Vendor's secret 'fix' made critical app unusable during business hours

Re: Lost for words

Besides awful practice, it is a sign that they have no clue what they are doing and they should be avoided to touch your systems at all cost.

^{_{Only /tmp [and /var/tmp] require[s] 1777 (== 777 with the T-bit set).}}

Re: Lost for words

Many years ago I was doing a migration when abroad. Sites had control of their kit, but there were some global standards for workstations (they ignored the OS upgrade to W8). Servers all had to be in English.

Doing the migration which for the servers involved a lot fo scripting to reconfigure from the sites old standard / settings to our global ones. A well tried and tested script

The workstations which were now in W8 and in a non English language were a bit confusing at first, but commands are commands and established the scripts that ran on the clients to move domains, sort users, remap etc were all good too.

This all started on a Friday night - was a bit slow, but nothing too unusual

Sunday night comes and at this stage we are pissed off for a couple of reasons and then one of the local team who is checking all the users devices and configs says "I cannot get this users home drive to come up". I have a look and sure enough, no mapping to their homedrive. i check the server, its there, all set to go.

I spend some time and am a bit bemused as I cannot see anything that would l cause this and is working for my account (admin) then I ask "Is anyone else affected?". His response "Oh yes, everyone" I am now opened mouthed and ask "When did you notice this?" and their response was "Since the first machines we checked on Friday night..."

I had not choice at that stage to grant them all local admin on this box to get access to their data - just because they had to work on the Monday.

Took a few days back and investigations to find out that the local IT had set some setting on the server (I cannot recall what, but it was obscure) that would cause this. Reset the key and then removed local admin and it was all good.

The easy win would to have just left it - as it is a local box so not as critical as they being admins for that city/country, but it pressed that it needed to be dealt with and could not be left as it was

Re: Lost for words

Yeah, me too of course.

I find accounts package developers are the worst, going back to the early 1980s (in-house devs on an Olivetti S6000)

The most recent one was, of course, a Windows one who told me it absolutely had to run with Admin privs. Asked 'em why - "because it has to write to the registry".

Turned out to be just one key, so created an account for the app, changed the privs for the one key to that account, job done.

Unbelievable yet unsurprising. The usual cavalier attitude to security.

Re: Lost for words

I have seen enough applications where the DB username and password is the same (i.e. if app name is app001 then the username and password is both set to app001). Sad thing is that the password cannot be changed as it will break the application.

Re: Lost for words

There are almost certainly rules with the force of law that would make this a serious matter. Medical records are (a) sacrosanct and (b) not to be open to outsiders to read.

Re: Lost for words

Microsoft's in-Windows CD writer software would decide that because a CDROM was a read-only media, that it should also set all the *file* attributes to read-only, destroying the metadata. When copy things back off the CDROM to their destinatin, to get things to work you'd often have to do a recursive attrib -r *.* on everything without knowing what really should really be read-only. I tried to distribute data and applications via ZIP files on CDROM, but go too many users who couldn't comprehend the concept of archives. So, I wrote a simple "installer" than unzipped the data to the correct destination, and then got fails from a couple of users who had something installed that made ZIP files look like directories to all filesystem calls, so it bombed out with "Cannot do file actions on a directory" sort of errors.

Re: Lost for words

Especially galling since least privilege is baked into HIPAA and any unauthorized access would undoubtedly be a violation of Federal Law - for the clinic.

Re: Lost for words

And for those of us bad, sad, and dangerous enough to actually deploy such tools the quality of programming leaves a lot to be desired in terms of their function, stability, resiliency, and the expectation that they can be used in a virtualised desktop environment…

User profile specific configuration file encryption, so non-persistent VDIs can’t hold common approved settings.

Security prompts with no centralised/secure way to approve them resulting in repetitive user security warning click-through habits.

Screen recording failures through web browser add-ons regularly crash.

Session recording stored in a 300GB database alongside user/permissions/target host lists because they didn’t consider storing session capture in a different database.

No formal support for Microsoft AOAG, even if you have multiple data centres that use a shared Microsoft AD Domain, password changes are not unique to a specific site but must be known to users regardless of which site they log into so you have to able to reach the application data base even if one site drops offline.

The vendor thinks using a whole thread of a CPU, 100% of the time, is fine when you list available credentials.

Same vendor believes using an additional thread 100% of the time when selecting target hostname to login to is also acceptable.

Management you sign up.

SME’s don’t know the product enough to set it up correctly (“We’re the first to do this…. Uh-huh.)

Users hate it because the know you’ve taken their direct permission away, and put another tool in the path to doing their job.

The vendor just says “It’s not designed to work that way, we’ll have to raise a development note. No guarantees it will be changed/improved.”

The fallback is I have to deal with all of these levels on a daily basis. Sigh.

Real common when SELinux is active

And no, I will not disable it globally.

Re: Vendors...

I've seen that far too many times.

Re: Vendors...

I can’t believe the amount of times on windows servers a vendor has slapped an Everyone, Full Control on the entire OS drive.

It baffles me that there isn’t an understanding of the service account being used and apply least privilege.

Don’t get me started on the “Disable the Windows Firewall” instructions.

Re: Vendors...

Currently I have one such vendor on my List. No, there is no reason your install suite needs to trigger our malware scans. Except incompetence on your part, but I hesitate to label that as a *valid* reason.

Re: Vendors...

And of course they now all need their own DB admin.

Or every DB is running sub-optimally.

Still, once it's all in the Datalake, who cares about the access controls?

Re: Vendors...

If I were your auditor, I would make replacing that app mandatory.

Because, probably 99 times out of 100, just blindly following a script; works. Of course, when eventually it doesn't and their 'advice' takes out your production DB and possibly your company as well......

Sorry about that!

Because people who actually know SQL cost money, whereas people who can read off a script cost peanuts.

Re: Medical systems are a nightmare

I once went on a visit to a customer office to diagnose a problem in the wild. To fill the time I provided onsite support and training for the poor suckers lucky punters using our desktop software. It was the first time saw someone lift and invert their keyboard after being asked. "What is your password?".

Re: Medical systems are a nightmare

not sure that was understood correctly

2nd time I've had to use a password vault.

some times you have passwords of last resort that can't be easily changed.

guess what, you often have to share that password amongst people.

many jobs ago, we had to change that password quarterly or when ever someone left. a bit of a pain when you have thousands of systems where that password needed to be changed.

Some places reuse that same password across multiple systems. With a password vault that can also change that password then each system can have a unique password of last resort & that password can be shared on demand to all your team.

perhaps the purpose of the vault wasn't understood?

some password vaults also can do PAM so you may never need to know your admin password as the vault can rotate it & just log you in to your kit from the gui.

permits having a username & password & an admin-username & automatically rotated random password to login to kit & do work.

Re: Medical systems are a nightmare

We use a password vault all the time, mostly for things such as radius keys, snmp passwords, service account passwords. All those things you only need occasionally and it is better than writing them down.

Of course we share passwords for systems with over 2000 network devices just one person knowing the emergency password would be dangerous…

Re: Medical systems are a nightmare

A vault to "share passwords" is not wrong. You have a number of people, which then with their accounts can access the password they need for their role. Another group can access another set of passwords for their role. or in other IT words: Those 15 people are responsible for that customer, and NEED those passwords. The other 3000 of the company don't. Access is logged of course.

But I deduct from your words something was amiss? Please share more details.

Re: Medical systems are a nightmare

@caver_dave

My company tried to get us to use a company wide password vault.

One on the early items in the training was how a wonderful feature in the vault allowed you to share passwords.

At which point anyone with sense dropped off the call.

Even the HR droid monitoring the call noticed this drop in attendees and everything has gone quiet on the compulsory use of the tool.

https://www.theregister.com/2025/12/11/docker_hub_secrets_leak/?td=rt-3a

this is a pertinent reason why a vault should be used instead of a password.

instead of lots of passwords needing revoking, could just revoke the vault access if that was shared and have vault rotate passwords in its store if need be & not already rotated on a frequent basis.

sharing passwords is more about disseminating unique passwords for systems amongst automated tooling rather than sharing peoples individual passwords amongst others.

looks like your company should take another look & perhaps ask as many seemingly stupid questions as possible until it makes sense. Stupid questions are really just a failure of the answerer to communicate their message effectively which prompts what some deem as stupid questions. In reality they are not stupid.

Re: Medical systems are a nightmare

a business or organization is so underfunded that that choice -- security vs near-immediate patient death -- is truly binary

I can think of at least one organisation where this is true. But that's almost certainly down to misapplication of funds rather than lack of funding per se.

Re: Medical systems are a nightmare

[citation desired]

Re: Medical systems are a nightmare

1) It's all shades of grey, you spend money for _more_ cyber security or more clinical cover (or more training for them). Maybe the computer system doesn't get breached, maybe the patient doesn't die. These are largely publicly funded organisations with people from clinical backgrounds in charge and public sector unions making the case for more and better paid or trained staff.

2) Ireland's HSE breach by Russia being a case in point.

Re: Medical systems are a nightmare

1. If a business or organization is so underfunded that that choice -- security vs near-immediate patient death -- is truly binary, they should not be in business/operation.

2. A security breach of a medical organization's computers can lead to many deaths.

sounds like the NHS, same story regurgitated constantly yet nothing done to stop any waste.

Re: Medical systems are a nightmare

Regards item 1, in the US at least, due to the commercialization of medicine, this is this case in almost every business. The bean counters essentially demand it.

As for item 2, are you familiar with the term "overinsured"? If we want security to be viewed as insurance (as opposed to a cost), then we need to learn the lesson, which was espoused by L0ft before congress: security does not have infinite value. You must balance your security spending. For the case in question, you're talking about physical security being the primary guard--and it sounds like the only access was for doctors, who are REALLY motivated not to behave badly in this situation. Not that I agree with the business in this specific case--it would still be a violation of HIPPA, and as such, I would need to send an email including legal to that effect.

Re: Similar Story with FTP

Good old boys network fails strikes again!

Re: Similar Story with FTP

"I'd left a text file in there with a laundry list of about 120 items, including the above, that they'd need to fix before we'd even consider touching them."

So you had write access to the home folder root? And you weren't tempted to run a rm command, just to see what would happen?

Re: Vendor gone wild

It worked out very well, as a result of this another organization hired me to work on numerous databases for required reports under foxpro 2.0, 2.5 and visual foxpro.

That was fun until microsoft bought foxpro.

Shenanigans?

You wouldn't believe some of my experiences.

Re: Vendor gone wild

"Thanked by president? Given a bonus? Fired the best friend's company?"

The president had her job to protect. At that point it must have been looking very dicey indeed.