Bugtraq mailing list archives
Infocure "Exact Dental" Practice Management System - awful security policy
From: Dixieland <dixieland () SNIP NET>
Date: Mon, 8 Jan 2001 12:11:33 -0500
Intro:
-----

Although painfully obvious to even intermediate users, I could not allow myself to not pass this information along to the public so that at least a handful of doctor's offices might be more secure.

"Exact Dental" is a practice management system for dental offices that tracks typical data such as patient databases, appointment schedules, and financial information (billing and accounting). The Exact Dental software was originally distributed by National Data Corp. Currently the software is property of Infocure. (http://www.infocure.com/)

When offices grew and users requested a way to work with multiple systems, the ability to leverage MS Windows networking was used in a manner that client workstations could communicate via a LAN and the Exact Dental system would use mapped shares to direct data and communication.

Issue:
-----

The following sent shivers down my spine when I installed the system (one Main server and two workstations) in a Dental office recently:

It is the policy of Infocure to recommend that users deploy their Exact Dental "server" machine with Windows 9x. The user is then directed to share the c: drive with FULL ACCESS permissions and NO PASSWORD.

I was certain that this step in the process was a mistake, and I contacted Infocure's support staff to inquire about the matter. After much questioning back and forth, a (somewhat indignant) tech support representative informed me that I was completely wrong, and that sharing the server's c: drive with full access permissions was the only way that the system would work, since the client software looks for a mapped drive (typically the letter K is used) and that this mapped drive MUST be the server's system drive.

Synopsis:
--------

Due to minimal documentation and anticipation of user incompetence, it has become the policy of Infocure to make the default configuration of the Exact Dental software so devoid of permissions and restrictions that virtually no one will encounter difficulty using the system.

Client workstations look to deposit data on a network resource. These network resources are specified in the exact.ini file (installed to c:\windows on client machines) as being "K:\NDCDENT\..." Inasmuch as the client anticipates that the k: drive is a mapping of the server's c: drive, one needs only to realize that the Exact Dental software (which resides in c:\NDCDent on the server) does not need a full path and a share compromising security on the server to function. A relative path works fine.

Solution:
--------

Do NOT share the c: drive on the server in any way. Instead, share the "NDCDENT" directory on the server computer. (Full access permissions are required for the clients to deposit data correctly, but username/password or password-protected shares can easily be used.)

Modification of the EXACT.INI file on the clients is necessary to direct the client software to the proper path. (Essentially, change all lines reading "K:\NDCDENT\DIR_NAME" to "K:\DIR_NAME" and the system works very well.)

Company Contact:
----------------

The Infocure representative to whom I spoke did not seem interested in my view of the security issue and simply reminded me of the fact that "this is how the system is configured." He expressed his opinion (or possibly he was relaying to me the official opinion of Infocure) to be that "most dental offices do not encounter security issues, really."

Company Information:
-------------------

"Exact Dental" is a practice management system for dental offices that tracks typical data such as patient databases, appointment schedules, and financial information (billing and accounting). With connectivity enablement, this system transmits insurance claims in batch to claims processing clearinghouses. Overall, the system houses and maintains ALL of the office's critical data. (This includes information such as patient records and financial payment records.) I am not aware as to whether or not the database format is proprietary, or if once compromised the information could be parsed and readable.

The Exact Dental software was originally distributed by National Data Corp. Currently the software is property of Infocure. (http://www.infocure.com/)

The implications of a person using a Windows-based LAN to connect anonymously to a server in this sort of environment are staggering. One could easily corrupt the dental office's database, or (possibly worse yet) take for their own observation the office's COMPLETE patient records and financial information. I will not even discuss in this email the possibility of an office with a Cable or DSL connection with which Windows Networking protocols are bound improperly. In such an instance, a remote user could compromise all data of the practice, then either disable or destroy the database, and leave without a trace.

It is frightening to me that this sort of no-security approach is presented to users in an attempt, as I see it, to reduce technical problems during setup and installation of this Practice Management Software.

Overall, it should not go unmentioned that the Exact Dental software is a fine product that, when properly configured, can provide dental offices with fantastic functionality and service. At this time I am not familiar with any other products from Infocure or National Data Corp. I cannot comment on the vulnerability of their other systems.
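The Solution section above describes the client-side change by hand: once the server shares only the NDCDENT directory instead of its whole c: drive, every "K:\NDCDENT\DIR_NAME" path in each client's EXACT.INI must become "K:\DIR_NAME". The script below, added here as an example and not part of the original post or the vendor's software, performs that rewrite and also reports any value still rooted at the old whole-drive mapping, so an administrator can confirm no client depends on the c: share before it is removed. The key names in the sample INI are constructed for illustration; the real file's keys are not given in the post.

```python
"""Rewrite Exact Dental client paths from a whole-drive share layout
(K: mapped to the server's c:) to an NDCDENT-only share layout
(K: mapped to c:\\NDCDENT).  Added example; the INI key names used in
SAMPLE_EXACT_INI are constructed, not taken from the real product."""
import re
import sys

# A value rooted at <drive>:\NDCDENT, optionally followed by a sub-path.
# Case-insensitive, since Windows paths and hand-edited INI files vary.
OLD_PREFIX = re.compile(
    r"^(?P<drive>[A-Za-z]):\\NDCDENT(?P<rest>\\.*|$)", re.IGNORECASE
)

# Constructed sample client file for demonstration (not a real exact.ini).
SAMPLE_EXACT_INI = r"""[Paths]
; constructed sample, not a real exact.ini
DataPath=K:\NDCDENT\DATA
SchedPath=K:\NDCDENT\SCHED
LocalTemp=C:\TEMP
ReportPath=k:\ndcdent\REPORTS
"""


def rewrite_path(value: str) -> str:
    """K:\\NDCDENT\\DIR_NAME -> K:\\DIR_NAME; anything else is returned unchanged."""
    m = OLD_PREFIX.match(value.strip())
    if not m:
        return value
    rest = m.group("rest") or "\\"  # a bare K:\NDCDENT becomes K:\
    return m.group("drive").upper() + ":" + rest


def _entries(text: str):
    """Yield (line_body, line_ending, key, value) for key=value lines.

    Comments (;), section headers ([...]) and lines without '=' yield
    key=None so callers can pass them through untouched."""
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        if body.startswith(";") or body.startswith("[") or "=" not in body:
            yield body, ending, None, None
            continue
        key, _, value = body.partition("=")
        yield body, ending, key, value


def rewrite_ini(text: str):
    """Return (new_text, changes) where changes is a list of (key, old, new)."""
    out = []
    changes = []
    for body, ending, key, value in _entries(text):
        if key is None:
            out.append(body + ending)
            continue
        new_value = rewrite_path(value)
        if new_value != value:
            changes.append((key, value, new_value))
        out.append(key + "=" + new_value + ending)
    return "".join(out), changes


def find_old_prefix(text: str):
    """Keys whose values still point at the whole-drive mapping (K:\\NDCDENT\\...).

    Run this against every client's INI before un-sharing the server's c:
    drive; an empty list means no client still depends on that share."""
    return [
        key
        for _, _, key, value in _entries(text)
        if key is not None and OLD_PREFIX.match(value.strip())
    ]


if __name__ == "__main__":
    # Usage: python fix_exact_ini.py C:\WINDOWS\EXACT.INI
    # With no argument, the constructed sample is rewritten and printed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            original = fh.read()
    else:
        original = SAMPLE_EXACT_INI
    new_text, changes = rewrite_ini(original)
    for key, old, new in changes:
        print(f"{key}: {old} -> {new}")
    if len(sys.argv) > 1:
        with open(sys.argv[1], "w", encoding="latin-1") as fh:
            fh.write(new_text)
    else:
        print(new_text)
```

The rewrite only touches values whose path begins with the NDCDENT directory under a drive letter, so local entries such as a C:\TEMP scratch path are left alone, and the drive letter in rewritten entries is normalised to upper case. Run it once per workstation after the server's share has been changed to the NDCDENT directory.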