12/6/2012
12:23 PM

Royal Security Fail: 'May I Speak To Kate?'

The oldest -- and most effective -- social engineering trick in the book remains getting on the phone and impersonating an insider. Ask Kate Middleton, the Duchess of Cambridge.

Want to obtain health information about a princess? Call a hospital, and pretend to be the queen.

Call it a joke, except that the setup worked. Earlier this week, a male-female DJ duo from an Australian FM radio show searched Google for the phone number for the Edward VII Hospital where the former Kate Middleton -- now known as the Duchess of Cambridge -- was receiving treatment for hyperemesis gravidarum, which is a severe form of morning sickness. Then the pair phoned, and in Australian-tinged accents, pretended to be Elizabeth II, Queen of Great Britain, and her son, Prince Charles.

After the female DJ -- posing as the queen -- asked how her granddaughter was doing with her "tummy bug," a nurse replied that she was sleeping and unable to receive a phone call. "Okay I'll just feed my little corgis then," said the supposed monarch. "When is a good time to come and visit her, because I'm the queen and I need a lift down there?"


To be clear, while the nurse -- in the course of a two-minute phone call -- revealed the comings and goings of Kate's husband, she apparently divulged no details about the patient's medical condition. On the other hand, the nurse appeared to believe that she was indeed speaking with the queen, which means the hospital evidently hadn't trained its staff on the basics of safeguarding patient confidentiality, especially when on the phone.

Does no one remember their Kevin Mitnick? The surest path to obtaining desired information, especially if you're not authorized to have access to that information, is to get on the phone, pretend to be an insider, and politely request what you need. It's called a social-engineering attack, and it's one of the oldest tricks in the book, because it's cheap, easy and effective.

John Lofthouse, the hospital's chief executive, attempted to deflect the blame onto the callers. "This was a foolish prank call that we all deplore. We take patient confidentiality extremely seriously and are now reviewing our telephone protocols." In a video message later released by the hospital, he said, "Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery."

Not preparing staff to handle potential trickery of any sort -- from unscrupulous journalists, investigators, even spouses who might be stalking their former partners -- represents a clear failure by Lofthouse and the hospital's management team, and should serve as a lesson for any other organization charged with safeguarding information of any kind. Of course patient information may at times need to be relayed via phone. But the nurses who fielded the phone call didn't even perform the most basic of checks to verify their caller's identity, such as asking for a phone number so that it could be verified and the call returned. Equally, they might have approached the royal security detail that was likely camped down the hall to verify that their boss was indeed on the phone.

The hospital incident comes after the recent conclusion of the Leveson inquiry in Britain, which investigated whether the country's media should be subject to new regulations. The inquiry was kicked off by the phone wiretapping scandal that centered on Rupert Murdoch's News International. But even new regulations wouldn't prevent a determined social engineer -- or in this case, a pair of prankster Australian DJs -- from outsmarting their target.

To be fair to the hospital staff, however, they're far from the first people who have fallen victim to a social-engineering attack, and similar techniques have been used in high-profile cases involving Apple and Amazon, as well as HBGary Federal.

This week, meanwhile, the Internet Crime Complaint Center -- a joint effort between the FBI and the National White Collar Crime Center -- released a warning about a malware-driven scam that locks people's PCs, then tells them they have to pay a fine to the FBI to unlock them. This isn't the first time the government has released that warning, meaning that people keep falling for the ruse. Similarly, the continuing prevalence of tech support telemarketing scams suggests that the criminals involved are scamming enough people to make it economically worth their while.

How can people stop falling for these scams? Whether it's a hospital handling confidential information, or a cold call from someone who tells you that your PC is broken and they want to fix it, the response should be clear: Always verify a caller's identity before divulging sensitive information. If necessary, make the caller jump through hoops. Don't bow to pressure or apparent authority -- monarchs included. If in any doubt, take their phone number, hang up and phone your security team. Especially if the queen says she's calling.

Comments
PJS880
User Rank: Ninja
12/17/2012 | 4:27:28 PM
re: Royal Security Fail: 'May I Speak To Kate?'
It was a very foolish prank but it did prove that the hospital was not trained properly. That is not the nurse's fault; she did not do anything wrong in my opinion. Social engineering attacks are just that: they prey on human behaviors, and that is all this was. It was an elaborate social engineering skit for entertainment purposes. Did the DJs know that what they were doing was 'hacking'? Probably not, and they thought it was just that, a prank call. Hopefully the hospital will use this information and properly train their staff so that this does not happen again.

Paul Sprague
InformationWeek Contributor
jaysimmons
User Rank: Apprentice
12/13/2012 | 7:19:54 PM
re: Royal Security Fail: 'May I Speak To Kate?'
I agree with Paul Cerrato's comment: You can't blame others for having poorly trained staff or allowing such a low-level setup to work. At the end of the day, everyone that has access to patient information should be trained on how to handle such information.

Jay Simmons
InformationWeek Contributor
pcerrato10
User Rank: Apprentice
12/7/2012 | 6:36:34 PM
re: Royal Security Fail: 'May I Speak To Kate?'
"Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery." What a poor excuse.

The author has a point. The hospital should be training staffers to spot tricksters like this.

Paul Cerrato
Editor
InformationWeek Healthcare