Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on May 18, 2007, 10:30:31 am

Title: Who knows me?
Post by: iago on May 18, 2007, 10:30:31 am
So yesterday morning (or was it Wednesday? I don't remember anymore...) I went to the doctor to see about a sore on my foot. I won't go into details. But as I was sitting there, I heard a request for some medical charts go through and was shocked at how easy it was!

So that got me thinking about other places where people might be able to steal personal information. Then my editor said that she needed a blog to fill in a gap today, so I wrote a blog about the situation.

Some of you might find it an interesting read, especially because it's nice and short (around 350 words):
http://www.symantec.com/enterprise/security_response/weblog/2007/05/who_knows_me.html
Title: Re: Who knows me?
Post by: Chavo on May 18, 2007, 05:29:25 pm
Yeah... it's a pretty well-known fact that Canada's medical records and policies are considerably more lax than in the States. Of course, that won't change as long as it lets Canada publish an inflated life expectancy age by simply not documenting Eskimos.

While I agree that medical records are a serious source to protect, you are missing a few key 'security features' you might not have noticed.

a) Caller ID
b) At least in my town(s) most of the receptions for doctors' offices and hospitals are on a first-name basis with each other and would probably not need to ask for any kind of credentials when calling from the expected line with the expected voice
Title: Re: Who knows me?
Post by: iago on May 18, 2007, 05:58:53 pm
a) Caller ID
b) At least in my town(s) most of the receptions for doctors' offices and hospitals are on a first-name basis with each other and would probably not need to ask for any kind of credentials when calling from the expected line with the expected voice
Although I agree, these points may not be 100% valid:

a) can be faked
b) it's a city of over a million, and she had to tell the person on the other end what her fax number was, which tells me that it couldn't have been a common request.

I thought of both of those, but I didn't really have enough room to mention them all. Thanks, though :)
Title: Re: Who knows me?
Post by: Joe on May 20, 2007, 03:50:49 am
I'm not sure what the basis was for distributing the doctor's fax number, but that could be a credential too.

Edit: Fixed a neat typo caused by Symantec's damn calendar bug. :P
Title: Re: Who knows me?
Post by: Skywing on May 20, 2007, 11:54:38 am
The sad reality is that it's not particularly hard for a determined person to get that sort of information with some social engineering.
Title: Re: Who knows me?
Post by: Joe on May 21, 2007, 12:28:11 am
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and is it cyphered or not?
Title: Re: Who knows me?
Post by: iago on May 21, 2007, 03:20:48 am
Mobile security has been done to death by Ollie Whitehouse. He's an expert on that on the Advanced Threat Response team. If you Google his name, it'll probably bring up his blogs.
Title: Re: Who knows me?
Post by: Skywing on May 21, 2007, 11:16:41 am
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and is it cyphered or not?

Caller ID is not something you want to rely on for authentication.  Easily spoofable, to say the least.  We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.
Title: Re: Who knows me?
Post by: Newby on May 21, 2007, 06:33:55 pm
We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

There was a number I called when I prank call (1-310-361-0161) and you could call anybody you wanted with any number you wanted as the caller ID.
Title: Re: Who knows me?
Post by: Skywing on May 22, 2007, 12:55:24 am
Someone mentioned this article at work independently; guess you're famous, in a way, iago :p
Title: Re: Who knows me?
Post by: iago on May 22, 2007, 12:00:49 pm
Nice! It's awesome to get to write for a widely-read blog. I almost feel famous :)
Title: Re: Who knows me?
Post by: mynameistmp on October 01, 2007, 12:13:29 am
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and is it cyphered or not?

Caller ID is not something you want to rely on for authentication.  Easily spoofable, to say the least.  We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

See orange boxing. Years ago orange boxes were hardware devices that had to be constructed, but soon after software was written to emulate the devices. Many common users don't realize that your CID is determined by an analog signal the routing unit propagates (similar to the sounds the buttons make), so essentially all an orange box does is translate input into necessary tones. One popular method for 'social engineering' with said devices was to call store departments with the CID of another intercom line and request information. Usually if you can access the phone, the local # is located on the receiver. If you take the branches' (or stores') external number and sub the desired local you'll get the direct line if it's available.

http://www.artofhacking.com/orange.htm
Title: Re: Who knows me?
Post by: Camel on October 01, 2007, 03:09:07 am
Blue boxes are cooler than orange boxes, because blue boxes are used for hacking. Orange boxes are used for spoofing, not hacking.

[edit]
Quote from: iago
These are only a few examples of where, despite my best defenses, my information can leak out. How can I prevent it? Besides the usual technique of providing as little information is necessary, there isn't much I can do, except hope that my information stays secret.
Maybe you should consider firing your editor.
Title: Re: Who knows me?
Post by: iago on October 01, 2007, 10:45:50 am
Blue boxes are cooler than orange boxes, because blue boxes are used for hacking. Orange boxes are used for spoofing, not hacking.

[edit]
Quote from: iago
These are only a few examples of where, despite my best defenses, my information can leak out. How can I prevent it? Besides the usual technique of providing as little information is necessary, there isn't much I can do, except hope that my information stays secret.
Maybe you should consider firing your editor.

We've had like 3 editors since then, myself included. :P
Title: Re: Who knows me?
Post by: BigAznDaddy on May 12, 2008, 08:10:09 pm
If you work at a hospital like me you see people's personal info... it's kinda funny yet scary if it gets in the wrong hands