GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET
LAS VEGAS — Anyone with a keyboard and a cause can have a living person declared legally dead by taking advantage of security weaknesses in the online death registration process, says Chris Rock, chief executive officer of Australian-based security company Kustodian.
Mr. Rock used online databases to pose as a doctor – and even registered as a funeral director – to prove he could game the system and issue death certificates for friends or enemies.
Despite concerns his research may inspire a wave of fraud, Rock detailed a how-to guide to the process to a packed room at the famous DEF CON conference in Las Vegas last Friday. “I have not contacted any vendor for fixes. Here is the definition of irresponsible disclosure,” Rock told an overflowing room of hackers. Why go this route? Because, he says, “it’s not so much a vulnerability – it’s a [mistake.] And it’s a global [mistake].”
Rock also uncovered vulnerabilities in countries’ birth registration processes, which could allow people to create a totally new virtual baby – and use its identity as a cover for illegal activity such as drug trading. Rock says it’s a lot more convenient, in some ways, for criminal hackers to try to get a totally new Social Security Number than risk stealing someone else’sor buying one off the black market.
At DEF CON, Rock spoke with Passcode about how he discovered these flaws and why a fake death and birth market could change the cybercrime paradigm. Edited excerpts follow.
Passcode: Let’s start at the beginning. How did you get interested in this?
Rock: I’m a penetration tester [who is hired to attack clients’ networks to test their security] by trade. So, normally, I wouldn’t ever touch this process.
But I was watching the news one night in Australia, and saw Austin hospital [in Melbourne] actually sent out 200 death notices instead of discharge notices. I thought, “How could that possibly happen, if it’s a paper-based system? They’ve obviously gone online and done it in a mass instance.”
I then focused on the Australian system to see how it could happen, and was shocked to find [death registration] was an online system without any protection at all.