Sunday, 20 June 2010

Steve Jobs Won't Be Pleased

Yes I know, another post about phones. My apology to those who have never struggled with touch phone technology. The last sentence should bring a smile to lighten your day!

Ministers in the Westminster government have been told that they should not use iPhones for sensitive official communications.

Many ministers and advisers are devoted fans of the devices but the touch-screen phones, used by about 4 million people in Britain, have not been approved by information security experts for use in Whitehall.

Whitehall departments have been advised not to issue iPhones to staff because of the risk that they might be vulnerable to hacking or other interference. Instead ministers and staff have been advised to use Blackberry devices and other approved phones.

Apple denies the suggestion that iPhones are not secure although I have heard, quite off the record, they are not as secure as Blackberry. I can see a law suit looming.

There is good news for Apple lovers though, especially for those who enjoy a little spiritual guidance.


Joe Public said...

"I can see a law suit looming."

And if there isn't one, it's a tacit admission that they're insecure.

Joseph Takagi said...

Many ministers and advisers are devoted fans of the devices but the touch-screen phones, used by about 4 million people in Britain, have not been approved by information security experts for use in Whitehall.

That's the main thing: "have not been approved". They're not saying it's not secure, just that it hasn't been approved yet. If you've worked in corporate IT, there's a whole load of processes in terms of approval for internal IT.

Andrew_S said...

OK, I have an iPhone. I run a consultancy business which from time to time deals in secure information. The iPhone is not suitable for secure communications because you cannot run any recognised encryption programmes on it. There isn't an app for that :-)

The Windows Mobile based phones we also use can run security and encryption applications making them suitable for secure and restricted level information. Government issue Blackberries are also very tied down for security purposes.

The iPhone only has basic PIN level protection. This doesn't meet the requirements of the government security standards.

While Civil Servants have demonstrated that they can leave folders on trains, post CDs by non-secure mail, and generally abuse security rules, losing an iPhone could open up even more holes in security.

They're consumer products, not business products.



subrosa said...

Aye true Joe. In fact I believe government security have seriously looked into this and decided they're not appropriate for use in these circumstances.

Time Apple upped the ante perhaps.

subrosa said...

That's right Joseph, they're not approved. That doesn't mean to say they haven't been tested though, does it? I believe they have been.

subrosa said...

Andrew you have the answer I've been given. Time Apple upped their security, don't you think? Mind you, Apple won't like the criticism and will fight it I'm sure.

Jay said...

I'm sure Apple will take appropriate actions regarding this issue. I believe they opt for challenges; when it comes to their products they want the best.


subrosa said...

Aye, they are sure to investigate thoroughly Jay and if found wanting, as Andrew suggests, then they'll come up with an app to solve it.

Richard said...

Echoes of the email security debacle in Westminster about a year ago. Honourable Members were advised not to install the reliable and trusted PGP email encryption application on their PCs.

"The manufacturers have confirmed that it doesn't work with MPs' PCs", said the Honourable Geeks in Parliament's IT department.

"Oh no we haven't" said the manufacturers. "It'll work just fine. Sounds a bit dodgy if the Speaker and his evil minions want you to use their security software in preference to something that's known to be unbreakable".

I believe that Blackberry emails are encrypted as they are transmitted "over the air". However, they'll be readable by anybody with access to Parliament's Blackberry Enterprise Server and email servers - such as the Speaker and his evil minions.

Paranoid conspiracy theorist? Me? Certainly not. But I would be if I was an MP using a Blackberry to fiddle my expenses and arrange extra-marital assignations.

subrosa said...

With reference to your last paragraph Richard, I'm told that's why so many MPs are also fans of iPhones. :)

Surreptitious Evil said...

Oh, so many suggestions.

MPs are not allowed to use PGP because HoC IT will not make this compatible with their gateway anti-virus (of course, to do this, the HoC gateway would need to decrypt the email on the fly, have an ADK or use the Universal Gateway mail proxy in PGP terms - which would negate the force of Richard's point. Especially as MPs would tend to decrypt their emails and save them and anybody with admin access to the Parliamentary exchange server could ...) This is a relic decision from, hell - 2001, IIRC, when I was doing some security consulting for the Lib Dems (fully paid). PGP is only approved by CESG, at the moment, for disk encryption - Desktop, which includes the email and removable media functions (and appears to include Universal Server in the scope) is currently under testing - where it has been for some time.

The big problem with the iPhone is not the crap memory encryption (none on the 3G, dreadful on the 3GS, dunno about the 4) but the fact that, unlike a Blackberry tied to a BES instance, you cannot control the end-users' ability to add applications - all of which can then access data on the phone. A corporate Blackberry locked down to HMG standards is somewhat less functional than a normal one ...

You can ensure that your emails are encrypted "over the air" with an iPhone too - just use an HTTPS connection.

Generally, the more functionality you have on a computer - and, let's be honest, both the iPhone and the Blackberry are just computers with a couple of specialised applications and a dreadful form factor - the less secure it is (or, technically, the greater the attack surface.)

Disclaimer - we use iPhones corporately. We prefer their functionality to the Blackberry alternative (as do most security professionals I meet.) Although we're entirely rational about their (lack of) security.

subrosa said...

Wonderful explanation SE. I understand a little more.

Of course, being the cynic and a simpleton, I thought it was just because the HoC had been offered a job lot of Blackberrys...
