A year ago, I did a Proof of Concept for insider threat detection in a hospital group. By creating a user behaviour index, I was able to identify a few misuse events that pointed to a potential auth issue. After playing around a bit, I found the following:

- billing system
- patient management for ICU, pre/post natal, surgical and ward
- dispensary
- practitioner management

I was able to add myself as a medical practitioner, prescribe medication, assign patients to my roster, order a transfer and ultimately kidnap children from their hospitals by co-opting their ambulance service. None of the above had any form of authentication in place. All of the above are hosted in a lovely server farm in a consumer ISP. As of yesterday, nothing had been done to resolve this clusterfuck. What is everyone's opinion on the matter? Full public disclosure?

# Mar 4, 2016 12:48

# May 5, 2024 17:01

> OSI bean dip posted: Talk to a lawyer; health care is one of those things that could get you sued to all hell. Are you American? Did you do this as an individual or are you working for a firm that was hired to do the PoC? Do you have any NDAs with them?

Thanks for the advice. Lawyers have been approached.

ming-the-mazdaless fucked around with this message at 16:55 on Mar 7, 2016

# Mar 7, 2016 12:35

> Sharktopus posted: do you think that patient safety will be increased more by you politely asking the hospital to spend resources, or by forcing them to fix these very real problems?

ming-the-mazdaless fucked around with this message at 16:55 on Mar 7, 2016

# Mar 7, 2016 12:47

> BangersInMyKnickers posted: Tavis Ormandy turned his terrible gaze towards Symantec and hit paydirt. Expect big rounds of emergency patching in the next 3 months if you're running their products. Or maybe they don't do anything and you get some 0day CVEs when he goes public.

On this subject. How in the gently caress, in 2016, are we still encountering failures to patch and hold a spreadsheet with just the most cursory loving information about your critical apps and hosts?

- AV: Heartbleed. 107 instances of vulnerable OpenSSL in AV. This version is three years old.
- Java: 44 versions, not one instance of the current revision. IT confirms no need for Java, so it really isn't a problem as far as they are concerned, as in "we don't use Java so we don't see this as a risk".
- Adobe Acrobat Reader: 63 versions, including Adobe Acrobat Reader 6.

This customer has 107 staff and 3 computer janitors and an IT manager. Customer allows personal webmail, including unvetted 100+ megabyte downloads from the Tencent QQ personal webmail service. Customer allows unencrypted USB. Customer feels proud that they have a handle on data loss through Dropbox. How? Well, only IT can access Dropbox and will download your files and send them to you via email (which has led to a full-scale information security breach and the reason I am involved). The IT admin responsible for downloading? Yes, you guessed it. The same pokemon-downloading fucktard that is in charge of patch management. The same IT admin with Java 6 and Adobe 11.0.10 on his workstation.

# May 3, 2016 14:15

> Thanks Ants posted: A KnowBe4 subscription

With "training" by Mitnick? No thanks.

# May 4, 2016 10:03

loving AV poo poo merchants must die in a toxic chemical fire. In this particular case, Webroot.

# Jun 14, 2016 11:55

Successful execution of mimikatz (not via Metasploit) on an end-point is not a threat according to Webroot.

# Jun 29, 2016 15:10

Are VulnScan vendors the new AV shitbirds? I am having the worst time trying to do business with Tenable.

# Jul 11, 2016 14:29

Info sec people, let's have a show of hands. Would you react badly if you conducted a PoC for a product and the vendor passed you data that had been completely scrubbed of any identifying detail? If not, would you react badly if the report covered criminal activity and the vendor asked you to pay for the detail?

# Aug 22, 2016 09:36

> Mustache Ride posted:

let me first.

# Aug 22, 2016 13:38

> Dex posted: brutal, but fair

Honest is not brutal. This kind of poo poo is the curse of IT and Info Sec.

# Sep 5, 2016 13:10

> Cugel the Clever posted: Akamai's kicked him off their servers, because that's totally the appropriate response to incipient cyber-terrorism...

They were offering him services pro bono.

# Sep 23, 2016 07:23

Senior Research Analyst

# Nov 4, 2016 13:59

> Thanks Ants posted: "Hi please check over these pentest results for your customer"

Job's a good one!

# Nov 8, 2016 13:33