I reccomend you steal the databases and sell them for cash.<br><br><div><span class="gmail_quote">On 7/3/06, <b class="gmail_sendername">r r</b> <<a href="mailto:anothersecurityquestion@gmail.com">anothersecurityquestion@gmail.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Need some advise here.<br>I would like to know what to do if I --hypothetically speaking-- I
<br>were to retrieve _complete_ databases of a MAJOR us hospital. My<br>hypothetical model is not brute force, but rather an 'accidental'<br>discovery by trying to retrieve updates from a software vendor.<br><br>Let's say this Big Name software vendor, who sells itself as being an
<br>authority on security, is so flipping retarded that they stick their<br>customer data on a public CVS server. Let's say I sync to this and<br>dump a couple hundreds of meg of 'updates' only to later discover that<br>
those are NOT updates.<br><br>Those are data files for other customers (which when prodding, reveals<br>itself to be very real, verified data of at least one high-profile<br>hospital)<br><br>I read up as much as I could on HIPAA, but this is beyond the slip-ups
<br>to be covered by HIPAA. Beyond medical records and privacy, this<br>wreaks of woeful incompetence by who should be freaking security<br>professionals!! (4 MAJOR organizations who have royally screwed up<br>here).<br>
<br>First thoughts are to call HIPAA (has to be federally reported for<br>number of people and different states affected).<br>And while HIPAA is supposed to protect the 'whistleblower', I don't<br>put much confidence in it. Maybe a webpost through anonomizer (and
<br>borrowed connections) like I do to check gmail.<br><br>And if these companies are notified, what happens? A slap on the wrist?<br>Wash it under the rug and label the person discovering it all to be a Black Hat?<br>Let's not forget about the diebold fiasco(s)---(fwiw I don't work for
<br>any of the involved companies--in my theoretical model I would solely<br>be the customer of questionable software).<br><br>One idea (by one of my imaginary friends who pretends to be a doctor<br>and a former hospital board member) was to ABSOLUTELY NOT tell the
<br>hospital for various reasons. That alter-ego of mine instead<br>suggested I get an attorney that specialized in that. That sounds<br>expensive. Now, I feel like a victim.<br><br>If _I_ have been able to discover such a gaping hole (and I didn't
<br>even TRY to find it), then I am pretty sure that it already has been<br>taken. In any case, it will be stolen in a matter of weeks. Since<br>that is inevitable, I should just remove all the data I obtained and<br>forget about it.
<br><br>In the end, I feel bad for the hundreds of thousands of people who can<br>be totally raped of their identities (or be scammed for extraneous<br>chargesl, etc etc).<br>But, why should I be the scapegoat for pointing out that the Emperor
<br>has no clothes?<br><br>Any useable thoughts?<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br>