11:19 I found a hole in the security system of the gosuslugi.rf site
In the course of my professional activities I often give various kinds of expert opinions to the media about cyber attacks and the security of computer systems. Just recently I got a call from the "Voice of Russia" and was asked to comment on the security of the Gosuslugi.rf portal. I quote: "Russia is automating its workflow, thereby increasing its competitiveness in the eyes of other states. Therefore, the security of the public services portal is a key concept. It is necessary to provide a system that would strengthen the confidentiality of information at the technical, administrative and organizational levels. A comprehensive protection system that works constantly is needed." Link: rus.ruvr.ru/2010/06/03/9011959.html

After my conversation with the journalist, I became curious myself about how well the site's security system meets the requirements placed upon it. So I decided to register under an assumed name. Below I describe the sequence of my actions.

1. To gain access to the portal, for example on behalf of Ivanov Ivan Ivanovich, we need:

- Ivanov I.I.'s taxpayer identification number
- His insurance certificate of state pension insurance
- Ivanov I.I.'s registration data (these data are not checked, so you can specify any; the main thing is that when a letter arrives at this address you can receive it)

For this purpose, we buy a "gray" database of taxpayer numbers and pension insurance certificates at any market of the "Gorbushka", "Scoop" or "Mitinki" type. In principle, at every intersection, while you are standing in a traffic jam, someone will run up to you and offer this kind of database. Having bought it, we register on gosuslugi.rf.

2. The last step of registration is to receive a registered letter at the specified address and enter the code given in the letter into the appropriate registration window. As it turned out, it is at this stage that the most obvious threat to the entire security system is hiding, namely the human factor! The lion's share of employees almost never check your passport! In my case, as can be seen in the video below, they simply asked: "Passport to fill?" That's it!

So, anyone can register on the gosuslugi.rf site using your data. What this may lead to, I think there is no need to explain! This has turned out to be a free site security audit for the Ministry of Communications of the Russian Federation.