It’s been an interesting week in IT and security here in Sweden. On Monday the Swedish publication Computer Sweden exposed that 2,7 million recorded phone calls roughly 170 000 hours from the Swedish Health Care Guide 1177 where completely exposed on the internet. These were calls made by people about their medical conditions containing sensitive and personal information about the individual or their children.
This in itself is catastrophic — but what is worse is that this is not the first time we see something like this and it is, most likely, not the last. In this case it’s also horrifying how the whole thing has progressed and been handled during the week. The turn of events show a severe lack of knowledge in both IT and security, which is not only scary but extremely dangerous.
When Davide Nyblom, the CEO of Medicall a sub-supplier to MedHelp who handles some calls from 1177, was confronted with the discovery — he not only claimed it was impossible according to his IT department — when further pushed he decided to hang up the phone.
The Alice in Wonderland-like scenario continues when Dagen Nyheter reached out to Tommy Ekström the CEO of Voice Integrated Nordics, a supplier of Biz 2.0 that claims to be a cloud-based callcenter system which is used by Medicall. Ekström not only claims that the error was due to someone plugging in an “internet cable” to a “hard drive” during an update. He also claims that you needed a special “commando movement” to access the data.
If we ignore that he is making up words and concepts the facts are that the data was openly accessible over HTTP on port 443 and the server had a DNS, nas.applion.se, pointed towards it. This clearly shows that Voice Integrated Nordics either has no clue of what they are talking about or blatantly lying.
Why would a cloud based service exist in a location were unauthorised personnel can just “plug in” a cable to do an update?
Why would the server that is not intended to be exposed have a DNS entry pointing a domain towards it?
If there was only one person on the Voice Integrated Nordics management team, or even on staff, that knew what they were doing the answer by Ekström should have looked completely different.
The obvious errors and extremely strange answers from the company indicate shoddy craftsmanship and questionable ethics. This is the result of betting on the cheapest option and not weighing quality in as a parameter.
“Many folks want to buy software the way they buy a car. They have a list of features in mind, they negotiate a price, and they pay for what they asked for.”
— Martin Fowler and Jim Highsmith
When buying systems and software clients should be able to know that they won’t be tricked or scammed. The people buying the system can’t be tasked with asking about non functional requirements like security and performance because they simply don’t have the knowledge to phrase those requirements correctly — their area of expertise is usually in a completely different field.
This is not only a matter of craftsmanship, it’s a matter of ethics. When you buy a system you should be able to trust that your supplier is an expert and will guide you to manage these things correctly. We are past the era of only coding what the spec says — we are professionals and craftsmen that should be able to translate our clients dreams into working and stable systems. Our biggest challenge as an industry right now is that there is so much money to be made on IT and software that everyone is trying to get a piece, and not all are well intentioned. The price race is on and the less serious suppliers are winning because they exploit the purchasers lack of knowledge and error-prone procurement procedures that weigh price higher than quality and security.
We as professional craftsmen need to speak up! Especially when our personal data is at stake and theses companies are payed by tax payer money. As software and technology grow more important, by the hour, in everything we do — we as a collective are responsible for maintaining quality and delivering well-crafted systems.