Is your root password blank?

For complex topics that regular users would not be interested in. For power users and database administrators.

Postby Justin Shafer » Sat Oct 06, 2012 8:00 am

Honestly guys... set your root password. We have the functionality; we should take advantage. If someone gains access to your LAN, they can just log in to MySQL.

This "other" PMS has the root password, or their version of it, hard-coded to the database. And it's the same nationwide. If someone knows that password they can log in, and those customers do NOT have the ability to set their own password.

So let's rub it in their faces.

Set your root password.
Tell all your clients what the new root password is in the config. Then laugh.. Hahahaha. GLAD I HAVE OPEN DENTAL!
:D
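
The check behind the post above, as an added example that is not part of the original thread and not Open Dental's code: a small Go program that takes the rows an administrator would pull from `mysql.user` (a constructed sample here, shaped like an unhardened default install) and lists the accounts that defeat the advice, with the statement that fixes each one. The function names, the `opendental` account, the hosts and the password `S3cure!Pass` are all made up for the example. Column names follow MySQL 5.7+ (`authentication_string`); on older servers the column is `password` and the fix statement is `SET PASSWORD FOR ... = PASSWORD('...')`.

```go
package main

import (
	"fmt"
	"strings"
)

// Account mirrors the columns an auditor pulls with
//   SELECT user, host, plugin, authentication_string FROM mysql.user;
// on MySQL 5.7+. On 5.6 and earlier the last column is `password` and
// the fix is SET PASSWORD FOR ... = PASSWORD('...'); the checks are the same.
type Account struct {
	User, Host, Plugin, AuthString string
}

// Finding is one problem plus the statement that corrects it.
type Finding struct {
	Severity, Problem, Fix string
}

func quoteID(user, host string) string {
	return fmt.Sprintf("'%s'@'%s'", user, host)
}

// escape makes a password safe inside a single-quoted SQL literal.
func escape(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, "'", `\'`)
}

// AuditAccounts applies the checks this thread is about: anonymous accounts,
// root reachable from a wildcard host, and any account that can log in with
// an empty password. newPasswords maps user name to the password to set;
// users missing from it get a placeholder to fill in by hand.
func AuditAccounts(accts []Account, newPasswords map[string]string) []Finding {
	hasLocalRoot := false
	for _, a := range accts {
		if a.User == "root" && a.Host == "localhost" {
			hasLocalRoot = true
		}
	}

	var out []Finding
	for _, a := range accts {
		id := quoteID(a.User, a.Host)

		if a.User == "" {
			out = append(out, Finding{"high", "anonymous account " + id, "DROP USER " + id + ";"})
			continue
		}

		if a.User == "root" && strings.Contains(a.Host, "%") {
			problem := "root reachable from hosts matching " + a.Host
			if hasLocalRoot {
				// A localhost root already exists; the wildcard one is redundant.
				out = append(out, Finding{"high", problem, "DROP USER " + id + ";"})
				continue
			}
			// Keep the account but pin it to the server itself; the blank
			// password check below then applies to the renamed identity.
			out = append(out, Finding{"high", problem, "RENAME USER " + id + " TO 'root'@'localhost';"})
			id = quoteID("root", "localhost")
		}

		// auth_socket (Linux) authenticates by OS user and legitimately has an
		// empty authentication string; for any other plugin it means no password.
		if a.AuthString == "" && a.Plugin != "auth_socket" {
			pw, ok := newPasswords[a.User]
			if !ok {
				pw = "<choose a password>"
			}
			out = append(out, Finding{"critical", "blank password on " + id,
				fmt.Sprintf("ALTER USER %s IDENTIFIED BY '%s';", id, escape(pw))})
		}
	}
	return out
}

// SampleAccounts is a constructed mysql.user listing, not data from any real
// server, shaped like a default Windows install that nobody hardened. The
// last row just needs a populated hash so it passes the check.
func SampleAccounts() []Account {
	return []Account{
		{"root", "localhost", "mysql_native_password", ""},
		{"root", "%", "mysql_native_password", ""},
		{"", "localhost", "mysql_native_password", ""},
		{"opendental", "192.168.1.%", "mysql_native_password", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"},
	}
}

func main() {
	for _, f := range AuditAccounts(SampleAccounts(), map[string]string{"root": "S3cure!Pass"}) {
		fmt.Printf("[%s] %s\n    %s\n", f.Severity, f.Problem, f.Fix)
	}
}
```

Run the SELECT in the MySQL client on the server, feed the rows in, apply the generated statements, and then update the saved password in each workstation's connection settings, as the post says. From that point an intruder on the LAN needs the password, not just a route to port 3306.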

Re: Is your root password blank?

Postby doctordoom » Sat Oct 06, 2012 11:46 am

How do I find that program MySQL Workbench? I don't seem to have that installed...

Re: Is your root password blank?

Postby jordansparks » Sun Oct 07, 2012 6:09 pm

I'm moving this to the advanced topics where it belongs. It's a non-issue for most offices.
Jordan Sparks, DMD
http://www.opendental.com

Re: Is your root password blank?

Postby darrelldk » Thu Dec 05, 2013 1:28 pm

"I'm moving this to the advanced topics where it belongs. It's a non-issue for most offices." You certain about that, Jordan?

Re: Is your root password blank?

Postby jsalmon » Sat Dec 07, 2013 12:34 am

The best thing about a boolean is even if you are wrong, you are only off by a bit.

Jason Salmon
Open Dental Software
http://www.opendental.com

Re: Is your root password blank?

Postby Justin Shafer » Mon Dec 09, 2013 12:54 am

http://justinshafer.blogspot.com/2013/1 ... reach.html

That is what I fear. Though.. at least Open Dental is open source. :P

Re: Is your root password blank?

Postby Justin Shafer » Sun Jan 05, 2014 6:06 pm

Large offices have better wireless security than smaller offices? If you know what I mean. :)

Re: Is your root password blank?

Postby Justin Shafer » Mon Jul 14, 2014 2:21 pm

FUD anyone? 8)

Step 1: Keep an intruder with LAN access out of MySQL.
I know the password is in freedental.xml, but still, first things first: keep an intruder off of the LAN, and if he does get access, make it hard to get root access to MySQL. We IT guys are already in the habit of enabling Windows automatic updates.... And that was a BIG step. :wink: That would force someone to want to gain access to freedental.xml, which would require exploiting Windows or other services... And that is better than just logging into MySQL with the credentials MOST use.

Or even better, require them to enter the password, and have programs that talk to MySQL that are not OD use some other password? No idea.. but there has to be some better way to authenticate. From what I have discussed with this other guy, a certain OMS program has the best way to authenticate. Each user in the PMS has a corresponding user in the database. The passwords are scrambled in the database and the client scrambles it. Best we have in dentistry is this.

For 'merica :idea: :wink:

http://www.politico.com/story/2014/07/electronic-health-records-theft-108856.html

Electronic health records ripe for theft

By DAVID PITTMAN | 7/13/14 9:56 PM EDT
America’s medical records systems are flirting with disaster, say the experts who monitor crime in cyberspace. A hack that exposes the medical and financial records of hundreds of thousands of patients is coming, they say — it’s only a matter of when.

As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500.

“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” said Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC. “I think the health data stewards are probably a little behind in the race. The criminal elements are incredibly sophisticated.”

The infamous Target breach occurred last year when hackers stole login information through the retailer’s heating and air system. Although experts aren’t sure what a major health care hack would look like, previous data breaches have resulted in identity and financial theft, and health care fraud.

Health care is the Johnny-come-lately to the digital world, trailing banks and retailers with decades of experience in cybersecurity. Most hospitals and doctors have gone from paper to electronic health records in the space of a few years while gobbling up $24 billion in federal incentive money paid out under the 2009 Health Information Technology for Economic and Clinical Health Act.

“Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of The Advisory Board Co.

Significant breaches are already occurring. Over the course of three days, hackers using a Chinese IP address infiltrated the St. Joseph Health System in Bryan, Texas, and exposed the information of 405,000 individuals, gaining names, address, Social Security numbers, dates of birth and other information.

It was the third-largest health data breach tracked by the federal government.

The L.A. Gay & Lesbian Center reported late last year that hackers attacked its computer systems over a course of two months trying to steal credit card, Social Security and other financial information. About 59,000 clients and former clients were left vulnerable.

While a stolen credit card or Social Security number fetches $1 or less on the black market, a person’s medical information can yield hundreds of times more, according to the World Privacy Forum. Thieves want to hack the data to gain access to health insurance, prescription drugs or just a person’s financial information.

The Identity Theft Resource Center — which has identified 353 breaches in 2014 across industries it tracks — says almost half occurred in the health sector. Criminal attacks on health data have doubled since 2000, according to the Ponemon Institute, an industry leader in data security.

Health care is the industry sector least prepared for a cyberattack, according to security ratings firm BitSight Technologies. The industry had the highest volume of threats and the slowest response time, leading the FBI in April to issue a warning to health care providers.

The industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.

Why health care and why now?

The high value of health information makes it attractive to hackers.

A credit card can be canceled within hours of its theft, but information in a patient’s health record is impossible to undo. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity.

A patient’s credit card information alone may be easier to hack from an unsuspecting hospital than from a company like Target, Michaels or Neiman Marcus, experts say.

“Criminal elements will go where the money is,” said Wah, who was the first deputy national coordinator in the Office of the National Coordinator for Health IT. “They’re seeking health records not because they’re curious about a celebrity’s blood type or medication lists or health problems. They’re seeking health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number.”

Other health security experts say hospitals’ response to cybersecurity issues has been lackluster, with providers still focused on privacy and confidentiality rather than data terrorists.

Security takes money and expertise to implement and isn’t a glamorous job, since success is measured by something not happening. The health system is still in the process of developing and vetting best practices.

The annual security assessment by the Health Information Management Systems Society showed that about half of surveyed health systems reported spending 3 percent or less of their IT budgets on security. Some 54 percent of the 283 IT security professionals surveyed had tested a data breach response plan, and slightly more than half of hospitals had an IT leader in charge of securing patient data.

Health facilities pay their security staffs less than any other industry, said Stephen Boyer, co-founder of BitSight. “This may be the case of you get what you pay for,” he said.

Read more: http://www.politico.com/story/2014/07/e ... z37TpLIm2r
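
The per-user scheme the post above describes (each login in the practice software has its own database account, and root never leaves the server) sketched as an added Go example; it is not an Open Dental feature and not code from the project or the poster. The roles, their grant sets, the host patterns, the `opendental` database name and the function names are assumptions chosen to show the shape of the idea: every account is tied to the address it connects from, gets only the privileges its role needs, and gets its own random password from the OS CSPRNG, so no shared secret has to sit on every workstation.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// DBUser is one practice-management login that gets its own MySQL account.
// Role picks the grant set; FromHost is the address pattern the user's
// workstation connects from.
type DBUser struct {
	Login, Role, FromHost string
}

// roleGrants is an assumed least-privilege mapping on the practice database;
// a real split would follow the application's own screens and tables.
var roleGrants = map[string]string{
	"frontdesk": "SELECT, INSERT, UPDATE",
	"clinician": "SELECT, INSERT, UPDATE, DELETE",
	"admin":     "ALL PRIVILEGES",
}

// randomPassword returns n bytes from the OS CSPRNG, base64-encoded, so every
// account gets a distinct secret nobody has to remember or reuse.
func randomPassword(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ProvisionStatements returns CREATE USER and GRANT statements for each login
// plus the generated passwords, which must reach each workstation out of band.
// A bare wildcard host or an unknown role is rejected, because either one
// quietly turns this back into the shared-password setup.
func ProvisionStatements(db string, users []DBUser) ([]string, map[string]string, error) {
	var stmts []string
	secrets := make(map[string]string, len(users))
	for _, u := range users {
		grants, ok := roleGrants[u.Role]
		if !ok {
			return nil, nil, fmt.Errorf("%s: unknown role %q", u.Login, u.Role)
		}
		if u.FromHost == "" || u.FromHost == "%" {
			return nil, nil, fmt.Errorf("%s: host must be scoped, got %q", u.Login, u.FromHost)
		}
		if strings.ContainsAny(u.Login, "'\\@") {
			return nil, nil, fmt.Errorf("%s: login contains characters not allowed in an account name", u.Login)
		}
		pw, err := randomPassword(18) // 18 bytes -> 24 URL-safe characters
		if err != nil {
			return nil, nil, err
		}
		id := fmt.Sprintf("'%s'@'%s'", u.Login, u.FromHost)
		stmts = append(stmts,
			fmt.Sprintf("CREATE USER %s IDENTIFIED BY '%s';", id, pw),
			fmt.Sprintf("GRANT %s ON `%s`.* TO %s;", grants, db, id))
		secrets[u.Login] = pw
	}
	return stmts, secrets, nil
}

// SampleUsers is a constructed roster, not from any real office.
func SampleUsers() []DBUser {
	return []DBUser{
		{"jane.frontdesk", "frontdesk", "192.168.1.21"},
		{"dr.smith", "clinician", "192.168.1.%"},
		{"office.admin", "admin", "localhost"},
	}
}

func main() {
	stmts, _, err := ProvisionStatements("opendental", SampleUsers())
	if err != nil {
		panic(err)
	}
	for _, s := range stmts {
		fmt.Println(s)
	}
}
```

MySQL keeps only a hash of each password on its side (the "scrambled in the database" part of the post); the plaintext exists only on the one workstation that owns it, and compromising that workstation yields that user's privileges, not root on the whole database.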

Re: Is your root password blank?

Postby Hersheydmd » Wed Feb 04, 2015 9:13 pm

mark
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M-Hersh-DMD/118221471599429

Re: Is your root password blank?

Postby Justin Shafer » Wed Nov 04, 2015 6:47 am

3 years of....ranting and "security research"...

Re: Is your root password blank?

Postby apollonia » Wed Nov 04, 2015 8:50 am

To me there is a BIG difference between OD ALLOWING a user password vs. when DTX made it IMPOSSIBLE to set one.

I'm kind of a libertarian, and I suspect I favor big naggy popups that request a user password, rather than requiring one. If one IS required, then OD should set a default, otherwise there will be many who are confused.

It might also be a good idea to automagically store the user's chosen password in a text file on the user's computer (not on the server). Just thinking about dentists.

Re: Is your root password blank?

Postby trentwolodko » Wed Nov 04, 2015 10:42 am

The entire reason that new Dentrix db security passphrase even exists is all because of Justin Shafer and the dude deserves recognition for calling H.S. out on its BS marketing.

OD may want to alter their installation instructions a little or polish up their help page on the topic just to press the issue a little more, something as simple as a windows dialog pop-up like the ones they have during installation regarding my.ini/grant tables... Something that says, "Hey folks... double down on database security by looking here: http://www.opendental.com/manual/passwordsmysql.html".

Re: Is your root password blank?

Postby Justin Shafer » Wed Nov 04, 2015 12:14 pm

Thanks Trent! :D

I am just starting a fun dialog. At least we have the option in OpenDental to do it. :D

Dentrix used Jordan's quote once... and I didn't like it. Using a quote from someone I like, ain't gonna work. :lol:

Of course, I guess we were discussing TCP/IP encryption, but that is a longer story, because back then it was plain-text authentication in the packets unless you used TCP/IP encryption with FairCom, but then FairCom fixed that, so that even without using TCP/IP encryption the authentication packets are still encrypted, so it is a pointless argument now....



---------- Forwarded message ----------
From: Roberts, Steve (Utah) <Steve.Roberts@henryschein.com>
Date: Thu, Nov 8, 2012 at 6:43 PM
Subject: RE: g5
To: Justin Shafer <justinshafer@gmail.com>


I followed up with the team and received some additional clarification.

The Dentrix G5 database is obviously encrypted, as are the credentials within the data stream. All eServices data is encrypted at rest and during transmission. However, data transmitted between server and workstation on the LAN is not. Our team agrees with Jordan Sparks on this topic, specifically that there are so many other security issues to worry about that packet-sniffing hackers with access to the LAN are down the list of threats. Why not simply apply packet encryption as you suggest? One word: performance. Encryption brings with it performance degradation (this is why we didn't choose the highest level of encryption available in ACE: speed).

Because most dentists don't maintain networks comprised of recommended systems we do everything we can to keep overhead low.

Steve

Re: Is your root password blank?

Postby Justin Shafer » Fri Nov 06, 2015 12:42 pm

But... yeah... OD will always be more secure.. since they were the first to even have the entire idea in the first place.
:wink:

Re: Is your root password blank?

Postby Arna » Fri Nov 06, 2015 2:51 pm

Just out of curiosity- is this Passphrase to secure their TCP/IP traffic or to encrypt their database? I got a little lost in the email you posted.
Hats off! It's great to see that Dentrix is giving their customers the ability to secure themselves.
Entropy isn't what it used to be...

Arna Meyer

Re: Is your root password blank?

Postby Arna » Fri Nov 06, 2015 2:56 pm

trentwolodko wrote:OD may want to alter their installation instructions a little or polish up their help page on the topic just to press the issue a little more, something as simple as a windows dialog pop-up like the ones they have during installation regarding my.ini/grant tables... Something that says, "Hey folks... double down on database security by looking here: http://www.opendental.com/manual/passwordsmysql.html".


We're working on it. We're also tightening up security on the freedentalconfig.xml
As always, I cannot stress the importance of Security Risk Analysis enough. I want to scream every time I connect to a customer and see their mysql folder shared. Even more so when it's not encrypted. I get on my soapbox with IT people when I find this. It's unnecessary and totally irresponsible.
Entropy isn't what it used to be...

Arna Meyer

Re: Is your root password blank?

Postby Mifa » Mon Nov 09, 2015 10:57 am

Do you mean that mysql's root password will not be saved in plain text anymore in freedentalconfig?

Re: Is your root password blank?

Postby Arna » Mon Nov 09, 2015 11:26 am

I believe there will be some trickery to that effect. Jason is working on it. He may have more to say about the matter.
Entropy isn't what it used to be...

Arna Meyer

Re: Is your root password blank?

Postby jsalmon » Mon Nov 09, 2015 11:40 am

Mifa wrote:Do you mean that mysql's root password will not be saved in plain text anymore in freedentalconfig?

Correct. We will encrypt it within the file. Because we are encrypting instead of hashing, you will still be able to type the password in plain text for first-time users (new workstations or new customers), and Open Dental will detect the non-encrypted password and automatically encrypt it within the XML file after connecting for the first time. This is of course assuming Open Dental is run with permissions to edit the files within its installation directory.
The best thing about a boolean is even if you are wrong, you are only off by a bit.

Jason Salmon
Open Dental Software
http://www.opendental.com
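
The migration jsalmon describes above (read the connection file, treat a value without a marker as the plaintext typed on first run, encrypt it in place, and on later runs decrypt it), as an added Go example; it is not Open Dental's implementation, and the element names, the `enc:` marker, the function names and the key handling are assumptions for the example. It uses AES-GCM from Go's standard library so a wrong key or an edited value fails the tag check instead of producing garbage that then gets sent to MySQL as a password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Config is an assumed layout for a connection-settings file with one
// password element; the element names are illustrative, not Open Dental's.
type Config struct {
	XMLName  xml.Name `xml:"ConnectionSettings"`
	Server   string   `xml:"Server"`
	User     string   `xml:"User"`
	Password string   `xml:"Password"`
}

// encPrefix marks a value that is already encrypted. A plaintext password
// that happens to start with "enc:" would be misread, so a real marker
// should be something nobody types, or a separate attribute.
const encPrefix = "enc:"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns marker + base64(nonce || AES-GCM ciphertext) for pw.
func seal(key []byte, pw string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return encPrefix + base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(pw), nil)), nil
}

// unseal reverses seal; a wrong key or an edited value fails the GCM tag check.
func unseal(key []byte, field string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(field, encPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("encrypted password too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LoadPassword returns the plaintext password needed to connect. When the
// stored value was plaintext it also returns the file rewritten with the
// password encrypted and migrated=true; the caller then writes it back,
// which needs write access to the install directory, as the post notes.
func LoadPassword(key, contents []byte) (pw string, newContents []byte, migrated bool, err error) {
	var cfg Config
	if err = xml.Unmarshal(contents, &cfg); err != nil {
		return "", nil, false, err
	}
	if strings.HasPrefix(cfg.Password, encPrefix) {
		pw, err = unseal(key, cfg.Password)
		return pw, contents, false, err
	}
	pw = cfg.Password // first run: typed in plain text, as the post describes
	if cfg.Password, err = seal(key, pw); err != nil {
		return "", nil, false, err
	}
	out, err := xml.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return "", nil, false, err
	}
	return pw, append([]byte(xml.Header), out...), true, nil
}

// SampleConfig is a constructed first-run file, not a real one.
const SampleConfig = `<?xml version="1.0"?>
<ConnectionSettings>
  <Server>192.168.1.10</Server>
  <User>root</User>
  <Password>S3cure!Pass</Password>
</ConnectionSettings>`

func main() {
	// In practice the key comes from DPAPI or a per-machine secret, never a constant in the binary.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pw, rewritten, migrated, err := LoadPassword(key, []byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Printf("connect with %q (migrated=%v)\n%s\n", pw, migrated, rewritten)
}
```

Two caveats a practitioner will want stated. The key has to live somewhere the file does not; on a Windows workstation that usually means DPAPI or a per-machine secret, and a key that sits next to the XML only raises the bar from "open the file" to "read the program", which is still worth doing but is not what "encrypted" suggests. And a blank password encrypts to a perfectly valid ciphertext, so this hides the value in the file without replacing the advice the thread started with.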

Re: Is your root password blank?

Postby Justin Shafer » Thu Nov 26, 2015 2:03 am

WOW! Very cool! :)

All hail Open Dental. :D

