Message-ID: <20040219025022.MKNW83660.fep01-mail.bloor.is.net.cable.rogers.com@BillDell>
From: full-disclosure at royds.net (Bill Royds)
Subject: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
Last time I was at my doctor's medical clinic, I noticed all the shiny new
LCD monitors showing the Windows logon prompt with the account Administrator. I
asked the receptionist why. She said it was so that anyone could sign on to any
machine when they needed it, since the individual machines lock so that only the
signed-on user or an administrator can sign back on. They did have the screensaver
timeout so people off the street couldn't sign on. But the only way to make
the multiple workstations usable by anybody was to use the Administrator
account on all of them.
This is a bit of a design flaw in the Windows network that means security
is much less than it ought to be.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of insecure
Sent: February 18, 2004 7:55 PM
To: Tim
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
Tim wrote:
>>The first is that this IE bug is life-threatening. It's not.
<snip>
>>Where's the problem?
>>This is outrageous FUD. Web browsers are not used in medical
>>appliances.
>
>
> Oh? Have you worked in a hospital? I haven't, but I am willing to bet
> a lot of medical records and even appliances are run on Windows.
> Correct me if I am wrong.
>
<snip>
I do work in a hospital in the US. No sane person would run a medical
device on Windows, or at least connect same to a production network.
However, insanity is rampant...
Many, if not most, medical record systems, diagnostic, and treatment
devices run on Windows. The reason is simple: economics. The OS is
cheaper than dedicated, hardened real-time OS's. Programming tools and
programmers are cheaper, by far. The costs, as in the risk to patients'
privacy and safety, can be easily shifted onto someone else.
One of the largest selling systems used for storing and annotating
images of paper medical records is written in Word macros. It's a very
unstable system, but who cares if it has to be rebooted every day?
Probably only the patients whose records get corrupted or lost in the
process.
Many of these systems come from the vendor with default shares enabled
allowing anonymous access, no patches, default passwords, no anti-virus,
etc. Many health-care organizations then proceed to plug them into the
general network and pretend that nothing's wrong.
We've had both diagnostic and treatment devices infected with viruses
and worms. We've had this happen while devices were connected to
patients.
So the next time you're at a hospital, consider that chances are anyone
who has network access can find out more about you than you'd care to
have them know, and may be able to modify records and treatment plans if
they are feeling like it.
If you happen to be receiving some potentially dangerous computer-driven
treatment, for example radiation therapy, be assured that the computer
telling the linear accelerator where to place the dose, and how much, is
likely to be a Windows box that was set up and maintained by someone who
has exactly zero knowledge and concern about security issues.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
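As an added check, not part of either message in the thread: a read-only PowerShell audit that looks on a single Windows host for the conditions the two posts describe (the built-in Administrator account being used for interactive logons, shares reachable by anonymous null sessions, a long-unchanged Administrator password, a stale patch level, and missing anti-virus). The cmdlets and registry values are Microsoft's; the function names, the seven-day logon window and the assumption of PowerShell 5.1 on Windows 10 / Server 2016 or later in an elevated session are this example's own.

```powershell
# Added audit example (not from the list post). Assumes PowerShell 5.1 on
# Windows 10 / Server 2016 or later and an elevated session. Function names
# and the 7-day lookback are this example's own choices.
#Requires -RunAsAdministrator

function Get-AdminInteractiveLogon {
    # Successful logons (event 4624) by the built-in Administrator account at the
    # console (logon type 2) or over RDP (type 10): the "everyone signs on as
    # Administrator" pattern from the clinic story.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data.TargetUserName
            LogonType = [int]$data.LogonType
            From      = $data.WorkstationName
        }
    } | Where-Object { $_.User -eq 'Administrator' -and $_.LogonType -in 2, 10 }
}

function Get-AnonymousShareExposure {
    # Registry values that decide whether a null (anonymous) SMB session can
    # enumerate or reach shares, plus every non-administrative share on the box.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    function Read-Value($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        RestrictAnonymous         = Read-Value $lsa 'RestrictAnonymous'          # hardened: 1
        EveryoneIncludesAnonymous = Read-Value $lsa 'EveryoneIncludesAnonymous'  # hardened: 0
        RestrictNullSessAccess    = Read-Value $srv 'RestrictNullSessAccess'     # hardened: 1
        NullSessionShares         = Read-Value $srv 'NullSessionShares'          # hardened: empty
        NonAdminShares            = @(Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object Name)
    }
}

function Get-HostHygiene {
    # Default-credential, patch-level and anti-virus indicators the thread lists.
    $admin   = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $av      = Get-MpComputerStatus -ErrorAction SilentlyContinue   # Defender only; third-party AV reports elsewhere
    [pscustomobject]@{
        AdminEnabled         = $admin.Enabled
        AdminPasswordAgeDays = if ($admin.PasswordLastSet) { (New-TimeSpan -Start $admin.PasswordLastSet).Days } else { $null }
        LastPatchInstalled   = $lastFix.InstalledOn
        DaysSinceLastPatch   = if ($lastFix.InstalledOn) { (New-TimeSpan -Start $lastFix.InstalledOn).Days } else { $null }
        RealTimeAVEnabled    = $av.RealTimeProtectionEnabled
        AVSignatureAgeDays   = $av.AntivirusSignatureAge
    }
}

# Run the three checks; the first table is the one to look at on a shared clinic PC.
Get-AdminInteractiveLogon | Format-Table -AutoSize
Get-AnonymousShareExposure | Format-List
Get-HostHygiene | Format-List
```

Anything the first function returns means the shared-Administrator practice is in use; a non-empty NullSessionShares or EveryoneIncludesAnonymous set to 1 is the "default shares allowing anonymous access" case. The clinic's workaround is not forced by Windows: the "Allow log on locally" user right (SeInteractiveLogonRight, visible with `secedit /export /cfg rights.inf /areas USER_RIGHTS`) can be granted to a staff group so each person signs on with their own account, and the lock screen, which only the signed-on user or an administrator can clear, then behaves as intended.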