Full Disclosure mailing list archives

RE: Undisclosed breach at major US facility


From: "The Shadow" <shadow () geek-guy com>
Date: Tue, 4 Jul 2006 15:04:40 -0700

Hi there,
I'm assuming that the reason that you don't want to share the information
with that particular hospital is because you don't want to be viewed as a
black hat, or someone hacking. But while I'd probably also consider a
lawyer, if you document your "legally" justified steps in maintaining
software for update purposes (including screen shots) then you could contact
them directly and let them know of the issue. I'm sure they'd be happy to
hear about it. Just make sure you have evidence of your authorized use so
that no one can come back on anything. Just my 2 cents

L8tr

www.Geek-Guy.com


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of r r
Sent: Monday, July 03, 2006 3:58 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Undisclosed breach at major US facility

Need some advice here.
I would like to know what to do if I --hypothetically speaking-- I
were to retrieve _complete_ databases of a MAJOR us hospital.  My
hypothetical model is not brute force, but rather an 'accidental'
discovery by trying to retrieve updates from a software vendor.

Let's say this Big Name software vendor, who sells itself as being an
authority on security, is so flipping retarded that they stick their
customer data on a public CVS server.  Let's say I sync to this and
dump a couple hundred meg of 'updates' only to later discover that
those are NOT updates.

Those are data files for other customers (which, when prodded, reveal
themselves to be very real, verified data of at least one high-profile
hospital).

I read up as much as I could on HIPAA, but this is beyond the slip-ups
to be covered by HIPAA.  Beyond medical records and privacy, this
reeks of woeful incompetence by those who should be freaking security
professionals!! (4 MAJOR organizations who have royally screwed up
here).

First thoughts are to call HIPAA (has to be federally reported for
number of people and different states affected).
And while HIPAA is supposed to protect the 'whistleblower', I don't
put much confidence in it.  Maybe a webpost through an anonymizer (and
borrowed connections) like I do to check gmail.

And if these companies are notified, what happens?  A slap on the wrist?
Wash it under the rug and label the person discovering it all to be a Black
Hat?
Let's not forget about the Diebold fiasco(s)---(fwiw I don't work for
any of the involved companies--in my theoretical model I would solely
be the customer of questionable software).

One idea (by one of my imaginary friends who pretends to be a doctor
and a former hospital board member) was to ABSOLUTELY NOT tell the
hospital for various reasons.  That alter-ego of mine instead
suggested I get an attorney that specialized in that.  That sounds
expensive.  Now, I feel like a victim.

If _I_ have been able to discover such a gaping hole (and I didn't
even TRY to find it), then I am pretty sure that it already has been
taken. In any case, it will be stolen in a matter of weeks.  Since
that is inevitable, I should just remove all the data I obtained and
forget about it.

In the end, I feel bad for the hundreds of thousands of people who can
be totally raped of their identities (or be scammed for extraneous
charges, etc etc).
But, why should I be the scapegoat for pointing out that the Emperor
has no clothes?

Any useable thoughts?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

