Schools are pretty bad, too, and they are strongly subject to federal security policies.
Recently I had an fMRI done as part of a research program at Northwestern and had to sign a bunch of paperwork where it was said that my data would be secured with a best effort.
Well, fast forward to last night where I was curious if their psych department had any webservers exposed to the internet, which it shouldn't. I found SIP servers, printers with admin rights, routers, personal computers, etc etc etc. HIPAA hell. And that was only on three subnets and only 80/443.
I sent their heads of technology an email to see if they could look into it, since I'd prefer that my data not be stolen by anyone who knows how to run wget. They closed the ticket with this:
bpchaps, I believe you do have good intentions. That being said, we are already performing regular scans of our systems. If you do stumble upon anything significant, please do contact us again.
UMD has a great class where their cyber security students do pentesting on the school network for credit, simultaneously securing the network and providing a great education.
Nothing gets a network admin to close a hole like an annoying undergrad stopping by your office every day, trying to get his extra credit before the semester is over.
I'm a UMD student, and I had no idea this existed!
I've been hesitant about reporting holes/vulnerabilities in the school's infrastructure until now, but it's reassuring to see that there are official channels for doing so.
Don't think this was around when I went there, but I'm super excited that it is.
I did take a Software Engineering course while I was there that directly interacted with real-world clients and had to ship customer ready software at the end of the semester. It was intense and a fantastic learning experience. I'm biased, but they do it right at UMD. Go Terps!
I'd file a complaint with their bosses. Your privacy is important. If the tech staff won't take HIPAA seriously, their bosses better or they'll lose their job. Don't let this go, please, be proactive.
The first response was civil. I'd go straight to the HIPAA complaint now. They had their chance. Being overly polite is a waste of your time. For all you know you're being filtered by a moron covering his own ass.
My only concern with that, from personal experience, is that groups like HIPAA tend to be about as dismissive, but often significantly more. But you're right. If I don't get a decent response by tomorrow mid-afternoon, I'll raise the issue higher and follow through. My lawyer is very good with these sorts of issues, so I can go to him if needed, too.
Oh, the rabbit holes...
Edit: also, for what it's worth, I wasn't polite at the end - far from it.
I helped build a learning management tool for our med school, even set up SSO with their AD. They scanned the hell out of us. And we had flaws. But when the dean said he wanted it on the school's domain, on their server, IT did as told.
I don't know the answer. If you do interesting things, there will be bugs. And a university is full of people doing interesting things. If IT locks everything down you end up hamstrung, like the DoD often is. Another kind of pain I know all too well.
Oh trust me, I get it. There's definitely a middle ground, though.
If you want to know locked down, my last place locked down ICMP between VLANs for security reasons. Ironically, it's what got me to learn nmap. It was also hell. :)
Careful, people have been prosecuted for running unauthorised portscans before. It's probably easier for them to report you to the police than it is for them to fix the problems.
My uncle had surgery in a very well regarded hospital in the Northeast US. I visited him in one of their buildings and they were absolutely in a shambles from an IT perspective. Someone with bad intentions and a USB drive of almost any description could probably wreak havoc there.
I know of a local clinic where I live that has decided to stay on Windows XP and just told their staff "not to surf" as their way of dealing with security issues. While I was in the waiting room when I took my sister in for an appointment, I discovered you could look around pretty much anywhere: it has no network security, and the doctors' computers are on the same LAN as the public unencrypted wifi.
:(