Date: Mon, 26 Feb 2007 18:35:18 -0500
From: "Roger A. Grimes" <roger@...neretcs.com>
To: "McCarty, Eric C." <emccarty@...ucsd.edu>, <chgsupra1@....com>,
	<bugtraq@...urityfocus.com>
Subject: RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass

Yes, with physical access a specialized, dedicated attacker can always
compromise the device. With this bug, the specialized skills needed
include pressing three buttons.  That's the problem.  You can't just
blow off the difficulty rating as inconsequential.

Yes, I agree with your other commonsense attestations.

But my main beef isn't with this particular exploit, it's with Palm's
policy of not fixing a security vulnerability in millions of phones.  

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@...neretcs.com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************


-----Original Message-----
From: McCarty, Eric C. [mailto:emccarty@...ucsd.edu] 
Sent: Thursday, February 22, 2007 5:55 PM
To: Roger A. Grimes; chgsupra1@....com; bugtraq@...urityfocus.com
Subject: RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass

This vulnerability also assumes the attacker has physical access to the
device. Once a device is stolen or accessed physically by an attacker it
will be cracked, one way or another. 

Remote Device policies should dictate the importance of notifying IT
staff immediately if a device is lost or stolen so it can be remotely
"bricked". 

I agree that more and more companies are lacking in responsibility for
their security vulnerabilities. Yet oftentimes mitigating factors can
assist a company in determining the priority to put on patches or
updates. For example, the fact that someone needs physical access to
exploit this security risk certainly dictates a much lower priority for
patching.

Eric McCarty


-----Original Message-----
From: Roger A. Grimes [mailto:roger@...neretcs.com]
Sent: Thursday, February 22, 2007 11:13 AM
To: chgsupra1@....com; bugtraq@...urityfocus.com
Subject: RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass

Is it truly an "emergency call" if you need to look up the number?  Why
not put in your valid password and make a regular call.

Security is a lot about expectations. If a device is locked or
password-protected, the expectation is that all the data is fully
protected all the time. If it's not, then communicate it in the
documentation so I can make a valid marketing choice when buying a
product. 

If the concern is that some people would like to have this feature
as-is, make it a checkmark decision on the Preferences page. Then both
sides are happy. 

The bigger issue isn't this particular bug. It's a symptom of more and
more companies, who when faced with a security problem just decide not
to fix it. I think that as long as the product is still expected to be
reasonably used, or unless a shorter warranty period is communicated, if
a security bug gets revealed, it should be fixed. Note, we're not
arguing how long they should have to fix it, but rather if they will fix
it ever.  That's the central issue. And it's one I'll personally
remember when purchasing my next Treo product. I may buy another Treo
product, I don't know, but this will absolutely be on my mind as I look
at competitor devices.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@...neretcs.com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************



-----Original Message-----
From: chgsupra1@....com [mailto:chgsupra1@....com] 
Sent: Wednesday, February 21, 2007 9:52 PM
To: bugtraq@...urityfocus.com
Subject: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass

I can understand why Palm does not want to fix it. This is my opinion;
it stems from feature richness: The initial state is that the phone is
locked and then you receive a call, and then it provides the user the
ability to search for contact/number/meeting/memo...etc. (header/prefix
only). If this Find feature is blocked, then the user would have to hang
up the call and unlock the phone to retrieve the info, then call the
user back.  I have run into this situation on many occasions, since I
did not know the Find feature could be used in this mode.

The SecurityLockFindFix.prc is available to block the Find feature, but
for the non-security-minded person flexibility may way overshadow
security; but that is a personal matter. There is no personal choice
when the Palm Treo is corporate-owned, so the fix should be applied.
