
UN Website Administrators Neglect Security Flaw

Robert Graham, a security researcher at Errata Security who discovered the security flaw used in the 2007 attack on the United Nations website, reported in a blog posting that the UN site's security administrators have left the flaw unresolved, as SoftPedia reported on August 17, 2009.

Apparently the UN website has remained vulnerable to SQL injection attacks since 2007, and as proof Graham provided a screenshot showing the flaw still present.

In August 2007, three attackers hacked the UN site and replaced a speech by UN Secretary-General Ban Ki-moon with a pacifist statement of their own. The hackers used the simple technique of SQL injection, and Graham later demonstrated how parameters entered in a web browser's URL could be injected into the site's ASP component.

Graham posted that two lessons emerged from the incident. The first is that however simple the fix for a vulnerability may be, an organization such as the United Nations cannot manage to apply it: although a high-school intern could repair the flaw in five minutes, bureaucratic procedures mean the UN must spend large sums of money to fix it, Graham explained.

The second lesson is that leaving the vulnerability unfixed is not very expensive either. The UN can live with the problem by cleaning up the site each time it is hacked, Graham wrote, accusing the UN website's administrators of sluggishness and unprofessionalism.

Taken together, the two lessons imply that it is cheaper for the UN to clean up its site after every hack than to eliminate the bug, or at least the organization's management appears to believe so, Graham wrote on his blog.

Graham also believes that SQL injection bugs are widespread on the web, particularly on high-profile websites. According to him, during a presentation he can pick a website he has never examined before and show it to be susceptible to SQL injection, an attack that works by mixing data with code and sending that data to the target website, which can then be compromised.
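To make concrete what Graham described (a URL parameter pasted into an ASP page's SQL text) and the "five-minute fix" he refers to, here is an added example that is not from the article or from Graham's blog. It uses Python with an in-memory SQLite table of constructed sample data, and places the concatenating lookup beside the parameterized one that fixes it.

```python
import sqlite3

# Constructed sample rows standing in for a CMS "speeches" table (not real UN data).
SPEECHES = [
    (1, "Secretary-General remarks on climate", "published"),
    (2, "Draft statement (not for release)", "draft"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE speeches (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO speeches VALUES (?, ?, ?)", SPEECHES)
    return conn


def lookup_vulnerable(conn, speech_id):
    """The pattern the article describes: the raw URL parameter (a string)
    is concatenated into the SQL text, so attacker-supplied data becomes code.
    Only 'published' rows are meant to be visible."""
    sql = ("SELECT id, title FROM speeches WHERE status = 'published' "
           "AND id = " + speech_id)
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, speech_id):
    """The fix: validate the parameter's type, then bind it as a query
    parameter so the database never interprets it as SQL."""
    if not speech_id.isdigit():
        return []  # reject anything that is not a plain integer id
    sql = "SELECT id, title FROM speeches WHERE status = 'published' AND id = ?"
    return conn.execute(sql, (int(speech_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A well-formed request behaves identically under both versions.
    print(lookup_vulnerable(db, "1"), lookup_fixed(db, "1"))
    # A malformed parameter changes the meaning of the concatenated query
    # (AND binds tighter than OR), exposing the unpublished draft row;
    # the parameterized version simply rejects it.
    print(lookup_vulnerable(db, "0 OR 1=1"), lookup_fixed(db, "0 OR 1=1"))
```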


» SPAMfighter News - 9/4/2009
