lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <622BB5DE-DBDF-11D8-BAF7-0003939D6C78@westnet.com.au>
From: aqsalter at westnet.com.au (Adam Q)
Subject: Physical access exploit: Apple iTunes Visualiser disables screen lock

The full-screen Apple iTunes Visualiser currently disables the screen 
lock timer on both Mac & PC.

Synopsis:
This a physical access security concern at present since anybody who 
uses the iTunes Visualiser in full-screen mode is essentially leaving 
their PC unlocked for that duration. Since many people leave the 
Visualiser on in office or POS situations this leads to a computer that 
can easily be accessed as the local user.

Suggested workaround:
Never leave a computer running iTunes Visualiser in full-screen mode 
unattended. Never deploy a computer with iTunes installed in a POS 
situation, and carefully consider the ramifications on the IT Security 
Policy in an office environment.

Recommended action:
Have the default be to lock the screen after the required time elapsed 
(exactly as if the screensaver became enabled) and have a preference to 
disable screen locking if the user wishes. Most users (and IT 
departments) would assume if they had screen locking enabled for their 
screensaver that they would be safe.



iTunes is a registered trademark of Apple Computer Corp.
---
Adam Q Salter
aqsalter@...tnet.com.au


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ