Author Topic: Who knows me?  (Read 6232 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Who knows me?
« on: May 18, 2007, 10:30:31 am »
So yesterday morning (or was it Wednesday? I don't remember anymore...) I went to the doctor to see about a sore on my foot. I won't go into details. But as I was sitting there, I heard a request for some medical charts go through and was shocked at how easy it was!

So that got me thinking about other places were people might be able to steal personal information. Then my editor said that she needed a blog to fill in a gap today, so I wrote a blog about the situation.

Some of you might find it an interesting read, especially because it's nice and short (around 350 words):
http://www.symantec.com/enterprise/security_response/weblog/2007/05/who_knows_me.html

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Who knows me?
« Reply #1 on: May 18, 2007, 05:29:25 pm »
Yea... its a pretty well known fact that Canada's medical records and policies are considerably more lax than in the states.  Of course, that won't change as long as it lets Canada publish an inflated life expectancy age by simply not documenting eskimos. 

While I agree that medical records are a serious source to protect you are missing a few key 'security features' you might not have noticed.

a) Caller ID
b) At least in my town(s) most of the receptions for doctors offices and hospitals are on a first name basis with each other and would probably not need to ask for any kind of credentials when calling from the expected line with the expected voice

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Who knows me?
« Reply #2 on: May 18, 2007, 05:58:53 pm »
a) Caller ID
b) At least in my town(s) most of the receptions for doctors offices and hospitals are on a first name basis with each other and would probably not need to ask for any kind of credentials when calling from the expected line with the expected voice
Although I agree, these points may not be 100% valid:

a) can be faked
b) it's a city of over a million, and she had to tell the person on the other end what her fax number was, which tells me that it couldn't have been a common request.

I thought of both of those, but I didn't really have enough room to mention them all. Thanks, though :)

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Who knows me?
« Reply #3 on: May 20, 2007, 03:50:49 am »
I'm not sure what the basis was for distributing the doctor's fax number, but that could be a credential too.

Edit: Fixed a neat typo caused by Symantec's damn calendar bug. :P
« Last Edit: May 20, 2007, 03:53:20 am by Joe[x86/64] »
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Who knows me?
« Reply #4 on: May 20, 2007, 11:54:38 am »
The sad reality is that it's not particularly hard for a determined person to get that sort of information with some social engineering.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Who knows me?
« Reply #5 on: May 21, 2007, 12:28:11 am »
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and it's it cyphered or not?
« Last Edit: May 21, 2007, 12:30:21 am by Joe[x86/64] »
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Who knows me?
« Reply #6 on: May 21, 2007, 03:20:48 am »
Mobile security has been done to death by Ollie Whitehouse. He's an expert on that on the Advanced Threat Response team. If you Google his name, it'll probably bring up his blogs.

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Who knows me?
« Reply #7 on: May 21, 2007, 11:16:41 am »
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and it's it cyphered or not?

Caller ID is not something you want to rely on for authentication.  Easily spoofable, to say the least.  We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Who knows me?
« Reply #8 on: May 21, 2007, 06:33:55 pm »
We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

There was a number I called when I prank call (1-310-361-0161) and you could call anybody you wanted with any number you wanted as the caller ID.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Who knows me?
« Reply #9 on: May 22, 2007, 12:55:24 am »
Someone mentioned this article at work independently; guess you're famous, in a way, iago :p

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Who knows me?
« Reply #10 on: May 22, 2007, 12:00:49 pm »
Nice! It's awesome to get to write for a widely-read blog. I almost feel famous :)

Offline mynameistmp

  • Full Member
  • ***
  • Posts: 111
  • Hi! I'm new here!
    • View Profile
Re: Who knows me?
« Reply #11 on: October 01, 2007, 12:13:29 am »
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and it's it cyphered or not?

Caller ID is not something you want to rely on for authentication.  Easily spoofable, to say the least.  We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

See orange boxing. Years ago orange boxes were hardware devices that had to be constructed, but soon after software was written to emulate the devices. Many common users don't realize that your CID is determined by an analog signal the routing unit propagates (similar to the sounds the buttons make), so essentially all an orange box does is translate input into necessary tones. One popular method for 'social engineering' with said devices was to call store departments with the CID of another intercom line and request information. Usually if you can access the phone, the local # is located on the receiver. If you take the branches' (or stores') external number and sub the desired local you'll get the direct line if it's available.

http://www.artofhacking.com/orange.htm

Offline Camel

  • Hero Member
  • *****
  • Posts: 1703
    • View Profile
    • BNU Bot
Re: Who knows me?
« Reply #12 on: October 01, 2007, 03:09:07 am »
Blue boxes are cooler than orange boxes, because blue boxes are used for hacking. Orange boxes are used for spoofing, not hacking.

[edit]
Quote from: iago
These are only a few examples of where, despite my best defenses, my information can leak out. How can I prevent it? Besides the usual technique of providing as little information is necessary, there isn't much I can do, except hope that my information stays secret.
Maybe you should consider firing your editor.
« Last Edit: October 01, 2007, 03:13:53 am by Camel »

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Who knows me?
« Reply #13 on: October 01, 2007, 10:45:50 am »
Blue boxes are cooler than orange boxes, because blue boxes are used for hacking. Orange boxes are used for spoofing, not hacking.

[edit]
Quote from: iago
These are only a few examples of where, despite my best defenses, my information can leak out. How can I prevent it? Besides the usual technique of providing as little information is necessary, there isn't much I can do, except hope that my information stays secret.
Maybe you should consider firing your editor.

We've had like 3 editors since then, myself included. :P

Offline BigAznDaddy

  • Hero Member
  • *****
  • Posts: 2163
    • View Profile
Re: Who knows me?
« Reply #14 on: May 12, 2008, 08:10:09 pm »
if you work at a hospital like me you see peoples personal info... its kinda funny yet scary if it gets in the wrong hands