Full Disclosure mailing list archives

Re: Undisclosed breach at major US facility


From: Denis Jedig <seclists () syneticon de>
Date: Tue, 04 Jul 2006 01:27:38 +0200

r r wrote:

I would like to know what to do if I --hypothetically speaking-- were
to retrieve _complete_ databases of a MAJOR US hospital.  My
hypothetical model is not brute force, but rather an 'accidental'
discovery by trying to retrieve updates from a software vendor.

In my opinion, a public service operated insecurely is a danger to every single one of its customers. Publishing this kind of information (not the data dump of course, only pointing out the kind of flaws and the responsible persons or organizations) is a service to current and potential customers of the public service. You might try to get the "ordinary" (non-tech, non-security) press, but in my experience the sensation index of such incidents is just too low to interest journalists, and they think that the technical stuff is too complicated anyway. So the second option is to report an offence to the prosecuting authorities (no idea who handles data security issues in the States - the FBI maybe?) or supervisory bodies (US Department of Health?). You could do both, just so you tried, and maybe add some politician known to be keen on privacy and data security to your list of contacts.

If you expect that there is no chance for the flaw to be fixed correctly (i.e. without a chance to reoccur in a different flavour within some days), there is little sense in contacting the involved parties directly.

Denis

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
