Open Source and information security mailing list archives
 
Message-ID: <1865973b0607110355i1f407d7ey9a82788f03f3dc5@mail.gmail.com>
Date: Tue Jul 11 11:55:09 2006
From: gluttony at gmail.com (Andrew A)
Subject: Undisclosed breach at major US facility

I recommend you steal the databases and sell them for cash.

On 7/3/06, r r <anothersecurityquestion@...il.com> wrote:
>
> Need some advice here.
> I would like to know what to do if I --hypothetically speaking--
> were to retrieve _complete_ databases of a MAJOR us hospital.  My
> hypothetical model is not brute force, but rather an 'accidental'
> discovery by trying to retrieve updates from a software vendor.
>
> Let's say this Big Name software vendor, who sells itself as being an
> authority on security, is so flipping retarded that they stick their
> customer data on a public CVS server.  Let's say I sync to this and
> dump a couple hundreds of meg of 'updates' only to later discover that
> those are NOT updates.
>
> Those are data files for other customers (which when prodding, reveals
> itself to be very real, verified data of at least one high-profile
> hospital)
>
> I read up as much as I could on HIPAA, but this is beyond the slip-ups
> to be covered by HIPAA.  Beyond medical records and privacy, this
> reeks of woeful incompetence by those who should be freaking security
> professionals!! (4 MAJOR organizations who have royally screwed up
> here).
>
> First thoughts are to call HIPAA (has to be federally reported for
> number of people and different states affected).
> And while HIPAA is supposed to protect the 'whistleblower', I don't
> put much confidence in it.  Maybe a webpost through an anonymizer (and
> borrowed connections) like I do to check gmail.
>
> And if these companies are notified, what happens?  A slap on the wrist?
> Wash it under the rug and label the person discovering it all to be a
> Black Hat?
> Let's not forget about the diebold fiasco(s)---(fwiw I don't work for
> any of the involved companies--in my theoretical model I would solely
> be the customer of questionable software).
>
> One idea (by one of my imaginary friends who pretends to be a doctor
> and a former hospital board member) was to ABSOLUTELY NOT tell the
> hospital for various reasons.  That alter-ego of mine instead
> suggested I get an attorney that specialized in that.  That sounds
> expensive.  Now, I feel like a victim.
>
> If _I_ have been able to discover such a gaping hole (and I didn't
> even TRY to find it), then I am pretty sure that it already has been
> taken. In any case, it will be stolen in a matter of weeks.  Since
> that is inevitable, I should just remove all the data I obtained and
> forget about it.
>
> In the end, I feel bad for the hundreds of thousands of people who can
> be totally raped of their identities (or be scammed for extraneous
> charges, etc etc).
> But, why should I be the scapegoat for pointing out that the Emperor
> has no clothes?
>
> Any usable thoughts?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>