Slashdot Mirror

← Back to Stories (view on slashdot.org)

United Nations vs SQL Injections

Posted by CmdrTaco on from the virtual-security-is-hard-too dept.

Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message. This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."

2 of 144 comments (clear)

  1. The hole is still open, though... by caferace · · Score: 3, Interesting

    http://www.un.org/apps/news/infocus/sgspeeches/sta tments_full.asp?statID=105' -jim

  2. Hardly a surprise by Opportunist · · Score: 5, Interesting

    You'll notice that webpages of governments, political parties and other highly bureaucratic systems are usually quite vulnerable. This is due to a few factors.

    First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.

    Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.

    And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.