© Fujitsu Canada
Six Health Privacy Experiments That Should Never Be Conducted
WCHIPS 2013, Winnipeg
Chris Hammond-Thrasher
Associate Director, Security, Privacy and Compliance
Fujitsu Canada
chris.hammond-thrasher@ca.fujitsu.com
1. Phone Disclosure
Conference Number
Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now!
204-800-5580
2. Social Media
Long Memory
• Version 1.0 of the NCSA Mosaic browser was released in November 1993
• Netscape Navigator was released in December 1994
• TELUS launched commercial Internet services in 1995
• Facebook launched in February 2004
Teens on Facebook
“Self-definition is about identity, one’s needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive.”
- Van der Velden and El Emam, 2012
3. A Simple Wi-Fi Attack
The Demonstration Network
Join now!
SSID: wchips2013
Password: wchips2013
Countermeasures
The basics: any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions.
VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network.
There is no good defense against Wi-Fi denial of service. The best that you can do is have a good wireless incident response team on hand.
4. Win an iPad Mini!
Phishing Discussion
Use HTTPS and put the survey on your own domain
• e.g. https://primarycaresurvey.albertahealthservices.ca
Without HTTPS I can try to impersonate the site and phish for personal health information.
As of last night, primarycaresurveys.ca is available for purchase (they used primarycaresurvey.ca) but albertahealthservice.ca has been purchased by a domain squatter.
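To make the lookalike-domain point concrete, here is an added Python example (not from the talk) that generates the cheap confusable variants of a survey domain that the custodian should register or watch, and checks them against a registration snapshot; the snapshot contents, the ownership list and the word splits are constructed assumptions, not real registration data.

```python
"""Lookalike-domain watchlist for a health survey domain (added example).

The talk's point: a survey hosted off the health authority's own domain
leaves confusable names (primarycaresurveys.ca, albertahealthservice.ca)
open to squatters. A defender enumerates those names up front and either
registers them or watches for someone else registering them.
"""

TLD_SWAPS = ("ca", "com", "net", "org")


def split_domain(domain):
    """Split 'label.tld' into its parts; only single-label names are handled."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected label.tld, got {domain!r}")
    return label, tld


def lookalikes(domain, words=None):
    """Return the set of confusable names for domain, excluding domain itself.

    Variant families: plural/singular toggle, one-character omission,
    one-character repetition, adjacent-character transposition,
    hyphenation at word boundaries (when words is given) and TLD swaps.
    """
    label, tld = split_domain(domain)
    labels = set()
    # plural/singular toggle: primarycaresurvey <-> primarycaresurveys
    labels.add(label[:-1] if label.endswith("s") else label + "s")
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                  # omission
        labels.add(label[:i] + label[i] * 2 + label[i + 1:])   # repetition
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap
    if words:
        if "".join(words) != label:
            raise ValueError("words must concatenate to the domain label")
        labels.add("-".join(words))                            # primary-care-survey
    candidates = {f"{lab}.{tld}" for lab in labels if lab}
    candidates.update(f"{label}.{t}" for t in TLD_SWAPS if t != tld)
    candidates.discard(domain.lower())
    return candidates


def registered_lookalikes(domain, registry, owned, words=None):
    """Cross-check candidates against a registration snapshot.

    registry: names known to be registered; owned: names the organisation
    controls. Returns the sorted names that are registered but not owned,
    i.e. the ones that need a takedown request or a phishing watch.
    """
    return sorted(c for c in lookalikes(domain, words)
                  if c in registry and c not in owned)


# Constructed snapshot standing in for a WHOIS/zone query; not real data.
REGISTERED = {
    "albertahealthservices.ca",
    "albertahealthservice.ca",      # the squatted name the talk mentions
    "albertahealthservices.com",
    "primarycaresurvey.ca",
    "primarycaresurvey.com",        # constructed: registered by a third party
}
# Constructed: names assumed to be held by the health authority itself.
OWNED = {"albertahealthservices.ca", "albertahealthservices.com",
         "primarycaresurvey.ca"}


def watchlist():
    """Flag names near the two domains from the talk that someone else holds."""
    flagged = {}
    for domain, words in (("albertahealthservices.ca",
                           ["alberta", "health", "services"]),
                          ("primarycaresurvey.ca",
                           ["primary", "care", "survey"])):
        flagged[domain] = registered_lookalikes(domain, REGISTERED, OWNED, words)
    return flagged


if __name__ == "__main__":
    for domain, names in watchlist().items():
        checked = len(lookalikes(domain))
        print(f"{domain}: {checked} variants checked, flagged: {names or 'none'}")
```

In practice the snapshot comes from periodic WHOIS or certificate-transparency queries for each candidate; the generator is the part that stays the same.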
QR Code Phishing
5. Hospital Netwars
6. Healthcare Mysticism
7. Medical Malware
A Common Malware Model (diagram: Command and Control Server; Infected Laptop; Infected Tablet; Infected Smartphone)
8. Balloon Clown Audit
9. Elicitation
Definition: “Elicitation”
“In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information.
Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one’s home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.”
Elicitation Plan
Goal
• Elicit personal information on at least one individual
Method
• Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children
Objectives
• Parent’s Name __________________
• Target’s Name __________________
• Relationship __________________
• Target’s Gender __________________
• Target’s Birthday __________________
Achieved _________ of five objectives
Bibliography
• Capps, Rusty. “The Spy Who Came to Work,” Security Management, February 1997.
• *Celent. Using Social Data In Claims and Underwriting, http://www.celent.com/reports/using-social-data-claims-and-underwriting
• Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.
• Li, Jingquan. “Privacy Policies for Health Social Networking Sites,” Journal of the American Medical Information Association, March 2013.
• Malin, El Emam and O’Keefe. “Biomedical Data Privacy: Problems, Perspectives, and Recent Advances,” Journal of the American Medical Information Association, January 2013.
• Van der Velden, El Emam. “‘Not All My Friends Need to Know’: A Qualitative Study of Teenage Patients, Privacy, and Social Media,” Journal of the American Medical Information Association, July 2012.
*Subscription required.
Hammond-Thrasher, Six Health Privacy Experiments, 2013
Conclusions
There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including:
• Research ethics
• Research funding, and
• The reputational concerns of personal health information custodians.
The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.
Van der Velden and El Emam’s paper on sick teens using Facebook is a warning of the complexity of real risk – our assumptions about how good or bad things may be need to be tested.
Challenge Questions
For you, is the title of this talk a true statement?
• Should experiments like these *NEVER* be performed?
• Are some acceptable and not others?
• And if so, why?
Please email your answers to: chris.hammond-thrasher@ca.fujitsu.com
Chris Hammond-Thrasher
Associate Director, Consulting
Security, Privacy and Compliance
Fujitsu Canada
chris.hammond-thrasher@ca.fujitsu.com

More Related Content

Viewers also liked

Alice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the netAlice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the netChris Hammond-Thrasher
 
Alice & bob public key cryptography 101
Alice & bob  public key cryptography 101Alice & bob  public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Alice & bob public key cryptography 101
Alice & bob  public key cryptography 101Alice & bob  public key cryptography 101
Alice & bob public key cryptography 101Joshua Thijssen
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key CryptographyGopal Sakarkar
 

Viewers also liked (6)

Alice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the netAlice and bob: Love & the most important crypto on the net
Alice and bob: Love & the most important crypto on the net
 
How hackers do it
How hackers do itHow hackers do it
How hackers do it
 
Alice & bob public key cryptography 101
Alice & bob  public key cryptography 101Alice & bob  public key cryptography 101
Alice & bob public key cryptography 101
 
Alice & bob public key cryptography 101
Alice & bob  public key cryptography 101Alice & bob  public key cryptography 101
Alice & bob public key cryptography 101
 
Public Key Cryptography
Public Key CryptographyPublic Key Cryptography
Public Key Cryptography
 
Public key cryptography and RSA
Public key cryptography and RSAPublic key cryptography and RSA
Public key cryptography and RSA
 

Similar to Six health privacy experiments that should *NEVER* be caried out

Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and SecurityPYA, P.C.
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-dataNumaan Huq
 
The Myth of Zero-Risk Solutions; The Benefits of Privacy by Design
The Myth of Zero-Risk Solutions; The Benefits of Privacy by DesignThe Myth of Zero-Risk Solutions; The Benefits of Privacy by Design
The Myth of Zero-Risk Solutions; The Benefits of Privacy by DesignDr. Ann Cavoukian
 
Panel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggonermihinpr
 
GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...
GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...
GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...ijcisjournal
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technohoney690131
 
Welch beyond the beeper
Welch   beyond the beeperWelch   beyond the beeper
Welch beyond the beeperRobert Welch
 
Chapter 14Ethical Risks and Responsibilities of IT Innovations.docx
Chapter 14Ethical Risks and Responsibilities of IT Innovations.docxChapter 14Ethical Risks and Responsibilities of IT Innovations.docx
Chapter 14Ethical Risks and Responsibilities of IT Innovations.docxbartholomeocoombs
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by DesignUnisys Corporation
 
Ethics and social media
Ethics and social mediaEthics and social media
Ethics and social mediakmtj1979
 
Post covid 19 era new age of cyber security
Post covid 19 era new age of cyber securityPost covid 19 era new age of cyber security
Post covid 19 era new age of cyber securityIgnitec Inc
 
Data Privacy and Security in Clinical Data Management
Data Privacy and Security in Clinical Data ManagementData Privacy and Security in Clinical Data Management
Data Privacy and Security in Clinical Data ManagementClinosolIndia
 
Privacy vs personalization: advisory for brand and comms practitioners into 2...
Privacy vs personalization: advisory for brand and comms practitioners into 2...Privacy vs personalization: advisory for brand and comms practitioners into 2...
Privacy vs personalization: advisory for brand and comms practitioners into 2...Dave Holland
 
Health (mis)information behaviour in the COVID-19 era
Health (mis)information behaviour in the COVID-19 eraHealth (mis)information behaviour in the COVID-19 era
Health (mis)information behaviour in the COVID-19 eraDiane Rasmussen Pennington
 
Ethics and Social Media
Ethics and Social MediaEthics and Social Media
Ethics and Social MediaPhysiopedia
 
CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...
CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...
CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...jsnyder40
 
Top 10 Social Media Liability Issues for PR Independent Consultants
Top 10 Social Media Liability Issues for PR Independent ConsultantsTop 10 Social Media Liability Issues for PR Independent Consultants
Top 10 Social Media Liability Issues for PR Independent ConsultantsDeborah Gonzalez, Esq.
 

Similar to Six health privacy experiments that should *NEVER* be caried out (20)

Hot Topics in Privacy and Security
Hot Topics in Privacy and SecurityHot Topics in Privacy and Security
Hot Topics in Privacy and Security
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
The Myth of Zero-Risk Solutions; The Benefits of Privacy by Design
The Myth of Zero-Risk Solutions; The Benefits of Privacy by DesignThe Myth of Zero-Risk Solutions; The Benefits of Privacy by Design
The Myth of Zero-Risk Solutions; The Benefits of Privacy by Design
 
LifeLock Javelin Presentation
LifeLock Javelin PresentationLifeLock Javelin Presentation
LifeLock Javelin Presentation
 
Panel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie WaggonerPanel Cyber Security and Privacy without Carrie Waggoner
Panel Cyber Security and Privacy without Carrie Waggoner
 
GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...
GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...
GIVING UP PRIVACY FOR SECURITY: A SURVEY ON PRIVACY TRADE-OFF DURING PANDEMIC...
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking techno
 
Welch beyond the beeper
Welch   beyond the beeperWelch   beyond the beeper
Welch beyond the beeper
 
Chapter 14Ethical Risks and Responsibilities of IT Innovations.docx
Chapter 14Ethical Risks and Responsibilities of IT Innovations.docxChapter 14Ethical Risks and Responsibilities of IT Innovations.docx
Chapter 14Ethical Risks and Responsibilities of IT Innovations.docx
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by Design
 
Ethics and social media
Ethics and social mediaEthics and social media
Ethics and social media
 
Post covid 19 era new age of cyber security
Post covid 19 era new age of cyber securityPost covid 19 era new age of cyber security
Post covid 19 era new age of cyber security
 
Data Privacy and Security in Clinical Data Management
Data Privacy and Security in Clinical Data ManagementData Privacy and Security in Clinical Data Management
Data Privacy and Security in Clinical Data Management
 
COMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORKCOMMON GOOD DIGITAL FRAMEWORK
COMMON GOOD DIGITAL FRAMEWORK
 
Infodemia y COVIDofobia
Infodemia y COVIDofobiaInfodemia y COVIDofobia
Infodemia y COVIDofobia
 
Privacy vs personalization: advisory for brand and comms practitioners into 2...
Privacy vs personalization: advisory for brand and comms practitioners into 2...Privacy vs personalization: advisory for brand and comms practitioners into 2...
Privacy vs personalization: advisory for brand and comms practitioners into 2...
 
Health (mis)information behaviour in the COVID-19 era
Health (mis)information behaviour in the COVID-19 eraHealth (mis)information behaviour in the COVID-19 era
Health (mis)information behaviour in the COVID-19 era
 
Ethics and Social Media
Ethics and Social MediaEthics and Social Media
Ethics and Social Media
 
CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...
CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...
CORPORATE ESPIONAGE "How Really Safe Are Your Secrets" presented by Argus Int...
 
Top 10 Social Media Liability Issues for PR Independent Consultants
Top 10 Social Media Liability Issues for PR Independent ConsultantsTop 10 Social Media Liability Issues for PR Independent Consultants
Top 10 Social Media Liability Issues for PR Independent Consultants
 

More from Chris Hammond-Thrasher (11)

Spiritualists, magicians and security vendors
Spiritualists, magicians and security vendorsSpiritualists, magicians and security vendors
Spiritualists, magicians and security vendors
 
hackers vs suits
hackers vs suitshackers vs suits
hackers vs suits
 
Introduction to Green IT
Introduction to Green ITIntroduction to Green IT
Introduction to Green IT
 
Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)Hacker tooltalk: Social Engineering Toolkit (SET)
Hacker tooltalk: Social Engineering Toolkit (SET)
 
Hacker tool talk: kismet
Hacker tool talk: kismetHacker tool talk: kismet
Hacker tool talk: kismet
 
Hacker tool talk: maltego
Hacker tool talk: maltegoHacker tool talk: maltego
Hacker tool talk: maltego
 
Hacker tool talk: kismet
Hacker tool talk:  kismetHacker tool talk:  kismet
Hacker tool talk: kismet
 
Open Source Library Software
Open Source Library SoftwareOpen Source Library Software
Open Source Library Software
 
Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007Infosec Workshop - PacINET 2007
Infosec Workshop - PacINET 2007
 
Popular GIS: a webliography
Popular GIS: a webliographyPopular GIS: a webliography
Popular GIS: a webliography
 
Popular GIS
Popular GISPopular GIS
Popular GIS
 

Recently uploaded

97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAAjennyeacort
 
Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...
Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...
Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...narwatsonia7
 
Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...
Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...
Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...rajnisinghkjn
 
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...saminamagar
 
See the 2,456 pharmacies on the National E-Pharmacy Platform
See the 2,456 pharmacies on the National E-Pharmacy PlatformSee the 2,456 pharmacies on the National E-Pharmacy Platform
See the 2,456 pharmacies on the National E-Pharmacy PlatformKweku Zurek
 
Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...
Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...
Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...narwatsonia7
 
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original PhotosBook Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photosnarwatsonia7
 
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any TimeCall Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Timevijaych2041
 
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service MumbaiVIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbaisonalikaur4
 
Call Girl Bangalore Nandini 7001305949 Independent Escort Service Bangalore
Call Girl Bangalore Nandini 7001305949 Independent Escort Service BangaloreCall Girl Bangalore Nandini 7001305949 Independent Escort Service Bangalore
Call Girl Bangalore Nandini 7001305949 Independent Escort Service Bangalorenarwatsonia7
 
Call Girl Service Bidadi - For 7001305949 Cheap & Best with original Photos
Call Girl Service Bidadi - For 7001305949 Cheap & Best with original PhotosCall Girl Service Bidadi - For 7001305949 Cheap & Best with original Photos
Call Girl Service Bidadi - For 7001305949 Cheap & Best with original Photosnarwatsonia7
 
Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxDr.Nusrat Tariq
 
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...narwatsonia7
 
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service ChennaiCall Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service ChennaiNehru place Escorts
 
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy GirlsCall Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girlsnehamumbai
 
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...narwatsonia7
 
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...narwatsonia7
 
Call Girls Hosur Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hosur Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hosur Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hosur Just Call 7001305949 Top Class Call Girl Service Availablenarwatsonia7
 
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort ServiceCollege Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort ServiceNehru place Escorts
 
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersBook Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersnarwatsonia7
 

Recently uploaded (20)

97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA97111 47426 Call Girls In Delhi MUNIRKAA
97111 47426 Call Girls In Delhi MUNIRKAA
 
Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...
Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...
Russian Call Girl Brookfield - 7001305949 Escorts Service 50% Off with Cash O...
 
Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...
Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...
Dwarka Sector 6 Call Girls ( 9873940964 ) Book Hot And Sexy Girls In A Few Cl...
 
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...call girls in Connaught Place  DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
call girls in Connaught Place DELHI 🔝 >༒9540349809 🔝 genuine Escort Service ...
 
See the 2,456 pharmacies on the National E-Pharmacy Platform
See the 2,456 pharmacies on the National E-Pharmacy PlatformSee the 2,456 pharmacies on the National E-Pharmacy Platform
See the 2,456 pharmacies on the National E-Pharmacy Platform
 
Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...
Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...
Housewife Call Girls Bangalore - Call 7001305949 Rs-3500 with A/C Room Cash o...
 
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original PhotosBook Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
Book Call Girls in Yelahanka - For 7001305949 Cheap & Best with original Photos
 
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any TimeCall Girls Viman Nagar 7001305949 All Area Service COD available Any Time
Call Girls Viman Nagar 7001305949 All Area Service COD available Any Time
 
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service MumbaiVIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
VIP Call Girls Mumbai Arpita 9910780858 Independent Escort Service Mumbai
 
Call Girl Bangalore Nandini 7001305949 Independent Escort Service Bangalore
Call Girl Bangalore Nandini 7001305949 Independent Escort Service BangaloreCall Girl Bangalore Nandini 7001305949 Independent Escort Service Bangalore
Call Girl Bangalore Nandini 7001305949 Independent Escort Service Bangalore
 
Call Girl Service Bidadi - For 7001305949 Cheap & Best with original Photos
Call Girl Service Bidadi - For 7001305949 Cheap & Best with original PhotosCall Girl Service Bidadi - For 7001305949 Cheap & Best with original Photos
Call Girl Service Bidadi - For 7001305949 Cheap & Best with original Photos
 
Glomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptxGlomerular Filtration rate and its determinants.pptx
Glomerular Filtration rate and its determinants.pptx
 
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
Call Girls Service in Bommanahalli - 7001305949 with real photos and phone nu...
 
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service ChennaiCall Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
Call Girls Service Chennai Jiya 7001305949 Independent Escort Service Chennai
 
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy GirlsCall Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
Call Girls In Andheri East Call 9920874524 Book Hot And Sexy Girls
 
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
Call Girls Kanakapura Road Just Call 7001305949 Top Class Call Girl Service A...
 
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
Russian Call Girls Gunjur Mugalur Road : 7001305949 High Profile Model Escort...
 
Call Girls Hosur Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hosur Just Call 7001305949 Top Class Call Girl Service AvailableCall Girls Hosur Just Call 7001305949 Top Class Call Girl Service Available
Call Girls Hosur Just Call 7001305949 Top Class Call Girl Service Available
 
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort ServiceCollege Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
College Call Girls Vyasarpadi Whatsapp 7001305949 Independent Escort Service
 
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbersBook Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
Book Call Girls in Kasavanahalli - 7001305949 with real photos and phone numbers
 

Six health privacy experiments that should *NEVER* be caried out

  • 1. © Fujitsu Canada Six Health Privacy Experiments That Should Never Be Conducted WCHIPS 2013, Winnipeg Chris Hammond-Thrasher Associate Director Security, Privacy and Compliance Fujitsu Canada chris.hammond-thrasher@ca.fujitsu.com
  • 2. 1
  • 4. © Fujitsu Canada Conference Number Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now! 204-800-5580 3
  • 5. 2
  • 9. © Fujitsu Canada Long Memory 8 • Version 1.0 of the NCSA Mosiac browser was released in November 1993 • Netscape Navigator was released in December 1994 • TELUS launched commercial Internet services in 1995 • Facebook launched in February 2004
  • 10. © Fujitsu Canada Teens on Facebook “Self-definition is about identity, one’s needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive.” - Van der Velden and El Emam, 2012 9
  • 12. 3
  • 13. © Fujitsu Canada12 A Simple Wi-Fi Attack
  • 14. © Fujitsu Canada The Demonstration Network Join now! SSID: wchips2013 Password: wchips2013 13
  • 15. © Fujitsu Canada Countermeasures The basics: Any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions. VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network. There is no good defense to Wi-Fi denial of service. The best that you can do is have a good wireless incident response team on hand. 14
  • 16. 4
  • 17. © Fujitsu Canada Win an iPad Mini! 16
  • 19. © Fujitsu Canada Phishing Discussion Use HTTPS and put the survey on your own domain  i.e. https://primarycaresurvey.albertahealthservices.ca Without HTTPS I can try to impersonate the site and phish for personal health information As of last night, primarycaresurveys.ca is available for purchase (they used primarycaresurvey.ca) but albertahealthservice.ca has been purchased by a domain squatter 18
  • 20. © Fujitsu Canada QR Code Phishing 19
  • 21. 5
  • 24. 6
  • 26. 7
  • 28. © Fujitsu Canada A Common Malware Model 27 Command and Control Server Infected Laptop Infected Tablet Infected Smartphone
  • 29. 8
  • 31. 9
  • 33. © Fujitsu Canada Definition: “Elicitation” “In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information. Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one’s home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.” 32
  • 34. © Fujitsu Canada Elicitation Plan Goal  Elicit personal information on at least one individual Method  Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children Objectives  Parent’s Name __________________  Target’s Name __________________  Relationship __________________  Target’s Gender __________________  Target’s Birthday __________________ Achieved _________ of five objectives 33
  • 35. C
  • 36. Bibliography
     - Capps, Rusty. "The Spy Who Came to Work," Security Management, February 1997.
     - *Celent. Using Social Data In Claims and Underwriting, http://www.celent.com/reports/using-social-data-claims-and-underwriting
     - Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.
     - Li, Jingquan. “Privacy Policies for Health Social Networking Sites,” Journal of the American Medical Informatics Association, March 2013.
     - Malin, El Emam and O’Keefe. “Biomedical Data Privacy: Problems, Perspectives, and Recent Advances,” Journal of the American Medical Informatics Association, January 2013.
     - Van der Velden, El Emam. “’Not All My Friends Need to Know’: A Qualitative Study of Teenage Patients, Privacy, and Social Media,” Journal of the American Medical Informatics Association, July 2012.
     *Subscription required.
     Hammond-Thrasher, Six Health Privacy Experiments, 2013
  • 37. Conclusions
     There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including:
     - Research ethics
     - Research funding, and
     - The reputational concerns of personal health information custodians.
     The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.
     Van der Velden and El Emam’s paper on sick teens using Facebook is a warning about the complexity of real risk – our assumptions about how good or bad things may be need to be tested.
  • 38. Challenge Questions
     For you, is the title of this talk a true statement?
     - Should experiments like these *NEVER* be performed?
     - Are some acceptable and not others?
     - And if so, why?
     Please email your answers to: chris.hammond-thrasher@ca.fujitsu.com
  • 39. Chris Hammond-Thrasher Associate Director, Consulting Security, Privacy and Compliance Fujitsu Canada chris.hammond-thrasher@ca.fujitsu.com

Editor's Notes

  1. Thesis: Patients will trust claims of anonymity when the technicalities of disclosure of personally identifying information are not immediately obvious.
     Experiment: A group of patients with a common diagnosis are separately invited to call into a support group conference call where they do not divulge their identities. What proportion of patients will make the call? Will that proportion increase with incentives? Do patients understand that the phone number from which they made the call is disclosed to multiple parties?
     Photo credit: http://www.flickr.com/photos/seattlemunicipalarchives/
     Turn on your phone. Turn the volume way up. Now dial this number…
  2. Thesis: Patients are exposing their medical history in ways that may negatively impact their long term future – employment, insurance, etc.
     Scenario: Conduct deep open source research on a population to determine what proportion have exposed potentially damaging – in terms of employment, insurance, etc. – health information. A follow-up research effort could include understanding how difficult it is to remove such material.
     Photo credit: http://www.flickr.com/photos/khalidalbaih/
  3. This woman blogged about her heart surgery in grueling detail and provided this photograph of her wrist bands.
     Photo credit: http://mayajoyfully.blogspot.ca/2012/09/my-incision-decision.html
  4. Not all patient groups seem ignorant of their online privacy.
     The issue of the disclosure of PHI in social media is clearly more complicated than it seems on the surface.
  5. What about auditing the medical social networking sites?
  6. Thesis: Healthcare facilities relying on Wi-Fi are vulnerable to very simple Wi-Fi attacks.
     Scenario: Establish a rogue free Wi-Fi access point covering the target facility. DoS the legit Wi-Fi network. Monitor the rogue network for PHI.
  7. Thesis: As demonstrated by the “candy for password” story, patients will readily part with sensitive personal information with minimal incentive.
     Scenario: Nothing more than a health sector phishing campaign. It could be QR code driven, but need not be.
  8. You know that link in that suspicious email? The one that if you follow it, it will infect your computer with a virus?
     Every QR code is just like that link, except that you cannot even analyze it before following it.
     Ran a QR code campaign two years in a row at the Red Deer career fair under the auspices of the Canadian Information Processing Society.
     In 2012, scattered about 200 QR codes around the venue and received 80 views. 45 of these followed the map to our booth.
     In 2013, we were not allowed to scatter the codes around so they put it in the fair’s flyer. We received 6 views (one was my colleague) and no one claimed to have followed the map to our booth.
  9. Thesis: Canadian acute care networks are not capable of withstanding a sustained remote attack. If validated, there are policy implications ranging from a.) determining the magnitude of the risk, to b.) privacy compliance questions, to c.) the exposure of critical infrastructure to terrorist attack.
     Scenario: Carry out a military style red team vs. blue team exercise on operational acute care networks – or at least create a realistic simulation of an operational acute care network as the battlespace.
     Photo credit: http://www.social-engineer.org/wp-content/uploads/2010/01/se-3d-mesh-by-DigiP.jpg
  10. Do the bad guys follow this prohibition of not “breaking the rules” on airplanes or acute care networks?
     Until you test it, all that you know is that it is theoretically secure. So, what do you do when it matters, but you cannot test it?
  11. Thesis: A mystical practitioner – psychic, fortune teller, numerologist, etc. – not only could make a lot of money in a healthcare facility but would be a significant privacy risk while doing so.
     Scenario: A psychic entertainer “reads minds” in a hospital lobby or cafeteria and comes away with a pocket full of PHI.
  12. Credit to Dr. Khaled El Emam
     Thesis: Physicians are at least as vulnerable to cyber-attack vectors based on user naïveté and social engineering as other groups. If this hypothesis can be validated it has significant impact on health privacy policy due to the privileged access to PHI afforded to physicians.
     Experiment: Distribute specially crafted malware to physicians via USB sticks at medical conferences, by direct mail and other targeted methods. This malware is designed to be innocuous and its only function is to “call home” to the researcher’s simulated command and control server. How many physicians will run the malware?
     Image credits:
     http://www.flickr.com/photos/williamhook/
     http://www.flickr.com/photos/medithit/
  13. Thesis: An individual perceived as non-threatening and therapeutic in a clinical setting could gather significant PHI.
     Scenario: A balloon twisting clown visits acute care wards and with either overt or hidden cameras photographs charts, wrist bands, monitors, nursing station boards, etc. while going about his entertainment activities.
     Just as everyone trusts someone in a lab coat holding a clipboard, no one suspects a clown.
     Photo credit: http://www.flickr.com/photos/wonker/
  14. Photo credit: Fujitsu
  15. Rusty Capps, "The Spy Who Came to Work," Security Management, February 1997.
  16. http://www.flickr.com/photos/molotalk/