I’m going to tell you about a method that always works and gives you phenomenal results when you conduct pen-testing assignments. Really. It always works. It’s nothing new; it’s actually so old that ye olde hackers used it to gain access to just about anything, anywhere. Well? Guessed it yet? It’s social engineering. “Bah!” you say, “that’s not really a useful tip, is it?” I would disagree. It’s very effective, and it works because of the cognitive biases that plague human psychology and behavior.
Now, I’m not going to go into how to social engineer or give you tips on what to say on the phone; there are experts who do this. What I want to do is make you aware of why the recent spyware threat to BlackBerry users sorta worked. I was once asked for the best piece of security advice I could give, and it was simple: be paranoid.
Be suspicious, be paranoid. I don’t mean smoke a cartload of pot and gradually degenerate into a “they’re out to get me” sorta paranoia, but a healthy dose (of paranoia, not the pot). Question everything. Don’t accept what you’ve been told, whether it’s from your boss, from your government or from your telco provider. You could even challenge me on this post, or on any other one I’ve written. It’s all about your desire to know more and satisfy your own curiosity, rather than stopping and just accepting what someone tells you.
It’s easy for me to sit here and tell you all of this. It’s actually easier to do once you get the hang of it. I’ll take the BlackBerry case and give you some tips on what you should already know and do before you even think of going out and buying another software product to take care of the problem.
- Never install programs that come advertised in an SMS message. Note down the details, search for it online and try to get as much information on the program as possible; hell, mail me if you like. Chances are, if it’s not on the Internet, it’s most likely something nasty. Searching online will also help you find other users who have encountered the same problem or know something about the application.
- Set your Default Permissions to Deny so new programs cannot access the Internet or your personal data. Here’s a look at the permissions on my Bold: Connections, Interactions and User Data. This is also an option that RIM provides during installation: before downloading a program, there is a little check box that allows you to set specific permissions for that application. You will then be prompted if the app behaves suspiciously.
- The BlackBerry is a great mobility device. It was never meant to be a replacement for a desktop computer. In this regard, try to limit the number of applications you download and install on it. The device comes with a suite of tools that are very useful on their own. Granted, enhancements and customizations will always be something you may want, but the more you limit your exposure to third-party apps, the higher the probability that you will be safe.
Why are these tips even relevant? I’ll tell you why: the BlackBerry handheld device has not had a vulnerability reported against it in the past 2 years. Don’t just take my word for it; take Christian Rioux’s word from Veracode (webcast here and slides here). This puts more of the responsibility on the user to secure his phone and to be more vigilant about what he installs on it. RIM provides features like the Firewall and Default Permissions on BlackBerries for exactly this purpose. Learn how to configure them and how to use them. Learn to be vigilant and be a little paranoid. It helps. There’s no sense in throwing money at the problem and buying software when you still don’t know what goes on underneath and how you can control it.
That’s what I wanted to say before I end this BlackBerry spyware saga. I’m going to focus on a web 2.0 app that I’ve been meaning to release for a long time.
I’ll leave you with this last quote: There’s no patch for your cognitive bias.
Comments for “Nevermind the software, get educated”