United Nations vs SQL Injections
Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message.
This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."
The hole is still open, though... (Score:3, Interesting)
Security is hard (Score:1, Interesting)
I have worked with many web developers who thought they knew a lot about making web sites secure, and who didn't even know what a SQL Injection vulnerability was. Why didn't they know? Because they had never run across it before. It had not been taught in their school, nor in any of the "how to use Microsoft Visual Studio" training they had.
The "well nobody told me" problem is hard to surmount, and it can have dire consequences. A friend of mine worked at a place where the senior architect explicitly forbade parameterizing SQL queries because he thought it was needless code complexity and a waste of time! I have also seen developers struggle with the
One thing that got me a while back was an exploit reported by Microsoft involving a means by which extra information about the web site could be teased out of the http header under some circumstances. Our client followed Microsoft's instructions for tweaking IIS to prevent the attack, and several of our pages started trying to redirect to invalid URLs. Problems like that bug me because of how difficult it is to be aware of them in advance. One has to invest a lot of time in keeping up with the latest news on a wide variety of web-related technologies (just to learn about the problems), and even more time in re-writing your code based on the new knowledge. What was secure yesterday isn't secure today, and designing sites that will remain secure tomorrow requires a very great deal of money, time, and effort to be spent in activities that don't always seem to have a measurable benefit at the time.
So...I can sympathize.
Re:And Jews violated more laws under the Nazis, to (Score:2, Interesting)
Seriously, is it possible any more to even pretend that the UN is anything but a forum for tinpot dictators and other nameless losers to bitch, complain, and blame the west for all of Earth's problems?
Come to think of it
Hardly a surprise (Score:5, Interesting)
First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.
Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.
And finally the good ol' fact that the people who work there are usually not the cream of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
The easiest non-intrusive way (Score:3, Interesting)
http://www.un.org/apps/news/infocus/sgspeeches/st
If they're not using parameter binding and/or properly sanitizing user input, this should return a different record (article in this case) than the original URL. - http://www.un.org/apps/news/infocus/sgspeeches/st
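Parameter binding, as raised in the "Security is hard" comment above, shown beside the string-concatenation pattern that the last comment's probe relies on. This is an added example, not code from the UN site or from the linked article; it assumes a constructed in-memory SQLite table of speeches and a hypothetical `statid` parameter name.

```python
import sqlite3

# Constructed sample table standing in for a speech archive (not the UN site's schema).
SPEECHES = [
    (1, "Speech one", "Remarks on climate"),
    (2, "Speech two", "Remarks on peacekeeping"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO speeches VALUES (?, ?, ?)", SPEECHES)
    return conn


def fetch_concat(conn, statid):
    """The vulnerable pattern: the query-string value is pasted into the SQL text.
    A quote in the value changes the statement's structure, so a tautology
    appended to the id makes the WHERE clause match every row instead of one."""
    sql = "SELECT id, title FROM speeches WHERE id = '%s'" % statid
    return conn.execute(sql).fetchall()


def fetch_bound(conn, statid):
    """The fix: the value is bound as a parameter. The SQL text is fixed before the
    value is seen, so the value is only ever compared as data, never parsed as SQL."""
    return conn.execute("SELECT id, title FROM speeches WHERE id = ?", (statid,)).fetchall()


def lookup(conn, raw):
    """What a request handler should do: validate the type first, then bind."""
    if not raw.isdigit():
        return None  # an id must be a plain integer; anything else is rejected up front
    rows = fetch_bound(conn, int(raw))
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    probe = "1' OR '1'='1"  # constructed input: the textbook tautology test
    print("concatenated:", fetch_concat(db, probe))  # two rows: the WHERE clause was rewritten
    print("bound:       ", fetch_bound(db, probe))   # []: the whole string is compared as a literal
    print("validated:   ", lookup(db, "2"))          # (2, 'Speech two')
```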