FTP Server at LSUHealth New Orleans

In June, I found an FTP server full of medical information. I didn't show it to anyone, but emailed several addresses at the institution responsible for the server, lsuhsc.edu.

Within a few hours, the server was no longer accessible. I got no reply from the company, but regarded this as a success.

Today, I was informed about this article:

Professor hacks University Health Conway in demonstration for class

Everything in that title is incorrect. I didn't hack anything, I did a google search and connected to an open FTP server. I was not teaching classes at that time, and I didn't demonstrate it for anyone.

All I did was send this email:


Sam Bowne <sam.bowne@gmail.com>
to: webmaster@lsuhsc.edu,
nocompliance@lsuhsc.edu,
lhholl@lsuhsc.edu
date: Tue, Jun 17, 2014 at 11:45 AM
subject: Exposed patient data on public server
mailed-by: gmail.com

Hello:

I am Sam Bowne, an instructor at City College San Francisco, and I found two security problems on your server with a Google search.

Your FTP server has been compromised, and some files named "w0000000t" were added to it.

However, that's very minor compared to the fact that you have dozens of files publicly exposed on that server containing medical data about thousands of patients.

Here's the server root:

ftp://conway.lsuhsc.edu/

Here's an example file showing approximately 2000 of what appear to be patient names:

ftp://conway.lsuhsc.edu/EACHBSTMRP20121120.txt

Here are some patient addresses:

ftp://conway.lsuhsc.edu/EACHB20121122.txt

There are many more files there--you may have a serious violation of HIPAA regulations here.

These files have apparently been exposed for at least a year, and have already been copied to other servers by FTP search engines:

http://filemare.com/en-us/browse/155.58.160.62@@@60/12

The "w0000000t" file is apparently part of a mass compromise of Microsoft FTP servers, which was found but not explained by a French security company named QuarkLabs in this slide:

http://samsclass.info/lulz/w00t-ftp.png

Full presentation here:

http://www.quarkslab.com/dl/D2T1-Why-Port-Scans-are-for-Pussies.pdf

Please alert your technical and legal staff.

I am happy to answer any questions you may have.

Sam Bowne sbowne@ccsf.edu
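The exposure described in the email above has two detectable symptoms in the server's own logs: anonymous users downloading files, and anonymous users creating files such as the "w0000000t" marker. The following is an added example (not from the original post, and not LSU's or Microsoft's code) that audits IIS FTP W3C-format log lines for both; the field layout and the log lines are constructed for illustration, and the parser reads the `#Fields:` header so a real log's column order is honoured.

```python
from collections import defaultdict

# Constructed sample log in IIS FTP W3C format (field set is an assumption;
# the "#Fields:" header is parsed, so a real log's order is used as-is).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status
2014-06-10 03:12:44 198.51.100.7 - 10.0.0.2 21 USER anonymous 331
2014-06-10 03:12:44 198.51.100.7 anonymous 10.0.0.2 21 PASS *** 230
2014-06-10 03:12:45 198.51.100.7 anonymous 10.0.0.2 21 MKD /w0000000t 257
2014-06-10 03:12:46 198.51.100.7 anonymous 10.0.0.2 21 STOR /w0000000t/tag.txt 226
2014-06-11 14:02:01 203.0.113.9 anonymous 10.0.0.2 21 PASS *** 230
2014-06-11 14:02:03 203.0.113.9 anonymous 10.0.0.2 21 RETR /EACHB20121122.txt 226
2014-06-12 09:00:00 192.0.2.5 jsmith 10.0.0.2 21 PASS *** 230
2014-06-12 09:00:01 192.0.2.5 jsmith 10.0.0.2 21 RETR /report.txt 226
"""

# FTP commands that create or alter content (a "w0000000t" drop needs one of these)
WRITE_CMDS = {"STOR", "STOU", "APPE", "MKD", "RNTO"}
# FTP commands that read content (an anonymous RETR of a patient file is the exposure)
READ_CMDS = {"RETR", "LIST", "NLST"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the names given in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def audit_anonymous(text):
    """Return completed anonymous reads (data exposure) and writes (tampering)."""
    findings = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("cs-username") != "anonymous":
            continue
        if not rec.get("sc-status", "").startswith("2"):  # only successful commands
            continue
        method, path = rec["cs-method"], rec["cs-uri-stem"]
        if method in READ_CMDS:
            findings["anonymous_download"].append((rec["c-ip"], path))
        elif method in WRITE_CMDS:
            findings["anonymous_write"].append((rec["c-ip"], path))
    return dict(findings)

if __name__ == "__main__":
    for kind, hits in audit_anonymous(SAMPLE_LOG).items():
        print(kind, hits)
```

Any entry under `anonymous_write` means the server accepted uploads from the public, and any entry under `anonymous_download` names a file that must be treated as disclosed.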


I Object

It is outrageous for a journalist to write such lies, accusing me of serious crimes, without even contacting me to find out what happened.

I will post a comment on the article and contact him on Twitter, and update this if anything worthwhile happens.

I see that the article linked above is just repeating lies from this newspaper article, authored by "Staff":

Conway had server breach; no personal information lost

Here are screenshots of the articles as I saw them today, 8-28-14:

I posted this as both a Tweet and a comment to SC Magazine:

My comment on the SC magazine article vanished. It may be pending approval. However, I remembered a general principle I have learned from vulnerability disclosure: the person who created the problem will never admit it or fix it.

To find responsible people, one must go to the top.

So I found the owners of both papers and sent these Tweets to the CEOs.

HIPAA Complaint and Open Letter

HIPAA explicitly forbids LSU from retaliating against me for reporting a HIPAA violation, so I filed a federal complaint against them for their illegal retaliation.

Since the parties involved are all liars, I posted everything I did publicly in an open letter to all stakeholders:

http://samsclass.info/125/proj11/LSU-HIPAA.htm

No Media Response

My comments on the SC Magazine article were deleted. The "journalist" who invented the article has not altered it or contacted me in any way.

The two CEOs have also remained silent.

Apparently, committing libel is a common thing for them, and they are comfortable completely ignoring the protests of their victims.

I have begun inquiries with attorneys to find out the best way to force these liars to take some responsibility for their crimes.

Second, Contradictory SC Magazine Story

I found out today on Twitter that the same author of the original article has now written a second story, giving my side.

Professor says Google search, not hacking, yielded medical info

However, the original, false article remains online, with no link to the later corrective one, and my comment remains deleted.

Professor hacks University Health Conway in demonstration for class

This is a very strange way to run a news blog.

Victory! Article Corrected

On the advice of my attorney, I offered the journalist a phone call and the right to quote from it in return for amending the article.

This is far from ideal, since it might appear to reward him for extortion, but it did accomplish my primary objective of removing the libel which could harm me and CCSF.

Here is the amended article:

Thanks to Alex Muentz

As documented above, I struggled for days trying to fix this problem, and I was getting nowhere. A one-hour phone call to @alexuentz cleared it all up immediately, because he understood how the media works far better than I do, and he knew just what to do.

There's nothing like a good lawyer when you need one!


Posted 3:32 pm 8-28-14 by Sam Bowne
Tweet added 3:51 PM 8-28-14
CEO tweets added 0:45 am 8-29-14
Open letter and "No Media Response" sections added 6:36 am 8-30-14
Second SC article info added 7:13 am, 8-30-14
Amended article added 5:16 pm 8-31-14
Thanks to Alex Muentz added 8:49 am 9-1-14