Grand Idea Studio

Security

Palm OS Password Retrieval and Decoding

Tuesday, Sep 26th, 2000

Palm OS devices offer a built-in Security application that lets the legitimate user protect and hide records from unauthorized users by means of a password. In all basic built-in applications (Address, Date Book, Memo Pad, and To Do List), individual records can be marked as “Private” and will only be accessible if the correct password is entered. It is possible to obtain an encoded form of the password, determine the actual password due to a weak, reversible encoding scheme, and access a user’s private data. For this attack to succeed, the attacker must have physical access to the target Palm device.

iKey 1000 Administrator Access

Thursday, Jul 20th, 2000

Rainbow Technologies’ iKey 1000 is a portable USB device providing authentication and digital storage of passwords, cryptographic keys, credentials, or other data. Administrator access to the iKey 1000 is provided with the MKEY (Master Key) password and allows device initialization, configuration, and access to all data stored on the key.

eToken R1 Private Information Extraction

Thursday, May 4th, 2000

Aladdin Knowledge Systems’ eToken is a portable USB authentication device providing access control for digital assets. By using any industry-standard device programmer to modify the unprotected external memory, the user PIN can be changed back to the default PIN. The attack requires physical access to the device circuit board and will allow all private information to be read from the device without knowing the PIN of the legitimate user.

Compromising Voice Messaging Systems

Tuesday, May 2nd, 2000

Voice mail systems and answering machines are an important part of the corporate information flow. However, they are frequently left unprotected and are overlooked when security assessments are performed. Access to these systems may yield valuable information and may help attackers further their attacks on the company’s computer infrastructure. This brief paper introduces the concept and methodologies of compromising voice mail systems and answering machines, provides vendor-specific characteristics to aid in voice mail compromise, and contains a reference of related news reports, security advisories, and software tools.

CRYPTOCard PalmToken PIN Extraction

Monday, Apr 10th, 2000

CRYPTOCard’s CRYPTOAdmin software is a challenge/response user authentication administration system. The PT-1 token, which runs on a Palm OS device, generates the one-time-password response. A Palm OS .PDB file is created for each user and loaded onto their Palm device. By gaining access to the .PDB file, the legitimate user’s PIN can be determined through a series of DES decrypt-and-compares in under 5 minutes on a Pentium III 450MHz.
