August 15th, 2009, 09:13 GMT · By Catalin Cimpanu

UN Admins Leave Vulnerability Unfixed

UN admins leave website vulnerability unfixed
Robert Graham, an expert at Errata Security and the first person to find the vulnerability behind the UN website attack in 2007, reported on his blog that United Nations security admins have failed to fix the problem. The UN website is still as vulnerable as it was two years ago to massive SQL injection, as can be seen in the attached screenshot.

In August 2007, three hackers defaced the United Nations website, replacing Secretary-General Ban Ki-moon's speech with their own pacifist statement. They were able to do this with a simple SQL injection technique: as Mr. Graham later proved, parameters could be appended to the ASP page's URL straight from the browser's address bar and ended up inside the database query.
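To illustrate the class of bug described above, here is an added example in Python (not the UN site's code, which is not public) with an in-memory SQLite table standing in for the site's content database and an assumed query parameter name of statid. The first lookup pastes the URL parameter into the SQL text, the second binds it so the database treats it strictly as data, and the third adds input validation in front of the bound query.

```python
import sqlite3

# Constructed sample rows standing in for the site's statements table.
SPEECHES = [
    (1, "Secretary-General remarks", "published"),
    (2, "Draft statement", "unpublished"),
    (3, "Press briefing", "published"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO speeches VALUES (?, ?, ?)", SPEECHES)
    return conn


def lookup_vulnerable(conn, statid):
    """The flawed pattern: the query-string value is concatenated into the SQL,
    so anything in it that is not a number becomes part of the statement and
    can widen the WHERE clause to rows the page never meant to expose."""
    sql = ("SELECT title FROM speeches WHERE status='published' AND id="
           + statid + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, statid):
    """The fix: bind the value; the driver never re-parses it as SQL, so a
    non-numeric value simply matches nothing."""
    sql = "SELECT title FROM speeches WHERE status='published' AND id=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (statid,))]


def lookup_validated(conn, statid):
    """Defence in depth: reject anything that is not the integer the page
    expects before it reaches the database. Logging the rejection gives the
    operators a detection signal for tampered URLs."""
    if not statid.isdigit():
        raise ValueError("rejected non-numeric statid: %r" % statid)
    return lookup_parameterized(conn, int(statid))
```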

In a statement on his blog, Robert Graham said, “There are a couple lessons here. The first is that no matter how simple the fix, organizations like the UN cannot do it. Despite the fact a high-school intern can fix the bug in 5-minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix the bug.”

He also added, “The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack,” accusing United Nations website admins of laziness and unprofessionalism.

SQL injection with a parameter inside the address bar URL
This inaction may be explained by the fact that even a simple bug fix inside a complex and massive organization like the UN can mean mountains of paperwork for any IT manager, and the request can always be vetoed by a superior who does not understand its importance or its cost.

Security fixes in organizations that have no tradition of hack-proofing, or no security department of their own, can easily escalate in cost because of third-party companies, outsourcing, external consultants, extended timelines and more.

Another explanation may be that the United Nations website contains only news, articles and statements, with no financial or otherwise sensitive data. That alone makes security spending hard to justify, since it is easier and much cheaper to clean up after an attack than to prevent one. It has also made the website an unattractive target for hackers: until now, no other attack on the UN website has been recorded.
