Subject Re: [firebird-support] practice information system
Author Helen Borrie
At 05:25 p.m. 5/01/2014, Marc Hakman wrote:
>Hi,
>
>I am running a professional commercial practice information system, based on firebird in Germany. The system is certified by the german health agencies.
>
>
>Problem?
>The firebird account name and pasword are NOT changed.

Ouch!!

>The government is rolling out a patient chip card with the possibility to exchange the basic patients data with their social security health assurance agency by WAN. Is there a possibility for them to get access to (other) patient files (so the complete database) through a backdoor, e.g. via the admin account?

The whole world knows 'masterkey' as the installation password for SYSDBA. Its *only* purpose is to provide access to the SYSDBA to set his own password at installation time.

>Is there another way?

If the SYSDBA password is 'masterkey' (or anything starting with 'masterke') then change it NOW, to something very obscure. (You have 8 characters, not 9).

>Is it a security risk not changing the account name and pw?

See above. But do you know about users and SQL permissions?

>I am not paranoia, just concerned about my business and even more the medical confidentiality.

If you are saying that you deploy this software with only one user - SYSDBA - then you have a serious problem. (SYSDBA should be used only for administering databases). If it is deployed with SYSDBA + 'masterkey' then you have a VERY serious problem, that should not have been passed by the certification authority.


Helen Borrie, Support Consultant, IBPhoenix (Pacific)
Author of "The Firebird Book" and "The Firebird Book Second Edition"
http://www.firebird-books.net
__________________________________________________________________