lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon Jul  3 23:57:53 2006
From: anothersecurityquestion at gmail.com (r r)
Subject: Undisclosed breach at major US facility

Need some advise here.
I would like to know what to do if I --hypothetically speaking-- I
were to retrieve _complete_ databases of a MAJOR us hospital.  My
hypothetical model is not brute force, but rather an 'accidental'
discovery by trying to retrieve updates from a software vendor.

Let's say this Big Name software vendor, who sells itself as being an
authority on security, is so flipping retarded that they stick their
customer data on a public CVS server.  Let's say I sync to this and
dump a couple hundreds of meg of 'updates' only to later discover that
those are NOT updates.

Those are data files for other customers (which when prodding, reveals
itself to be very real, verified data of at least one high-profile
hospital)

I read up as much as I could on HIPAA, but this is beyond the slip-ups
to be covered by HIPAA.  Beyond medical records and privacy, this
wreaks of woeful incompetence by who should be freaking security
professionals!! (4 MAJOR organizations who have royally screwed up
here).

First thoughts are to call HIPAA (has to be federally reported for
number of people and different states affected).
And while HIPAA is supposed to protect the 'whistleblower', I don't
put much confidence in it.  Maybe a webpost through anonomizer (and
borrowed connections) like I do to check gmail.

And if these companies are notified, what happens?  A slap on the wrist?
Wash it under the rug and label the person discovering it all to be a Black Hat?
Let's not forget about the diebold fiasco(s)---(fwiw I don't work for
any of the involved companies--in my theoretical model I would solely
be the customer of questionable software).

One idea (by one of my imaginary friends who pretends to be a doctor
and a former hospital board member) was to ABSOLUTELY NOT tell the
hospital for various reasons.  That alter-ego of mine instead
suggested I get an attorney that specialized in that.  That sounds
expensive.  Now, I feel like a victim.

If _I_ have been able to discover such a gaping hole (and I didn't
even TRY to find it), then I am pretty sure that it already has been
taken. In any case, it will be stolen in a matter of weeks.  Since
that is inevitable, I should just remove all the data I obtained and
forget about it.

In the end, I feel bad for the hundreds of thousands of people who can
be totally raped of their identities (or be scammed for extraneous
chargesl, etc etc).
But, why should I be the scapegoat for pointing out that the Emperor
has no clothes?

Any useable thoughts?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ