First the standard mention related to my book 😉
In case you’re looking for a directory of companies that will send you well-paid work (evaluations and/or record reviews you can do from home), check out the current edition of the directory I wrote: Supplementing your income with medical records file reviews and independent medical examinations (IME’s), 3rd edition: A directory of referral sources for Reviews & IME’s by Todd Finnerty, Psy.D.
And now the rest of the blog post….
Psychologists (etc.): Can you recognize these computer security threats (devices) this holiday?
These low cost devices bring hacking to the masses
I know I haven’t updated this blog in a while, but I thought I’d pass along a little PSA as we’re entering the holiday(s) season [happy holiday(s) BTW]. Also, devices like the Bash Bunny, Rubber Ducky and WiFi Pineapple and/or the threats they pose aren’t necessarily new, but we could use a reminder to keep on the lookout for threats like this as the holiday travel season and crazy holiday chaos season starts.
Can you guarantee that the WiFi you’re using is safe? I won’t stoop so low as to ask if the WiFi you’re using is HIPAA-compliant and delve into a rabbit hole related to encryption– I just mean “safe” in a general, vague sense. How about access to your computer systems and other devices you use like networked printers/scanners? Would you like to see how easy it is for one of your patients/examinees/someone who has developed a grudge against you or even just some curious teenager to possibly compromise some or all of your security?
Well, check out this Black Friday sale from HAK5– just one website (albeit a major one) that sells Pentest tools that people could use to test how easy it would be to penetrate your security (and/or hack you). The devices can be purchased by the general public and most of them are less than $100. There are plenty of YouTube videos out there that show the prospective hacker how to use the devices (so no need to become a computer genius to use them and you don’t even need to write your own software).
We all know (I hope) that we shouldn’t click on suspicious links or download unsolicited attachments in files. We should run virus scanners and take lots of precautions. At this point, if you’re running a VPN– virtual private network– perhaps you should get bonus points, because I bet there are plenty of us out there who aren’t. Here are some things I wonder about, though: what about the in-office physical security of your devices and any WiFi you may be using, and what about your internet use when you’re out traveling?
We all have good days and bad days. Think about a scenario like this and whether security may suffer on one of your less-than-stellar security days. What might happen if a patient arrived in your office with their healthcare records scanned onto a USB flash drive? They’d like you to print them out (or save a copy for yourself). Sure, you’d like to have their former hospital records, old therapist’s notes, school records, etc. to assist with your exam and/or continuity of care. But would you trust the device and stick that drive in your computer? Some large corporations won’t even let you use a USB port, but what if you’re one of the many professionals who actually has access to their USB ports?

Did you know that if you did insert the drive, there is a chance that in the blink of an eye that “flash drive” could make your computer think it was a keyboard and rapidly inject commands into the computer to steal your files and/or compromise your computer in a number of other ways? The attacker wouldn’t even need access to your computer’s keyboard or have to physically copy the files themselves; it would happen automagically as soon as the device was inserted. So while you think you’re getting a copy of the patient’s records from that drive, that drive is secretly stealing the documents that are on your computer or executing another attack automatically. Does that sound like some far-fetched James Bond stuff to you? It isn’t. You could have this capability yourself, instruction booklet included, for the low low price of $49.99.

Needless to say, if you find some flash drives lying around the waiting room, DO NOT put them in your computer to find out who accidentally left them there; there is a good chance you may compromise your own security. I wouldn’t rely on recognizing the Rubber Ducky sticker, since any flash drive inserted into your computer can be a threat (and the decal is optional).
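One practical check for the “flash drive that turns into a keyboard” scenario above, written as an added example for this post (it is not Hak5’s code or anything from the original article): record which keyboard-class devices Windows knows about while the machine is in a known-good state, then re-run the check after an unknown USB device was plugged in and flag any newcomer. It assumes Windows 10/11 with the built-in PnpDevice cmdlets, and the baseline file path is an arbitrary choice.

```powershell
# Added example, not from the original post. Baseline the keyboards Windows currently
# trusts, then report any keyboard-class device that appeared later.
# Assumes Windows 10/11 (Get-PnpDevice is built in); the baseline path is made up.
$BaselinePath = Join-Path $env:ProgramData 'keyboard-baseline.txt'

function Get-KeyboardIds {
    # Instance ids of every device Windows currently classes as a keyboard
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty InstanceId |
        Sort-Object -Unique
}

function Save-KeyboardBaseline {
    # Run this once, with only your real keyboard(s) attached
    Get-KeyboardIds | Set-Content -Path $BaselinePath
    $count = @(Get-Content -Path $BaselinePath).Count
    Write-Host "Baseline saved to $BaselinePath ($count keyboard(s))"
}

function Test-KeyboardBaseline {
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline found; run Save-KeyboardBaseline first."
    }
    $known = @(Get-Content -Path $BaselinePath)
    $new   = @(Get-KeyboardIds | Where-Object { $_ -notin $known })
    if ($new.Count -eq 0) {
        Write-Host 'No keyboard-class devices beyond the baseline.'
        return
    }
    Write-Warning "$($new.Count) keyboard-class device(s) not in the baseline:"
    foreach ($id in $new) {
        $d = Get-PnpDevice -InstanceId $id
        # A "USB storage" stick that shows up in this list is exactly the
        # keystroke-injection pattern the post describes
        Write-Warning ("  {0}  [{1}]" -f $d.FriendlyName, $id)
    }
}

# Usage: Save-KeyboardBaseline   (once, on a clean machine)
#        Test-KeyboardBaseline   (after an unknown USB device was inserted)
```

A keystroke-injecting device types its commands within seconds of being inserted, so this is an after-the-fact check that tells you whether a stick that looked like storage was enumerated as a keyboard, not something that stops the keystrokes; the real protection is still not plugging the drive in.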
What if you saw someone with something that had antennas (like a wireless router) in their backpack? You’d be lucky to even get that type of tip, since devices used to do man-in-the-middle attacks on WiFi can be easily hidden. Someone could walk right into your office with one plugged into a battery in their backpack, purse or even a small pouch and you wouldn’t even know it (and of course they could be sitting next to you at the coffee shop or in some other room at whatever hotel you’re staying in and you wouldn’t know it). If you saw someone carrying around a little black pouch (like the one in the image below) with an electronic device that was probably a cell phone, would you figure it was just a cell phone? For example, check out this WIFI PINEAPPLE NANO TACTICAL package that connects to a battery. Hackers can use it to try to trick your devices into connecting to it instead of the WiFi networks your devices know and trust, and once they have access they can run all kinds of exploits on you. I wouldn’t rely on recognizing the pineapple product logo from the company HAK5, either, since this morale patch is velcro and comes off and on easily (and since they can just throw this in a bag or pocket). If you do see the pineapple decal though– run.
Going on open WiFi networks can be dangerous– I hope you know that by now– if not, perhaps I’ll get into it in more detail in another post (fun tip before then: while it can be a hassle, it may be smart to have your devices forget as many WiFi networks as possible, since devices like the WiFi Pineapple can trick your devices into thinking they’re a network you’ve trusted). There are plenty of security tips out there on the internet right now for you to start researching with; perhaps in the future I will collect some of them here, but for now feel free to use a search engine like DuckDuckGo and search away for tips. If you’re sufficiently nervous and curious about what the many devices hackers can use look like, from just Hak5 alone, feel free to follow this link to the company’s website to see images and more detailed descriptions about what they have for sale right now. This link is to be used for good only, of course.
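The “forget as many WiFi networks as possible” tip above, done on a Windows laptop, as an added example for this post (not Hak5’s code or anything from the original article): it lists every saved Wi-Fi profile with its security type and whether Windows will auto-join it, then forgets everything not on a keep list. It assumes Windows with the built-in netsh tool, an elevated prompt for the deletions, and the SSIDs in the keep list are placeholders.

```powershell
# Added example, not from the original post. Show saved Wi-Fi profiles and forget the
# ones you no longer use, so a rogue access point broadcasting a remembered name has
# nothing to impersonate. Assumes Windows with netsh; deleting needs an elevated prompt.

function Get-SavedWifiProfiles {
    $profiles = @()
    foreach ($line in (netsh wlan show profiles)) {
        # netsh prints one "All User Profile : <name>" line per saved network
        if ($line -notmatch 'User Profile\s*:\s*(.+)$') { continue }
        $name   = $Matches[1].Trim()
        $detail = netsh wlan show profile name="$name"
        $auth   = $detail | Select-String 'Authentication\s*:\s*(.+)$' | Select-Object -First 1
        $authValue = if ($auth) { $auth.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
        $profiles += [pscustomobject]@{
            Name     = $name
            Auth     = $authValue            # e.g. Open, WPA2-Personal
            AutoJoin = [bool]($detail -match 'Connection mode\s*:\s*Connect automatically')
        }
    }
    $profiles
}

function Remove-StaleWifiProfiles {
    param(
        [string[]]$Keep,     # SSIDs you still use, e.g. your office and home networks
        [switch]$DryRun      # list what would be forgotten without deleting anything
    )
    foreach ($p in Get-SavedWifiProfiles) {
        if ($p.Name -in $Keep) { continue }
        $note = "'{0}' (auth: {1}, auto-join: {2})" -f $p.Name, $p.Auth, $p.AutoJoin
        if ($DryRun) { Write-Host "Would forget $note"; continue }
        Write-Host "Forgetting $note"
        netsh wlan delete profile name="$($p.Name)" | Out-Null
    }
}

# Usage (placeholder SSIDs):
# Get-SavedWifiProfiles | Format-Table
# Remove-StaleWifiProfiles -Keep 'OfficeWiFi-Placeholder','HomeWiFi-Placeholder' -DryRun
```

Profiles that show Auth of Open with AutoJoin true are the ones to prune first: a device will rejoin an open network of that name from anyone who broadcasts it.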
Thanks; perhaps I’ll write some more on this topic in the future. But to sum up and oversimplify for now in relation to your holiday travels: be careful using any WiFi (you may think you’re on a trusted network when you really aren’t), and use extreme caution before ever leaving your laptop or other devices unattended, since it only takes a moment for someone to slip in a device like a Rubber Ducky and compromise your machine.
P.S. Fun fact: in the popular TV show about hacking Mr. Robot, the main character hacks his therapist. Hopefully if we stay vigilant and have a bit of luck this won’t happen to us.
The images here on this blog belong to Hak5; they are presented here under fair use for educational purposes related to the public good for mental health professionals to be able to recognize them in the wild should they show up on their doorsteps/parking lot/waiting room/therapy couch 😉 etc.– You should check with Hak5 if you’re interested in the images: https://shop.hak5.org/