Announcement

Collapse
No announcement yet.

Zachary Minneker - How To Get MUMPS Thirty Years Later (or, Hacking The Government via FOIA'd Code)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Zachary Minneker - How To Get MUMPS Thirty Years Later (or, Hacking The Government via FOIA'd Code)

    Zachary Minneker - How To Get MUMPS Thirty Years Later (or, Hacking The Government via FOIA'd Code)

    Presentation Title: How To Get MUMPS Thirty Years Later (or, Hacking The Government via FOIA'd Code)
    Zachary "SeiRanib" Minneker, Senior Security Engineer, Security Innovation
    Length of presentation: 45 Minutes
    Demo, Exploit


    In the 60s, engineers working in a lab at Massachusettes General Hospital in Boston invented a programming environment for use in medical contexts. This is before C, before the Unix epoch, before the concept of an electronic medical records system even existed. But if you have medical records in the US, or if you've banked in the US, its likely that this language has touched your data. Since the 1960s, this language has been used in everything from EMRs to core banking to general database needs, and even is contained in apt to this day.

    This is the Massachusettes General Hospital Utility Multi-Programming System. This is MUMPS.

    This talk covers new research into common open-source MUMPS implementations, starting with an application that relies on MUMPS: the Department of Veterans Affairs' VistA EMR. We’ll cover a short history of VistA before diving into its guts and examining MUMPS, the language that VistA was written in. Then we'll talk about 30 memory bugs discovered while fuzzing open source MUMPS implementations before returning to VistA to cover critical vulnerabilities found in credential handling and login mechanisms. We'll close by taking a step back and asking questions about how we even got here in the first place, the right moves we made, and what we can do better.

    SPEAKER BIO(S)
    Zachary Minneker is a senior security engineer and security researcher at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including robots for kids, audio transcription codecs, and electronic medical systems. He has previous experience administrating electronic medical systems, and deep experience in fuzzing, reverse engineering, and protocol analysis. His research has focused on techniques for in-memory fuzzing, IPC methods, and vulnerability discovery in electronic medical record systems and health care protocols. In his free time he works on music and synthesizers.


    REFERENCES:
    https://www.politico.com/agenda/stor...piracy-000367/
    https://www.hardhats.org/history/hardhats.html
    https://docs.yottadb.com/Acculturati...lturation.html
    https://www.cs.uni.edu/~okane/
    https://gitlab.com/YottaDB/DB/YDB
    https://sourceforge.net/projects/fis-gtm/
    https://en.wikipedia.org/wiki/VistA
    http://vistadataproject.info
    https://github.com/kretst/VistA-FOIA


    []
    Last edited by number6; June 18, 2022, 13:04.
Working...
X