Solution for Network HotSync vulnerability

monachus
Member

Registered: Jan 2000
Location:
Posts: 2


There is a vulnerability with network hotsyncs which was reported across the Net today. There is no patch available at this time, but there is a fix:

* left-click on the Hotsync Manager icon in the system tray
* make sure "Network" is NOT selected
* select "setup"
* select the "Network" tab
* uncheck all boxes from the list of users

This will disable network hotsyncs until a patch is available.

For more information on the vulnerability, please see:
http://www.securityfocus.com/vdb/bottom.html?vid=920

monachus is offline Old Post 01-07-2000 05:57 AM
JHromadka
VisorCentral Staff

Registered: Sep 1999
Location: Texan in Calgary for a while
Posts: 1361


Wouldn't this vulnerability be in all Palm-compatibles, as they all use the same NetHotSync and Desktop?

BTW, Network HotSync wasn't enabled by default on my Visor.

------------------
James Hromadka
VisorCentral.com
Personal Website: http://www.Hromadka.com

JHromadka is offline Old Post 01-07-2000 02:19 PM
monachus
Member

Registered: Jan 2000
Location:
Posts: 2


it may be, but the advisory was only posted for Handspring Visors. i don't have a palm to test with, nor do i use network hotsync with my visor. it was disabled (unchecked), but in the setup, it still said that my visor was one of the ones available for that type of sync.

i'm more concerned about the fact that Handspring hasn't posted anything about it. do you think they even know about it?

monachus is offline Old Post 01-07-2000 05:23 PM
VisorWA
Member

Registered: Dec 1999
Location:
Posts: 19


I think the vulnerability is only present in the Visor HotSync. I imagine the Hotsync program is modified (notice the "H" at the end of the version #) to allow USB syncs.

VisorWA is offline Old Post 01-11-2000 11:25 PM
JHromadka
VisorCentral Staff

Registered: Sep 1999
Location: Texan in Calgary for a while
Posts: 1361


The Palm Desktop is the same across all PalmOS versions after 3.0 (with a few updates). I had a Palm III and used NetHotSync and it never prompted me for a password. Monachus is correct that someone with the proper information could NetHotSync using your id, but as I said this vulnerability is not specific to the Visor. I think that if you use DHCP you can have your IP address change periodically.
I notified Handspring about the BugTraq post and the issue.

------------------
James Hromadka
VisorCentral.com
Personal Website: http://www.Hromadka.com

JHromadka is offline Old Post 01-12-2000 01:46 AM
CompuPika
Member

Registered: Nov 1999
Location: California
Posts: 108


Just wondering, but even if you know somebody's IP and user name, isn't there still the matter of the auto-selected user id number (to look it up, I think it's Shortcut.4)? I've heard that this number is used by hotsync instead of the user name to keep track of which palm is which. Just wondering.

CompuPika is offline Old Post 01-13-2000 02:43 AM
All times are GMT.