United Nations vs SQL Injections
Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message.
This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."
Maybe it's not such a surprise, considering that
I personally would have sneaked in and invented a new UN agency with its own inscrutable and almost-pronounceable acronym, and then sat back and watched.
Just imagine if, halfway down this page, you get an entry like this:
UNCRP: Works in field missions to improve standards in accordance with self-determined metrics. Composed of members elected to permanent positions based on a variety of factors subservient to aforementioned goals, assuming goals have been determined prior to agency initiation. Primary work areas include inter-agency provision of UNCRP-related efforts, with the ultimate objective of improving standards, mainly in the field.
One quick email to follow up:
To: secgen@un.org
From: Agency Coordination and Initiation Subcommittee to the Secretariat
Subject: Need traction on UNCRP agency kickstart
Dear sir:
With respect to the newly established UNCRP agency, we respectfully request formal approval of resources. We expect to be operational within 5 years and will submit the initial statement of work within 3 years from approval.
Thank you for providing the momentum to this newly founded agency; we have dedicated much effort to the realization of the UNCRP, as it is conducive to the eradication of several things in the UN charter.
Regards,
Rolf Wittigersen
And that should be it. Make yourself some popcorn, and watch the headless wonder of a new UN agency being created. At least with the UNCRP, it would be purposeless by design rather than through the diligent work of its employees.
The Banjo Players Must Die!
As a nation, the US has made numerous commitments to the UN, and that includes agreements to follow things like the Universal Declaration of Human Rights. When we *agree* to follow International Law, we ought to, don't you think? Especially when we're heavily involved in creating that law in the first place?
...
The fact is that the UN, while it does have a lot of problems, is also far more effective and dare-I-say-it even important than most people in the US ever give it credit for. It's far from a perfect system, but it's still the best we have. We're one of the rich kids on the playground, and one of the strong kids on the playground, and we don't always enjoy what the student government wants to do--so we turn away from it sometimes. But that doesn't mean that it isn't important, or helpful, or that it doesn't, sometimes, do what's right. And that doesn't mean we shouldn't work with it, sometimes, and give it more credit for what it does and tries to do.
Instead, we tend to discount it. Because sometimes we don't like what it says about us or others in the playground, and because it's politically convenient (and salable) for our leaders to emphasize our strength and autonomy, all of our accomplishments and our not-inconsiderable military and economic muscle, and all of our pride. Some degree of Nationalism isn't a terrible thing, and we do have a lot to be proud of--but we also still have a lot to do, and to accomplish, as a nation and as members of a larger world, and pretending the other children on the playground are irrelevant doesn't help us to do those things.
Also, don't you want the Universal Declaration of Human Rights to apply to US Citizens in a US Court or on the streets? The Bill of Rights is getting stretched more thinly every day, and the anti-terrorist effort (though directed in part by well-meaning people) is cutting swaths in our Constitution.
--Me
The subtlest change in New York is something that people don't speak much about but that is in everyone's mind. The city, for the first time in its history, is destructible. A single flight of planes no bigger than a wedge of geese can quickly end this island fantasy, burn the towers, crumble the bridges, turn the underground passages into lethal chambers, cremate the millions. The intimation of mortality is part of New York now: in the sound of jets overhead, in the black headlines of the latest edition.
All dwellers in cities must live with the stubborn fact of annihilation; in New York the fact is somewhat more concentrated because of the concentration of the city itself, and because, of all targets, New York has a certain clear priority. In the mind of whatever perverted dreamer who might loose the lightning, New York must hold a steady, irresistible charm.
It used to be that the Statue of Liberty was the signpost that proclaimed New York and translated it for all the world. Today Liberty shares the role with Death. Along the East River, from the razed slaughterhouses of Turtle Bay, as though in a race with the spectral flight of planes, men are carving out the permanent headquarters of the United Nations -- the greatest housing project of them all. In its stride, New York takes on one more interior city, to shelter, this time, all governments, and to clear the slum called war.
This race -- this race between the destroying planes and the struggling Parliament of Man -- it sticks in all our heads. The city at last perfectly illustrates both the universal dilemma and the general solution, this riddle in steel and stone is at once the perfect target and the perfect demonstration of nonviolence, of racial brotherhood, this lofty target scraping the skies and meeting the destroying planes halfway, home of all people and all nations, capital of everything, housing the deliberations by which the planes are to be stayed and their errand forestalled.
-- E.B. White, from "Here Is New York," 1948
You'll notice that webpages of governments, political parties and other highly bureaucratic systems are usually quite vulnerable. This is due to a few factors.
First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.
Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.
And finally the good ol' fact that the people who work there are usually not the cream of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.