Forgot your password?
typodupeerror
Security Government Politics

United Nations vs SQL Injections 144

Posted by CmdrTaco
from the virtual-security-is-hard-too dept.
Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message. This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."
This discussion has been archived. No new comments can be posted.

United Nations vs SQL Injections

Comments Filter:
  • What? (Score:3, Funny)

    by Junior J. Junior III (192702) on Sunday August 12, 2007 @12:42PM (#20203647) Homepage
    The UN was ineffective due to half-assedly fucking up a security detail? That's un-possible!
    • Re: (Score:2, Funny)

      by MrNaz (730548)
      Haha UN-possible. *giggles uncontrollably* OK I'm done.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      From the article:

      If only prepared SQL statements were used properly, this embarrassing incident would have been easily prevented.
      And yes, prepared statements are available even in the very obsolete ASP "Classic" + ADODB Microsoft setup they're using. (screenshot)

      The UN was ineffective because it relied on Microsoft. Microsoft, btw, is a US company.
    • Security is hard (Score:1, Interesting)

      by Anonymous Coward
      In the world of developing high volume web sites in a secure fashion, it is very easy to say "proactive," but very hard to do.

      I have worked with many web developers who thought they knew a lot about making web sites secure, and who didn't even know what a SQL Injection vulnerability was. Why didn't they know? Because they had never run across it before. It had not been taught in their school, nor in any of the "how to use Microsoft Visual Studio" training they had.

      The "well nobody told me" problem is har
      • by pAnkRat (639452)
        Sorry, but people who charge money for website development (aka. professionals)
        and who claim they don't know what SQL-Injection or Cross Site Scripting is about,
        should get theit development license revoked or something.

        "I don't know" is a very lame excuse, espacialy if they call themselves a pro.

        I know that complete security is near impossible, but basics are still basics.
        This is like a doctor claiming he had until now never heard about steril(?) scalpels and hygiene basics.
        You don't excpet to die from wou
    • Good one, one of my favs is "Hello Super Nintendo Chalmers".

      LOL!
  • Nonono! (Score:3, Funny)

    by Funkcikle (630170) on Sunday August 12, 2007 @12:48PM (#20203687)
    It wasn't hacked! Their website clearly states it is down for scheduled maintenance. Honestly, some people need to stop spreading these fake stories!
  • both quite surprising to find in such a high profile site

    Are we really that surprised? I thought it was pretty standard that most of the "high profile sites" out there are the ones least likely to understand the importance of keeping their software up to date. It seems like the larger the company/organization/multi-national quasi-governmental agency, the more likely they are to simply buy in to whatever is being promoted by (insert your favorite vendor here), and won't upgrade unless something breaks or

    • Re:Surprising? (Score:4, Insightful)

      by LurkerXXX (667952) on Sunday August 12, 2007 @01:06PM (#20203821)
      Did you not read the article at all? This had nothing to do with patching the system. It had to do with them hiring someone who never bothered to learn about SQL and security. It had nothing to do with the tools/system used. It had to do with incompetence of the person hired to set it up.
      • Re: (Score:2, Redundant)

        by John Jorsett (171560)
        What, cronyism, featherbedding, and incompetence at the UN? That's unpossible!
      • Re:Surprising? (Score:5, Informative)

        by drspliff (652992) <harry.roberts@NOSPAM.midnight-labs.org> on Sunday August 12, 2007 @01:25PM (#20203969)
        This is pretty much standard for a lot of government organisations, or atleast I've seen it many times myself.

        I don't know how to explain it, but a lot of the people I've seen create websites for government or local authority branches are business types lacking on the technical side. Basically the person who the project manager likes most, regardless of reviewing their technical ability on previous sites other than quickly browsing through one or two and going "ohh, thats nice isnt it!".

        On one occasion I've seen a company win the contract simply because the paper they sent to the project manager sparkled slightly in the light and was followed up by a long phone call. Their websites were utter trash, but they were very good at making money.

        I suspect the same happened here :)
        • Re: (Score:3, Insightful)

          by LurkerXXX (667952)
          I've seen exactly the same in many many companies where I've been called in to clean up the mess. Hiring of incompetent staff is by no means limited to government.
        • I don't know how to explain it
          government-type jobs usually go to the lowest bidder, (usually) no matter how much they suck at whatever tasks they're supposed to perform
          • by drspliff (652992)
            Personally I'd say it's more about perception of value, I've seen several contracts approved by management because they check all the boxes and are closer to what the expected budget is, instead of being technically competant and providing what they actually need. Sadly most of the companies that won these contracts were Microsoft shops.
        • I've worked in both commercial and government organizations, and stupidity happens in both. If a commercial site messes up, it is just easier for them to hide it because the consequences are usually more localized and they can just pay off parties affected.

          Almost all companies and organizations are cheap and want the most while paying the least. Governments are often not given much money for items outside of their core function, and websites often fall into that classification. Commercial entities do spend
        • by ShakaUVM (157947)
          I don't know how to explain it, but a lot of the people I've seen create websites for government or local authority branches are business types lacking on the technical side. Basically the person who the project manager likes most, regardless of reviewing their technical ability on previous sites other than quickly browsing through one or two and going "ohh, thats nice isnt it!".

          So you're saying that government is all politics, then?
      • Did you not read the article at all?
        You must be new here! ;)
      • Could your please forward your comment to http:/// [http] www.un.org?user=user&pass=pass&query=INSERT%20INTO %20MainTable%VALUES%20('[your comment]').

        Thank you. This could be most helpful.
      • by Qrlx (258924)
        It had to do with incompetence of the person hired to set it up.
        Unless that person falsified their resume, I would place the blame on the incompetence of the person who extended the job offer.

        If you hire someone with no arms to flip burgers, don't blame them when your hamburger stand is a failure. Unless s/he wore prosthetic arms to the interview or something. And even then, you still made a bad hire.
    • by foobsr (693224)
      I thought it was pretty standard that most of the "high profile sites" out there are the ones least likely to understand the importance of keeping their software up to date.

      Probably also — my bias — because all the persons in charge are so qualified (along the lines: younger than ever, experience > age, always only A++ level grades, superb team-players with ultimate social and leadership capabilities) that they more care about quantum career leaps.

      CC.
  • by background image (1001510) on Sunday August 12, 2007 @12:50PM (#20203707)

    This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site.

    Maybe it's not such a surprise, considering that

    • they've used MS Word to make their 'down for maintenance' page
    • the code (not including the image) for that one sentence page is > 11k...
    • by gad_zuki! (70830)
      Exactly. The UN is acting like many boneheaded companies that have some administrative assistant doing "the webpage" instead of hiring a professional. I'm sure the server was setup by someone's kid too. The real shame here is that there are lots of talented tech workers looking for work. Lowballing only hurts the cheapskates in the end.
  • by JosefAssad (1138611) on Sunday August 12, 2007 @01:07PM (#20203831) Homepage
    What a waste of an exploit.

    I personally would have sneaked in and invented a new UN agency with its own inscrutable and almost-pronounceable acronym, and then sat back and watched.

    Just imagine if, halfway down this page [un.org], you get an entry like this:

    UNCRP: Works in field missions to improve standards in accordance with self-determined metrics. Composed of members elected to permanent positions based on a variety of factors subservient to aforementioned goals, assuming goals have been determined prior to agency initiation. Primary work areas include inter-agency provision of UNCRP-related efforts, with the ultimate objective of improving standards, mainly in the field.

    One quick email to follow up:

    To: secgen@un.org
    From: Agency Coordination and Initiation Subcommittee to the Secretariat
    Subject: Need traction on UNCRP agency kickstart

    Dear sir:

    With respect to the newly established UNCRP agency, we respectfully request formal approval of resources. We expect to be operational within 5 years and will submit the initial statement of work within 3 years from approval.

    Thank you for providing the momentum to this newly founded agency; we have dedicated much effort to the realization of the UNCRP, as it is conducive to the eradication of, several things in the UN charter.


    Regards,


    Rolf Wittigersen

    And that should be it. Make yourself some popcorn, and watch the headless wonder of a new UN agency being created. At least with the UNCRP, it would be purposeless by design rather than through the diligent work of its employees.

    • Re: (Score:3, Funny)

      by eggoeater (704775)

      ...missions to improve standards in accordance with self-determined metrics...
      ....based on a variety of factors subservient to aforementioned goals...
      ...work areas include inter-agency provision...
      ...with the ultimate objective of improving standards...
      Hey!
      I recognize that writing....
      You're the CTO/CIO for my company, aren't you??

    • by Jugalator (259273)
      Agreed. Seriously, what's wrong with hackers not even able to type properly? If you saw the thumbnail-sized photo of the defaced site in the article link, you'd know what I'm talking of. It looks like absolute crap. My mom is a better web designer. A 10 year old has better grammar. I don't get it. After going through the work of planning and attacking a site, why are they making sure it looks like an obvious attack? Isn't the point then lost?
    • Beside the overly zealous use of commas, that would, with all due respect, convince the Secretary General, if he is the recipient, that the email was, in fact, sent by William Shatner, its a great idea!
    • by TheLink (130905)
      You're assuming this exploit was the first. How'd you know that it hasn't already been exploited before in secret?

      MS SQL server in some configs can allow people to do all sorts of stuff.
    • Re: (Score:3, Informative)

      by Jugalator (259273)
      Interesting... And if you're a confused moderator, note that the ending apostrophe is to be part of the URL, but wasn't here due to Slashdot's auto-link generation.

      You'll get

      ADODB.Recordset.1 error '80004005'

      SQLState: 37000
      Native Error Code: 8180
      SQLState: 37000
      Native Error Code: 105
      [MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
      [MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared. /apps/news/infocus/sgspeeches/statments_full.asp,
  • This is not unlike an issue I discovered a little while back. An online application suite for schools designed for easy manipulation of databases containing student records was subject to SQL injection using the web interface. The web interface was designed for parents to get an up to date progress report for their child, or for students to select courses without resorting to paperwork.

    Well, passing along the escape character (') to the login page returned the following message:
    java.sql.SQLException: O
    • To escape quotes in Oracle, use two quotes (''), so if you used an expression:

      replace(p_input_parm,'''','''''')

      This would replace all single quotes with escaped quotes. With the quotes escaped in Oracle, SQL Injection attacks go nowhere. You should also escape the HTML characters < and > to prevent someone from injecting Javascript into your site. There is a function in Oracles OWA_UTIL package for this.

      • With the quotes escaped in Oracle, SQL Injection attacks go nowhere.

        Not exactly true. Quote-less sql injection is possible, as whitnessed by the numerous successful SQL rape attacks against Coldfusion sites. You just need to pick a URL that has a number inside it, rather than a string. If your parameter is a number, no need to close any quote.

        And, in order to sneak in your own string, use the char(72)%2Bchar(101)%2Bchar(108)%2Bchar(108) %2Bchar(111)%2Bchar(32)%2Bchar(119)%2Bchar(111)%2B char(114)%2Bchar(108)%2Bchar(100)%2Bchar(33) trick.

        Hmm, looks like the only real prot

  • Unavailable due to scheduled maintenance. Heheheh. Also, why is lying always the first reaction? Scheduled my ass. I'm getting fed up of this. Lies everywhere.
    • by FireFlie (850716)
      Of course it is also a possibility that this is a generic "this page is down" placeholder, and someone just hit a button to remove the offending page as quickly as possible while they contacted someone that could actually do something about it.
  • At first reading, I thought that the UN was defaced by some white people, and the author was just being racist.

    Then I imagined that the UN as a society of pimps. This is where I live now. In my mind.
  • So it coincidence the site is down for scheduled maintenance right now? I suppose this maintenance was scheduled immediately following their defacement?

    SQL injection in a high-profile site is not surprising or uncommon. When you work with back end databases, your protection from such an attack is only all the programmers that make up the DB interfaces on your website. This happens often due to laziness, lack of knowledge, or simple mistakes. It's pretty frequent when you have people collaborate on a p
    • by danpsmith (922127)

      That "other" guy that did 5% of it could eb the reason you just got hacked. Web attacks are becoming more and more common and will continue to rise with Web 2.0 features. Surprising? Not at all... we see this stuff all the time and on more popular sites than un.org (is that really saying much?).

      It seems like most of the people talking about AJAX and Web2.0 don't even really know what it is. Ajax isn't any bigger of a security threat than is allowing the users of your website to use get or post on a URL, w

  • Hardly a surprise (Score:5, Interesting)

    by Opportunist (166417) on Sunday August 12, 2007 @03:32PM (#20204823)
    You'll notice that webpages of governments, political parties and other highly bureaucratic systems are usually quite vulnerable. This is due to a few factors.

    First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.

    Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.

    And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
    • Re: (Score:3, Insightful)

      by rtaylor (70602)

      And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
      You often get what you pay for. The population demands low paid government workers then wonders why they get low quality government work completed.
  • by michaelhood (667393) on Sunday August 12, 2007 @03:43PM (#20204909)
    to check for SQL injection like this on a website is to do something like this:

    http://www.un.org/apps/news/infocus/sgspeeches/sta tments_full.asp?statID=105%20OR%201=1

    If they're not using parameter binding and/or properly sanitizing user input, this should return a different record (article in this case) than the original URL. - http://www.un.org/apps/news/infocus/sgspeeches/sta tments_full.asp?statID=105
  • Still vulnerable (Score:2, Informative)

    by Ysangkok (913107)
    Still vulnerable: SQL error [un.org]
  • Don't worry (Score:2, Funny)

    by owidder (1034780)
    The UNO knows what to do. See my small cartoon: http://geekandpoke.typepad.com/geekandpoke/2007/08 /strong-uno.html [typepad.com] Bye, Oliver
  • While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don't. There's a technical reason for the missing apostrophe, though, because messing with this very character (') is part of the technique apparently used by the attackers.

    There is no stumbling block here. All the hacker had to do would be to escape their own apostrophe. That's the very vulnerability that makes this work.

    '; update speeches set text = 'Don''t try to hack this

  • Representatives from the United States of; DROP TABLE; frown on such SQL Injections
  • 'Cause nothing says, "Pacifist" like vandalizing somebody else's stuff...
    • by inKubus (199753)
      It's definitely in contrast to protesting the UN by throwing a rock through their front door... So yes, they were "peaceful" in their protest. Of course, it might be illegal, but no one was really "hurt" in the process.
      • No one except the network admins who have to make sure everything is fixed. Unless they use open source software, then we know their time is worthless.

Computers are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable. -- Gilb

Working...