This is the story of a grey hat called Black Jester, from Sudan, Africa. He identified vulnerabilities on two sites owned by the United Nations, which are reportedly connected to the main United Nations site (un.org).
Unfortunately, this is not one of those stories in which a hacker or a security researcher aids a company in the process of patching up its public website.
Instead, it’s another tale that shows how some organizations don’t have proper policies for reporting vulnerabilities, and when they’re presented with such a situation, they don’t know how it should be handled.
Black Jester is currently on a quest to make the UN fix the security holes that affect their websites, and he hopes that by going public he can push the organization to speed up the patching process.
The interview we had with him shows his attempts to report the issues, but it also shows how institutions look at someone who tells them that all the sensitive information stored on a server can become publicly available because of some security flaws.
Of course, many security researchers and hackers may argue that they reported tens of vulnerabilities to the UN and other organizations whose public websites are unsafe, but Black Jester didn’t just disclose the vulnerabilities via email. Instead, he went in person to the institutions he thought could take care of the problem.
Please tell us a bit about yourself.
I am not a “black hat”. I am just some guy who wants to improve his skills in pentesting and help someone “not get hacked”, with or without permission.
Here in this country they don’t know the meaning of security. My university expelled me because I breached their network with their permission and they didn’t find anyone to blame except me.
I tried to hack any server I could just to improve my skills, because there is nothing like a “real scenario”.
When did you uncover the vulnerabilities in the UN sites?
I found them in the last quarter of 2010.
When did you decide to exploit the security holes and why?
Well, at first I thought I should stay away from trouble and they would find it sooner or later. After over a year without a fix, I decided to exploit them, to confirm they’re exploitable and also to inform them of my good intentions.
Finally, I wanted to improve my skills, as they must have tech guys better than me.
What did you do with all the information you came upon while exploiting their servers?
In the last quarter of 2011 I went to the nearest UN office and told them. They didn’t take it seriously.
They didn’t take me seriously because they didn’t know what the danger of hacking is. They didn’t realize that anyone can bring sensitive data onto the Internet and bring the network down.
The only thing they were considering was UN.org. As I hadn’t breached it yet, I told them I can but I don’t have permission. They took my number and said they would check it.
They failed to do anything about it, so after 3 weeks I went to the American Embassy. I felt they should take care of the issue.
There, from 8:00 AM to 3:00 PM I was waiting, talking, they took my picture and asked me hundreds of questions because they felt like I was coming from a terrorist organization.
From 8:00 to 12:00 I was talking to the security staff. Then they called an American guy outside to meet me. He was laughing and joking about me being a hacker. I didn’t know if he was joking or being sarcastic. He just kept skipping the main topic and talked about hacking.
He was confused. Then I described the issue to him. He took my email, phone number, checked my id.
Then he said “if I were you I would delete the information from the laptop”. I told him “what’s the point then?”
Then he was again talking off the topic and confused until the security guard told him that I showed him the database stuff, and some serious info.
He got more serious and believed me. He went 4 meters away to talk on the phone. I was thinking they were going to kidnap me :)
They said “this is not our issue. It’s the UN’s issue.” I told them that the UN headquarters are in America. I told them that I went to the local organization, but they didn’t take me seriously. I told them that I came to them to tell the counselor or anyone who could take care of the problem.
They told me to write everything on a paper and copy the files I have to a CD.
I asked for a guarantee or something like an NDA so I wouldn’t get illegally involved. He said “OK, but the problem is not confirmed yet.” And they kept skipping my needs.
I wrote like 3 pages. Not the full story, only a quick demonstration about what happened. Then they started to ask me where I live, where I work, blah blah blah.
Then I started to give them the data and again I asked for a guarantee, but nothing. After they took what they needed they entered a room and I was kept waiting outside till 3:00 PM.
I asked a guard and he said they would take the issue seriously, and after they checked it they said they can’t give a guarantee or a statement. I had asked for a statement saying that I gave them the information because it’s not mine, or ours, and that it can be considered illegal.
3 days later nothing changed.
Did you try to contact them by email and other means of communication or did you directly go to them in person?
I didn’t know which department I breached, and the UN is a huge organization. Also, in Sudan the UN went away for the last year because of the situation in the country. I checked the contact form, but they left Sudan. One office remained that I went to personally.
Why did you think that the American Embassy could help you?
Well, the UN office I talked to didn’t take any action or investigate further, and left the issue at nothing. As I felt that I hadn’t talked to the right person, I wanted to send my message to the headquarters in America, but didn’t want to make the same mistake.
The American embassy should have good contact with the UN and I felt they could handle the situation. Also, I was going to go to the British embassy, but I heard they have strict rules if I went there. So my choice was the American embassy.
How do you think organizations should handle these incidents?
With serious steps and immediate action as they put the organization in danger. Also, they should have trained people that can deal with these kinds of situations.
Someone else could use these vulns to gain access to sensitive information, use them for an attack or anything illegal.
Is there anything else you want to add?
Yes. I found the vulns by accident. Also, I put some backdoors in their systems in case it got fixed without contacting me.
I will complete my breach if there is no action, just to make them hurry up, because I know if these vulns fall into the wrong hands it will be a big issue. The UN tech guys said it’s not related to un.org and that it’s some agency website or server. I can confirm they are wrong, as you will see these 2 networks are from un.org.
I have access to a lot of PCs and if they don’t contact me I will publish everything online.
Note: The screenshots are a small part of the proof provided by the hacker to show that he gained access to the UN sites.
The names of the sites will not be disclosed in order to avoid encouraging other hackers to breach them.