Re: [Full-disclosure] Undisclosed breach at major US facility

From: mikeiscool (michaelslistsgmail.com)
Date: Mon Jul 03 2006 - 18:08:05 CDT


On 7/4/06, r r <anothersecurityquestiongmail.com> wrote:
> Need some advice here.
> I would like to know what to do if I --hypothetically speaking--
> were to retrieve _complete_ databases of a MAJOR US hospital. My
> hypothetical model is not brute force, but rather an 'accidental'
> discovery by trying to retrieve updates from a software vendor.
>
> Let's say this Big Name software vendor, who sells itself as being an
> authority on security, is so flipping retarded that they stick their
> customer data on a public CVS server. Let's say I sync to this and
> dump a couple hundreds of meg of 'updates' only to later discover that
> those are NOT updates.
>
> Those are data files for other customers (which when prodding, reveals
> itself to be very real, verified data of at least one high-profile
> hospital)
>
> I read up as much as I could on HIPAA, but this is beyond the slip-ups
> to be covered by HIPAA. Beyond medical records and privacy, this
> reeks of woeful incompetence by who should be freaking security
> professionals!! (4 MAJOR organizations who have royally screwed up
> here).
>
> First thoughts are to call HIPAA (has to be federally reported for
> number of people and different states affected).
> And while HIPAA is supposed to protect the 'whistleblower', I don't
> put much confidence in it. Maybe a webpost through an anonymizer (and
> borrowed connections) like I do to check gmail.
>
> And if these companies are notified, what happens? A slap on the wrist?
> Wash it under the rug and label the person discovering it all to be a Black Hat?
> Let's not forget about the diebold fiasco(s)---(fwiw I don't work for
> any of the involved companies--in my theoretical model I would solely
> be the customer of questionable software).
>
> One idea (by one of my imaginary friends who pretends to be a doctor
> and a former hospital board member) was to ABSOLUTELY NOT tell the
> hospital for various reasons. That alter-ego of mine instead
> suggested I get an attorney that specialized in that. That sounds
> expensive. Now, I feel like a victim.
>
> If _I_ have been able to discover such a gaping hole (and I didn't
> even TRY to find it), then I am pretty sure that it already has been
> taken. In any case, it will be stolen in a matter of weeks. Since
> that is inevitable, I should just remove all the data I obtained and
> forget about it.
>
> In the end, I feel bad for the hundreds of thousands of people who can
> be totally raped of their identities (or be scammed for extraneous
> charges, etc etc).
> But, why should I be the scapegoat for pointing out that the Emperor
> has no clothes?
>
> Any usable thoughts?

so report it to the police anonymously?

or tell a tv/radio station?

or

put together a list of the hashed names/IDs and put it in a site.
provide a tool that allows people to calculate their own hash of their
data, then they can check if their ident has been stolen. make sure
you definitely don't use that tool to also steal their data, cause
that would be bad. also try to resist the urge to make the tool server
side, cause that would also be funny.

maybe www.hasmyidentbeenstolen.com. if the tool is server side you
don't even need to process it; just respond "yes".

anyway, assuming you do make such a tool, then if the user finds out
theirs has been stolen, they can call the police and deal with it
privately.

-- mic

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/