VisorCentral.com (http://discussion.visorcentral.com/vcforum/index.php)
- Visor & Deluxe (http://discussion.visorcentral.com/vcforum/forumdisplay.php?forumid=1)
-- Solution for Network HotSync vulnerability (http://discussion.visorcentral.com/vcforum/showthread.php?threadid=908)
There is a vulnerability with network hotsyncs which was reported across the Net today. There is no patch available at this time, but there is a fix:
* left-click on the Hotsync Manager icon in the system tray
* make sure "Network" is NOT selected
* select "setup"
* select the "Network" tab
* uncheck all boxes from the list of users
This will disable network hotsyncs until a patch is available.
For more information on the vulnerability, please see:
http://www.securityfocus.com/vdb/bottom.html?vid=920
Wouldn't this vulnerability be in all Palm-compatibles, as they all use the same NetHotSync and Desktop?
BTW, Network HotSync wasn't enabled by default on my Visor.
------------------
James Hromadka
VisorCentral.com
Personal Website: http://www.Hromadka.com
It may be, but the advisory was only posted for Handspring Visors. I don't have a Palm to test with, nor do I use network hotsync with my Visor. It was disabled (unchecked), but in the setup, it still said that my Visor was one of the ones available for that type of sync.
I'm more concerned about the fact that Handspring hasn't posted anything about it. Do you think they even know about it?
I think the vulnerability is only present in the Visor HotSync. I imagine the Hotsync program is modified (notice the "H" at the end of the version #) to allow USB syncs.
The Palm Desktop is the same across all PalmOS versions after 3.0 (with a few updates). I had a Palm III and used NetHotSync and it never prompted me for a password. Monachus is correct that someone with the proper information could NetHotSync using your id, but as I said this vulnerability is not specific to the Visor. I think that if you use DHCP you can have your IP address change periodically.
I notified Handspring about the BugTraq post and the issue.
------------------
James Hromadka
VisorCentral.com
Personal Website: http://www.Hromadka.com
Just wondering, but even if you know somebody's IP and user name, isn't there still the matter of the auto-selected user id number (to look it up, I think it's Shortcut.4)? I've heard that this number is used by hotsync instead of the user name to keep track of which palm is which. Just wondering.