Bugtraq mailing list archives
Re: PalmOS password recovery
From: Mudge <mudge () L0PHT COM>
Date: Thu, 28 Sep 2000 15:58:04 -0500
Try looking more closely at the notsync program. This enables an auditing team or person to walk around with their own palm pilot and, upon finding a non-guarded palm pilot, fake the hotsync negotiation over the IR port and retrieve the password. Often it is much more important to retrieve the password that a person has chosen for future use in a threat scenario than to just go after the files on the PDA device. This is different in future threat vectors than simply wiping the password or slurping down the files without learning how this individual chooses to keyspace in passwords. This has been our experience at least. Empirical evidence leads us to believe that most people in organizations do not choose unique passwords for each device they are using. Hence we thought it worth an advisory. Hope that helped. cheers, .mudge On Thu, 28 Sep 2000, Nate Amsden wrote:
[disclamer: my comments do not represent that of any company or individuals other then myself.] I just read the advisory from @stake and was shocked. I wondered why they considered this worthy of a "advisory" there has been a well known program called "No Security"[1] that with a click of your stylus you can wipe the password off the palm device(in my case a Handspring visor deluxe) without any loss of data. in addition you can use a 3rd party program to synch the pilot, say Jpilot[2](which i use on linux) and it retrieves all "private" records and does not bother to protect them, also it unmarks the private flag. the private record security is a joke, it always has been. sure the information in the advisiory is nice and technical but you don't need to jump through hoops to get to the private data. must be a slow day for @stake. [1] http://www.geocities.com/SiliconValley/Cable/5206/nosecurity102.zip [2] http://jpilot.linuxave.net/ have a good one! nate -- Nate Amsden System Administrator Graphon http://www.graphon.com
Current thread:
- PalmOS password recovery Nate Amsden (Sep 28)
- Re: PalmOS password recovery Mudge (Sep 29)
- Re: PalmOS password recovery Peter W (Sep 29)