Royal Security Fail: 'May I Speak To Kate?'
The oldest -- and most effective -- social engineering trick in the book remains getting on the phone and impersonating an insider. Ask Kate Middleton, the Duchess of Cambridge.
Want to obtain health information about a princess? Call a hospital, and pretend to be the queen.
Call it a joke, except that the setup worked. Earlier this week, a male-female DJ duo from an Australian FM radio show searched Google for the phone number for the Edward VII Hospital where the former Kate Middleton -- now known as the Duchess of Cambridge -- was receiving treatment for hyperemesis gravidarum, which is a severe form of morning sickness. Then the pair phoned, and in Australian-tinged accents, pretended to be Elizabeth II, Queen of Great Britain, and her son, Prince Charles.
More Security Insights
- How Attackers Identify and Exploit Software and Network Vulnerabilities
- Cloud Security: It’s Not Just for IT Anymore
White PapersMore >>
After the female DJ -- posing as the queen -- asked how her granddaughter was doing with her "tummy bug," a nurse replied that she was sleeping and unable to receive a phone call. "Okay I'll just feed my little corgis then," said the supposed monarch. "When is a good time to come and visit her, because I'm the queen and I need a lift down there?"
[ Is it fair for a hacker to get a longer prison sentence than a murderer? Should LulzSec Suspect Face Life In Prison? ]
To be clear, while the nurse -- in the course of a two-minute phone call -- revealed the comings and going of Kate's husband, she apparently divulged no details about the patient's medical condition. On the other hand, the nurse appeared to believe that she was indeed speaking with the queen, which means the hospital evidently hadn't trained its staff on the basics of safeguarding patient confidentiality, especially when on the phone.
Does no one remember their Kevin Mitnick? The surest path to obtaining desired information, especially if you're not authorized to have access to that information, is to get on the phone, pretend to be an insider, and politely request what you need. It's called a social-engineering attack, and it's one of the oldest tricks in the book, because it's cheap, easy and effective.
John Lofthouse, the hospital's chief executive, attempted to deflect the blame onto the callers. "This was a foolish prank call that we all deplore. We take patient confidentiality extremely seriously and are now reviewing our telephone protocols." In a video message later released by the hospital, he said, "Our nurses are caring and professional, and not used to coping with this sort of journalistic trickery."
Not preparing staff to handle potential trickery of any sort -- from unscrupulous journalists, investigators, even spouses who might be stalking their former partners -- represents a clear failure by Lofthouse and the hospital's management team, and should serve as a lesson for any other organization charged with safeguarding information of any kind. Of course patient information may at times need to be relayed via phone. But the nurses that fielded the phone call didn't even perform the most basic of checks to verify their caller's identity, such as asking for a phone number so that it could be verified and the call returned. Equally, they might have approached the royal security detail that was likely camped down the hall to verify that their boss was indeed on the phone.
The hospital incident comes after the recent conclusion of the Leveson inquiry in Britain, which investigated whether the country's media should be subject to new regulations. The inquiry was kicked off by the phone wiretapping scandal that centered on Rupert Murdoch's News International. But even new regulations wouldn't prevent a determined social engineer -- or in this case, a pair of prankster Australian DJs -- from outsmarting their target.
To be fair to the hospital staff, however, they're far from the first people who have fallen victim to a social-engineering attack, and similar techniques have been used in high-profile cases involving Apple and Amazon, as well as HBGary Federal.
This week, meanwhile, the Internet Crime Complaint Center -- a joint effort between the FBI and the National White Collar Crime Center -- released a warning about a malware-driven scam that locks people's PCs, then tells people they have to pay a fine to the FBI to unlock it. This isn't the first time the government has released that warning, meaning that people keep falling for the ruse. Similarly, the continuing prevalence of tech support telemarketing scams suggests that the criminals involved are scamming enough people to make it economically worth their while.
How can people stop falling for these scams? Whether it's a hospital handling confidential information, or a cold call from someone who tells you that your PC is broken and they want to fix it, the response should be clear: Always verify a caller's identity before divulging sensitive information. If necessary, make the caller jump through hoops. Don't bow to pressure or apparent authority -- monarchs included. If in any doubt, take their phone number, hang up and phone your security team. Especially if the queen says she's calling.
Outsourcing let companies concentrate on their core competencies instead of managing IT infrastructure. Generally speaking, IT security processes tend to be a good fit for the outsourcing model, but organizations must be careful not to paint with too broad of an outsourcing brush. In the Finding The Right Security Outsourcing Balance report, we examine the security services that lend themselves best to the outsourcing model and provide some questions to ask to ensure that your organization’s assets remain safe. (Free registration required.)