[16957] in bugtraq
Re: PalmOS password recovery
daemon@ATHENA.MIT.EDU (Mudge)
Fri Sep 29 03:28:10 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSO.4.21.0009281552481.21673-100000@0nus.l0pht.com>
Date:         Thu, 28 Sep 2000 15:58:04 -0500
Reply-To: Mudge <mudge@L0PHT.COM>
From: Mudge <mudge@L0PHT.COM>
X-To:         Nate Amsden <natea@GRAPHON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39D35EF5.8CCD296A@graphon.com>
Try looking more closely at the notsync program. This enables an auditing
team or person to walk around with their own palm pilot and, upon finding
a non-guarded palm pilot, fake the hotsync negotiation over the IR port
and retrieve the password.

Often it is much more important to retrieve the password that a person has
chosen for future use in a threat scenario than to just go after the files
on the PDA device.

This is different in future threat vectors than simply wiping the password
or slurping down the files without learning how this individual chooses to
keyspace in passwords.

This has been our experience at least. Empirical evidence leads us to
believe that most people in organizations do not choose unique
passwords for each device they are using. Hence we thought it worth an
advisory.

Hope that helped.

cheers,
.mudge
On Thu, 28 Sep 2000, Nate Amsden wrote:
> [disclaimer: my comments do not represent those of any company or
> individuals other than myself.]
>
> I just read the advisory from @stake and was shocked. I wondered why
> they considered this worthy of an "advisory": there has been a well-known
> program called "No Security" [1] with which, with a click of your stylus,
> you can wipe the password off the palm device (in my case a Handspring
> Visor Deluxe) without any loss of data.
>
> In addition you can use a 3rd-party program to synch the pilot, say
> Jpilot [2] (which I use on Linux), and it retrieves all "private" records
> and does not bother to protect them; it also unmarks the private flag.
>
> The private record security is a joke; it always has been. Sure, the
> information in the advisory is nice and technical, but you don't need to
> jump through hoops to get to the private data. Must be a slow day for
> @stake.
>
> [1] http://www.geocities.com/SiliconValley/Cable/5206/nosecurity102.zip
> [2] http://jpilot.linuxave.net/
>
> have a good one!
>
> nate
>
> --
> Nate Amsden
> System Administrator
> Graphon
> http://www.graphon.com
>