lists.openwall.net: Open Source and information security mailing list archives
From: nodialtone at comcast.net (Byron Copeland)
Subject: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5
	remote code execution

heh,

I have seen worse cases.  I had to go into a hospital one night to get a
few x-rays done, I'd say around 9pm or so.  Ok, so on the way in, being
accompanied by one of the nurses, I noticed that a cleaning person was
tidying up a bit around the x-ray rooms, etc.  Ok, that's cool, I
thought.  But on the way out, I noticed that the person was in a
different area of the facility tidying up around terminals STILL logged
in and not screen-locked or logged out.  Go figure.

-b

On Wed, 2004-02-18 at 21:50, Bill Royds wrote:
> Last time I was at my doctor's medical clinic, I noticed all the shiny new
> LCD monitors showing the Windows logon prompt with the account Administrator. I
> asked the receptionist why. She said it was so that anyone could sign on to any
> machine when they needed it, since individual machines lock out so only the
> signed-up user or administrator can sign on. They did have the screensaver
> timeout so people off the street couldn't sign on. But the only way to make
> the multiple workstations usable for anybody was to use the administrator
> account on all of them.
>   This is a bit of a design flaw in the Windows network that means security
> is much less than it ought to be.
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of insecure
> Sent: February 18, 2004 7:55 PM
> To: Tim
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5
> remote code execution
> 
> Tim wrote:
> 
> >>The first is that this IE bug is life-threatening. It's not.
> <snip>
> >>Where's the problem?
> >>This is outrageous FUD. Web browsers are not used in medical
> >>appliances.
> > 
> > 
> > Oh?  Have you worked in a hospital?  I haven't, but I am willing to bet
> > a lot of medical records and even appliances are run on Windows.
> > Correct me if I am wrong.
> > 
> <snip>
> 
> I do work in a hospital in the US. No sane person would run a medical 
> device on Windows, or at least connect same to a production network. 
> However, insanity is rampant...
> 
> Many, if not most, medical record systems, diagnostic, and treatment 
> devices run on Windows. The reason is simple: economics. The OS is 
> cheaper than dedicated, hardened real-time OSes. Programming tools and 
> programmers are cheaper, by far. The costs, as in the risk to patients' 
> privacy and safety, can be easily shifted onto someone else.
> 
> One of the largest selling systems used for storing and annotating 
> images of paper medical records is written in Word macros. It's a very 
> unstable system, but who cares if it has to be rebooted every day? 
> Probably only the patients whose records get corrupted or lost in the 
> process.
> 
> Many of these systems come from the vendor with default shares enabled 
> allowing anonymous access, no patches, default passwords, no anti-virus, 
> etc. Many health-care organizations then proceed to plug them into the 
> general network and pretend that nothing's wrong.
> 
> We've had both diagnostic and treatment devices infected with viruses 
> and worms. We've had this happen while devices were connected to 
> patients.
> 
> So the next time you're at a hospital, consider that chances are anyone 
> who has network access can find out more about you than you'd care to 
> have them know, and may be able to modify records and treatment plans if 
> they are feeling like it.
> 
> If you happen to be receiving some potentially dangerous computer-driven 
> treatment, for example radiation therapy, be assured that the computer 
> telling the linear accelerator where to place the dose, and how much, is 
> likely to be a Windows box that was set up and maintained by someone who 
> has exactly zero knowledge of and concern about security issues.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
