
Who knows me?

Started by iago, May 18, 2007, 10:30:31 AM


iago

So yesterday morning (or was it Wednesday? I don't remember anymore...) I went to the doctor to see about a sore on my foot. I won't go into details. But as I was sitting there, I heard a request for some medical charts go through and was shocked at how easy it was!

So that got me thinking about other places where people might be able to steal personal information. Then my editor said that she needed a blog to fill in a gap today, so I wrote a blog about the situation.

Some of you might find it an interesting read, especially because it's nice and short (around 350 words):
http://www.symantec.com/enterprise/security_response/weblog/2007/05/who_knows_me.html

Chavo

Yeah... it's a pretty well-known fact that Canada's medical records and policies are considerably more lax than in the States. Of course, that won't change as long as it lets Canada publish an inflated life expectancy age by simply not documenting Eskimos.

While I agree that medical records are a serious source to protect, you are missing a few key 'security features' you might not have noticed.

a) Caller ID
b) At least in my town(s), most of the receptionists for doctors' offices and hospitals are on a first-name basis with each other and would probably not need to ask for any kind of credentials when calling from the expected line with the expected voice.

iago

Quote from: unTactical on May 18, 2007, 05:29:25 PM
a) Caller ID
b) At least in my town(s), most of the receptionists for doctors' offices and hospitals are on a first-name basis with each other and would probably not need to ask for any kind of credentials when calling from the expected line with the expected voice.
Although I agree, these points may not be 100% valid:

a) can be faked
b) it's a city of over a million, and she had to tell the person on the other end what her fax number was, which tells me that it couldn't have been a common request.

I thought of both of those, but I didn't really have enough room to mention them all. Thanks, though :)

Joe

I'm not sure what the basis was for distributing the doctor's fax number, but that could be a credential too.

Edit: Fixed a neat typo caused by Symantec's damn calendar bug. :P

Skywing

The sad reality is that it's not particularly hard for a determined person to get that sort of information with some social engineering.

Joe

The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and is it ciphered or not?

iago

Mobile security has been done to death by Ollie Whitehouse. He's an expert on that on the Advanced Threat Response team. If you Google his name, it'll probably bring up his blogs.

Skywing

Quote from: Joe[x86/64]
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and is it ciphered or not?

Caller ID is not something you want to rely on for authentication.  Easily spoofable, to say the least.  We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

Newby

Quote from: Skywing on May 21, 2007, 11:16:41 AM
We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

There was a number I called when I prank call (1-310-361-0161) and you could call anybody you wanted with any number you wanted as the caller ID.

Skywing

Someone mentioned this article at work independently; guess you're famous, in a way, iago :p

iago

Nice! It's awesome to get to write for a widely-read blog. I almost feel famous :)

mynameistmp

Quote from: Skywing on May 21, 2007, 11:16:41 AM
Quote from: Joe[x86/64]
The doctor's fax number, you mean?

EDIT -
Actually, you're right. If he said it out loud over the phone, anyone in the room (with a good ear, he may have said it quietly) could have penned it down and used it later I guess. But I think caller ID and voice are pretty strong credentials.

What really worries me is how easy it would be to "wiretap" a cell phone. That'd make an interesting blog, iago. How is the data transmitted, and is it ciphered or not?

Caller ID is not something you want to rely on for authentication.  Easily spoofable, to say the least.  We do some VoIP stuff here at work, and you can pretty much pick the number that shows up for caller ID for a particular call, to give you an idea.

See orange boxing. Years ago orange boxes were hardware devices that had to be constructed, but soon after software was written to emulate the devices. Many common users don't realize that your CID is determined by an analog signal the routing unit propagates (similar to the sounds the buttons make), so essentially all an orange box does is translate input into necessary tones. One popular method for 'social engineering' with said devices was to call store departments with the CID of another intercom line and request information. Usually if you can access the phone, the local # is located on the receiver. If you take the branches' (or stores') external number and sub the desired local you'll get the direct line if it's available.

http://www.artofhacking.com/orange.htm

Camel

Blue boxes are cooler than orange boxes, because blue boxes are used for hacking. Orange boxes are used for spoofing, not hacking.

[edit]
Quote from: iago
These are only a few examples of where, despite my best defenses, my information can leak out. How can I prevent it? Besides the usual technique of providing as little information as necessary, there isn't much I can do, except hope that my information stays secret.
Maybe you should consider firing your editor.


iago

Quote from: Camel on October 01, 2007, 03:09:07 AM
Blue boxes are cooler than orange boxes, because blue boxes are used for hacking. Orange boxes are used for spoofing, not hacking.

[edit]
Quote from: iago
These are only a few examples of where, despite my best defenses, my information can leak out. How can I prevent it? Besides the usual technique of providing as little information as necessary, there isn't much I can do, except hope that my information stays secret.
Maybe you should consider firing your editor.

We've had like 3 editors since then, myself included. :P

BigAznDaddy

If you work at a hospital like me, you see people's personal info... it's kinda funny yet scary if it gets into the wrong hands.