Subject Re: [firebird-support] practice information system
Author Marc Hakman
Hi Helen,

if I understand you well, I have a steel armor archive cabinet on wheels without a rear wall. Approved by all security agencies (NSA etc) and several other criminal organizations. And, I even didn’t know. ;)

I have contacted them, the supplier / developer (not vendor) and the certification body. Waiting for their reactions.
It is possible to sent you a personal mail? Uncleared ist my problem with the chip card.

Marc.

PS: read also the mail of rudyhuang10@...

Am 05.01.2014 um 11:16 schrieb Helen Borrie <helebor@...>:

At 05:25 p.m. 5/01/2014, Marc Hakman wrote:
>Hi,
>
>I am running a professional commercial practice information system, based on firebird in Germany. The system is certified by the german health agencies.
>
>
>Problem?
>The firebird account name and pasword are NOT changed.

Ouch!!

>The government is rolling out a patient chip card with the possibility to exchange the basic patients data with their social security health assurance agency by WAN. Is there a possibility for them to get access to (other) patient files (so the complete database) through a backdoor, e.g. via the admin account? 

The whole world knows 'masterkey' as the installation password for SYSDBA. Its *only* purpose is to provide access to the SYSDBA to set his own password at installation time.

>Is there another way?

If the SYSDBA password is 'masterkey' (or anything starting with 'masterke') then change it NOW, to something very obscure. (You have 8 characters, not 9).

>Is it a security risk not changing the account name and pw?

See above. But do you know about users and SQL permissions?

>I am not paranoia, just concerned about my business and even more the medical confidentiality.

If you are saying that you deploy this software with only one user - SYSDBA - then you have a serious problem. (SYSDBA should be used only for administering databases). If it is deployed with SYSDBA + 'masterkey' then you have a VERY serious problem, that should not have been passed by the certification authority.

Helen Borrie, Support Consultant, IBPhoenix (Pacific)
Author of "The Firebird Book" and "The Firebird Book Second Edition"
http://www.firebird-books.net
__________________________________________________________