Ennetcom response to general communication
Preamble: This blog entry is in response to the Ennetcom general communication received by users on January 14, 2016, along with a link to an advert web site, in an attempt to protect that which cannot be protected.
Our Response: Ennetcom makes some wildly inaccurate claims in their general communique. Comments in blue are their direct statements.
a) Ennetcom claims that their devices are protected by the NFI chip-off technique. The Netherlands Forensic Institute (NFI) does not make any claim that they used a chip-off strategy in decrypting Blackberry PGP data. They actually utilize Cellebrite, plus an in-house method. To wit, from a translated Dutch NFI official document, "Data in the mobile phone are secured by the Dutch Forensic Institute (NFI) has developed forensic method and software, version 4.0.0.220, UFED4PC, the company cellebrite. From the protected data exported are email messages and then decrypted using a method developed by the NFI."
b) 1. No Trojans can be installed in the Blackberry
Really? In just a five-minute Google search we found that not only can you install trojans, but you can also do a lot of other damage to the security of a Blackberry device:
Blackberry trojan: Zeus Trojan
Blackberry malware: BlackBerry users targeted with malware-serving email campaign
Blackberry spyware: UAE Blackberry update was spyware
Blackberry jailbreaking: RIM has an internal division that exists for this issue
2. No data saving on the memory chips of the device.
We assume here that Ennetcom means the flash drive of the device. It has been repeatedly shown that Blackberry, due to the architectural choice of NOT encrypting the data partition, is susceptible to having deleted data (including PGP email messages) recovered and decrypted.
3. Always have two passwords.
It has been repeatedly reported by organizations like the NFI that the passwords have not made a difference to the decryption of messages off a Blackberry device. Also, should they not mention password quality and length? Having two poor passwords is as useless as leaving your passwords written on the back of the Blackberry subscriber device.
They [EncroChat] will face the truth about that weak handset security in time. You can NOT use PGP on Android in the same secured way as on a Blackberry. That's a fact.
This is my personal favorite. Saying something is a FACT does not make it a fact. We are not 11-year-old children in a playground saying something is true "cause I say so." There is a little concept called empirical evidence. If you want to debate something, actually state your facts. Here are some facts:
FACT: The EncroMail PGP transitional application ensures that the user creates and stores the private key of the public/private keypair on the local device. The vast majority of Blackberry resellers create the private keypair themselves and store the subscriber keypair on their servers on an ongoing basis. This is unacceptable for any security solution.
FACT: EncroMail uses the same or better ciphers and hashes than any Blackberry reseller in transmitting PGP messages.
FACT: Every connection the EncroMail mail server makes to transmit PGP messages destined for any third-party mail server is protected by a Transport Layer Security (TLS)* tunnel to hide any metadata (to/from/subject/date). Many Blackberry resellers do not do this and expose this information to everyone on the Internet.
FACT: Every Blackberry reseller uses a mishmash of software applications and operating systems whose underpinnings they do not understand. How can you trust something when you can't analyze the code of what you are promoting? How can they guarantee or audit that any of the PGP message processing is actually secure?
FACT: Subscriber units send all their messages through RIM infrastructure. EncroChat does not. How do you trust the CEO of RIM when he states "We reject the notion that tech companies should refuse reasonable, lawful access requests. Just as individual citizens bear responsibility to help thwart crime when they can safely do so, so do corporations have a responsibility to do what they can, within legal and ethical boundaries, to help law enforcement in its mission to protect us."?
FACT: EncroChat does not actually promote the usage of PGP. Our transitional EncroMail PGP application is the "best of a bad situation" with regards to the state of Blackberry usage today. We recommend you use EncroChat, our secure IM client. Reasons listed why you should are found here.
FACT: Any open operating system, such as Android, can be made as secure or as insecure as one designs. Blackberry OS has numerous exploits and bug issues, as do Android, Apple iOS, and Microsoft. How one deals with these things is what separates the wheat from the chaff. EncroChat security hardens our subscriber unit well beyond anything commercially sold today, including Blackberry. Please click here for a list of the many layers of protection of the EncroChat solution.
Lastly,
FACT: There are some PGP resellers that feel justified using their subscribers as pawns in a war with newer encryption technologies. The adage "the emperor has no clothes" feels apt here. Many Blackberry PGP resellers are disrupting communications between subscribers and slandering products to protect the money machine they call PGP Blackberry. PGP resellers have stated directly to us personally that they don't care about the security of the PGP Blackberry product; it is about making money. They are protecting their cash cow in any and every way possible. EncroChat is proud to state that we blacklist no competitors. Our belief is that users should have the freedom to communicate with those they wish to. Subscribers should not be punished and their business impacted by these pathetic games some Blackberry resellers are desperate to play. We concentrate on educating users on the best security practices, so they may choose intelligently how to communicate securely.
Wall of Shame
These are the Blackberry PGP domains involved in disrupting communications with their subscribers for no valid security reason. Done simply to protect their business revenue: ennetcom.biz, pgpelite.com, publicpgp.com, pgpghost.org. Most of the listed domains have many other small domains associated with them. These are the primary. Ennetcom organized these other domains in blacklisting EncroChat's encromail.ch domain. If you find you are blocked or are receiving "Can't decode messages" from your PGP Blackberry reseller, please seek out an alternative supplier or investigate making the switch to EncroChat.
*Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).