Hackers can steal your details, your money, and even your identity, but at least victims of such attacks still had their health, eh? Not anymore: industrious keyboard-tappers can actually kill you. As in, a malicious computer-user can use a global exploit to have a living person declared legally dead.
The technique for ‘killing’ someone online was revealed by Chris Rock, Chief Executive Officer of Australian security company Kustodian at the DEF CON security conference last week. Using the exploit, Rock posed as both a doctor and a funeral director to have death certificates issued for both friends and enemies.
“I have not contacted any vendor for fixes. Here is the definition of irresponsible disclosure,” Rock told attendees of the conference, his actions designed to expose that “it’s not so much a vulnerability – it’s a [mistake.] And it’s a global [mistake].”
The same security hole allows people to create birth certificates, so you can invent your very own virtual baby, which could be a long-term method of selling fake identities.
Rock later outline his technique, speaking to Passcode. Essentially, when someone dies, the doctor gets called in,” he explained. “They’ll check your pulse, fill out a certificate of death with what you actually died of – and obviously all your personal details, like your name and that sort of stuff. The certificate of death is a two-part document. It gets passed on to the funeral director to fill out his portion of the document.”
“The Americans have moved on to a system called EDRS [Electronic Death Registration System]. So doctors, on the Internet, can actually register a death online, and a funeral director can actually take that case and bury the body.”
“The Australian system is identical. The Canadian system is identical. They’re all following, now, an online presence because governments want accurate, centralized death records.”
Rock then detailed the crux of the vulnerability: “The vulnerable spots are both the doctor and the funeral director’s access to the online portal. They have a DIY [do-it-yourself] access.”
So, what can be done to prevent this? It’s out of our hands, Rock says, but he hopes his work will motivate governments to shore up security. “The government first needs to look at it,” he concludes. “If you’re going to unroll a system this large to doctors and funeral directors, you actually have to put some security controls around it. The message is: Before you roll something out, have some penetration testers look at it first.” He jokes, “A phone call would have been nice.”
Thank you The Christian Science Monitor: Passcode for providing us with this information.
