U.N. Website Vulnerability Exposed by Hacktivists
Blog monitors U.N.'s ability to Patch Problem
On Sunday, August 12, visitors to the United Nations website could see a protest message directed at the U.S. and Israel. The message was posted in the area of the U.N. website where Ban Ki-moon's speeches were listed.
The message read:
Hacked By Keremy 125 M0sted And Gsy
That Is CyberProtest Hey Ysrail and Usa
dont kill children and other people
Peace for ever
No war
Giorgio Maone, an Italian software developer, proposed on his blog that the trespassers had gained access to the U.N. website through a well documented security vulnerability in the way the site's software built queries for its SQL database. The vulnerability is known as "SQL injection". There is a Wikipedia entry describing the mechanism and prior instances in which it was used to gain unauthorized access to other sites.
Offering a clue to the incident, Maone wrote, "while most of us may agree with the message, many will object to the spelling and specifically to the dont used instead of don't." He went on to explain that the missing apostrophe in the word "dont" pointed to the vulnerability the hacktivists had exploited to plant their message on the U.N. website in place of the Secretary General's speeches: in SQL the apostrophe delimits text, so a message carrying one would have broken the query the attackers were feeding into the site.
This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site.
Giorgio Maone
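The clue Maone describes, shown as an added example (not code from the U.N. site or from Maone's blog): a query built by splicing text into the SQL statement treats an apostrophe as the end of the string literal and fails to parse, whereas a parameterized query stores the same text intact. The table and the two sample texts are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the page's content store: one table of speech texts.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn

def store_unsafe(conn, body):
    """Vulnerable pattern: the text is spliced into the SQL statement itself,
    so an apostrophe in it ends the string literal and the statement is misparsed."""
    conn.execute(f"INSERT INTO speeches (body) VALUES ('{body}')")
    conn.commit()

def store_safe(conn, body):
    """Fixed pattern: the text is passed as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    conn.execute("INSERT INTO speeches (body) VALUES (?)", (body,))
    conn.commit()

def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM speeches ORDER BY id")]

# The two spellings the blog discussion turned on (constructed sample input).
SAMPLES = ("dont kill children", "don't kill children")

def demo():
    """Run both storage routines on both spellings and report what happened."""
    outcome = {}
    for name, store in (("unsafe", store_unsafe), ("safe", store_safe)):
        conn = setup_db()
        outcome[name] = {}
        for text in SAMPLES:
            try:
                store(conn, text)
                outcome[name][text] = "stored"
            except sqlite3.Error as exc:
                # Only the apostrophe spelling with the unsafe routine lands here:
                # SQLite reports a syntax error at the stray "t" after the quote.
                outcome[name][text] = f"error: {exc}"
        outcome[name]["rows"] = stored_bodies(conn)
    return outcome

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```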
Others posting on his blog disagreed that one should be surprised to find such problems on a "high profile site." Another poster explained:
Are we really surprised? I thought it was pretty standard that most of the 'high profile sites' out there are the ones least likely to understand the importance of keeping their software up to date. It seems like the larger the company/organization/multi-national quasi-governmental agency, the more likely they are to simply buy into whatever is being promoted by (insert your favorite vendor here), and won't upgrade unless something breaks or they can afford to buy whatever (insert your favorite vendor here) is selling in quantities and packages they are selling....
Others discussing the incident on hackademix.net described how, even after the hacktivists' initial web posting had been removed, the U.N. website continued to have vulnerabilities that could be exploited. "The U.N. staff put a patch to 'hide' the most obvious vulnerability," Maone wrote in a post, "but the flaw is still there and could be easily exploited again."
Other online news sources, such as Slashdot, linked to the hackademix.net blog. In the Slashdot discussion, several posts described the systemic problems with software development at large corporations and government-related institutions, where business-oriented decisions often fail to take into account the need for technical skill and knowledge.
On Heise Online, where posts appear in German and English, there were discussions about the political issues referred to in the hacktivists' message.
At the Monday press briefing at the U.N., the Secretary General's spokesperson assured journalists that the problem had been dealt with. Yet the hacktivists' message continued to appear on the United Nations Environment Programme (UNEP) web site Monday evening, and no new text files were posted to the U.N. web site on Monday or for part of the day on Tuesday.
On both Monday and Tuesday, questions were raised at the U.N. during the briefing for journalists. Little information about what had happened or how it happened was offered, however. The problem remained a mystery for most of the journalists who subsequently wrote about it. For example, one journalist wrote, "The hackers were able to infiltrate the system, U.N. spokeswoman Michelle Montas said yesterday, by using what she referred to as 'pseudonyms.'" (NY Sun article, Aug. 14, 2007, "Hacker Attacks U.N. Web Site") In this story the fact that the hacktivists signed their post with false names was confused with the mechanism by which they gained access to the U.N. website to post their message. Some at the press briefing wondered whether the incursion into the U.N. web site was an example of "cyberterrorism". In response to a question, the U.N. spokeswoman said she would try to make someone from the U.N. staff available to provide information that would offer clarity. She did not say, however, when this would happen.
One of the posts on slashdot.com explained that it was difficult for software programmers to remain up to date in dealing with all the software vulnerabilities that exist in Microsoft products. Responding to a request for his views on the subject, Terry Culkin, a systems analyst at Columbia University, explained that the U.N. site was using some of the most vulnerable Microsoft products on the market. Given the many vulnerabilities in Microsoft products, Culkin explained, "it's hard for a systems administrator to keep up with the patches." He also referred to systemic problems: when a number of different technical staff members are needed, it becomes difficult to maintain communication among them across their different areas of responsibility.
An article in CNET reported that Maone offered his services to the U.N. technical developers to help solve the problem, but there had been no response at the time the CNET article went to press.
In a subsequent email, Maone explained that he offered his help to the U.N. technical staff on Monday. As of late Tuesday he had not heard back from them. He has subsequently continued to monitor what is happening with the vulnerabilities at the U.N. website and reports that he has seen some of the vulnerabilities fixed only to reappear. He continues to make updates on his blog. As of late Tuesday night, part of the U.N. website may still be vulnerable and parts are unavailable, he noted.