Is your root password blank?

For complex topics that regular users would not be interested in. For power users and database administrators.
Post Reply
User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Is your root password blank?

Post by Justin Shafer » Sat Oct 06, 2012 8:00 am

Honestly guys... Set your root password.. We have the functionality.. We should take advantage.. If someone gains access to your lan.. they can just login to mysql..

This "other" PMS has the root password, or their version of it, hard coded to the database.. And its the same nation wide.. If someone knows that password they can login, and those customers do NOT have the ability to set their own password.

So lets rub it in their faces.

Set your root password.
Tell all your clients what the new root password is in the config. Then laugh.. Hahahaha. GLAD I HAVE OPEN DENTAL!
:D


User avatar
doctordoom
Posts: 41
Joined: Tue Sep 25, 2012 10:39 am
Contact:

Re: Is your root password blank?

Post by doctordoom » Sat Oct 06, 2012 11:46 am

how do i find that program Mysql workbench? I dont seem to have that installed...

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Sat Oct 06, 2012 9:48 pm


User avatar
jordansparks
Site Admin
Posts: 5739
Joined: Sun Jun 17, 2007 3:59 pm
Location: Salem, Oregon
Contact:

Re: Is your root password blank?

Post by jordansparks » Sun Oct 07, 2012 6:09 pm

I'm moving this to the advanced topics where it belongs. It's a non-issue for most offices.
Jordan Sparks, DMD
http://www.opendental.com

darrelldk
Posts: 1
Joined: Thu Dec 05, 2013 12:22 pm

Re: Is your root password blank?

Post by darrelldk » Thu Dec 05, 2013 12:28 pm

"I'm moving this to the advanced topics where it belongs. It's a non-issue for most offices." You certain about that, Jordan?

User avatar
jsalmon
Posts: 1551
Joined: Tue Nov 30, 2010 12:33 pm
Contact:

Re: Is your root password blank?

Post by jsalmon » Fri Dec 06, 2013 11:34 pm

For small to medium sized offices, yeah, pretty sure. You might want to read:
viewtopic.php?f=2&t=4687
viewtopic.php?f=1&t=4416
http://www.opendental.com/manual/mysqlsecurity.html
The best thing about a boolean is even if you are wrong, you are only off by a bit.

Jason Salmon
Open Dental Software
http://www.opendental.com

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Sun Dec 08, 2013 11:54 pm

http://justinshafer.blogspot.com/2013/1 ... reach.html

That is what I fear. Though.. at least Open Dental is open source. :P


User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Sun Jan 05, 2014 5:06 pm

Large offices have better wireless security then smaller offices? If you know what I mean. :)

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Mon Jul 14, 2014 2:21 pm

FUD anyone? 8)

Step 1: Keep an intruder with lan access out of mysql.
I know the password is in freedental.xml, but still, first thing first, keep an intruder off of the lan, and if he does get access.. make it hard to get root access to mysql. We IT guys are already in the habit of enabling windows automatic updates.... And that was a BIG step. :wink: That would force someone to want to gain access to freedental.xml.. which would require exploiting windows, or other services... And that is better then just logging into mysql with the credentials MOST use.

Or even better, require them to enter the password, and have programs that talk to mysql that are not OD use some other password? No idea.. but there has to be some better way to authenticate.. From what I have discussed with this other guy, a certain OMS program has the best way to authenticate. Each user in the PMS has a corresponding user in the database. The passwords are scrambled in the database and the client scrambles it.. Best we have in dentistry, is this.

For 'merica :idea: :wink:

http://www.politico.com/story/2014/07/e ... 08856.html

Electronic health records ripe for theft

By DAVID PITTMAN | 7/13/14 9:56 PM EDT
America’s medical records systems are flirting with disaster, say the experts who monitor crime in cyberspace. A hack that exposes the medical and financial records of hundreds of thousands of patients is coming, they say — it’s only a matter of when.

As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health care system as attractive bait, according to experts interviewed by POLITICO. On the black market, a full identity profile contained in a single record can bring as much as $500.

“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” said Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC. “I think the health data stewards are probably a little behind in the race. The criminal elements are incredibly sophisticated.”

The infamous Target breach occurred last year when hackers stole login information through the retailer’s heating and air system. Although experts aren’t sure what a major health care hack would look like, previous data breaches have resulted in identity and financial theft, and health care fraud.

Health care is the Johnny-come-lately to the digital world, trailing banks and retailers with decades of experience in cybersecurity. Most hospitals and doctors have gone from paper to electronic health records in the space of a few years while gobbling up $24 billion in federal incentive money paid out under the 2009 Health Information Technology for Economic and Clinical Health Act.

“Frankly, health care organizations are struggling to keep up with this,” said information security expert Ernie Hood, of the The Advisory Board Co.

Significant breaches are already occurring. Over the course of three days, hackers using a Chinese IP address infiltrated the St. Joseph Health System in Bryan, Texas, and exposed the information of 405,000 individuals, gaining names, address, Social Security numbers, dates of birth and other information.

It was the third-largest health data breach tracked by the federal government.

The L.A. Gay & Lesbian Center reported late last year that hackers attacked its computer systems over a course of two months trying to steal credit card, Social Security and other financial information. About 59,000 clients and former clients were left vulnerable.

While a stolen credit card or Social Security number fetches $1 or less on the black market, a person’s medical information can yield hundreds of times more, according to the World Privacy Forum. Thieves want to hack the data to gain access to health insurance, prescription drugs or just a person’s financial information

The Identify Theft Resource Center — which has identified 353 breaches in 2014 across industries it tracks, says almost half occurred in the health sector. Criminal attacks on health data have doubled since 2000, according to the Ponemon Institute, an industry leader in data security.

Health care is the industry sector least prepared for a cyberattack, according to security ratings firm BitSight Technologies. The industry had the highest volume of threats and the slowest response time, leading the FBI in April to issue a warning to health care providers.

The industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI stated.

Why health care and why now?

The high value of health information makes it attractive to hackers.

A credit card can be canceled within hours of its theft, but information in a patient’s health record is impossible to undo. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity.

A patient’s credit card information alone may be easier to hack from an unsuspecting hospital than from a company like Target, Michaels or Neiman Marcus, experts say.

“Criminal elements will go where the money is,” said Wah, who was the first deputy national coordinator in the Office of the National Coordinator for Health IT. “They’re seeking health records not because they’re curious about a celebrity’s blood type or medication lists or health problems. They’re seeking health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number.”

Other health security experts say hospitals’ response to cybersecurity issues has been lackluster, with providers still focused on privacy and confidentiality rather than data terrorists.

Security takes money and expertise to implement and isn’t a glamorous job, since success is measured by something not happening. The health system is still in the process of developing and vetting best practices.

The annual security assessment by the Health Information Management Systems Society showed that about half of surveyed health systems reported spending 3 percent or less of their IT budgets on security. Some 54 percent of the 283 IT security professionals surveyed had tested a data breach response plan, and slightly more than half of hospitals had an IT leader in charge of securing patient data.

Health facilities pay their security staffs less than any other industry, said Stephen Boyer, co-founder of BitSight. “This may be the case of you get what you pay for,” he said.

Read more: http://www.politico.com/story/2014/07/e ... z37TpLIm2r

User avatar
Hersheydmd
Posts: 700
Joined: Sun May 03, 2009 9:12 pm

Re: Is your root password blank?

Post by Hersheydmd » Wed Feb 04, 2015 8:13 pm

mark
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Wed Nov 04, 2015 5:47 am

Image
3 years of....ranting and "security research"...
Last edited by Justin Shafer on Thu Nov 26, 2015 2:06 am, edited 2 times in total.

apollonia
Posts: 40
Joined: Sat Nov 08, 2008 7:17 pm
Location: Bakersfield, CA

Re: Is your root password blank?

Post by apollonia » Wed Nov 04, 2015 7:50 am

to me there is a BIG difference between OD ALLOWING a user password vs when DTX made it IMPOSSIBLE to set one.

i'm kind of a libertarian, and i suspect i favor big naggy popups that request a user password, rather than requiring one. if one IS required, then OD should set a default, otherwise there will be many who are confused.

it might also be a good idea to automagically store the user's chosen password in a text file on the user's computer (not on the server). just thinking about dentists.

trentwolodko
Posts: 5
Joined: Fri Aug 14, 2015 8:11 am

Re: Is your root password blank?

Post by trentwolodko » Wed Nov 04, 2015 9:42 am

The entire reason that new Dentrix db security passphrase even exists is all because of Justin Shafer and the dude deserves recognition for calling H.S. out on its BS marketing.

OD may want to alter their installation instructions a little or polish up their help page on the topic just to press the issue a little more, something as simple as a windows dialog pop-up like the ones they have during installation regarding my.ini/grant tables... Something that says, "Hey folks... double down on database security by looking here: http://www.opendental.com/manual/passwordsmysql.html".

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Wed Nov 04, 2015 11:14 am

Thanks Trent! :D

I am just starting a fun dialog. At least we have the option in OpenDental to do it. :D

Dentrix used Jordan's quote once... and I didn't like it. Using a quote from someone I like, ain't gonna work. :lol:

Of course, I guess we were discussing tcpip encryption, but that is a longer story because back then it was plain-text authentication in the packets unless you used tcpip encryption with faircom, but then faircom fixed that, so that even with not using tcpip encryption, the authentication packets are still encrypted, so it is a pointless argument now....



---------- Forwarded message ----------
From: Roberts, Steve (Utah) <Steve.Roberts@henryschein.com>
Date: Thu, Nov 8, 2012 at 6:43 PM
Subject: RE: g5
To: Justin Shafer <justinshafer@gmail.com>


I followed up with the team and received some additional clarification.

The Dentrix G5 database is obviously encrypted as is the credentials within the data stream. All eServices data is encrypted at rest and during transmission. However, data transmitted between server and workstation on the LAN is not. Our team agrees with Jordan Sparks on this topic, specifically that there are so many other security issues to worry about that packet sniffing hackers with access to the LAN are down the list of threats. Why not simply apply packet encryption as you suggest - one word - performance. Encryption brings with it performance degredation (this is why we didn't choose the highest level of encryption available in ACE - speed).

Because most dentists don't maintain networks comprised of recommended systems we do everything we can to keep overhead low.

Steve

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Fri Nov 06, 2015 11:42 am

But... yeah... OD will always be more secure.. since they were the first to even have the entire idea in the first place.
:wink:

User avatar
Arna
Posts: 444
Joined: Tue Jul 09, 2013 3:16 pm

Re: Is your root password blank?

Post by Arna » Fri Nov 06, 2015 1:51 pm

Just out of curiosity- is this Passphrase to secure their TCP/IP traffic or to encrypt their database? I got a little lost in the email you posted.
Hats off! It's great to see that Dentrix is giving their customers the ability to secure themselves.
Entropy isn't what it used to be...

Arna Meyer

User avatar
Arna
Posts: 444
Joined: Tue Jul 09, 2013 3:16 pm

Re: Is your root password blank?

Post by Arna » Fri Nov 06, 2015 1:56 pm

trentwolodko wrote: OD may want to alter their installation instructions a little or polish up their help page on the topic just to press the issue a little more, something as simple as a windows dialog pop-up like the ones they have during installation regarding my.ini/grant tables... Something that says, "Hey folks... double down on database security by looking here: http://www.opendental.com/manual/passwordsmysql.html".
We're working on it. We're also tightening up security on the freedentalconfig.xml
As always, I cannot stress the importance of Security Risk Analysis enough. I want to scream every time I connect to a customer and see their mysql folder shared. Even moreso when it's not encrypted. I get on my soapbox with IT people when I find this. It's unnecessary and totally irresponsible.
Entropy isn't what it used to be...

Arna Meyer

Mifa
Posts: 141
Joined: Wed Nov 21, 2007 6:52 pm
Location: Saint-Bruno, QC, Canada
Contact:

Re: Is your root password blank?

Post by Mifa » Mon Nov 09, 2015 9:57 am

Do you mean that mysql's root password will not be saved in plain text anymore in freedentalconfig?

User avatar
Arna
Posts: 444
Joined: Tue Jul 09, 2013 3:16 pm

Re: Is your root password blank?

Post by Arna » Mon Nov 09, 2015 10:26 am

I believe there will be some trickery to that effect. Jason is working on it. He may have more to say about the matter.
Entropy isn't what it used to be...

Arna Meyer

User avatar
jsalmon
Posts: 1551
Joined: Tue Nov 30, 2010 12:33 pm
Contact:

Re: Is your root password blank?

Post by jsalmon » Mon Nov 09, 2015 10:40 am

Mifa wrote:Do you mean that mysql's root password will not be saved in plain text anymore in freedentalconfig?
Correct. We will encrypt it within the file. Because we are encrypting instead of hashing, you will still be able to type the password in plain text for first time users (new workstations or new customers) and Open Dental will detect the non-encrypted password and will automatically encrypt it within the xml file after connecting for the first time. This is of course assuming Open Dental is run with permissions to edit the files within it's installation directory.
The best thing about a boolean is even if you are wrong, you are only off by a bit.

Jason Salmon
Open Dental Software
http://www.opendental.com

User avatar
Justin Shafer
Posts: 596
Joined: Sat Jul 28, 2007 7:34 pm
Location: Fort Worth, TX.

Re: Is your root password blank?

Post by Justin Shafer » Thu Nov 26, 2015 1:03 am

WOW! Very cool! :)

All hail Open Dental. :D

Post Reply