Zoll Defibrillator Dashboard would execute contents of random Excel files ordinary users could import A defibrillator management platform was riddled with vulnerabilities including a remote command execution flaw that could seemingly be invoked by uploading an Excel spreadsheet to the platform. Or so warned the US's Cybersecurity and Infrastructure Security Agency, which said the Defibrillator Dashboard software, made by …
Summary of my experiences installing/upgrading ERP/MRP/CRM systems
Director: "And get rid of all that Excel stuff - I want everything on the new system. We can't afford to be shifting stuff back and forth between Excel and if Anna leaves no-one knows how to compile the reports cos she wrote all those macros that no one understands"
Team: "These are the costs of customizing the vanilla product to match our current processes."
Director: "Bugger that. There's nothing special about what we do so we'll change our processes to fit the vanilla product. "
.... vanilla system installed, processes changed, all tested, gone live, things running smoothly......
Director, waving powerpoint full of Excel charts: "I need the report that looks like this for this quarter"
Team: "We can't do that because you wouldn't pay for customization or for the OLAP add-on"
Director: "But I need it tomorrow for the board meeting. Just do it all in Excel"
Team "...anyone got Anna's phone number?"
I once did an ISO 27001 review of an organisation. Each sales person / representative had their own little Excel spreadsheet or other means of recording their contacts. I hd to point out that firstly, they were the organisations' clients not the salespeople's clients so should all appear on an organisation database, and secondly, as each person's way of storing their client data was ad hoc, there was no chance that anyone would be able to retrieve that data in the absence of the originator and thirdly, this way of handing personal details 300 (yes three HUNDRED) separate 'databases' was almost certainly in breach of then data protection legislation.
Excel is wonderful, for some things, but the problem is that 'ordinary people'* rather than database specialists can use to store and manage data without really knowing very much and can get into an awful mess.
We should leave it to the highly trained professionals, probably.
*for example, me.
I see "Purchase Orders" arrive as Excel spreadsheets every week or two although these days more of the infection attempts arrive as Purchase_Order.HTML ... occasionally they are real. To keep everyone safe I block all suspect attachments in the mail-server and only release them after a detailed check.
I've seen invoices created off-system for an important customer who insisted on a special template. The accounts system could manage this without much effort but for some reason it was all done via Excel. A macro pulled the data from accounts, created the invoices, mailed them to the customer's hard-coded email address, set the ledger flag to "issued" and printed a copy on the printer that used to be in Accounts - now somewhere else and next to a handy shredder, which is where the invoices were put by the locals. It worked fine until the customer changed email address and got pretty annoyed when they were hassled for not paying invoices they had never seen.
I'm having a bit of trouble with the concept of fleets of defibrillators controlled by Excel spreadsheets. Am I misreading something? No?
Look, I wasn't all that wild about the parallel universe I was living in. In fact, it looked to be wall-to-wall crackpots back there. But I'm clearly not cut out for this one. Can anyone provide me with instructions for returning home where my biggest worry was whether Covid vaccine would magnetize me?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
