OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-Disclosure] Physical access exploit: Apple iTunes Visualiser disables screen lock

From: Adam Q (aqsalterwestnet.com.au)
Date: Thu Jul 22 2004 - 08:02:27 CDT


The full-screen Apple iTunes Visualiser currently disables the screen
lock timer on both Mac & PC.

Synopsis:
This a physical access security concern at present since anybody who
uses the iTunes Visualiser in full-screen mode is essentially leaving
their PC unlocked for that duration. Since many people leave the
Visualiser on in office or POS situations this leads to a computer that
can easily be accessed as the local user.

Suggested workaround:
Never leave a computer running iTunes Visualiser in full-screen mode
unattended. Never deploy a computer with iTunes installed in a POS
situation, and carefully consider the ramifications on the IT Security
Policy in an office environment.

Recommended action:
Have the default be to lock the screen after the required time elapsed
(exactly as if the screensaver became enabled) and have a preference to
disable screen locking if the user wishes. Most users (and IT
departments) would assume if they had screen locking enabled for their
screensaver that they would be safe.

iTunes is a registered trademark of Apple Computer Corp.
---
Adam Q Salter
aqsalterwestnet.com.au

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html