September 20, 2006
Sprint Sells Security Service for SmartPhones
With all the concern about data being lost on laptops and “vulnerabilities” in BlackBerrys, Sprint is jumping into the action. They are offering a managed security service for smartphones (you know, like that Treo 700 your boss carries).
Sprint Mobile Security enforces password policies using personal identification numbers and other user-specific credentials for authentication. Customers also have the option of encrypting specific files, a device or memory card. This same encryption can be used by mobile customers to securely access their corporate VPN, the service provider says.
The service also scans, identifies and removes malware, viruses, worms and the like from mobile devices using a firewall that resides on the handheld or laptop. This firewall is also used to block denial-of-service attacks.
That’s good, because we’re all worried about phones getting DOS’d. What!?
This is the first of its kind to my knowledge, and may help them win some traction in the highly valued big-business space. In practice, they are mostly deploying and managing Mobile Armor software for you and charging $9 a month for it, although they have added a few features of their own, like:
[The] ability to remotely lock a wireless device if reported lost or stolen and the ability to remotely erase all data from that device in an effort to protect corporate information.
Seems a little pricey to me, but I can imagine some companies going for it for a few especially high-ranking employees who handle sensitive data.
Sprint beefs up wireless security services [Network World]
Press Release [Sprint]
Read More: Anti-Virus, Policy, Wireless
June 8, 2006
Learning Risk Management from Renting a Car
What risks should we worry about, and when is it okay to let things go? This is a question that those of us dealing with Information Security Risks ask ourselves all the time.
Slate takes up the question of which risks are worth insuring against and which we should simply absorb. They use the example of rental car insurance:
The correct response is to insure yourself only against the big risks, such as your house burning down. As for the dent in the rental car, you will simply have to tell yourself that in the scheme of things, it’s not that important.
Insurance is the classic example of transferring a risk, but every other control we put in place should be measured against the same standard: is this risk small enough to swallow? Unfortunately, we are not very good at this because:
we find it impossible to put our losses into context. I should recognize that the value of my home fluctuates every hour by more than the value of the cell phone I put through the washing machine, but it will be the loss of the phone that upsets me, and it is the risk of that upset that the phone insurers will try to emphasize.
If you can measure your risks and put them in context, you have gone a long way towards knowing what to focus on. The two best books I’ve read on the subject are Beyond Fear and Freakonomics.
Risky Business: Should you ever buy rental car insurance? [Slate]
Read More: Policy, Risk Management
May 15, 2006
Insider Threat: Security Professionals
Hack into your boss’s computer and go to jail, even if you are a security professional. That is the message from the DOJ to government employees, backed by its “zero tolerance policy” on hacking into government computers.
A former computer security specialist at the Department of Education has been sentenced to five months in prison for hacking into his supervisor’s PC.
Kenneth Kwak, 34, of Chantilly, Va., admitted to installing remote control software on the computer and using that access to read his supervisor’s e-mail and monitor other Internet activity…
It’s not uncommon to meet security professionals with a God complex: they think they can get away with anything because they have substantial privileges and skills.
A criminal is still a criminal even when you have the word “Security” in your title.
Ex-government employee sentenced for hacking [news.com.com.com.com]
Former Federal Computer Security Specialist Sentenced for Hacking Department of Education Computer [doj]
Read More: Threats, Policy, Investigations
May 11, 2006
Blindly Applying ‘Best Practices’
Professor Spafford expands on the earlier article we discussed, arguing that every best practice should be examined to see whether it makes sense for a given application. My favorite example of this:
One example, told to me by a Federal law enforcement agent, is when he showed his badge and papers while passing through security. They didn’t make him take out his weapon when going through the metal detector…but then they insisted that he run his shoes through the X-ray machine!
The lesson here: don’t check your brain at the door when applying best practices. When security professionals walk around insisting that every security requirement must be met, without doing even a back-of-the-napkin risk assessment, we all look bad.
Spaf: Passwords and Myth [Purdue’s CERIAS Blogs]
Read More: Threats, Passwords, Policy, Authentication
April 24, 2006
Periodic Password Changes a Waste of Time
Our favorite quotable Computer Science prof, Eugene Spafford, has come out with a controversial article about the (un)importance of regular password changes.
He analyzes the threats and finds that the mitigation regular changes offer is minimal. Even better, he traces the origin of this “best practice”:
So where did the “change passwords once a month” dictum come from? … As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years.
This is one I have to agree with Spaf on. Regular changes make a password harder to remember, which actually decreases security by:
- Discouraging long, complex passwords.
- Encouraging people to write their passwords down.
I would rather require one more character in a password than require it to be changed regularly.
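To put a number on that trade-off, here is the contractors’ envelope calculation carried one step further. This is an added example, not code from this post or from Spafford’s article: it models an offline attacker guessing sequentially against a uniformly random password and compares an 8-character password rotated monthly with a 9-character password that is never changed. The 62-symbol alphabet, the guess rate of one million per second, and the 30-day and one-year windows are illustrative assumptions, not measurements.

```python
"""Rotation vs. one more character, as a back-of-the-envelope model.

Added example for this post; not code from the post or from Spafford's
article.  The model assumes an offline attacker trying passwords in sequence
against a uniformly random password.  The alphabet, guess rate and windows in
the usage section are illustrative assumptions, not measurements.
"""
from __future__ import annotations

from fractions import Fraction

SECONDS_PER_DAY = 24 * 60 * 60


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over `alphabet` symbols."""
    return alphabet ** length


def days_to_exhaust(alphabet: int, length: int, guesses_per_second: int) -> float:
    """Days needed to try every password once at a fixed guess rate.

    This is the calculation the DoD contractors in the quote were doing: if
    exhausting the space takes several months, a monthly change 'beats' it.
    """
    return keyspace(alphabet, length) / guesses_per_second / SECONDS_PER_DAY


def crack_probability(alphabet: int, length: int, guesses_per_second: int,
                      window_days: int) -> Fraction:
    """Chance that sequential guessing hits a uniform random password within the window.

    With a uniformly random password each distinct guess succeeds with
    probability 1/N, so k distinct guesses succeed with probability min(1, k/N).
    """
    guesses = guesses_per_second * window_days * SECONDS_PER_DAY
    return min(Fraction(1), Fraction(guesses, keyspace(alphabet, length)))


def compare(alphabet: int, length: int, guesses_per_second: int,
            rotation_days: int, attack_days: int) -> tuple[float, float]:
    """Return (p_rotated, p_longer) over `attack_days` of attacker effort.

    p_rotated: a length-`length` password changed every `rotation_days`.
      Rotation gets its best case: every change wipes out the attacker's
      progress, so the attacker gets attack_days // rotation_days independent
      attempts, each with the single-period success chance.
    p_longer:  a password one character longer that is never changed, attacked
      for the whole window without interruption.
    """
    periods = attack_days // rotation_days
    p_period = crack_probability(alphabet, length, guesses_per_second, rotation_days)
    p_rotated = 1 - (1 - float(p_period)) ** periods
    p_longer = float(crack_probability(alphabet, length + 1, guesses_per_second, attack_days))
    return p_rotated, p_longer


if __name__ == "__main__":
    # Illustrative numbers (assumptions): a 62-symbol alphabet (a-z, A-Z, 0-9),
    # 8-character passwords, an attacker guessing 1,000,000 passwords per second,
    # a 30-day rotation policy, and one year of attacker effort.
    print(f"days to exhaust 8 chars:            {days_to_exhaust(62, 8, 10**6):.0f}")
    p_rot, p_long = compare(62, 8, 10**6, 30, 365)
    print(f"8 chars, rotated monthly, one year: {p_rot:.3f}")
    print(f"9 chars, never rotated, one year:   {p_long:.4f}")
```

On these illustrative numbers, exhausting the 8-character space takes about 2,500 days, so a 30-day rotation really does interrupt the attacker, yet the rotated 8-character password is compromised within a year about 13% of the time while the unrotated 9-character one is compromised about 0.2% of the time. The model is deliberately generous to rotation, since it assumes every change erases the attacker's progress; a user who bumps “Summer06” to “Summer07” gives the attacker most of that progress back.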