The announcement is likely to shake the wrists: to violate an account WhatsApp, or Telegram would be a no-brainer. The vulnerability, brought to light by the InTheCyber, the milan-based company specialized in offensive security and defensive computing, is possible thanks to the ease of unauthorised access of the answering machines of some of the managers and the procedures for authentication of messaging systems, unwisely based on the phone messages voice. The simple procedure required for the breach was shown in the preview to the Courier of the Evening and will be presented tomorrow, Monday, October 24, during the 7° Conference on Cyber Warfare in Milan.
this Is a major security flaw (according to technical InTheCyber would be a different title about 32 million of SIM (Italian), also in consideration of the fact that in order to exploit them there is no guy inside to the inside of the telco, no equipment sophisticated enough technical skills minimum. A malicious or even just curious people can have free access to the full text of the chat, Telegram or groups of WhastApp, knowing only the phone number of the victim and nothing more: the technical details on the nature of the vulnerability are reported in the study of DDAY.it.
a Malicious or even just curious people can have free access to the full text of the chat, Telegram or groups of WhastApp, knowing only the phone number of the victim and nothing more.
The vulnerability of many voicemail systems is a well known thing for a long time, and unfortunately, not all telephone companies have made their systems sufficiently secure, since access to recorded messages from other phones, is also made available to other phone users with a security Pin code that is often left to the preset values, and all the same, but with techniques that are called “spoofing”, i.e. camouflage in the number of phone calls with the victim (an easily achievable even with Skype), some secretariats (in particular those of Wind and 3 Italy) open their doors without even ask for the Pin. This vulnerability, in itself odious, it becomes explosive if it is linked to the procedure applied by the main instant messaging systems, su ch as Whatsapp and Telegram, to authenticate its users on the Web: the verification of the user can be done with a code communicated by telephone from a synthesized voice. When the victim’s phone is turned off, the call ends up in voicemail, bringing in an insecure container in the security code. At this point in the game for those who launch the attack is easy: all that remains is the access to the secretariat and to "listen" on the Internet.
The problem, according to technical InTheCyber, at the moment is strongly underestimated: “WhatsApp, we were informed of the vulnerability, it is called simply, “not interested in the problem” because, according to the company, the responsibility would be of the telephone operators. Telegram has responded to our reporting, as well as the operators that we contacted”. A situation that contrasts with the inscription which stands on the site of WhatsApp: “privacy and security are in our Dna.”
“This vulnerability can be closed easily with the cooperation of the telco and service providers — explains Paolo Lezzi, Ceo and founder of InTheCyber — but it is only a demonstration of the state is not optimal to pay the security of computer systems and digital”. The widespread diffusion of the Internet of things and hyper-connection requires a greater awareness on the part of users, “but most of all we would like — goes on Foul — obligations and responsibilities for anyone who designs and manages the products and related services, in both the public and private”.
Often you think that the effects of an attack, remain confined to the digital sphere, and that can lead to, as a maximum risk, the erasure of the data; but the consequences of an attitude that is careless on the front of cyber security may ultimately affect also the physical sphere. “A vulnerability trivial as this we demonstrated above can endanger the safety of persons, to the waterfall that the institution or company for which they work and, in the case of using extremely malicious, of the whole Country”. The news comes on the day that the minister of the Interior Alfano has announced that from the beginning of the year were surveyed 626 cyber attacks to the critical structures in italy. Something more than an alarm bell.
October 23, 2016 (change to October 23, 2016 | 16:49)
© REPRODUCTION RESERVED
No comments:
Post a Comment