United Nations vs SQL Injections

Posted by CmdrTaco on Sun Aug 12, 2007 11:39 AM
from the virtual-security-is-hard-too dept.
Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message. This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."
  • What? (Score:3, Funny)

    by Junior J. Junior III (192702) on Sunday August 12 2007, @11:42AM (#20203647) Homepage
    The UN was ineffective due to half-assedly fucking up a security detail? That's un-possible!
  • Nonono! (Score:3, Funny)

    by Funkcikle (630170) on Sunday August 12 2007, @11:48AM (#20203687)
    It wasn't hacked! Their website clearly states it is down for scheduled maintenance. Honestly, some people need to stop spreading these fake stories!
  • both quite surprising to find in such a high profile site

    Are we really that surprised? I thought it was pretty standard that most of the "high profile sites" out there are the ones least likely to understand the importance of keeping their software up to date. It seems like the larger the company/organization/multi-national quasi-governmental agency, the more likely they are to simply buy in to whatever is being promoted by (insert your favorite vendor here), and won't upgrade unless something breaks or

    • Re:Surprising? (Score:4, Insightful)

      by LurkerXXX (667952) on Sunday August 12 2007, @12:06PM (#20203821)
      Did you not read the article at all? This had nothing to do with patching the system. It had to do with them hiring someone who never bothered to learn about SQL and security. It had nothing to do with the tools/system used. It had to do with incompetence of the person hired to set it up.
      • What, cronyism, featherbedding, and incompetence at the UN? That's unpossible!
      • Re:Surprising? (Score:5, Informative)

        This is pretty much standard for a lot of government organisations, or at least I've seen it many times myself.

        I don't know how to explain it, but a lot of the people I've seen create websites for government or local authority branches are business types lacking on the technical side. Basically the person who the project manager likes most, regardless of reviewing their technical ability on previous sites other than quickly browsing through one or two and going "ohh, that's nice isn't it!".

        On one occasion I've seen a company win the contract simply because the paper they sent to the project manager sparkled slightly in the light and was followed up by a long phone call. Their websites were utter trash, but they were very good at making money.

        I suspect the same happened here :)
        • Re: (Score:3, Insightful)

          I've seen exactly the same in many many companies where I've been called in to clean up the mess. Hiring of incompetent staff is by no means limited to government.
        • I've worked in both commercial and government organizations, and stupidity happens in both. If a commercial site messes up, it is just easier for them to hide it because the consequences are usually more localized and they can just pay off parties affected.

          Almost all companies and organizations are cheap and want the most while paying the least. Governments are often not given much money for items outside of their core function, and websites often fall into that classification. Commercial entities do spend
        • I don't know how to explain it, but a lot of the people I've seen create websites for government or local authority branches are business types lacking on the technical side. Basically the person who the project manager likes most, regardless of reviewing their technical ability on previous sites other than quickly browsing through one or two and going "ohh, that's nice isn't it!".

          So you're saying that government is all politics, then?
          • Using something like mysql_real_escape_string is a very bad idea (not least because it means you're using MySQL, but that's another story). If you use it properly, it can work, but like reading input directly into a buffer on the stack, it is incredibly easy to use incorrectly.

            Most database APIs have some analogue of printf specifically designed for producing escaped SQL strings. These allow SQL statements to be constructed in a completely safe way. Always use these instead of manually constructing SQ

  • by background image (1001510) on Sunday August 12 2007, @11:50AM (#20203707)

    This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site.

    Maybe it's not such a surprise, considering that

    • they've used MS Word to make their 'down for maintenance' page
    • the code (not including the image) for that one sentence page is > 11k...
    • Exactly. The UN is acting like many boneheaded companies that have some administrative assistant doing "the webpage" instead of hiring a professional. I'm sure the server was setup by someone's kid too. The real shame here is that there are lots of talented tech workers looking for work. Lowballing only hurts the cheapskates in the end.
      • If they're clueless enough to use Word to write Web pages, that's evidence that they may be clueless enough to not properly secure their web server.
      • by SplatMan_DK (1035528) on Sunday August 12 2007, @12:08PM (#20203843) Homepage Journal
        weicco, I think his point is that an IT organization that uses 11 Kb of rubbish-style HTML code generated in MS Word to write "Down for scheduled maintenance" on a web page is likely to treat their server security issues with the same "professionalism". :-)

        - Jesper
        • Or maybe that page was a quickie that an intern put up until the real developer gets in on Monday.

          (Of course, given that this happened in the first place, that isn't entirely likely. heh)
  • by JosefAssad (1138611) on Sunday August 12 2007, @12:07PM (#20203831) Homepage
    What a waste of an exploit.

    I personally would have sneaked in and invented a new UN agency with its own inscrutable and almost-pronounceable acronym, and then sat back and watched.

    Just imagine if, halfway down this page [un.org], you get an entry like this:

    UNCRP: Works in field missions to improve standards in accordance with self-determined metrics. Composed of members elected to permanent positions based on a variety of factors subservient to aforementioned goals, assuming goals have been determined prior to agency initiation. Primary work areas include inter-agency provision of UNCRP-related efforts, with the ultimate objective of improving standards, mainly in the field.

    One quick email to follow up:

    To: secgen@un.org
    From: Agency Coordination and Initiation Subcommittee to the Secretariat
    Subject: Need traction on UNCRP agency kickstart

    Dear sir:

    With respect to the newly established UNCRP agency, we respectfully request formal approval of resources. We expect to be operational within 5 years and will submit the initial statement of work within 3 years from approval.

    Thank you for providing the momentum to this newly founded agency; we have dedicated much effort to the realization of the UNCRP, as it is conducive to the eradication of, several things in the UN charter.


    Regards,


    Rolf Wittigersen

    And that should be it. Make yourself some popcorn, and watch the headless wonder of a new UN agency being created. At least with the UNCRP, it would be purposeless by design rather than through the diligent work of its employees.

    • ...missions to improve standards in accordance with self-determined metrics...
      ....based on a variety of factors subservient to aforementioned goals...
      ...work areas include inter-agency provision...
      ...with the ultimate objective of improving standards...
      Hey!
      I recognize that writing....
      You're the CTO/CIO for my company, aren't you??

    • Agreed. Seriously, what's wrong with hackers not even able to type properly? If you saw the thumbnail-sized photo of the defaced site in the article link, you'd know what I'm talking of. It looks like absolute crap. My mom is a better web designer. A 10 year old has better grammar. I don't get it. After going through the work of planning and attacking a site, why are they making sure it looks like an obvious attack? Isn't the point then lost?
    • Re: (Score:3, Informative)

      Interesting... And if you're a confused moderator, note that the ending apostrophe is to be part of the URL, but wasn't here due to Slashdot's auto-link generation.

      You'll get

      ADODB.Recordset.1 error '80004005'

      SQLState: 37000
      Native Error Code: 8180
      SQLState: 37000
      Native Error Code: 105
      [MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
      [MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared. /apps/news/infocus/sgspeeches/statments_full.asp,
  • Unavailable due to scheduled maintenance. Heheheh. Also, why is lying always the first reaction? Scheduled my ass. I'm getting fed up of this. Lies everywhere.
  • So it's a coincidence the site is down for scheduled maintenance right now? I suppose this maintenance was scheduled immediately following their defacement?

    SQL injection in a high-profile site is not surprising or uncommon. When you work with back end databases, your protection from such an attack is only all the programmers that make up the DB interfaces on your website. This happens often due to laziness, lack of knowledge, or simple mistakes. It's pretty frequent when you have people collaborate on a p
  • Hardly a surprise (Score:5, Interesting)

    by Opportunist (166417) on Sunday August 12 2007, @02:32PM (#20204823)
    You'll notice that webpages of governments, political parties and other highly bureaucratic systems are usually quite vulnerable. This is due to a few factors.

    First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.

    Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.

    And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
    • Re: (Score:3, Insightful)

      And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
      You often get what you pay for. The population demands low paid government workers then wonders why they get low quality government work completed.
  • by michaelhood (667393) on Sunday August 12 2007, @02:43PM (#20204909)
    to check for SQL injection like this on a website is to do something like this:

    http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105%20OR%201=1

    If they're not using parameter binding and/or properly sanitizing user input, this should return a different record (article in this case) than the original URL. - http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105
  • Still vulnerable: SQL error [un.org]
  • The UNO knows what to do. See my small cartoon: http://geekandpoke.typepad.com/geekandpoke/2007/08/strong-uno.html [typepad.com] Bye, Oliver
  • While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don't. There's a technical reason for the missing apostrophe, though, because messing with this very character (') is part of the technique apparently used by the attackers.

    There is no stumbling block here. All the hacker had to do would be to escape their own apostrophe. That's the very vulnerability that makes this work.

    '; update speeches set text = 'Don''t try to hack this
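As an added example (not code from the article or from any comment in this thread), here is the concatenated-query pattern next to the parameter-binding pattern the mysql_real_escape_string reply recommends, run against a constructed in-memory SQLite table that borrows the speeches/statID names quoted in the thread. It shows why the `OR 1=1` probe described above changes the result set, why the doubled-apostrophe escape in this comment works, and why binding makes both moot; the sample rows and the error-handling branch are assumptions of the example.

```python
import sqlite3

# Constructed sample rows standing in for the speeches archive the thread
# discusses. The table and column names (speeches, statID, text) come from
# the SQL fragments quoted in the thread; the rows themselves are made up.
SPEECHES = [
    (104, "Remarks on climate change"),
    (105, "Address to the General Assembly"),
    (106, "Message on World Humanitarian Day"),
]


def make_db():
    """In-memory SQLite database standing in for the site's SQL Server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE speeches (statID INTEGER PRIMARY KEY, text TEXT)")
    con.executemany("INSERT INTO speeches VALUES (?, ?)", SPEECHES)
    return con


def fetch_concat(con, stat_id):
    """Vulnerable pattern: the query-string value is pasted into the SQL text,
    so whatever it contains is parsed as SQL. Returns the matching statIDs, or
    the driver's error text when the statement will not parse (the ASP page
    in the thread leaked exactly this kind of message to the browser)."""
    sql = "SELECT statID FROM speeches WHERE statID = " + stat_id
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def fetch_bound(con, stat_id):
    """Hardened pattern: the value is bound as a parameter. The statement's
    structure is fixed before the value is seen, so the input that widened the
    result set above is only a string that matches no statID."""
    sql = "SELECT statID FROM speeches WHERE statID = ?"
    return [row[0] for row in con.execute(sql, (stat_id,))]


def store_text_escaped(con, stat_id, text):
    """Manual escaping, as the thread describes: inside a SQL string literal an
    apostrophe is written as two apostrophes. Correct when applied to every
    value, but one forgotten call reopens the hole, which is the argument for
    binding instead."""
    literal = "'" + text.replace("'", "''") + "'"
    con.execute(f"INSERT INTO speeches VALUES ({int(stat_id)}, {literal})")
    row = con.execute("SELECT text FROM speeches WHERE statID = ?", (stat_id,))
    return row.fetchone()[0]


def store_text_bound(con, stat_id, text):
    """Binding: the apostrophe travels as data and needs no escaping at all."""
    con.execute("INSERT INTO speeches VALUES (?, ?)", (stat_id, text))
    row = con.execute("SELECT text FROM speeches WHERE statID = ?", (stat_id,))
    return row.fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(fetch_concat(db, "105"))         # [105]
    print(fetch_concat(db, "105 OR 1=1"))  # [104, 105, 106]: every speech
    print(fetch_concat(db, "105'"))        # "error: ...": statement does not parse
    print(fetch_bound(db, "105"))          # [105]
    print(fetch_bound(db, "105 OR 1=1"))   # []
    print(store_text_escaped(db, 107, "Don't try this"))  # Don't try this
    print(store_text_bound(db, 108, "Don't try this"))    # Don't try this
```

The same unbalanced quote that produces the ADODB error quoted earlier in the thread surfaces here as the driver's parse error, which is why raw database errors should be logged server-side rather than returned to the client.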

    • Re: (Score:3, Insightful)

      Or the standard page when the web monkey flips the "maintenance mode" switch...

      Plus I'm sure they scheduled the downtime (for right now) after they noticed the crack.
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      Shame on you, let me explain why: INFO: As a matter of fact Israel is the only real democracy of the area and is surrounded by enemy nations for religious matters. The last one is Lebanon (a muppet-state with apparently no powers on its own territory). In Lebanon there is an "official" army hitting Palestinian refugees and another Islamic army (Hezbollah) which is financed by other nations and likes to advocate the death of Israelis and send casual ballistic missiles on "enemy" cities. Palestinians like to de
        • Re: (Score:2, Insightful)

          I'll bite, anon.
          You may have noticed that in all of Israel's neighbors, you would be hard-pressed to find ONE secular state, or even a functioning democracy.
          Whereas in Israel, fundamentalist nutjobs do get fined or jailed whenever they stir up trouble. They don't get to evade the law when they excise their daughters, slay victims of rape in "honor killings", lapidate adulterers, etc, etc, etc.
              • 'If I remember correctly, they were given the land of Israel by, in fact, the United Nations in 1948... or, well, they approved at least. I guess Britain technically "owned" it.'

                If you ask the British or I'm sure the Jews. If you ask anyone else in the middle east I think you would hear a different story.

                'Indeed.. rise and fall of nations apparently is entirely ... well, mostly based on force. Romans, Greeks, Babylonians, Persians, Medes, Turks, English, American...'

                No question about it and that only makes
                • 'Basically, both Jews and Muslims claim the "holy land" as their own. So, who do we support, then, or do we just let them blow themselves to bits?'

                  At the heart of the problem is that Muslims and Christians both desperately want to be Jews. They, too, want the 'special deal' with 'god' that the Jews got.

                  But the Jews don't want someone not born a Jew (or who went thru a *very* special process of conversion) to share in Jewness. The Jews want neither Muslims nor Christians to be Jews.

                  This 'Holy land' is holy t
      • Since when was a UN resolution worth more than the paper it was written on?

              Since no one (cough America) listens to the UN anymore. This is hardly the UN's fault. Just like the league of nations, it has no power to enforce its mandates. Blame the countries that refused to empower the UN.
        • Re: (Score:2, Interesting)

          Any organization which elects Libya to chair its "Human Rights Council" automatically loses any right to be taken seriously.

          Seriously, is it possible any more to even pretend that the UN is anything but a forum for tinpot dictators and other nameless losers to bitch, complain, and blame the west for all of Earth's problems?

          Come to think of it ..... it kinda reminds me of Slashdot, actually ;)
          • Seriously, is it possible any more to even pretend that the UN is anything but a forum for tinpot dictators and other nameless losers to bitch, complain, and blame the west for all of Earth's problems?
            That's, ah, er, the point of the United Nations. Avoid World War III by making a place where every nation can come and bitch to the rest of the world.

            All the rest of it is just gravy.
          • Libya chaired the Commission on Human Rights, not the Human Rights Council. The Human Rights Council is in fact the successor to the now-defunct Commission on Human Rights; it was created to address the failures of the UNCHR, and Libya's tenure as chair was part of the impetus for the creation of the new body. Although the UNHRC has not fared much better, it is nonetheless wise not to ignore actual facts in favor of needless polemics.
    • ... since accusing the US and Israel of killing children and other people is pretty much the usual UN message.
      Didn't RTFA, huh? The message clearly said that the US and Israel "dont (sic) kill children and other people".
    • by Etherwalk (681268) on Sunday August 12 2007, @12:50PM (#20204165) Homepage
      As a nation, the US has made numerous commitments to the UN, and that includes agreements to follow things like the Universal Declaration of Human Rights. When we *agree* to follow International Law, we ought to, don't you think? Especially when we're heavily involved in creating that law in the first place?

      The fact is that the UN, while it does have a lot of problems, is also far more effective and dare-I-say-it even important than most people in the US ever give it credit for. It's far from a perfect system, but it's still the best we have. We're one of the rich kids on the playground, and one of the strong kids on the playground, and we don't always enjoy what the student government wants to do--so we turn away from it sometimes. But that doesn't mean that it isn't important, or helpful, or that it doesn't, sometimes, do what's right. And that doesn't mean we shouldn't work with it, sometimes, and give it more credit for what it does and tries to do.

      Instead, we tend to discount it. Because sometimes we don't like what it says about us or others in the playground, and because it's politically convenient (and salable) for our leaders to emphasize our strength and autonomy, all of our accomplishments and our not-inconsiderable military and economic muscle, and all of our pride. Some degree of Nationalism isn't a terrible thing, and we do have a lot to be proud of--but we also still have a lot to do, and to accomplish, as a nation and as members of larger world, and pretending the other children on the playground are irrelevant doesn't help us to do those things.

      Also, don't you want the Universal Declaration of Human Rights to apply to US Citizens in a US Court or on the streets? The Bill of Rights is getting stretched more thinly every day, and the anti-terrorist effort (though directed in part by well-meaning people) is cutting swaths in our Constitution.

      --Me

      The subtlest change in New York is something that people don't speak much about but that is in everyone's mind. The city, for the first time in its history, is destructible. A single flight of planes no bigger than a wedge of geese can quickly end this island fantasy, burn the towers, crumble the bridges, turn the underground passages into lethal chambers, cremate the millions. The intimation of mortality is part of New York now: in the sound of jets overhead, in the black headlines of the latest edition.

      All dwellers in cities must live with the stubborn fact of annihilation; in New York the fact is somewhat more concentrated because of the concentration of the city itself, and because, of all targets, New York has a certain clear priority. In the mind of whatever perverted dreamer who might loose the lightning, New York must hold a steady, irresistible charm.

      It used to be that the Statue of Liberty was the signpost that proclaimed New York and translated it for all the world. Today Liberty shares the role with Death. Along the East River, from the razed slaughterhouses of Turtle Bay, as though in a race with the spectral flight of planes, men are carving out the permanent headquarters of the United Nations -- the greatest housing project of them all. In its stride, New York takes on one more interior city, to shelter, this time, all governments, and to clear the slum called war. ...

      This race -- this race between the destroying planes and the struggling Parliament of Man -- it sticks in all our heads. The city at last perfectly illustrates both the universal dilemma and the general solution, this riddle in steel and stone is at once the perfect target and the perfect demonstration of nonviolence, of racial brotherhood, this lofty target scraping the skies and meeting the destroying planes halfway, home of all people and all nations, capital of everything, housing the deliberations by which the planes are to be stayed and their errand forestalled.

      -- E.B. White, from "Here Is New York," 1948
      • It's far from a perfect system, but it's still the best we have.

        The UN is really a complete affront to democracy. It's effectively a five country dictatorship. You have 5 countries which can veto the will of all the world's countries and they can never be removed from their position on the Security Council. They can also veto the appointment of a UN Secretary General, even if the rest of the world wants that person for the role. It's amazing really that the media do not direct their attention at the UN's completely undemocratic structure rather than just its operati

      • is also far more effective and dare-I-say-it even important than most people in the US ever give it credit for

        What are the things that you are claiming that the UN is effective at? As far as I can tell, there are only two things: (1) giving hand-outs to the desperately poor, and (2) keeping tinpot dictators in power. One could argue that these together are self-perpetuating.

      • The fact is that the UN, while it does have a lot of problems, is also far more effective

        I doubt that very much. The UN couldn't pour sand out of a boot even with instructions written on the heel.

        How long has the genocide in Darfur been going on? Last I heard, the UN issued a proclamation that said basically, "stop or we'll say stop again". How about those times the UN security forces allowed militants and war lords to drive right past them and kill the civilians they were supposed to be protecting? How abou

        • Re: (Score:3, Insightful)

          You really need to lay off the theory and try living in the real world.

          Now let's pretend for a minute that 'positive liberty' is all BS. Let's pretend that the libertarian ideology on liberty is the most moral one. Let's say UN implements your Libertarian Declaration of Human Rights.

          Now how will that be a step in the right direction for the freedom and safety of mankind (pretty big words for statement devoid of any arguments)? Do realize that no one will even care about this document, let alone even paying
    • The idea of world government is a great idea but no one is ready for it.

      I don't know why so many people seem to think that putting all your eggs in one basket is at all wise.