OpSec: Why you should care about yours.

By: Mike Baker mike@bhafsec.com Date: Tuesday, August 9th, 2016

I don't remember exactly how I came to view the tweet and subsequently the associated Twitter account, but last night (8/8/16 into early 8/9/16) around 11:30pm Eastern, I did. The now-deleted tweet that I first saw came from an account named "@HillsMedRecords".

The first tweet that I saw from the account was an image. @HillsMedRecords claimed that the images were reports from a doctor who treated Hillary Clinton in 2014 and 2015. Immediately browsing to the profile page for the user, I noted that the account seemed to have been created earlier on the 9th, based on the earliest tweet listed.

As I was scrolling back to the earliest entry on @HillsMedRecords' timeline, aside from the images that were purportedly of printed-to-paper reports relating to Hillary Clinton and her health / conditions, my attention was immediately drawn to one tweet in particular:

Image showing a screenshot of the original tweet

For reasons known only to the person responsible for the @HillsMedRecords account, they decided to include a massive amount of detail in that tweet for no apparent reason. As a result, my infosec/OSINT brain immediately shifted into gear, driving an intense desire to figure out who was behind the account, because their lack of caution in posting details immediately struck me as something that would lead me (or any motivated person, entity, government, etc.) to their identity.

I should take this opportunity to note that this blog entry is completely non-political in nature. That is, I am not stating support for any candidate, including Hillary Clinton, by posting this blog, nor by the actions I am outlining herein. This is simply an exercise in explaining why, if you intend to whistle-blow independently rather than through the normal channels such as trusted media sources, you need to practice absolutely flawless OPSEC. Failure to do so may be detrimental to your own well-being or anonymity. Now, back to the topic at hand.

Scrolling up a bit on the timeline after that, I came across this tweet with image:

Image of a medical center building

Again, @HillsMedRecords seems to be going out of their way to out themselves, in this case by allusion: the tweet implied that the building in the image was the one from which the printed-to-paper medical reports originally came. The tweet itself had only one reply, from an individual asking what/where the building was. However, @HillsMedRecords did not supply the requested information.

A quick Google reverse image search of that image revealed that the building was the "Mount Kisco Campus" of the formerly-known-as "Mount Kisco Medical Group", which had subsequently changed its name to Caremount Medical. Image of the result:

Caremount Medical Building

Clearly the images are the same. This was the only result that Google found as a direct match for the image. Additionally, a TinEye search returned the same result. I immediately thought back to the tweet shown in the first image above, which ends with: "Luckily I saved a few things when I left for a new job".

What facts can we draw from all of this information so far? Hopefully you already know, but if you don't, here is an overview of the logical assumptions that I considered to be likely facts based on the tweets and their contents so far:

Armed with these assumptions / facts, the obvious next stop was LinkedIn Search. I went through several search filter arrangements, first trying with only the "Past Company" filter set to "Caremount Medical Group", which yielded far too many results (346 to be exact!):

Past Company Filter Options

Looking through the rest of the filters, and considering the assumptions/facts list above, I realized we should also enable the "Current Company" filter and see whether the results become more manageable. I was not disappointed when I did, as shown in the screenshot below. The number inside the parentheses is the number of results in the set if the given filter item is checked/enabled:

Current Company Filter Options

From that list, "Health Quest" didn't seem like a name that I would consider a step up in employment from Kisco, so I decided to start looking through the 4 results under "Weill Cornell Medicine", since Cornell is a semi-well-known name. Of the 4 results that were displayed, only 2 were not set to private. Of those two, one immediately stood out. To protect their anonymity, I'm not going to go into much more detail or show further screenshots related to their identity, but here are some highlights of what was listed as their responsibilities / achievements during their time at Mount Kisco Medical Group:

These two facts alone made me stop searching and label this find as the likely person responsible for the @HillsMedRecords handle. As a result, I decided to DM @HillsMedRecords and test my theory. Unfortunately, I do not have screenshots/records of the DMs other than by memory, for reasons that I'll explain below. However, the messages (3 in total) that I sent were essentially this:

"Hi - I first want to assure you I do not currently work for any government or law enforcement agency. The information I provide below was all information I found via publicly-searchable / available information on the internet, and you should know that I found this information within a matter of 15-20 minutes of actually looking."

"If your name begins with the letter , and you worked @ MKMG in the EHR administration area, you really, really need to be much more careful with your OPSEC on your tweets, because I was able to find your actual name in that 15-20 minutes with nothing more to go on than the information you provided in your first few tweets. If I can do it in that amount of time, it's likely that any government or law enforcement entities can likely do the same, if not faster."

"Cheers! - Mike"

I sent those messages around 3am Eastern. By the time I woke up and got to the office around 10am Eastern, all of the tweets referenced above had been deleted. Very shortly after (~10 minutes) I noticed the tweets were gone, I also noticed that the direct messages I had sent were no longer showing in my inbox. I then attempted to browse to the @HillsMedRecords profile page, and the account had been deleted.

This seemingly confirmed my theory on identity: the user had first deleted the tweets and then deleted the account, suggesting it wasn't a suspension or removal by Twitter, but rather the user themselves.

Moral of the story: don't spill details when you don't have reason to, unless you want to be found out...

Update: August 9th, 2016 @ 3:16PM Eastern: Here is a screenshot of the full profile via Google cache, pre-deletion:

Profile screenshot