but we do have third parties that we 
work with if you wish to do that," Langridge added, suggesting companies 
such as Pointsec and Credant as examples. He also criticised companies 
such as RIM, which does offer embedded encryption on its BlackBerry 
handsets, for relaying email via network operations centres, saying: "The 
reason RIM has to encrypt the data is because there isn't end-to-end 
encryption. [Our] RC4 or triple-DES encryption ensures data is 
transmitted in a secure way without having to pass through a third-party 
relay."

Approached for a response, Jack Gold told ZDNet UK that Microsoft had 
indeed contacted him with "minor corrections" to several paragraphs of 
the report he had "purposely" sent them, and he had then incorporated 
those corrections into the final version.

"Their corrections were related to [push email enabler] AirSync vs 
[local synchronisation tool] ActiveSync and how they functioned. Never 
did they refute the fact that data on the devices is not encrypted. They 
indicated that the data across the connection is encrypted via SSL, 
which I agree is a safe way to send the data. They never refuted the 
fact that data remains unencrypted on the device itself, which is, in my 
opinion, a significant flaw in their design," he said on Wednesday.

Gold then went on to repeat his assertion that, although client-side 
encryption can be incorporated by third-party products, "it will break 
the Direct Push (AirSync) mechanism. If they do indeed add Credant or 
Pointsec, then they have to go with a different synching capability and 
forego use of Direct Push". He also suggested that remote wiping was an 
inadequate level of protection, as a device can be lost for hours or 
more before anyone realises it is missing and sends the "kill message".

As for Microsoft's comments on RIM's approach to push email, Gold 
explained: "On the BlackBerry, all data is also encrypted while stored 
on the device even after it is received from the [network operations 
centre], and decoded when used. That is a key difference, and a 
requirement for many security compliance tests."

"The bottom line is, we stand by our original contention that Microsoft 
Direct Push has a significant disadvantage over BlackBerry, Good, Sybase 
and others when it comes to security if you are a user who is concerned 
about data loss," Gold added.

