Risk
12/6/2012
12:23 PM
Royal Security Fail: 'May I Speak To Kate?'

The oldest -- and most effective -- social engineering trick in the book remains getting on the phone and impersonating an insider. Ask Kate Middleton, the Duchess of Cambridge.

Want to obtain health information about a princess? Call a hospital, and pretend to be the queen.

Call it a joke, except that the setup worked. Earlier this week, a male-female DJ duo from an Australian FM radio show searched Google for the phone number for the Edward VII Hospital where the former Kate Middleton -- now known as the Duchess of Cambridge -- was receiving treatment for hyperemesis gravidarum, which is a severe form of morning sickness. Then the pair phoned, and in Australian-tinged accents, pretended to be Elizabeth II, Queen of Great Britain, and her son, Prince Charles.

After the female DJ -- posing as the queen -- asked how her granddaughter was doing with her "tummy bug," a nurse replied that she was sleeping and unable to receive a phone call. "Okay I'll just feed my little corgis then," said the supposed monarch. "When is a good time to come and visit her, because I'm the queen and I need a lift down there?"

To be clear, while the nurse -- in the course of a two-minute phone call -- revealed the comings and goings of Kate's husband, she apparently divulged no details about the patient's medical condition. On the other hand, the nurse appeared to believe that she was indeed speaking with the queen, which means the hospital evidently hadn't trained its staff on the basics of safeguarding patient confidentiality, especially over the phone.

Does no one remember their Kevin Mitnick? The surest path to obtaining desired information, especially if you're not authorized to have access to that information, is to get on the phone, pretend to be an insider, and politely request what you need. It's called a social-engineering attack, and it's one of the oldest tricks in the book, because it's cheap, easy and effective.

John Lofthouse, the hospital's chief executive, attempted to deflect the blame onto the callers. "This was a foolish prank call that we all deplore. We take patient confidentiality extremely seriously and are now reviewing our telephone protocols." In a video message later released by the hospital, he said, "Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery."

Not preparing staff to handle potential trickery of any sort -- from unscrupulous journalists, investigators, even spouses who might be stalking their former partners -- represents a clear failure by Lofthouse and the hospital's management team, and should serve as a lesson for any other organization charged with safeguarding information of any kind. Of course patient information may at times need to be relayed via phone. But the nurses who fielded the phone call didn't even perform the most basic of checks to verify their caller's identity, such as asking for a phone number so that it could be verified and the call returned. Equally, they might have approached the royal security detail that was likely camped down the hall to verify that their boss was indeed on the phone.

The hospital incident comes after the recent conclusion of the Leveson inquiry in Britain, which investigated whether the country's media should be subject to new regulations. The inquiry was kicked off by the phone wiretapping scandal that centered on Rupert Murdoch's News International. But even new regulations wouldn't prevent a determined social engineer -- or in this case, a pair of prankster Australian DJs -- from outsmarting their target.

To be fair to the hospital staff, however, they're far from the first people who have fallen victim to a social-engineering attack, and similar techniques have been used in high-profile cases involving Apple and Amazon, as well as HBGary Federal.

This week, meanwhile, the Internet Crime Complaint Center -- a joint effort between the FBI and the National White Collar Crime Center -- released a warning about a malware-driven scam that locks people's PCs, then tells people they have to pay a fine to the FBI to unlock it. This isn't the first time the government has released that warning, meaning that people keep falling for the ruse. Similarly, the continuing prevalence of tech support telemarketing scams suggests that the criminals involved are scamming enough people to make it economically worth their while.

How can people stop falling for these scams? Whether it's a hospital handling confidential information, or a cold call from someone who tells you that your PC is broken and they want to fix it, the response should be clear: Always verify a caller's identity before divulging sensitive information. If necessary, make the caller jump through hoops. Don't bow to pressure or apparent authority -- monarchs included. If in any doubt, take their phone number, hang up and phone your security team. Especially if the queen says she's calling.

Comments
pcerrato10,
User Rank: Apprentice
12/7/2012 | 6:36:34 PM
re: Royal Security Fail: 'May I Speak To Kate?'
"Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery." What a poor excuse.

The author has a point. The hospital should be training staffers to spot tricksters like this.

Paul Cerrato
Editor
InformationWeek Healthcare
jaysimmons,
User Rank: Apprentice
12/13/2012 | 7:19:54 PM
re: Royal Security Fail: 'May I Speak To Kate?'
I agree with Paul Cerrato's comment: You can't blame others for having poorly trained staff or allowing such a low-level setup to work. At the end of the day, everyone that has access to patient information should be trained on how to handle such information.

Jay Simmons
InformationWeek Contributor
PJS880,
User Rank: Ninja
12/17/2012 | 4:27:28 PM
re: Royal Security Fail: 'May I Speak To Kate?'
It was a very foolish prank but it did prove that the hospital was not trained properly. That is not the nurse's fault; she did not do anything wrong in my opinion. Social engineering attacks are just that: they prey on human behaviors, and that is all this was. It was an elaborate social engineering skit for entertainment purposes. Did the DJs know that what they were doing was 'hacking'? Probably not, and they thought it was just that, a prank call. Hopefully the hospital will use this information and properly train their staff so that this does not happen again.

Paul Sprague
InformationWeek Contributor