September 20, 2006
Sprint Sells Security Service for SmartPhones
With all the concern about data being lost on laptops, and “vulnerabilities” in BlackBerries, Sprint is jumping into the action. They are offering a managed security service for SmartPhones (you know, like that Treo 700 your boss carries).
Sprint Mobile Security enforces password policies using personal identification numbers and other user-specific credentials for authentication. Customers also have the option of encrypting specific files, a device or memory card. This same encryption can be used by mobile customers to securely access their corporate VPN, the service provider says.
The service also scans, identifies and removes malware, viruses, worms and the like from mobile devices using a firewall that resides on the handheld or laptop. This firewall is also used to block denial-of-service attacks.
That’s good, because we’re all worried about phones getting DoS’d. What!?
This is the first of its kind to my knowledge, and may help them win some traction in the highly valued big business space. Now, they’re mostly deploying and managing some Mobile Armor software for you and charging you $9/month, although they have added some custom features like:
[The] ability to remotely lock a wireless device if reported lost or stolen and the ability to remotely erase all data from that device in an effort to protect corporate information.
Seems a little pricey to me, but I can imagine some companies going for it for some especially high-ranking, sensitive employees.
Sprint beefs up wireless security services [Network World]
Press Release [Sprint]
Read More: Anti-Virus, Policy, Wireless
August 7, 2006
Blackberry Backchannel Blindsides Businesses
Wired has a story out of DefCon picturing BlackBerries as the perfect backdoor into your corporate network. Since many corporations inherently trust the BlackBerry straight in through their firewalls, it might be worth a read.
The program, called proxy, has to be placed on a Blackberry either physically or as a Trojan horse delivered by e-mail. Once installed, it causes the Blackberry to call back to the attacker’s system in the background, opening a communications channel between the attacker and the company’s internal network.
Details are sketchy, and I can’t find the mentioned “documents on its website” or get to their website at all, but the fact that he says he’ll release the app in the next week or so doesn’t make me feel all warm and fuzzy.
Blackberry a Juicy Hacker Target [Wired]
Read More: Threats, Vulnerabilities, Firewall, Wireless
August 2, 2006
New Trend: Attacks Against Device Drivers
The guys at Black Hat are demonstrating some interesting attacks against the device drivers for the wireless card in a MacBook Pro:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This highlights an emerging trend of attacks against device drivers. Should attacks like this become a trend, I suspect we’ll see the following:
- Wireless Cards Hit First: Many attacks will focus on wireless cards, and not just because they are remotely accessible. The fact that there are only a couple of chipset manufacturers will make attacks easier, especially considering this:
After the demo, Ellch … will talk about a new tool he’s developing that can remotely scan and figure out the chipset and driver version of a wireless device on a target computer. So far, Ellch said the tool currently recognizes 13 different wireless device drivers, breaking them down by operating system and firmware version.
“I’m getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that ‘x’ number are running them on a Windows box with a specific version of the driver,” Ellch said. “The useful thing for that information is that if you have a device driver exploit and it’s version-specific, you could tweak [the exploit] before you launch it.”
- Homogeneous Environments Hit Hardest: As demonstrated, Macs will be easier targets. But think about other homogeneous environments: corporate networks that use all the same PCs (or maybe just all the same NICs), ISPs that use all the same kind of DSL/cable modems, etc.
- Mitigations Slow to Come: There won’t be patches coming out of Windows Update for many of these. Expect longer windows of vulnerability, and expect traditional mitigations like firewalls to prove ineffective.
So what do we do? Assuming the attack involves overrunning a buffer, some sort of kernel-level buffer overflow protection in a Host Intrusion Prevention-type product seems to be in order. The whole article is worth a read. Share your thoughts by leaving a comment below.
Hijacking a Macbook in 60 Seconds or Less [Security Fix]
Read More: Threats, Patching, Vulnerabilities, Firewall, Wireless, Macs
May 5, 2006
Is That a RFID in Your Pocket or…
Levi’s is among the ever-increasing number of retailers using RFID to track inventory:
Levi Strauss & Co., one of the nation’s largest clothing manufacturers, confirmed April 28 its testing of RFID “hang tags” on clothing shipped to two retail outlets in Mexico and one in the United States
To their credit, they are making them removable, and posting notices about them to ease privacy concerns. Wired has an article in this month’s issue on RFID Hackers:
They then showed how easily they could upload one chip’s data onto another. “I could download the price of a cheap wine into RFDump,” Grunwald says, “then cut and paste it onto the tag of an expensive bottle.”
I’d take a pair of Levi’s for the price of some Two Buck Chuck anytime.
Levi’s New Style: RFID [eWeek]
The RFID Hacking Underground [Wired]
Read More: D' Oh!, Privacy, Wireless
May 4, 2006
BMW: The Ultimate Hacking Experience
BMW’s X5 SUVs seem to have a slight <cough>flaw</cough> in their authentication systems. The net effect: Thieves have used laptops to steal two of European soccer star David Beckham’s X5s.
Because the decryption process can take a while - up to 20 minutes, according to Hart - the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham - the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.
Now that’s strong encryption.
Maybe Mr. Beckham should stay away from wireless technologies altogether.
Gone in 20 Minutes: using laptops to steal cars [Left Lane News] (via Engadget)