United Nations vs SQL Injections
Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message.
This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."
Re: (Score:2, Insightful)
You may have noticed that in all of Israel's neighbors, you would be hard-pressed to find ONE secular state, or even a functioning democracy.
Whereas in Israel, fundamentalist nutjobs do get fined or jailed whenever they stir up trouble. They don't get to evade the law when they excise their daughters, slay victims of rape in "honor killings", lapidate adulterers, etc, etc, etc.
Re: (Score:1, Offtopic)
To the point, I might add, that at the moment, Muslims have control of the temple mount... the Hebrew/Jewish temple mount. And they put a mosque on it. They have done numerous things specifically to i
Re: (Score:1, Insightful)
But if the Jewish people have the God-given right to take the land now owned by someone else because they were there first, a lot of people will have to move out of their own country.
The 3 main ones off the top of my head -
America - native Americans
England - celts
Australia - aborigines.
Why ain't we giving them back the land? 2 of the 3 mentioned were within the last 300 to 100 years and even in the last century.
To say they have th
Re: (Score:1)
But if the Jewish people have the God-given right to take the land now owned by someone else because they were there first, a lot of people will have to move out of their own country. I believe I entirely left God out of the picture. Partially because you would likely complain that my religion was getting in the way of my politics, or something like that... so I left my religion entirely out of it, and never mentioned God.
why ain't we giving them back the land? 2 of the 3 mentioned was within the last 30
Re: (Score:2)
If you ask the British or I'm sure the Jews. If you ask anyone else in the middle east I think you would hear a different story.
'Indeed.. rise and fall of nations apparently is entirely
No question about it and that only makes
The heart of the matter... (Score:2, Funny)
At the heart of the problem is that Muslims and Christians both desperately want to be Jews. They, too, want the 'special deal' with 'god' that the Jews got.
But the Jews don't want someone not born a Jew (or who went through a *very* special process of conversion) to share in Jewness. The Jews want neither Muslims nor Christians to be Jews.
This 'Holy land' is holy t
Re: (Score:1)
Presuming you're not pro-Israel by default (in which case I'll never convince you), I'd just like to point out that it just is not true that the land now called "Israel" was most certainly NOT purely vacant prior to 1948, as you seem to believe. The land was populated, but since 1948 there have been incremental displacements of the local population, inch by inch, year by year. Just look at the current building of the wall. It
Re: (Score:1)
Only extremist groups? Hm. Was Germany an extremist group? I know, they weren't Islamic. But that wasn't really just an extremist group... admittedly, an "extremist group" ended up in control of the country, but there didn't appear to be a huge outcry by the general populace, either. Maybe there was and I'm not aware of it, of course.
According to Wikipedia [wikipedia.org], immediately after Israel was independent, the following nations declared war on Israel: Egypt, Lebanon, Syria, Transjordan, and Iraq. After Isra
Re:And Jews violated more laws under the Nazis, to (Score:3, Insightful)
Since no one (cough America) listens to the UN anymore. This is hardly the UN's fault. Just like the league of nations, it has no power to enforce its mandates. Blame the countries that refused to empower the UN.
Re: (Score:2, Interesting)
Seriously, is it possible any more to even pretend that the UN is anything but a forum for tinpot dictators and other nameless losers to bitch, complain, and blame the west for all of Earth's problems?
Come to think of it
Re: (Score:1)
Yea, because the third world is responsible for global warming, sweatshopped labour, "pre-emptive" wars and capitalistic plutocracy. Get over yourself, if you think the west's natural position is at the top of the human pecking order. If you had any perspective at all you'd know that history has shown again and again that any empire or civilization that seeks to place itself above others will eventually be pulled out of privilege, or die due to the inherent instabi
Re:And Jews violated more laws under the Nazis, to (Score:4, Insightful)
All the rest of it is just gravy.
Re: (Score:2)
Which is a nice idea, as long as you only allow rational and influential nations a seat at the table.
What the UN has actually turned into is the equivalent of raiding your town jail and local loony-bin to find members for your town council. While the concept of "equal representation" might seem noble, in these cases it fails horribly.
We (the "western"
Re: (Score:1, Insightful)
The UN was ineffective because it relied on Microsoft. Microsoft, btw, is a US company.
Security is hard (Score:1, Interesting)
I have worked with many web developers who thought they knew a lot about making web sites secure, and who didn't even know what a SQL Injection vulnerability was. Why didn't they know? Because they had never run across it before. It had not been taught in their school, nor in any of the "how to use Microsoft Visual Studio" training they had.
The "well nobody told me" problem is har
Re: (Score:1)
and who claim they don't know what SQL-Injection or Cross Site Scripting is about,
should get their development license revoked or something.
"I don't know" is a very lame excuse, especially if they call themselves a pro.
I know that complete security is near impossible, but basics are still basics.
This is like a doctor claiming he had until now never heard about sterile(?) scalpels and hygiene basics.
You don't expect to die from wou
Ralf-isms (Score:1)
LOL!
Re: (Score:3, Insightful)
Plus I'm sure they scheduled the downtime (for right now) after they noticed the crack.
Re: (Score:1)
The UN website is up, but the page with the Secretary-General's speeches is currently down.
The URL for the actual speech site (bypassing the maintenance page) is http://www.un.org/apps/news/infocusRel.asp?infocusID=130&Body=xxxxxx&Body1= [un.org].
Surprising? (Score:2)
both quite surprising to find in such a high profile site
Are we really that surprised? I thought it was pretty standard that most of the "high profile sites" out there are the ones least likely to understand the importance of keeping their software up to date. It seems like the larger the company/organization/multi-national quasi-governmental agency, the more likely they are to simply buy in to whatever is being promoted by (insert your favorite vendor here), and won't upgrade unless something breaks or
Re:Surprising? (Score:5, Informative)
I don't know how to explain it, but a lot of the people I've seen create websites for government or local authority branches are business types lacking on the technical side. Basically the person who the project manager likes most, regardless of reviewing their technical ability on previous sites other than quickly browsing through one or two and going "ohh, that's nice, isn't it!".
On one occasion I've seen a company win the contract simply because the paper they sent to the project manager sparkled slightly in the light and was followed up by a long phone call. Their websites were utter trash, but they were very good at making money.
I suspect the same happened here
Stupidity is NOT just in Gov't (Score:2)
Almost all companies and organizations are cheap and want the most while paying the least. Governments are often not given much money for items outside of their core function, and websites often fall into that classification. Commercial entities do spend
Re: (Score:2)
So you're saying that government is all politics, then?
Thank you. This could be most helpful.
Re: (Score:2)
Unless that person falsified their resume, I would place the blame on the incompetence of the person who extended the job offer.
If you hire someone with no arms to flip burgers, don't blame them when your hamburger stand is a failure. Unless s/he wore prosthetic arms to the interview or something. And even then, you still made a bad hire.
Re: (Score:1)
I really hate web programming so I am not very knowledgeable in this particular area, but it was my understanding that most programming languages have libraries which allow a programmer to sanitize user input that will be used in an SQL statement, such as php's mysql_real_escape_string. I'm not saying that this is all
Re: (Score:2)
Most database APIs have some analogue of printf specifically designed for producing escaped SQL strings. These allow SQL statements to be constructed in a completely safe way. Always use these instead of manually constructing SQ
Re: (Score:2)
Or use a programming language that's a lot better designed. Sheesh.
Think about it: first came mysql_escape_string, then they screwed that up, next came: mysql_real_escape_string.
Whereas in properly designed languages:
1) They don't screw up so often.
2) And usually when they do, they fix the bits they screw up, and you don't have to change a single line of
Re: (Score:1)
Probably also — my bias — because all the persons in charge are so qualified (along the lines: younger than ever, experience > age, always only A++ level grades, superb team-players with ultimate social and leadership capabilities) that they more care about quantum career leaps.
CC.
Is it really a big surprise? (Score:5, Insightful)
Maybe it's not such a surprise, considering that
Re: (Score:1)
Don't be dense. If they're incompetent enough to be building parts of their website with a tool like MS Word, it doesn't seem tremendously far-fetched to me to think that their abilities in other areas--security for example--may be less than stellar.
Re: (Score:2)
(Of course, given that this happened in the first place, that isn't entirely likely. heh)
Re:Is it really a big surprise? (Score:4, Insightful)
- Jesper
Waste of an exploit (Score:5, Funny)
I personally would have sneaked in and invented a new UN agency with its own inscrutable and almost-pronounceable acronym, and then sat back and watched.
Just imagine if, halfway down this page [un.org], you get an entry like this:
UNCRP: Works in field missions to improve standards in accordance with self-determined metrics. Composed of members elected to permanent positions based on a variety of factors subservient to aforementioned goals, assuming goals have been determined prior to agency initiation. Primary work areas include inter-agency provision of UNCRP-related efforts, with the ultimate objective of improving standards, mainly in the field.
One quick email to follow up:
To: secgen@un.org
From: Agency Coordination and Initiation Subcommittee to the Secretariat
Subject: Need traction on UNCRP agency kickstart
Dear sir:
With respect to the newly established UNCRP agency, we respectfully request formal approval of resources. We expect to be operational within 5 years and will submit the initial statement of work within 3 years from approval.
Thank you for providing the momentum to this newly founded agency; we have dedicated much effort to the realization of the UNCRP, as it is conducive to the eradication of, several things in the UN charter.
Regards,
Rolf Wittigersen
And that should be it. Make yourself some popcorn, and watch the headless wonder of a new UN agency being created. At least with the UNCRP, it would be purposeless by design rather than through the diligent work of its employees.
Re: (Score:3, Funny)
I recognize that writing....
You're the CTO/CIO for my company, aren't you??
Re: (Score:2)
MS SQL server in some configs can allow people to do all sorts of stuff.
SQL Injection and Blind SQL Injection Info (Score:3, Insightful)
http://www.cgisecurity.com/questions/blindsql.sht
Many other papers on the subject
http://www.cgisecurity.com/development/sql.shtml [cgisecurity.com]
Re: (Score:3, Informative)
You'll get
ADODB.Recordset.1 error '80004005'
SQLState: 37000
Native Error Code: 8180
SQLState: 37000
Native Error Code: 105
[MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
[MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
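The ODBC error text quoted above is exactly what a production site should never hand back to a browser: besides confirming the injection, it names the driver, the database product and the parse failure. A cheap defensive check is to scan HTTP response bodies (from a staging crawl or from response logs) for database error signatures and treat any hit as a bug to fix with a generic error page. The following is an added example, not code from the thread or from the UN site; the three "MERANT/ODBC" signatures come from the quoted error above, the remaining signatures and all sample response bodies are constructed assumptions for the demo.

```python
"""Flag HTTP response bodies that leak database error text to the client.
Added example; the sample responses below are constructed, not captured."""
import re

# Signatures of database error output that should never reach a browser.
# The first four are taken from the ODBC/SQL Server error quoted in the thread;
# the rest are common driver prefixes added here as assumptions.
SQL_ERROR_SIGNATURES = [
    re.compile(r"Unclosed quotation mark"),
    re.compile(r"\[ODBC SQL Server Driver\]"),
    re.compile(r"Statement\(s\) could not be prepared"),
    re.compile(r"ADODB\.Recordset.*error '8000\d{4}'"),
    re.compile(r"java\.sql\.SQLException"),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"You have an error in your SQL syntax"),
]

# Constructed sample response bodies: index 0 and 4 are healthy pages,
# 1 to 3 leak driver-level error text.
SAMPLE_RESPONSES = [
    "<html><body><h1>Speeches of the Secretary-General</h1></body></html>",
    "ADODB.Recordset.1 error '80004005' SQLState: 37000 Native Error Code: 8180",
    "[MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
    "before the character string ''.",
    "java.sql.SQLException: ORA-01756: quoted string not properly terminated",
    "<html><body><p>Sorry, something went wrong. Reference: ab12cd</p></body></html>",
]


def find_sql_error_leaks(bodies):
    """Return (index, matched pattern) for each body that contains a DB error
    signature. Only the first matching signature per body is reported."""
    hits = []
    for i, body in enumerate(bodies):
        for sig in SQL_ERROR_SIGNATURES:
            if sig.search(body):
                hits.append((i, sig.pattern))
                break
    return hits


def leaking_indexes(bodies):
    """Convenience wrapper: just the indexes of leaking responses."""
    return [i for i, _ in find_sql_error_leaks(bodies)]


if __name__ == "__main__":
    for idx, pattern in find_sql_error_leaks(SAMPLE_RESPONSES):
        print(f"response {idx}: database error leaked (matched /{pattern}/)")
```

Run against real traffic, the same function can sit in a test harness that fetches each page with a single quote appended to every parameter and fails the build if any response matches; the fix on the server side is a generic error page plus server-side logging of the real exception, not a prettier error string.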
Unsurprising (Score:1)
Well, passing along the escape character (') to the login page returned the following message:
java.sql.SQLException: O
Re: (Score:1)
To escape quotes in Oracle, use two quotes (''), so if you used an expression:
replace(p_input_parm,'''','''''')
This would replace all single quotes with escaped quotes. With the quotes escaped in Oracle, SQL Injection attacks go nowhere. You should also escape the HTML characters < and > to prevent someone from injecting JavaScript into your site. There is a function in Oracle's OWA_UTIL package for this.
Re: (Score:2)
With the quotes escaped in Oracle, SQL Injection attacks go nowhere.
Not exactly true. Quote-less SQL injection is possible, as witnessed by the numerous successful SQL rape attacks against ColdFusion sites. You just need to pick a URL that has a number inside it, rather than a string. If your parameter is a number, no need to close any quote.
And, in order to sneak in your own string, use the char(72)%2Bchar(101)%2Bchar(108)%2Bchar(108) %2Bchar(111)%2Bchar(32)%2Bchar(119)%2Bchar(111)%2B char(114)%2Bchar(108)%2Bchar(100)%2Bchar(33) trick.
Hmm, looks like the only real prot
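The two comments above make the same point from opposite sides: doubling single quotes (the Oracle `replace(p, '''', '''''')` idiom) protects string literals, but it does nothing for a parameter that is spliced into the query as a bare number, which is why the earlier advice to use the database API's parameter binding instead of hand-built SQL is the one that actually holds. The following added example, not code from the thread or from the UN site, puts both patterns side by side on an in-memory SQLite table; the `speeches` table, its columns and the three sample rows are constructed assumptions for the demo.

```python
"""Quote-escaping versus parameter binding for a numeric query parameter.
Added example; the schema and rows are constructed for the demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three speeches keyed by an integer id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE speeches (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO speeches VALUES (?, ?, ?)",
        [(128, "Speech A", "body a"),
         (129, "Speech B", "body b"),
         (130, "Speech C", "body c")],
    )
    return conn


def escape_quotes(value: str) -> str:
    """The escaping defence from the thread: double every single quote."""
    return value.replace("'", "''")


def fetch_escaped(conn: sqlite3.Connection, raw_id: str):
    """Vulnerable pattern: user input is spliced into the SQL text.
    Escaping quotes is irrelevant here, because a numeric comparison
    has no quote to close; whatever follows the number is parsed as SQL."""
    sql = "SELECT id, title FROM speeches WHERE id = " + escape_quotes(raw_id)
    return conn.execute(sql).fetchall()


def fetch_bound(conn: sqlite3.Connection, raw_id: str):
    """Hardened pattern: validate the type, then bind the value.
    The SQL text never contains user data, so the parser sees one fixed
    statement and the value is passed separately as a single integer."""
    try:
        speech_id = int(raw_id)
    except ValueError:
        return []  # not an integer at all: reject instead of querying
    return conn.execute(
        "SELECT id, title FROM speeches WHERE id = ?", (speech_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed inputs: a legitimate id, and the quote-less form the
    # comment above describes (no quote to escape, so escaping is a no-op).
    for raw in ("130", "130 OR 1=1", "130'"):
        print(f"{raw!r:15} escaped -> {len(fetch_escaped(db, raw)) if raw != chr(49)+chr(51)+chr(48)+chr(39) else 'SQL error'} rows"
              if raw != "130'" else f"{raw!r:15} escaped -> SQL error",
              f"| bound -> {len(fetch_bound(db, raw))} rows")
```

The escaped variant returns one row for `130` and every row for the quote-less input; the bound variant returns one row for `130` and rejects anything that is not an integer before a query is ever sent. The type check matters as much as the placeholder: binding `"130 OR 1=1"` as a string would simply compare `id` to a string and find nothing, but refusing it up front gives you a clean place to log the bad request.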
Some jive honkeys. (Score:1)
Then I imagined that the UN as a society of pimps. This is where I live now. In my mind.
Surprising? Not at all.. (Score:2)
SQL injection in a high-profile site is not surprising or uncommon. When you work with back end databases, your protection from such an attack is only all the programmers that make up the DB interfaces on your website. This happens often due to laziness, lack of knowledge, or simple mistakes. It's pretty frequent when you have people collaborate on a p
Re: (Score:2)
It seems like most of the people talking about AJAX and Web2.0 don't even really know what it is. Ajax isn't any bigger of a security threat than is allowing the users of your website to use get or post on a URL, w
Hardly a surprise (Score:5, Interesting)
First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.
Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.
And finally the good ol' fact that the people who work there are usually not the cream of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
The easiest non-intrusive way (Score:3, Interesting)
http://www.un.org/apps/news/infocus/sgspeeches/st
If they're not using parameter binding and/or properly sanitizing user input, this should return a different record (article in this case) than the original URL. - http://www.un.org/apps/news/infocus/sgspeeches/st
Author doesn't know much either... (Score:2)
There is no stumbling block here. All the hacker had to do would be to escape their own apostrophe. That's the very vulnerability that makes this work.
'; update speeches set text = 'Don''t try to hack this
Our agreements? The struggling Parliament of Man (Score:5, Insightful)
The fact is that the UN, while it does have a lot of problems, is also far more effective and dare-I-say-it even important than most people in the US ever give it credit for. It's far from a perfect system, but it's still the best we have. We're one of the rich kids on the playground, and one of the strong kids on the playground, and we don't always enjoy what the student government wants to do--so we turn away from it sometimes. But that doesn't mean that it isn't important, or helpful, or that it doesn't, sometimes, do what's right. And that doesn't mean we shouldn't work with it, sometimes, and give it more credit for what it does and tries to do.
Instead, we tend to discount it. Because sometimes we don't like what it says about us or others in the playground, and because it's politically convenient (and salable) for our leaders to emphasize our strength and autonomy, all of our accomplishments and our not-inconsiderable military and economic muscle, and all of our pride. Some degree of Nationalism isn't a terrible thing, and we do have a lot to be proud of--but we also still have a lot to do, and to accomplish, as a nation and as members of larger world, and pretending the other children on the playground are irrelevant doesn't help us to do those things.
Also, don't you want the Universal Declaration of Human Rights to apply to US Citizens in a US Court or on the streets? The Bill of Rights is getting stretched more thinly every day, and the anti-terrorist effort (though directed in part by well-meaning people) is cutting swaths in our Constitution.
--Me
The subtlest change in New York is something that people don't speak much about but that is in everyone's mind. The city, for the first time in its history, is destructible. A single flight of planes no bigger than a wedge of geese can quickly end this island fantasy, burn the towers, crumble the bridges, turn the underground passages into lethal chambers, cremate the millions. The intimation of mortality is part of New York now: in the sound of jets overhead, in the black headlines of the latest edition.
All dwellers in cities must live with the stubborn fact of annihilation; in New York the fact is somewhat more concentrated because of the concentration of the city itself, and because, of all targets, New York has a certain clear priority. In the mind of whatever perverted dreamer who might loose the lightning, New York must hold a steady, irresistible charm.
It used to be that the Statue of Liberty was the signpost that proclaimed New York and translated it for all the world. Today Liberty shares the role with Death. Along the East River, from the razed slaughterhouses of Turtle Bay, as though in a race with the spectral flight of planes, men are carving out the permanent headquarters of the United Nations -- the greatest housing project of them all. In its stride, New York takes on one more interior city, to shelter, this time, all governments, and to clear the slum called war.
This race -- this race between the destroying planes and the struggling Parliament of Man -- it sticks in all our heads. The city at last perfectly illustrates both the universal dilemma and the general solution, this riddle in steel and stone is at once the perfect target and the perfect demonstration of nonviolence, of racial brotherhood, this lofty target scraping the skies and meeting the destroying planes halfway, home of all people and all nations, capital of everything, housing the deliberations by which the planes are to be stayed and their errand forestalled.
-- E.B. White, from "Here Is New York," 1948
Re:Our agreements? The struggling Parliament of Ma (Score:3, Insightful)
It's far from a perfect system, but it's still the best we have.
The UN is really a complete affront to democracy. It's effectively a five country dictatorship. You have 5 countries which can veto the will of all the world's countries and they can never be removed from their position on the Security Council. They can also veto the appointment of a UN Secretary General, even if the rest of the world wants that person for the role. It's amazing really that the media do not direct their attention at the UN's completely undemocratic structure rather than just its operati
Re:Our agreements? The struggling Parliament of Ma (Score:3, Informative)
What are the things that you are claiming that the UN is effective at? As far as I can tell, there are only two things: (1) giving hand-outs to the desperately poor, and (2) keeping tinpot dictators in power. One could argue that these together are self-perpetuating.
Re:Our agreements? The struggling Parliament of Ma (Score:3, Informative)
I doubt that very much. The UN couldn't pour sand out of a boot even with instructions written on the heel.
How long has the genocide in Darfur been going on? Last I heard, the UN issued a proclamation that said basically, "stop or we'll say stop again". How about those times the UN security forces allowed militants and war lords to drive right past them and kill the civilians they were supposed to be protecting? How abou
Re:Our agreements? The struggling Parliament of Ma (Score:2)
The UN tends to keep the various powers, especially European and Russian, but also China and Japan, tied up in red tape so they are less inclined to engage in world wars. It also sets up a standard system whereby brutal third world dictators can demand and receive handouts
Re: (Score:3, Insightful)
Now let's pretend for a minute that 'positive liberty' is all BS. Let's pretend that the libertarian ideology on liberty is the most moral one. Let's say UN implements your Libertarian Declaration of Human Rights.
Now how will that be a step in the right direction for the freedom and safety of mankind (pretty big words for statement devoid of any arguments)? Do realize that no one will even care about this document, let alone even paying
Re: (Score:1)
And when you are outside the borders of the United States, you can be damn sure that your government supported by your courts, constitution and bill of rights will consider you substantially less valuable than its international trade agreements.
Re: (Score:1)
Looking through your posting history and finding such gems as, "I say beat the shit out of the jerks, maybe they'll think twice before doing it again," I guess I'd be safe to classify you as a trollish, impotent, angry young man.
But you're right, let's get rid of the "opposition to war or violence as a means for resolving disputes" (American Heritage) that pacifism entails, close down our embassies, withdraw our diplomats, and resolve o
Re: (Score:2)
I don't know why so many people seem to think that putting all your eggs in one basket is at all wise.
Re: (Score:2)
Then if some country gets really crappy, people move elsewhere.
After all if you look at the proliferation of crappy country governments, why should most people want to risk a crappy world government? Like how are you going to choose the world government? The same way the crappy country govs were chosen?
Like how stupid is th
Re: (Score:1)
My article was modded as a Troll. Again. It's been years since I was able to moderate. Oh, well.
But FWIW, I think it's legitimate to point out that it's not only the USA and Israel doing the killing. The hack's statement was hypocritical. You never see hacks urging extremists to stop the terror.