[ale] palm pilots and unattended PCs

Wandered Inn esoteric at atlnet.com
Thu Sep 14 21:40:36 EDT 2000


hirsch at zapmedia.com wrote:
> 
> I just read this article in comp.risks.  It points out that you can
> still sync your palm, even if your NT machine is locked and password
> protected.  I bet that Linux has the same problem, though I haven't
> tested it.  It's an interesting security hole.
> 
> Does anyone know of a "secure xlock" which will not only keep users
> out of your X session, but also lock the various ports?  It sounds
> like a somewhat tricky problem.

I guess it depends on what you're using to sync your pilot with.  I'm
using jpilot.  If the package is not running (and I don't leave it up),
pushing the sync button does nothing, because there's nothing talking to
the cradle.

> 
> --Michael
> 
> From: rubin at research.att.com (Avi Rubin)
> Subject: Windows NT/2000 "Lock Computer" allows palm sync
> Date: Fri, 8 Sep 2000 15:03:39 GMT
> 
> In Windows NT and 2000, you can hit Alt-Ctrl-Del, and one of the options is
> to lock the computer. Then, a password is required to unlock it. A reboot
> also requires a password to log in, so it would seem that this is a pretty
> safe state to leave your computer in when stepping away from your desk.
> 
> The other day, I pushed the button to sync my palm pilot, and it worked.
> Then I realized that I had locked my computer. I did some testing on Windows
> NT and 2000, and apparently, the Palm synchronization always works when the
> computer is locked.
> 
> There are several risks/attacks:
> 
> - I take a blank palm pilot to your computer, which is locked, and I
>   sync with it and copy all of your palm pilot data. Many people keep
>   a master list of accounts and passwords on their pilot, among other
>   valuable/sensitive data.
> 
> - In a more malicious version of the previous attack, I sync all your
>   palm data. Then, I zero out the contents of each record in every database.
>   Then I sync again. The result is very likely that I will delete all of the
>   data on the PC, and that the next time you sync, all of the data will
>   be deleted on the palm. I know of a case where this "attack" worked in
>   practice, by accident.
> 
> - I write a palm hack that does whatever I want it to do to your data. I then
>   sync with your PC, and the hack gets copied to your pilot desktop. The next
>   time you sync, the hack is installed on the palm.
> 
> I am sure there are other attacks that I haven't thought of.  Anyway, I think
> that if Windows NT/2000 is going to have an option to lock the computer, it
> must make access to something as important as all of the Palm Pilot
> databases inaccessible. Perhaps turn off access to the serial port, USB
> port, etc., and not just the keyboard.
> 
> Avi   http://avirubin.com/
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

--
Until later: Geoffrey		esoteric at denali.atlnet.com

Microsoft != Innovation
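The "secure xlock" asked about in the thread, and Geoffrey's observation that a sync button press does nothing when no program is listening on the cradle, can be combined into a small wrapper. The script below is an added example written for this page, not code from the original post, jpilot or xlock. It assumes the cradle is on /dev/ttyS0 (override with PILOT_PORT), that jpilot is the only HotSync listener, and that the wrapper runs as the owner of the device node (or via sudo) so that chmod on it succeeds. It stops the listener, removes all permission bits from the serial device, runs xlock, and restores the device mode when xlock exits or the wrapper is interrupted.

```shell
#!/bin/sh
# secure_xlock: lock the X session AND the Palm cradle's serial device.
# Added example; the device path, the listener name and the permission
# scheme are assumptions, not details from the original post.

PILOT_PORT="${PILOT_PORT:-/dev/ttyS0}"   # assumed cradle device

# Print the current permission bits (octal) of a path.
port_mode() {
    stat -c '%a' "$1"
}

# Deny access to the device while locked: stop the HotSync listener so a
# button press at the cradle finds nothing to talk to, then clear every
# permission bit so a freshly started sync program cannot open the port
# either.  Prints the saved mode so the caller can restore it later.
lock_port() {
    saved_mode=$(port_mode "$1") || return 1
    pkill -x jpilot 2>/dev/null || true   # assumed listener; absent is fine
    chmod 000 "$1" || return 1
    echo "$saved_mode"
}

# Restore the permission bits recorded by lock_port.
unlock_port() {
    chmod "$2" "$1"
}

# Lock the port, run xlock with any arguments given, restore the port.
# The trap restores the device even if xlock or this shell is killed.
secure_xlock() {
    mode=$(lock_port "$PILOT_PORT") || {
        echo "secure_xlock: cannot lock $PILOT_PORT" >&2
        return 1
    }
    trap 'unlock_port "$PILOT_PORT" "$mode"' EXIT INT TERM
    xlock "$@"
    unlock_port "$PILOT_PORT" "$mode"
    trap - EXIT INT TERM
}

# Only lock the screen when explicitly asked, so the file can also be
# sourced to reuse lock_port/unlock_port:  RUN_SECURE_XLOCK=1 ./secure_xlock
if [ -n "${RUN_SECURE_XLOCK:-}" ]; then
    secure_xlock "$@"
fi
```

Clearing the permission bits covers the case Geoffrey's approach does not, a sync program that is started (or restarted) while the screen is locked; a USB cradle would need the same treatment applied to its device node, and a setuid or root-owned listener is not stopped by pkill from an unprivileged wrapper.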