On August 12, visitors to the United Nations Web site could see a protest message directed at the U.S. and Israel. This message was posted in the area of the site where Ban Ki-moon's speeches were listed. The message read:
"Hacked By Kerem 125 M0sted And Gsy"
An Italian software developer, Giorgio Maone, proposed on his blog hackademix.net that the trespassers had gained access to the U.N. Web site by using a well documented security vulnerability involving SQL, the database query language. (1) The vulnerability is known as "SQL injection". A Wikipedia entry (2) describes the mechanism and prior instances in which it was used to gain unauthorized access to other sites.
Offering a clue to the incident, Maone wrote, "while most of us may agree with the message, many will object to the spelling and specifically to the dont used instead of don't."
He went on to explain that the missing apostrophe in the word "dont" was a clue to the SQL vulnerability the hacktivists had used to plant their message on the U.N. Web site in place of the Secretary General's speeches.
"This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile Web site," Maone said.
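The clue Maone describes is easy to reproduce. The following is an added example written for this page, not code from Maone or from the U.N. site: it uses Python's built-in sqlite3 module with a constructed in-memory table and a constructed input string. When a Web application splices user text directly into the SQL statement, the apostrophe in "don't" is read by the database as the end of the string literal and the statement fails to parse, which is why an attacker exploiting such a flaw has to avoid the character. The parameterized version sends the text to the database separately from the SQL, so the same apostrophe is stored as ordinary data.

```python
import sqlite3


def _fresh_db():
    """Create an in-memory SQLite database with a constructed 'speeches' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO speeches (title) VALUES ('Remarks to the General Assembly')")
    conn.commit()
    return conn


def store_title_unsafe(conn, title):
    """Vulnerable pattern: user input is concatenated into the SQL text.

    The single quote that delimits the literal is the same character as the
    apostrophe in "don't", so the input ends the literal early and the
    statement no longer parses. Returns the exception class name on failure,
    None on success.
    """
    sql = "INSERT INTO speeches (title) VALUES ('" + title + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return type(exc).__name__


def store_title_safe(conn, title):
    """Hardened pattern: a parameterized query.

    The value travels to the engine separately from the SQL text, so quotes
    inside it are never interpreted as SQL syntax.
    """
    conn.execute("INSERT INTO speeches (title) VALUES (?)", (title,))
    conn.commit()
    return None


def titles(conn):
    """Return all stored titles in insertion order."""
    return [row[0] for row in conn.execute("SELECT title FROM speeches ORDER BY id")]


def demo(text="Don't miss the Monday briefing"):
    """Run both patterns on the same apostrophe-bearing input (constructed sample)."""
    unsafe_db, safe_db = _fresh_db(), _fresh_db()
    return {
        "unsafe_error": store_title_unsafe(unsafe_db, text),
        "unsafe_rows": titles(unsafe_db),
        "safe_error": store_title_safe(safe_db, text),
        "safe_rows": titles(safe_db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running it shows the concatenated statement raising an OperationalError and inserting nothing, while the parameterized statement stores the title with its apostrophe intact. The defensive takeaway is the second function: parameterized queries remove the class of flaw rather than hiding one symptom of it.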
Others posting on his blog disagreed that one should be surprised finding such problems on a "high profile site." Another poster explained:
"Are we really surprised? I thought it was pretty standard that most of the 'high profile sites' out there are the ones least likely to understand the importance of keeping their software up to date. It seems like the larger the company/organization/multi-national quasi-governmental agency, the more likely they are to simply buy into whatever is being promoted by (insert your favorite vendor here), and won't upgrade unless something breaks or they can afford to buy whatever (insert your favorite vendor here) is selling in quantities and packages they are selling...."
Others discussing the incident on hackademix.net described how, even after the initial Web posting by the hacktivists had been removed, the U.N. Web site continued to have vulnerabilities that could be exploited. "The U.N. staff put a patch to 'hide' the most obvious vulnerability," Maone wrote in a post, "but the flaw is still there and could be easily exploited again." (13 Aug 2007 6 UTC update).
Other online news sources such as PC World (3) and Slashdot (4) provided links to the hackademix.net blog. In the discussion on Slashdot, several posts described systemic problems with software development at large corporations and government-related institutions, where business-oriented decisions often fail to take into account the need for technical skill and knowledge.
On Heise Online (5), where the posts are in German, and ShortNews.com (6), with English posts, there were discussions about the political issues referred to in the hacktivists' message.
At the Monday press briefing at the U.N., the Secretary General's spokesperson assured journalists that the problem had been dealt with. Yet the hacktivists' message continued to appear on the United Nations Environment Programme (UNEP) Web site (7) on Monday evening, and no new text files were posted to the U.N. Web site on Monday or for part of the day on Tuesday.
On both Monday and Tuesday, questions were raised at the U.N. during the briefing for journalists. Little information about what had happened or how it happened was offered, however. The problem was a mystery to most of the journalists who subsequently wrote about it.
For example, one journalist wrote, "The hackers were able to infiltrate the system, U.N. spokeswoman Michelle Montas said yesterday, by using what she referred to as 'pseudonyms.'" (NY Sun article, Aug. 14, 2007, "Hacker Attacks U.N. Web Site") In this story, the fact that the hacktivists gave false names with their post was confused with the mechanism by which they gained access to the U.N. Web site to post their message. Some at the press briefing wondered whether the incursion onto the U.N. Web site was an example of "cyberterrorism".
In response to a question, the U.N. spokeswoman said she would try to make someone from the U.N. staff available to provide clarifying information. She did not say, however, when this would happen.
One of the posts on slashdot.com explained that it was difficult for software programmers to remain up to date in dealing with all the software vulnerabilities that exist in Microsoft products.
Responding to a request for his views on the subject, Terry Culkin, a systems analyst at Columbia University, explained that the U.N. site was using some of the most vulnerable Microsoft products on the market. Given the many vulnerabilities in Microsoft products, Culkin explained, "it's hard for a systems administrator to keep up with the patches." He also pointed to systemic problems: when a number of different technical staff members are needed, it becomes difficult to maintain communication among them and across their different areas of responsibility.
An article in CNET (8) reported that Maone offered his services to the U.N. technical developers to help solve the problem, but there had been no response at the time the CNET article went to press.
In a subsequent email, Maone explained that he offered his help to the U.N. technical staff on Monday. As of late Tuesday he had not heard back from them. He has subsequently continued to monitor what is happening with the vulnerabilities at the U.N. Web site and reports that he has seen some of the vulnerabilities fixed only to reappear. He continues to make updates (9) on his blog. As of Wednesday afternoon, the Spokesperson for the Secretary General indicated that the technical staff was working to analyze and fix the security problems on the U.N. Web site.
2007/08/16 10:55 AM
© 2019 Ohmynews