heh, I have seen worse cases. I had to go into a hospital one night to get a few x-rays done, I'd say around 9pm or so. OK, so on the way in, being accompanied by one of the nurses, I noticed that a cleaning person was tidying up a bit around the x-ray rooms, etc... OK, that's cool, I thought. But on the way out, I noticed that the person was in a different area of the facility tidying up around terminals STILL logged in and not screen-locked or logged out. Go figure.
-b

On Wed, 2004-02-18 at 21:50, Bill Royds wrote:
> Last time I was at my doctor's medical clinic, I noticed all the shiny new
> LCD monitors showing the Windows logon prompt with account Administrator. I
> asked the receptionist why. She said so that anyone could sign on any
> machine when they needed it, since individual machines lock out so only the
> signed user or administrator can sign on. They did have the screensaver
> timeout so people off the street couldn't sign on. But the only way to make
> the multiple workstations usable for anybody was to use the administrator
> account on all of them.
> This is a bit of a design flaw in the Windows network that means security
> is much less than it ought to be.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of insecure
> Sent: February 18, 2004 7:55 PM
> To: Tim
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: Re: GAYER THAN AIDS ADVISORY #01: IE 5
> remote code execution
>
> Tim wrote:
>
> >>The first is that this IE bug is life-threatening. It's not.
> <snip>
> >>Where's the problem?
> >>This is outrageous FUD. Web browsers are not used in medical
> >>appliances.
> >
> >
> > Oh? Have you worked in a hospital? I haven't, but I am willing to bet
> > a lot of medical records and even appliances are run on Windows.
> > Correct me if I am wrong.
> >
> <snip>
>
> I do work in a hospital in the US. No sane person would run a medical
> device on Windows, or at least connect same to a production network.
> However, insanity is rampant...
>
> Many, if not most, medical record systems, diagnostic, and treatment
> devices run on Windows. The reason is simple: economics. The OS is
> cheaper than dedicated, hardened real-time OSes. Programming tools and
> programmers are cheaper, by far. The costs, as in the risk to patients'
> privacy and safety, can be easily shifted onto someone else.
>
> One of the largest-selling systems used for storing and annotating
> images of paper medical records is written in Word macros. It's a very
> unstable system, but who cares if it has to be rebooted every day?
> Probably only the patients whose records get corrupted or lost in the
> process.
>
> Many of these systems come from the vendor with default shares enabled
> allowing anonymous access, no patches, default passwords, no anti-virus,
> etc. Many health-care organizations then proceed to plug them into the
> general network and pretend that nothing's wrong.
>
> We've had both diagnostic and treatment devices infected with viruses
> and worms. We've had this happen while devices were connected to
> patients.
>
> So the next time you're at a hospital, consider that chances are anyone
> who has network access can find out more about you than you'd care to
> have them know, and may be able to modify records and treatment plans if
> they are feeling like it.
>
> If you happen to be receiving some potentially dangerous computer-driven
> treatment, for example radiation therapy, be assured that the computer
> telling the linear accelerator where to place the dose, and how much, is
> likely to be a Windows box that was set up and maintained by someone who
> has exactly zero knowledge and concern about security issues.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
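The two conditions described in this thread (every workstation in use under the built-in Administrator account, with a screensaver timeout as the only thing keeping walk-ups off the console, and terminals left logged in without a lock) are both checkable from the machine itself. The following is an added audit script, not code from anyone on this list; it assumes Windows PowerShell 5.1 or later, that it runs inside the interactive session being audited (so `HKCU:` is that user's hive), and that the 10-minute timeout threshold is a local choice rather than any standard. It matches the built-in Administrator by its SID (RID 500) rather than by name, since the account may have been renamed.

```powershell
# Added example (not from the thread): audit a Windows workstation for the two
# weaknesses described above -- the console session is the built-in
# Administrator account, and the screensaver does not lock the session.
# Assumptions: Windows PowerShell 5.1+, run inside the session being audited.

function Get-ConsoleLogonFinding {
    # Win32_ComputerSystem.UserName is the interactively logged-on user
    # (DOMAIN\user or MACHINE\user); empty when nobody is at the console.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.UserName) { return $null }

    $parts = $cs.UserName.Split('\')
    $acct  = [System.Security.Principal.NTAccount]::new($parts[0], $parts[1])
    $sid   = $acct.Translate([System.Security.Principal.SecurityIdentifier])

    # The built-in Administrator (local or domain) always has RID 500, so a
    # renamed account is still caught here.
    if ($sid.Value -match '-500$') {
        return "Console session is the built-in Administrator account ($($cs.UserName))"
    }
    return $null
}

function Get-ScreenLockFinding {
    # A domain/local policy, if present, lives under the Policies key and
    # overrides whatever the user set in Control Panel\Desktop.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $d = Get-ItemProperty -Path $p
        if ($null -eq $d.ScreenSaveActive) { continue }   # nothing configured here

        $active  = [int]$d.ScreenSaveActive    -eq 1
        $secure  = [int]$d.ScreenSaverIsSecure -eq 1   # "On resume, display logon screen"
        $timeout = [int]$d.ScreenSaveTimeOut           # seconds; 0 if unset

        if (-not $active)     { return "Screensaver is disabled ($p)" }
        if (-not $secure)     { return "Screensaver does not lock the session ($p)" }
        # 600 s is an assumed local threshold, not a Windows default.
        if ($timeout -gt 600) { return "Screensaver timeout is $timeout s (>10 min) ($p)" }
        return $null
    }
    return "No screensaver configuration found under HKCU"
}

$findings = @(Get-ConsoleLogonFinding; Get-ScreenLockFinding) | Where-Object { $_ }
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: console session is not the built-in Administrator and the screensaver locks the session"
```

A screensaver lock only reduces the window in which an unattended terminal is usable; it does nothing about the shared-Administrator problem itself. The workaround Bill describes (one Administrator password on every box so anyone can log on anywhere) is what you get when individual users have not been granted the "Allow log on locally" user right on those workstations; granting that right to a group that contains the clinic's staff accounts lets each person sign on under their own account, and the Administrator password can then go back in the safe.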
