peacefinder's Journal: Ask a subset of /.: IT reality check

I need a technical reality check here.

I am currently under direction to set up some interation with a service that provides automated appointment reminders by phone. The information I'm to share with these people is HIPAA-protected information.

The setup process has been rocky: first the technician I'm working on didn't seem to understand the difference between FTP and SFTP, then he - after giving me my login information to their SFTP server by phone - did me the courtesy of e-mailing the password to me. Great.

So today I'm getting into their management interface website for the first time. It's IE-only, but whatever. It needs an ActiveX control to display properly. Okay, fine. The ActiveX auto-downloader doesn't work, so the technician directs me to a downladable EXE that installs the necessary components. My hackles go up, but it's a secure site so I fetch it. I ran the thing and it's unsigned, but again it came from a https site and that's not so uncommon, so I continue.

But the damn thing is trying to change some DLLs and/or OCX files in use by my Practice Management application... something far more critical than this reminder service. And what the hell is a website doing messing with DLL and OCX files, anyway?

So questions:

When's the last time y'all interacted with a website that requires messing around on the DLL/OCX level of your windows system?

I do not trust these people. Every It instinct I have tells me that if I use this service, I am going to end up reading abbout my own HIPAA data loss in the paper. Am I just being too paranoid, or does it seem like there's really something wrong here?

Hmm

[Captain Splendid]

Can't really speak to the details (although I wouldn't be surprised, this being Windows, that all kinds of weird files have to get messed with just to interact with a website), but this:

Am I just being too paranoid

I can answer: You can never be too paranoid.

Re:

[peacefinder]

That is my usual M.O., but I'm finding myself having to justify this particular paranoia to my boss. So I'm looking for some reality checks to see if I'm still at a sane level of paranoia.

Cost/Benefit

[Shadow Wrought]

I would try a cost/benefit approach. I know the costs associated with divulging HIPAA information can be quite staggering, so hopefully your boss understands just what's at stake here.

A larger question is about the vendor. Do they do this regularly with HIPAA stuff? I ask because in the legal world litigation scanning is a dedicated market. We had a vendor who specialized in scanning medical records win our scanning contract. They knew scanning, but not litigation scanning which comes with a whole pa

Re:

[peacefinder]

Yes, they apparently specialize in medical applications. I was apparently the first person in a while to insist on a HIPPA Business Associate Agreement with them, though.

As for breaches of other people's data on their server, I am confident that I would have about an 80% chance of successfully breaking into another client's account on their website in ten tries or less, because they use stupid* default passwords. All I'd really have to guess is another customer number. That can be solved for my own data by

Re:

[Shadow Wrought]

Well, if you explain to your boss how anyone with a little knowledge can compromise their security, and explain to him how easy that little knowledge is to attain, and he still wants to go ahead... Just document it like there's no tomorrow and hope for the best. I don't know that there's anything else you can do.

Tell boss these guys are a security risk.

[flaming error]

Let him/her know that their systems are insecure, and have him sign stuff saying he (not you) is the IT decision maker for HIPPA / Sarbanes-Oxley purposes.

Re:

[jawtheshark]

What he said.... I have seen many many IE-Only ActiveX stuff, but never was it unsigned and had to be installed with a separated installler. You need to report this to your superiors and it needs a thorough audit,

I've never seen an ActiveX try to mess with files

[Degrees]

We have had a couple IE-only apps with ActiveX controls. I've never seen an ActiveX try to update files local to the hard drive though.

Is it a requirement that you put the files to them? Perhaps they can get the files from you instead. You'd have to put up a secure FTP server....

FWIW, SANS isn't particularly fond of ActiveX: Client-side Vulnerabilities in Web Browsers [sans.org]. Microsoft Is Number 1! Microsoft Is Number 1! ... in supplying an exploit engine for malicious remote code execution. ;-)

Re:I've never seen an ActiveX try to mess with fil

[peacefinder]

The totally sick and wrong thing is that the ActiveX is just to view the result report.

Re:

[Degrees]

Hmmm. Maybe if they want you as a customer, they should throw up a Citrix server, and let you log into their box that runs the app. Chances are, they already have a Citrix server for their own use....

One of our apps uses the Business Objects / Crystal Reports plugins for IE. But again, they just run, and don't try to modify stuff on the C: drive.

I would wonder ....

[OldHawk777]

These days, what's in their source code? I am not a hacker, in the office a couple older hackers +45yo, I know a code-dog (attacks and rips code apart), in source/apps she finds all functional weaknesses and documents, and a code-hog in the office that can find some obscure stuff that makes him (eventually you) wonder why is that ... as relates to performance, functions, intentions, expectations....

Also, one project I read about, apparently all proprietary products were used to hide the extreme crappiness o