OpSec: Why you should care about yours.
By: Mike Baker mike@bhafsec.com Date: Tuesday, August 9th, 2016
I don't remember exactly how I came to view the tweet and, subsequently, the Twitter account associated with it, but last night (8/8/16 into early 8/9/16) around 11:30pm Eastern, I did. The now-deleted tweet that I first saw came from an account named "@HillsMedRecords".
The first tweet that I saw from the account was an image. @HillsMedRecords claimed the images were reports from a doctor who treated Hillary Clinton in 2014 and 2015. Immediately browsing to the profile page for the user, I noted that the account seemed to have been created just earlier on the 9th, based on the earliest tweet listed.
As I was scrolling back to the earliest entry on the @HillsMedRecords timeline, outside of the images that were purportedly of printed-to-paper reports relating to Hillary Clinton and her health / conditions, my attention was immediately drawn to one tweet in particular:
For reasons known only to the person responsible for the @HillsMedRecords account, they decided to include a massive amount of detail in that tweet for no apparent reason. As a result, my infosec/OSINT brain immediately shifted into gear, driving an intense desire to figure out who was behind the account, because their lack of caution in posting details made me feel immediately that they would lead me (or any motivated person, entity, government, etc.) to discover their identity.
I should take this opportunity to note that this blog entry is completely non-political in nature. That is, I am not stating support for any candidate, including Hillary Clinton, by posting this blog, nor by the actions I am outlining herein. This is simply an exercise in explaining why, if you intend to whistle-blow independently rather than through the normal channels such as trusted media sources, you need to practice absolutely flawless OPSEC. Failure to do so may be detrimental to your own well-being or anonymity. Now, back to the topic at hand.
Scrolling up a bit on the timeline after that, I came across this tweet with image:
Again, @HillsMedRecords seems to be going out of their way to out themselves, by allusion in this case, implying that the building in the image was the one the printed-to-paper medical reports originally came from. The tweet itself had only one reply, from an individual asking what/where the building was. However, @HillsMedRecords did not supply the requested information.
A quick Google reverse image search of that image revealed that the building was the "Mount Kisco Campus" of the formerly-known-as "Mount Kisco Medical Group", which had subsequently changed its name to Caremount Medical. Image of the result:
Clearly the images are the same. This was the only result that Google found as a direct match for the image. Additionally, a TinEye search revealed the same result. I immediately thought back to the tweet shown in the first image above, which ends with: "Luckily I saved a few things when I left for a new job".
What facts can we draw from all of this information so far? Hopefully you already know, but if you don't, here is an overview of the logical assumptions that I considered likely facts based on the tweets and their contents so far:
- The person using the account @HillsMedRecords on Twitter was formerly employed at the Mount Kisco Campus of the Mount Kisco Medical Group aka Caremount Medical in Mount Kisco, New York.
- The person must have been employed by Mount Kisco Medical Group / Caremount Medical, at minimum, in the range of dates between the two images they tweeted of the purported medical reports: February 2014 and March 2015. I considered it likely that the person's start date was earlier than that, though, given the "hostile" sort of language aimed at Kisco Medical Group / Caremount in the tweets that allude to them.
- The person is very likely currently employed by a company / organization that some might consider to be a "better" place to work, or at least in a position that would be considered a "step up" from whatever their position was within Kisco / Caremount.
Armed with these assumptions / facts to go on, the obvious next stop was LinkedIn search. I went through several search filter arrangements, first trying with only the "Past Company" filter set to "Caremount Medical Group", which yielded far too many results (346 to be exact!):
Looking through the rest of the filters, and considering the assumptions/facts list above, I realized I should also enable the "Current Company" filter and see if the results were more reasonable when doing so. I was not disappointed when I did, as shown in the screenshot below. The number inside the parentheses is the number of results in the set if the given filter item is checked/enabled:
From that list, "Health Quest" didn't seem like a name that I would consider a step up in employment from Kisco, so I decided to start looking through the 4 results under "West Cornell Medicine", since Cornell is a semi-well-known name. Of the 4 results that were displayed, only 2 were not set to private. Of those two, one immediately stood out. I'm not going to go into much more detail or screenshots from here related to their identity, to protect their anonymity, but here are some highlights of what was listed as their responsibilities / achievements during their time at Mount Kisco Medical Group:
- They worked extensively in an administrator-level capacity on the EHR (Electronic Health Record) system, including report template creation, sample creation, SSRS report creation (an accompaniment to EHR reports), EHR SQL database back-end troubleshooting, administration, and overall management of the EHR system and its report templates.
- They started their new job at their new company in May 2015.
These two facts alone made me immediately stop searching and label this find as the likely person responsible for the @HillsMedRecords handle. As a result, I decided to DM @HillsMedRecords and test my theory. Unfortunately, I do not have screenshots/records of the DM other than by memory, for reasons that I'll explain below. However, the messages (3 in total) that I sent were essentially this:
"Hi - I first want to assure you I do not currently work for any government or law enforcement agency. The information I provide below was all information I found via publicly-searchable / available information on the internet, and you should know that I found this information within a matter of 15-20 minutes of actually looking."
"If your name begins with the letter , and you worked @ MKMG in the EHR administration area, you really, really need to be much more careful with your OPSEC on your tweets, because I was able to find your actual name in that 15-20 minutes with nothing more to go on than the information you provided in your first few tweets. If I can do it in that amount of time, it's likely that any government or law enforcement entities can do the same, if not faster."
"Cheers! - Mike"
The time that I sent those messages was around 3am Eastern. By the time that I woke up and got to the office around 10am Eastern, all of the tweets referenced above had been deleted. Then, very shortly (~10 min) after I noticed the tweets were deleted, I also noticed that the direct message I sent was no longer showing in my inbox. I then attempted to browse to the @HillsMedRecords profile page, and the account had been deleted.
This seemingly confirmed my theory on identity: the user had first deleted the tweets before deleting the account, suggesting it wasn't a suspension or removal by Twitter, but rather the user themselves.
Moral of the story: don't spill details when you don't have reason to, unless you want to be found out...
- Mike (@Bike_Maker) (mike@bhafsec.com)
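As an added illustration (not code from the original post): a small Python self-check that scans a draft post for the kinds of detail this write-up shows being combined (dates, a job change, a role, an employer or place) and rates the linkability risk by how many of those categories co-occur. The patterns and the sample draft are my own constructions, not a complete detector.

```python
import re

# Detail categories the write-up shows combining into an identity:
# employment dates, a job change, a role, and an employer or place.
# The patterns are illustrative assumptions, not an exhaustive detector.
CATEGORIES = {
    "date": re.compile(r"\b(?:19|20)\d{2}\b"),
    "job_change": re.compile(
        r"\b(?:left|quit|resigned|fired|laid off|new job|started at|moved to)\b", re.I),
    "role": re.compile(
        r"\b(?:EHR|EMR|SQL|SSRS|admin(?:istrator)?|report templates?)\b", re.I),
    "org_or_place": re.compile(
        r"\b(?:[A-Z][a-z]+ ){1,3}(?:Medical|Group|Hospital|Campus|Clinic|Center)\b"),
}

RISK_BY_COUNT = {0: "low", 1: "low", 2: "medium"}  # three or more -> "high"


def assess(text):
    """Return {'findings': {category: [matches]}, 'risk': level}.

    Risk rises with the number of independent detail categories present,
    mirroring how each extra fact (dates, employer, job change, role)
    narrowed the candidate set in the write-up above.
    """
    findings = {}
    for name, pattern in CATEGORIES.items():
        hits = sorted({m.group(0) for m in pattern.finditer(text)})
        if hits:
            findings[name] = hits
    risk = RISK_BY_COUNT.get(len(findings), "high")
    return {"findings": findings, "risk": risk}


# Constructed draft post (not the deleted tweet) mixing the kinds of details
# the write-up describes; the closing clause is the fragment quoted above.
SAMPLE_DRAFT = (
    "Reports printed from the EHR at Mount Kisco Medical Group, 2014 and 2015. "
    "Luckily I saved a few things when I left for a new job."
)

if __name__ == "__main__":
    result = assess(SAMPLE_DRAFT)
    for name, hits in result["findings"].items():
        print(f"{name}: {hits}")
    print("risk:", result["risk"])  # four categories co-occur -> high
```

Anything rated "medium" or "high" is worth removing or generalising before posting; even a single category is a thread someone else can pull on.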
Update: August 9th, 2016 @ 3:16PM Eastern: Here is a screenshot of the full profile via Google cache, pre-deletion: