Moving onto Eaglesoft aka Patterson Dental
(Thanks Dissent!)
So I have been asking Eaglesoft since 2014 if they would improve the authentication of Eaglesoft. Eaglesoft uses Sybase SQL Anywhere for its database.
How do they currently authenticate?
Currently, for read access they use the SQL Anywhere default username and password: dba and sql.
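The check a practitioner wants at this point is whether their own server still answers to that default login. The script below is an added example, not code from the original post and not Patterson or Eaglesoft code. It assumes (none of this is stated on the page) that the SQL Anywhere ODBC driver is installed under the name "SQL Anywhere 16", that the database engine listens on the default TCP port 2638, and that the machine running the script can reach it; it uses the driver's documented DSN-less connection keywords (Driver, Host, UID, PWD).

```powershell
# Added example (not Patterson/Eaglesoft code): report whether a SQL Anywhere
# server still accepts the well-known default login dba / sql.
# Assumptions, not taken from the post: ODBC driver name "SQL Anywhere 16",
# engine on TCP 2638, network reachability from this host.
param(
    [string]$DbHost   = "127.0.0.1",
    [int]   $Port     = 2638,
    [string]$Driver   = "SQL Anywhere 16",   # assumption: match the installed driver version
    [string]$UserId   = "dba",
    [string]$Password = "sql"
)

function Test-DefaultDbaLogin {
    param([string]$DbHost, [int]$Port, [string]$Driver, [string]$UserId, [string]$Password)

    # DSN-less ODBC connection string; ${} braces keep PowerShell from reading
    # "$DbHost:" as a scope-qualified variable name.
    $connStr = "Driver={$Driver};Host=${DbHost}:${Port};UID=$UserId;PWD=$Password"
    $conn = New-Object System.Data.Odbc.OdbcConnection($connStr)
    try {
        $conn.Open()
        # The login worked. Show that it is not a harmless account by counting
        # the tables the catalog exposes to it.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT COUNT(*) FROM SYS.SYSTAB"
        $tables = [int]$cmd.ExecuteScalar()
        return [pscustomobject]@{ Host = "${DbHost}:${Port}"; Accepted = $true;  Tables = $tables; Error = $null }
    } catch {
        # Any failure (refused login, no driver, no route) is reported, not swallowed,
        # so an absent driver is not mistaken for a hardened server.
        return [pscustomobject]@{ Host = "${DbHost}:${Port}"; Accepted = $false; Tables = 0; Error = $_.Exception.Message }
    } finally {
        if ($conn.State -eq [System.Data.ConnectionState]::Open) { $conn.Close() }
    }
}

$result = Test-DefaultDbaLogin -DbHost $DbHost -Port $Port -Driver $Driver -UserId $UserId -Password $Password
if ($result.Accepted) {
    Write-Warning "$($result.Host) accepts the default login $UserId/$Password and exposes $($result.Tables) catalog tables."
} else {
    Write-Output "$($result.Host) rejected $UserId/$Password (or could not be reached): $($result.Error)"
}
```

Run it from a workstation on the practice network against the Eaglesoft server; a warning means anyone on that network with the same credential list gets the same access. Read the Error field before concluding a server is fixed: a missing ODBC driver or a blocked port produces a rejection just like a changed password does. The obvious remedy, `ALTER USER DBA IDENTIFIED BY '<new password>'` in SQL Anywhere, is only usable if the application can be told the new password, which is exactly the open question raised below.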
Do they support changing the backend database for reading AND writing?
I do not know, but I plan on finding this out; I have asked US-CERT.
I have heard that if you want to write to their database, they do charge money, which I find odd because they don't seem to take great efforts to protect write access, which is exactly what I heard is supposed to cost money.
I met their security guru Mike Snead via LinkedIn. He wanted to connect with me and told me he liked my work regarding Dentrix. I thanked him and then said something he probably didn't like. I told him he had until Eaglesoft 18 to fix the authentication. He disconnected from me, and I guess people in dentistry are indignant, so I am not that surprised.
I noticed this great post by Patterson (whom I like, don't get me wrong) on LinkedIn.
"Hackers are awful, evil, and rotten, but one thing they aren't is stupid. In fact, many hackers specifically target small dental practices, assuming they don't have "sophisticated" data protection systems. Learn how to secure your important data by reading up on PattLock, Patterson's "sophisticated" data protection service. #PinkyOut"
I thought about this and realized I most likely wasn't being taken seriously. Last week I went to an office that was giving out the 2Wire WPA2 key to PATIENTS (key=office phone number?). This office has Eaglesoft. Somehow FEAR is the only thing that seems to work in dentistry so.....
Other than spending time on how Eaglesoft authenticates, I noticed a free Eaglesoft 16 Developer License was on the Eaglesoft FTP site. This led me to wonder: What other careless mistakes have they put on their FTP server?
OH... Let me tell you.
1. A file called Dental.Log, which is a transaction log file without the actual Dental.DB file to go along with it. I converted the dental.log file to dental.sql and discovered patient data for over 5,000 patients. The patients belong to Massachusetts General Hospital.
2. A Recall Report from ES that was converted to PDF. This file belonged to a dental office in Canada. There are over 2,300 patients in this file. The SSN is not present, but insurance info, balances, and patient alerts are present.
3. An entire Eaglesoft database was also present. This database belonged to an office in Canada and has a little over 15 thousand patients in it.
This is all pretty sad, in a way. Apparently they just finished having a seminar on February 2nd on "how to protect yourself from a data breach".
I hope SOMEONE at Patterson Dental or Eaglesoft knows I mean business, and the only HARM that can happen from not fulfilling our wishes is what can happen to the generation that follows after us.
Hints!