Friday, September 26, 2008

Great pricing on Redfly

Announced today, Celiocorp are releasing a limited quantity of Redflys at $199 each through Oct 31st. Great deal.

I lurv my Redfly. It's incredibly useable.

Available here:

what the good guys (and the bad ones) are doing to get at the data on your phone

John mentioned CSI Sticks in the Network World article. Worth reading more on to educate yourself a bit about what they do:

Available here: Note the list of devices isn't that large.

Even better (or worse, depending on your viewpoint) is this:

So, the onus is more and more on the people implementing and supporting mobile phones in the enterprise to educate your users.

The greatest risk is, imo, human. Social engineering is a long-standing practice which gets used a lot for the simple reason that it works.
If I'm sitting next to you in the airport and ask to borrow your cellphone to let my wife know that my flight is delayed, the probability is really high that you'd agree. Where's the harm, eh?

If, however, you're not educated to the risks and make the simple mistake of not treating a corporate resource appropriately - exactly as you would, or rather should do with a laptop - you're opening the door to the bad guys.

4 Steps to take control of your mobile device

Hot off the press from Network World (hard copy comes out next week). Mighty quick, as John only interviewed me on Monday for contributing to this piece. He's done a good job of getting the salient points out:
4 steps to take control of your mobile devices
Managing every iPhone, Android device and connection is key, wireless experts say
By John Cox , Network World , 09/25/2008

If you've ever let a stranger borrow your corporate smartphone, you may have just given him a gift of your company's data.
The reason: he might have palmed a small USB device called the CSI Stick, and surreptitiously plugged it into your phone. The device can drain every bit of data from a cell phone in seconds, says Patrick Salmon, a mobility architect for Enterprise Mobile, a technology services company that specializes in Windows Mobile deployments.
Increasingly, companies want to give mobile or field-based employees direct, instant access to critical corporate applications previously accessible only from a desktop. To do so, existing security, authentication and management infrastructures have to be extended and adapted so that mobile devices, along with their data and wireless connectivity (cellular or Wi-Fi), are managed as surely and fully as desktop PCs.
But that's not the case in many mobile deployments today, according to consultants who, like Salmon, specialize in working with enterprise customers. "What we see is an ill-defined policy regarding devices," says Dan Croft, president and CEO of Mission Critical Wireless, a technology services company that specializes in mobile deployments.
Often personal handhelds are granted wireless access, something that would never be allowed with a personal computer, creating security vulnerabilities, manageability challenges and tech support burdens, Croft says. Companies don't plan beforehand about how to handle lost, stolen or broken devices, or the data on them. "IT needs to get control of wireless [mobility] within their company," he says.
Taking control falls into four broad areas, says Jack Gold, principal of J. Gold Associates, a mobile consulting company: securing and managing every device; managing every connection; protecting every piece of data; and educating every user.

Securing and managing every device
Mobile devices, whether bought by the company or by the individuals, are accessing company networks and company data. Device security and management are closely intertwined, because you have to be able to monitor the devices in order to enforce policies.
In most cases, practitioners recommend standardizing on two or three mobile device models, minimizing the support, security and management challenges. "Other smartphones [brought in by users] might not be capable of supporting your specific security and administration policies," Enterprise Mobile’s Salmon says.
Using mobile device passwords or PINs is advised. "If your enterprise doesn't enforce a password policy on those devices, you might as well stop with all your [other] security measures," Croft says. Salmon favors PINs, coupled with a limit on the number of access attempts. After that number, the next attempt triggers an automatic lock or wipe of the handheld.
Enforcing effective passwords is one of the essentials at Florida Hospital, in Orlando, where wireless notebooks are widely used by staff and nurses, along with BlackBerry devices for e-mail. The hospital also is exploring what's involved in granting access to clinical systems from physicians’ smartphones.
The hospital enforces regularly changed passwords (a function of its enterprisewide identity management infrastructure), up-to-date antivirus software and some ability to remotely wipe data from mobile clients, says Todd Franz, associate CTO. "We see the need to protect the data on these mobile devices just as much as we do on a desktop PC," he says.
On selected notebooks, the hospital also uses the CompuTrace service from Absolute Software, a kind of "LoJack for laptops." A stolen computer can be traced and tracked down. Franz won't say how often hospital laptops have been stolen, but the hospital has successfully resolved 100% of the cases involving CompuTrace-protected laptops. According to some accounts, 10% to 15% of all mobile devices go missing.
Consider using comprehensive device management applications such as Sybase’s Afaria, Credant's Mobile Guardian, Nokia's Intellisync, Microsoft's System Center Mobile Device Manager, and others from the likes of Checkpoint and Trust Digital, to name just a few. These policy-driven suites blend monitoring and enforcement capabilities focused on mobile clients, and typically work with back-end authentication and other servers.
It's also important to have the ability to wipe, lock or kill any mobile device that’s stolen, lost or unaccounted for on a moment’s notice, including its SD card if it has one. A network manager should be able to issue a command that locks a device until the right password is used, wipes or deletes some or all of the corporate data on it, or shuts it down entirely, Croft says.

Managing every connection
"These connections are a pretty significant exposure if they're not done right," Gold says. "Don't leave it up to the end users."
These practitioners favor enforcing VPN connections with IPSec for mobile deployments. "SSL, which uses TCP port 443, is the path of least resistance," Enterprise Mobile's Salmon says. "I consider this the weaker of the two options." That's chiefly because while the target server has a certificate and is trusted, the SSL client is not. IPSec requires that ports have to be specifically opened, but both ends of the connection have certificates, he says.
A related issue is allowing mobile devices to connect only if they pass muster. Is the antivirus software up-to-date? Is the VPN active? Is the Wi-Fi connection from a public hotspot?

Protecting every piece of data
Selective data encryption should be an essential item in any mobile deployment.
With a managed mobile device, you can distribute and enforce encryption policies for specific data. "Document folders, your e-mail in-box, user data, contacts, certificates, and so on are the kinds of things that should be encrypted," consultant Gold says. Also consider encrypted or encryptable removable storage devices, such as high-capacity SD cards, he says.
"Unless you're in a 'James Bond environment,' most encryption levels will give you far more security than sending an unencrypted e-mail over the Internet, which happens all the time," Croft says.

Educating every user
"Few companies educate end users on the proper procedures and policies to safeguard [mobile] corporate assets," Gold says. "Get the users on your side."
"The greatest vulnerability is human," Enterprise Mobile's Salmon says. "If a stranger asked to borrow your laptop for five minutes to check his stock portfolio, you'd say 'No!' because you've been educated about the risks. There's no way you're going to let a stranger use your laptop. The same thinking has to apply to your mobile phone."
To school its nurses in mobile technology, Florida Hospital relies on trainers who also have been, or are, nurses. "They speak the same language as the users," Associate CTO Franz says. "We try to keep IT people out of the way of this training, because they do not speak the same language."
Franz makes a key point about nurses and mobile technology that's relevant to all such deployments. "People don't go to nursing school to become a clerk-typist," he says. "They go because they want to help people. Technology can assist them in doing that."
Acceptable use policies should be short and to the point, otherwise they won't get read. Training should cover all the elements (explaining the device, applications and intended usage), says Alphons Evers, global solutions manager with the mobility practice of Getronics, a global IT services company.
Educating users means being willing to be educated yourself. Franz says Florida Hospital discovered that one major problem facing nurses with wireless laptops was finding enough convenient surface space with electrical power so they could be recharged, and finding a lockable locker or drawer to store the laptops when not in use. That was one aspect of mobility that hadn’t been anticipated.

Sometimes the technology advances are really slow...

In fairness, I'd add that if used as a projectile the iPhone could be every bit as effective as a rock. They need to work some on ruggedizing it in order for it to go beyond 'one-time use', but the destructive potential is definitely there.

Tuesday, September 23, 2008

Exchange Connections, Fall 2008

If you're interested, I'll be speaking at the upcoming Exchange Connections conference in Las Vegas (ptooey) in November.

Link here:

Much as I despise Vegas with a vengeance, and will plan on getting in as late as I possibly can then leaving in great haste, the conference itself is something I'm really looking forward to.

Coming from a very strong Exchange background, it's going to be a heck of a lot of fun to educate folks in just how powerful and enabling MDM is. It's a beautiful complement to the neat things you can do with both Exchange and OCS and ties things in together neatly.

Here are my session outlines:
EXC13: SCMDM and Exchange: Is there Room for Both? Like Exchange, SCMDM 2008 has numerous policies which the administrator can apply to the Windows Mobile device. At first glance it may appear that there’s considerable overlap, thus making it hard for the decision-maker to make the best choice for their organization. This session is aimed at the Architect, designer, and implementer who is looking to put the best solution in place for their organization and will highlight the differences and commonalities between both products.

EXC14: Fitting SCMDM into Your Exchange Environment Exchange is the "quick hit" Line of Business (LoB) application for SCMDM. Most customers when discussing provisioning, supporting, and managing Windows Mobile in the enterprise will look to Exchange as being the primary application that they’ll want to make available to their Windows Mobile community. This session is aimed at covering the key issues when it comes to planning, deploying, and scaling SCMDM in order to successfully integrate it with Exchange in your environment.

EXC15: Security Lessons Learned for OCS, Exchange, and SCMDM Deployment While taken from the numerous challenging customer scenarios encountered during the SCMDM 2008 TAP, the lessons shared here are equally applicable for those deploying OCS and Exchange Edge servers into the perimeter network. The hardest part of working with any security team is getting a Windows Server 2003 server into this exposed and potentially high-risk zone. This session is aimed at helping you, as someone tasked with equal responsibility for protecting the enterprise, to work with security, networking, and firewall professionals on the basis of presenting them with solutions instead of challenges.

Accessing production resources from your test environment

This comes up a lot. "I'm standing up MDM in the lab but really want to be able to get at (insert LoB here; usually Exchange, but it can be anything)".

Makes perfect sense and adds a lot of validity to your testing. Plus, it means that if you're getting at your production email then you're more likely to actually use it, rather than have to carry a 2nd device solely for the purposes of kicking the tires.

My experience has been that the novelty wears off very quickly for customers if they don't have a genuine motivator to encourage usage, and putting their production email on the test device is a very good way of achieving this.

It's actually extremely easy to do (so long as you have buy-in from your Security and Firewalls team since they're the ones who have to approve this and make it possible to work).

The simple fact is that once an MDM device has connected to the MDM Gateway it has access from that point onwards to anything you choose - it comes down to whether (a) the device can resolve the host (usually through DNS) and (b) there's a route from the VPN pool of addresses through the internal firewall to the target host.

The above image shows how it works, using Exchange (2K3-SP2, E2K7-RTM or E2K7-SP1) as the example of the target LoB host(s) in your Production environment.

On the left hand side you have your QA environment where you've stood up the MDM components (and requisites, like SQL, WSUS & CA). Completely separate from this is your Production environment where the Exchange mailboxes reside.

The device, once enrolled, will be managed from your QA environment. That's the left arc, showing the DM pushing down policies and .cab files. The user's mailbox and corresponding AD User object, however, are located in the other domain.

All that the device has to do in order to access Exchange is, as detailed above, resolve the mailbox server and be able to route to it, following the right-hand arc/flow.

Client authentication takes over from this point, either with the user credentials being passed through the IPsec connection within an SSL tunnel, or the certificate being passed through via the same route. Very easy. Beyond MDM providing the transit route between the device and the GW, everything else is handled by the internal resolution/routing/authentication mechanisms.
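As an added illustration (not from the original post), here are the two conditions above, name resolution and a permitted path from the VPN pool through the internal firewall, modelled as a small offline check you can run before asking the firewall team for a rule. The pool, hostnames, addresses and rules are constructed for the example; the point is that whatever the pool can resolve and route to is reachable from every enrolled device, so the allow rule should be as narrow as the LoB needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the address pool the MDM Gateway hands to enrolled devices.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")

# Constructed internal DNS view (hostname -> IP) as seen from the pool.
INTERNAL_DNS = {
    "ex01.corp.example.com": "10.10.5.20",   # Exchange front-end (the intended LoB)
    "sql01.corp.example.com": "10.10.8.10",  # something that should stay unreachable
}

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"

# Constructed internal-firewall rule set; first match wins, default deny.
INTERNAL_FW = [
    Rule(VPN_POOL, ipaddress.ip_network("10.10.5.20/32"), 443, "allow"),
    Rule(VPN_POOL, ipaddress.ip_network("10.10.0.0/16"), None, "deny"),
]

def resolve(host, dns=INTERNAL_DNS):
    """Condition (a): can the device resolve the target? Returns the IP or None."""
    return dns.get(host.lower())

def first_match(src_ip, dst_ip, port, rules=INTERNAL_FW):
    """Condition (b): walk the inner firewall rules; unmatched traffic is denied."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"

def device_can_reach(device_ip, host, port):
    """Both conditions together: (reachable?, reason)."""
    ip = resolve(host)
    if ip is None:
        return (False, "unresolved")
    action = first_match(ipaddress.ip_address(device_ip),
                         ipaddress.ip_address(ip), port)
    return (action == "allow", action)

def exposure_report(device_ip, targets):
    """Map each host:port to whether a pool address reaches it, to spot anything exposed beyond the intended LoB."""
    return {f"{h}:{p}": device_can_reach(device_ip, h, p)[0] for h, p in targets}
```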

That's why I refer to MDM as an enabler - it enables things like this very, very easily indeed. The Admin intervention is negligible, beyond getting the approval and active participation of your Security and Firewalls/Routing team.

Secondly, this also highlights just how low-impact MDM is once it's in[1]. Nothing needed to be added since the MDM infrastructure is in place and the device can securely connect; all that was required was to ensure the device could get at the target host. Easy, eh? :-)

[1] OK, so I'll admit that getting it installed and working is a biotch, but once it's there everything else really is extremely easy indeed.

Sunday, September 7, 2008

Converting videos captured on your WM6.1 Phone

Just ran into this problem myself and as I found the fix it makes sense to pass on:

The default file type of a video file is .3gp... whatever the heck that may be. Copy the file across to XP or Vista and it doesn't have a clue what to do with it. Same thing if you take the "do you want to search the internet?" option.

To cut to the chase, I found a freebie converter (one of many) that works really well. Free. No need to sign up for anything, no need to subscribe and get a gazillion unwanted emails.

Link here: