It's incredibly easy to bump someone off online, and here's how to do it – infosec bod

Making fake babies is child's play, too

DEF CON 23 Most of us have had occasional fantasies about killing someone. Now, as governments demand more personal information from citizens online, it has apparently become surprisingly easy to turn that fantasy into a reality, at least on paper – courtesy of some glaring loopholes.

Or so says infosec bod Chris Rock, who presented his findings at DEF CON in Las Vegas this week.

The Australian chief of security firm Kustodian showed just how easy it could be to kill people, register a fake birth, and set up a new identity, all with the power of the internet.

"I call it an end of life vulnerability," he said. "It's a global fuck up and I have not contacted any vendor about fixes."

As governments move to online forms there are a number of loopholes that have opened up, he explained, and with the wealth of information out there it's not hard to get into the death business. It's not advised, he added, but it's certainly possible.

In order to register someone as dead, a form detailing the cause of mortality typically needs to be filled out by a doctor. A funeral director needs to countersign the form, and then the death certificate can be issued to the family.

In the US this is handled by the Electronic Death Registration System (EDRS) and it's all done online. Doctors need to publicly provide their licence number, address details and other identifying information, all of which can be easily found on the interwebs.

Those doc details have to check out with existing records before access to the EDRS system is granted, but crucially – Rock noted – email addresses aren't checked, allowing a hacker to add a new email address and get access by stealing a legitimate doctor's details.

One point to remember, he said, was to make the cause of death uncontroversial, otherwise a coroner would get involved and there would have to be a formal investigation. A coroner is also called in if more than one child in a family dies. "So be careful killing your kids," he darkly joked.

The same system applies for funeral directors, and again their details are all stored in a searchable database online. There are also handy "How to" leaflets online to explain the process.

As an added bonus, Rock managed to get himself signed onto the Australian government's database as a legitimate funeral director. He explained how he set up a website, sent in an online application, and three days later was granted official government registration as a qualified handler of corpses.

In the US, individual states make their own rules, so in Colorado anyone can be a funeral director, in Nevada you need to pay $345 and take an exam, and in California you need an arts degree or equivalent.

After the forms have been filed, the registrar sends a death certificate to the next of kin, which can be anyone the attacker puts on the forms. This could apparently be used – with a phony will – to empty someone's bank account under the guise of wrapping up their affairs, or to commit insurance fraud.

"Why not enjoy your life insurance payout while you're still alive?" he asked.

Six feet under dot-com

Even if you don't go that far, faking someone's death will cause them serious problems. Passport applications and driving licences get blocked, credit ratings are zeroed and the law isn't equipped to handle such situations, he said.

Rock cited the 2013 case of Donald Miller, an Ohio man who abandoned his wife and children and disappeared in 1986 after losing his job. His family had him declared dead in 1994. In 2005 he tried to apply for a driving licence and went to court to prove he was still alive, but the judge rejected his claim.

"We've got the obvious here. A man sitting in the courtroom, he appears to be in good health," the judge said, the BBC reported at the time, adding that rescinding a death certificate was illegal after three years had passed from time of death under local law. "I don't know where that leaves you, but you're still deceased as far as the law is concerned."

It's even easier to register a fake birth, Rock claimed, since that only needs the doctor and parents to sign off on the forms. Doing so would have many benefits: it could, for example, be used to collect social security payments for a dependent child.

Obviously, such behaviour is illegal. But it seems, based on Rock's insight, that governments around the world might want to rethink their move to online form filling with so few security safeguards in place. ®
