The field of dentistry is more than x-rays and implements of torture. Half the job of any office is simply dragging patients in for cleanings and check-ups. That’s where technology comes into play.

Henrik’s employer made patient management software for dentist offices. Selling IT solutions to businesses with no IT staff was challenging, but Henrik’s software had a “nag bomb” feature. It could call, text, and email patients, reminding them of upcoming visits as well as strongly encouraging them to make appointments on a regular basis. Once dentists saw the number of missed appointments drop and the number of scheduled appointments rise, they fell in love with the software. Coupled with a centralized web gateway which allowed patients to “self-service” their appointments, you had a winning product.

I think I need a root canal. I definitely need a long, slow root canal.

One morning, Henrik arrived at the office a bit early, and was finishing a cigarette when Otto, the service desk manager, ran from the building like his head was on fire. “We’ve been hacked! We’ve been hacked! God help us, we’ve been hacked!”

God wasn’t taking Otto’s call, but Henrik was. He stubbed out his cigarette and rushed into the building to investigate.

“We’re pushing porn out to people’s phones!” Otto said, as he pulled up the growing queue of support tickets. The support tickets were filtered through the dentists’ offices: angry customers complained to the dentist offices, who in turn called the technical support line. This meant the tickets didn’t contain any useful information beyond, “You sent my 14-year-old daughter pornography!”

Henrik went to the message logs, looking for a window when things changed. The sent messages were a little bit odd, if hackers were the culprit. “It’s time for your next appointment! Schedule it at www.XXX.com,” didn’t really sound like something a hacker would do.

The messages had started going out in this state the previous evening. What changed, according to the activity logs? There was an update to a configuration file… by Otto. The changed line now read ClientURL = www.XXX.com. Henrik confronted him.

“What? While the web team is making some changes, I wanted to point it at a dead link so nobody saw the in-progress page.”

“The… wha-.” Henrik caught his breath. “There are so many things wrong with that statement that I don’t know where to begin. Let me correct a few things for you, Otto. First, the web team won’t publish any changes until they’re done, so you don’t need to worry about the users seeing half-finished work. Second, you do not change things unless someone tells you to. Third, holy crap, you shouldn’t have even had access to change that file to begin with, and we’re going to make sure that never happens again. But Otto, there’s something that puzzles me: why on Earth did you pick that URL?”

“Who would make a website named ‘XXX’?”
