From: insecure at ameritech.net (insecure)
Subject: Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

Tim wrote:

>>The first is that this IE bug is life-threatening. It's not.
<snip>
>>Where's the problem?
>>This is outrageous FUD. Web browsers are not used in medical
>>appliances.
> 
> 
> Oh?  Have you worked in a hospital?  I haven't, but I am willing to bet
> a lot of medical records and even appliances are run on Windows.
> Correct me if I am wrong.
> 
<snip>

I do work in a hospital in the US. No sane person would run a medical 
device on Windows, or at least connect same to a production network. 
However, insanity is rampant...

Many, if not most, medical record systems, diagnostic, and treatment 
devices run on Windows. The reason is simple: economics. The OS is 
cheaper than dedicated, hardened real-time OS's. Programming tools and 
programmers are cheaper, by far. The costs, as in the risk to patients' 
privacy and safety, can be easily shifted onto someone else.

One of the largest selling systems used for storing and annotating 
images of paper medical records is written in Word macros. It's a very 
unstable system, but who cares if it has to be rebooted every day? 
Probably only the patients whose records get corrupted or lost in the 
process.

Many of these systems come from the vendor with default shares enabled 
allowing anonymous access, no patches, default passwords, no anti-virus, 
etc. Many health-care organizations then proceed to plug them into the 
general network and pretend that nothing's wrong.

We've had both diagnostic and treatment devices infected with viruses 
and worms. We've had this happen while devices were connected to 
patients.

So the next time you're at a hospital, consider that chances are anyone 
who has network access can find out more about you than you'd care to 
have them know, and may be able to modify records and treatment plans if 
they are feeling like it.

If you happen to be receiving some potentially dangerous computer-driven 
treatment, for example radiation therapy, be assured that the computer 
telling the linear accelerator where to place the dose, and how much, is 
likely to be a Windows box that was set up and maintained by someone who 
has exactly zero knowledge and concern about security issues.
