
Risk

12/6/2012
12:23 PM
Royal Security Fail: 'May I Speak To Kate?'

The oldest -- and most effective -- social engineering trick in the book remains getting on the phone and impersonating an insider. Ask Kate Middleton, the Duchess of Cambridge.

Want to obtain health information about a princess? Call a hospital, and pretend to be the queen.

Call it a joke, except that the setup worked. Earlier this week, a male-female DJ duo from an Australian FM radio show searched Google for the phone number for the Edward VII Hospital where the former Kate Middleton -- now known as the Duchess of Cambridge -- was receiving treatment for hyperemesis gravidarum, which is a severe form of morning sickness. Then the pair phoned, and in Australian-tinged accents, pretended to be Elizabeth II, Queen of Great Britain, and her son, Prince Charles.

After the female DJ -- posing as the queen -- asked how her granddaughter was doing with her "tummy bug," a nurse replied that she was sleeping and unable to receive a phone call. "Okay I'll just feed my little corgis then," said the supposed monarch. "When is a good time to come and visit her, because I'm the queen and I need a lift down there?"


To be clear, while the nurse -- in the course of a two-minute phone call -- revealed the comings and goings of Kate's husband, she apparently divulged no details about the patient's medical condition. On the other hand, the nurse appeared to believe that she was indeed speaking with the queen, which means the hospital evidently hadn't trained its staff on the basics of safeguarding patient confidentiality, especially when on the phone.

Does no one remember their Kevin Mitnick? The surest path to obtaining desired information, especially if you're not authorized to have access to that information, is to get on the phone, pretend to be an insider, and politely request what you need. It's called a social-engineering attack, and it's one of the oldest tricks in the book, because it's cheap, easy and effective.

John Lofthouse, the hospital's chief executive, attempted to deflect the blame onto the callers. "This was a foolish prank call that we all deplore. We take patient confidentiality extremely seriously and are now reviewing our telephone protocols." In a video message later released by the hospital, he said, "Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery."

Not preparing staff to handle potential trickery of any sort -- from unscrupulous journalists, investigators, even spouses who might be stalking their former partners -- represents a clear failure by Lofthouse and the hospital's management team, and should serve as a lesson for any other organization charged with safeguarding information of any kind. Of course patient information may at times need to be relayed via phone. But the nurses who fielded the phone call didn't even perform the most basic of checks to verify their caller's identity, such as asking for a phone number so that it could be verified and the call returned. Equally, they might have approached the royal security detail that was likely camped down the hall to verify that their boss was indeed on the phone.

The hospital incident comes after the recent conclusion of the Leveson inquiry in Britain, which investigated whether the country's media should be subject to new regulations. The inquiry was kicked off by the phone wiretapping scandal that centered on Rupert Murdoch's News International. But even new regulations wouldn't prevent a determined social engineer -- or in this case, a pair of prankster Australian DJs -- from outsmarting their target.

To be fair to the hospital staff, however, they're far from the first people who have fallen victim to a social-engineering attack, and similar techniques have been used in high-profile cases involving Apple and Amazon, as well as HBGary Federal.

This week, meanwhile, the Internet Crime Complaint Center -- a joint effort between the FBI and the National White Collar Crime Center -- released a warning about a malware-driven scam that locks people's PCs, then tells them they have to pay a fine to the FBI to unlock it. This isn't the first time the government has released that warning, meaning that people keep falling for the ruse. Similarly, the continuing prevalence of tech support telemarketing scams suggests that the criminals involved are scamming enough people to make it economically worth their while.

How can people stop falling for these scams? Whether it's a hospital handling confidential information, or a cold call from someone who tells you that your PC is broken and they want to fix it, the response should be clear: Always verify a caller's identity before divulging sensitive information. If necessary, make the caller jump through hoops. Don't bow to pressure or apparent authority -- monarchs included. If in any doubt, take their phone number, hang up and phone your security team. Especially if the queen says she's calling.
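The verify-then-call-back discipline described above, written up as an added example that is not part of the original article: a small Python model of a telephone disclosure policy in which sensitive information is never released on an inbound call, the return call always goes to a number the organization already holds, and the number the caller volunteers (or the rank they claim) never changes the outcome. The directory, the role names and the phone numbers are constructed placeholders for this example only.

```python
"""Model of a callback-verification policy for telephone requests.

Constructed for illustration: the trusted directory, roles and numbers below are
placeholders, not any real hospital's records.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    DISCLOSE = "disclose"                        # non-sensitive: answer now
    CALLBACK_REQUIRED = "callback_required"      # hang up, ring the directory number
    REFUSE_AND_ESCALATE = "refuse_and_escalate"  # unknown caller: refuse, ring security


@dataclass(frozen=True)
class CallSession:
    direction: str                        # "inbound" or "outbound"
    claimed_identity: str                 # whatever the caller says they are
    offered_number: Optional[str] = None  # number the caller volunteers; never trusted
    dialled_number: Optional[str] = None  # number staff dialled (outbound calls only)
    applies_pressure: bool = False        # urgency, rank, "I'm the queen"; logged, never acted on


# Constructed sample directory with placeholder numbers. In practice this is the
# organization's own record, populated in advance and never edited mid-call.
TRUSTED_DIRECTORY = {
    "security team": "+44 20 7000 0000",
    "royal protection detail": "+44 20 7000 0001",
    "attending physician": "+44 20 7000 0002",
}

# Categories that may be answered on any call without verification.
PUBLIC_CATEGORIES = {"visiting hours", "hospital address"}


def normalise(number: str) -> str:
    """Compare numbers on digits only so spacing or punctuation cannot bypass the match."""
    return "".join(ch for ch in number if ch.isdigit())


def triage_inbound(call: CallSession, category: str) -> Tuple[Decision, Optional[str]]:
    """Decide how to handle an inbound request; returns (decision, number staff should dial).

    The caller's offered number and any pressure they apply are deliberately not read:
    the return call goes only to a number the directory already holds for the claimed
    role, and an unrecognised role is refused and handed to the security team.
    """
    if category in PUBLIC_CATEGORIES:
        return Decision.DISCLOSE, None
    role = call.claimed_identity.lower()
    if role in TRUSTED_DIRECTORY:
        return Decision.CALLBACK_REQUIRED, TRUSTED_DIRECTORY[role]
    return Decision.REFUSE_AND_ESCALATE, TRUSTED_DIRECTORY["security team"]


def may_disclose(call: CallSession, category: str) -> bool:
    """Sensitive information is released only on a call staff placed to a directory number."""
    if category in PUBLIC_CATEGORIES:
        return True
    if call.direction != "outbound" or call.dialled_number is None:
        return False
    dialled = normalise(call.dialled_number)
    return any(dialled == normalise(n) for n in TRUSTED_DIRECTORY.values())


if __name__ == "__main__":
    # Constructed scenario mirroring the prank: a caller claiming to be a head of
    # state, offering a number to ring back and leaning on apparent authority.
    prank = CallSession("inbound", "Queen Elizabeth II",
                        offered_number="+61 2 5550 0100", applies_pressure=True)
    print(triage_inbound(prank, "patient condition"))   # refuse, ring the security team
    print(may_disclose(prank, "patient condition"))     # False: still an inbound call
```

The design point is that `offered_number` and `applies_pressure` exist on the record so an incident reviewer can see what the caller tried, but neither field is consulted by the decision functions; only the direction of the call and the directory determine whether anything sensitive is said.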

Comments
PJS880
User Rank: Ninja
12/17/2012 | 4:27:28 PM
re: Royal Security Fail: 'May I Speak To Kate?'
It was a very foolish prank, but it did prove that the hospital was not trained properly. That is not the nurse's fault; she did not do anything wrong in my opinion. Social engineering attacks are just that: they prey on human behaviors, and that is all this was. It was an elaborate social engineering skit for entertainment purposes. Did the DJs know that what they were doing was 'hacking'? Probably not, and they thought it was just that, a prank call. Hopefully the hospital will use this information and properly train their staff so that this does not happen again.

Paul Sprague
InformationWeek Contributor
jaysimmons
User Rank: Apprentice
12/13/2012 | 7:19:54 PM
re: Royal Security Fail: 'May I Speak To Kate?'
I agree with Paul Cerrato's comment: You can't blame others for having poorly trained staff or allowing such a low-level setup to work. At the end of the day, everyone that has access to patient information should be trained on how to handle such information.

Jay Simmons
InformationWeek Contributor
pcerrato10
User Rank: Apprentice
12/7/2012 | 6:36:34 PM
re: Royal Security Fail: 'May I Speak To Kate?'
"Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery." What a poor excuse.

The author has a point. The hospital should be training staffers to spot tricksters like this.

Paul Cerrato
Editor
InformationWeek Healthcare