How I found a hole in the security system of the public services website
By the nature of my professional activity, I often have to give various kinds of expert assessments to the media about cyber attacks and computer system security. Recently I received a call from Voice of Russia asking me to comment on the security of the portal Gosuslugi.rf. I quote:
“Russia automates the process of document circulation, which increases its competitiveness in the eyes of other states. Therefore, security of a public service portal is a key concept. It is necessary to provide a system that would increase the confidentiality of information at the technical, administrative and organizational levels. We need a comprehensive protection system that will work all the time.” Link: rus.ruvr.ru/2010/06/03/9011959.html
After my conversation with the journalist, I myself started wondering how well the site's security system meets the demands placed on it. So I decided to register under a false name. Below I describe the steps I took.
1. To get access to the portal on behalf of Ivan Ivanovich Ivanov, we need:
- Ivanov I.I.'s INN (taxpayer identification number)
- his insurance certificate of state pension insurance
- Ivanov I.I.'s registration (residential address) data; moreover, these data are not checked, so any address can be given; the main thing is that you can receive the letter once it arrives at that address.
For these purposes, we buy a “gray” database of INNs and pension insurance certificates at any market such as “Gorbushka”, “Sovka” or “Mitinka”. In fact, at every intersection, while you are sitting in traffic, someone will surely run up to you and offer this kind of database. Having bought it, we register on the public services portal.
2. The last stage of registration is to receive a registered letter at the address specified earlier and enter the code given in the letter into the appropriate registration window. As it turned out, the most obvious threat in the entire security system lurks at this stage, namely the human factor! The lion's share of postal employees never check a passport! In my case, as can be seen from the video below, they only asked, "Passport data filled in?" And that's it!
Thus, anyone can register on the public services website using your data. What this may lead to, I think, does not need explaining.
This was a free website security audit for the Ministry of Communications and Mass Communications of the Russian Federation.