It seems that it is time once again to talk about the relationship between software vendors and the security posture of different business verticals. Why are we beating this particular dead horse? Well, with the Covid-19 pandemic, the rush to shift to a remote workforce and an increase in attacker activity aimed at the remote workforce and healthcare, you would think that there would be an increased level of effort to fix vulnerabilities in remote access and healthcare services software. If you thought that, you would be wrong. Instead, during this time, we are seeing more software vendors pushing FDA guidance as if it were law, and healthcare organizations even refusing opportunities to patch critical software. This is on top of an extremely slow response to threats against the remote workplace.
We have written numerous articles on how bad corporate mentality is shaping security and risking your data, but we have one more to share with you today. We can also guarantee that this will not be the last one we write about. According to news reports, the company EagleSoft has responded to a (part-time) security researcher by asking the FBI to treat him like a criminal, instead of just fixing the issue as reported. The researcher’s name is Justin Shafer, and his "crime" was reporting unencrypted patient data left on an open FTP server by EagleSoft. The FTP server did not require a logon to access the data, but EagleSoft, in order to protect themselves, are trying to play this off as a criminal act.
What do Apple, Microsoft (including Skype), Google (YouTube), Facebook, Yahoo, and PalTalk have in common? Well, they all participate knowingly in one rather invasive program run by the NSA under the guise of national security. The program, called PRISM, was started in 2007 in the last months of George W. Bush’s administration; it creates a cooperative system with the listed companies that allows the NSA to query their systems for information. Ostensibly the program is intended to protect the US from foreign threats including terrorism, but it has such a wide license that it has already been shown to have captured data about US citizens. To make matters worse, certain members of Congress knew about the project back in 2007 and even granted the DOJ the power to force companies to comply in 2008.