peacefinder's Journal: Ask a subset of /.: IT reality check 11
I need a technical reality check here.
I am currently under direction to set up some interaction with a service that provides automated appointment reminders by phone. The information I'm to share with these people is HIPAA-protected information.
The setup process has been rocky: first the technician I'm working with didn't seem to understand the difference between FTP and SFTP, then he - after giving me my login information to their SFTP server by phone - did me the courtesy of e-mailing the password to me. Great.
So today I'm getting into their management interface website for the first time. It's IE-only, but whatever. It needs an ActiveX control to display properly. Okay, fine. The ActiveX auto-downloader doesn't work, so the technician directs me to a downloadable EXE that installs the necessary components. My hackles go up, but it's a secure site so I fetch it. I ran the thing and it's unsigned, but again it came from a https site and that's not so uncommon, so I continue.
But the damn thing is trying to change some DLLs and/or OCX files in use by my Practice Management application... something far more critical than this reminder service. And what the hell is a website doing messing with DLL and OCX files, anyway?
So questions:
When's the last time y'all interacted with a website that requires messing around on the DLL/OCX level of your Windows system?
I do not trust these people. Every IT instinct I have tells me that if I use this service, I am going to end up reading about my own HIPAA data loss in the paper. Am I just being too paranoid, or does it seem like there's really something wrong here?
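The two concrete red flags in the post are an unsigned installer and an installer that rewrites DLL/OCX files belonging to an unrelated, more critical application. Both are checkable before anything is trusted. The PowerShell script below is an added example, not code from the journal or from the vendor: it verifies the Authenticode signature of the downloaded EXE, and it snapshots SHA-256 hashes of the practice-management application's DLL/OCX files so that a second run after the install reports exactly which modules the installer changed, added or removed. The installer path, the application directory and the baseline file location are placeholder assumptions.

```powershell
# Added example (not from the journal post or the vendor): pre- and post-install
# checks for an untrusted Windows installer.
# Assumptions: $Installer is the downloaded EXE and $AppDir holds the
# practice-management application; both paths are placeholders.

param(
    [string]$Installer = 'C:\Downloads\vendor-activex-setup.exe',   # placeholder path
    [string]$AppDir    = 'C:\Program Files\PracticeMgmt',           # placeholder path
    [string]$Baseline  = "$env:TEMP\pm-module-baseline.csv"         # where the hash snapshot is kept
)

# 1. Authenticode check. An unsigned or tampered file returns a status other
#    than 'Valid' (for example 'NotSigned' or 'HashMismatch'), and a valid
#    signature still tells you only who signed it, not that it is safe.
$sig = Get-AuthenticodeSignature -FilePath $Installer
"{0}: {1}" -f $Installer, $sig.Status
if ($sig.Status -ne 'Valid') {
    Write-Warning "Installer is not validly signed (status: $($sig.Status)); do not run it on a production machine."
} else {
    "Signer: " + $sig.SignerCertificate.Subject
}

# 2. Hash every DLL/OCX under the critical application's directory.
function Get-ModuleHashes {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.dll, *.ocx -File |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if (-not (Test-Path $Baseline)) {
    # First run, before the installer is executed: record the baseline.
    Get-ModuleHashes -Path $AppDir | Export-Csv -Path $Baseline -NoTypeInformation
    "Baseline of $AppDir written to $Baseline"
} else {
    # Second run, after the install: report modules that changed, appeared or vanished.
    # SideIndicator '<=' means present only in the baseline, '=>' only on disk now;
    # a modified file shows up as one of each.
    $before = Import-Csv -Path $Baseline
    $after  = Get-ModuleHashes -Path $AppDir
    $diff   = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Path, Hash -PassThru
    if ($diff) {
        "Modules under $AppDir changed since baseline:"
        $diff | Select-Object Path, Hash, SideIndicator | Format-Table -AutoSize
    } else {
        "No DLL/OCX changes under $AppDir"
    }
}
```

Run it once before launching the installer (it writes the baseline) and once afterwards (it prints the differences). The practical use is the same one the post is after: if the vendor's "display component" replaces modules that the practice-management system loads, you have a file-level record of it to take to the vendor, or to the boss, instead of a hunch. Better still, do the whole exercise on a throwaway virtual machine rather than the workstation that holds the HIPAA data.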
Hmm (Score:3, Insightful)
Am I just being too paranoid
I can answer: You can never be too paranoid.
Re: (Score:2)
Cost/Benefit (Score:2)
A larger question is about the vendor. Do they do this regularly with HIPAA stuff? I ask because in the legal world litigation scanning is a dedicated market. We had a vendor who specialized in scanning medical records win our scanning contract. They knew scanning, but not litigation scanning which comes with a whole pa
Re: (Score:2)
As for breaches of other people's data on their server, I am confident that I would have about an 80% chance of successfully breaking into another client's account on their website in ten tries or less, because they use stupid* default passwords. All I'd really have to guess is another customer number. That can be solved for my own data by
Re: (Score:2)
Tell boss these guys are a security risk. (Score:3, Insightful)
Re: (Score:1)
I've never seen an ActiveX try to mess with files (Score:2)
Is it a requirement that you put the files to them? Perhaps they can get the files from you instead. You'd have to put up a secure FTP server....
FWIW, SANS isn't particularly fond of ActiveX: Client-side Vulnerabilities in Web Browsers [sans.org]. Microsoft Is Number 1! Microsoft Is Number 1! ... in supplying an exploit engine for malicious remote code execution. ;-)
Re:I've never seen an ActiveX try to mess with fil (Score:2)
Re: (Score:2)
One of our apps uses the Business Objects / Crystal Reports plugins for IE. But again, they just run, and don't try to modify stuff on the C: drive.
I would wonder .... (Score:2)
Also, one project I read about, apparently all proprietary products were used to hide the extreme crappiness o