UN's Hacked Website Is Restored but Still Vulnerable, Online Engagement Should Increase
Byline: Matthew Russell Lee of Inner City Press at the UN: Hack Analysis
UNITED NATIONS, August 12, updated August 13 -- The UN's website was hacked over the weekend, and spokesmen say that steps will be taken to avoid it in the future. But online experts say the UN's site remains as vulnerable as before. And as of August 13, what appears to be a UN Environment Program web page remains hacked -- click here to view. Inner City Press has asked UNEP to confirm that this is its site, but has so far received no response.
On the morning of August 12, just after 9 a.m. New York time, the speeches of Ban Ki-moon were replaced by an admonition to "Ysrail" and the United States -- "dont kill children and other people." Before the UN caught on to the hack, the news went out worldwide, complete with screenshots and a critique of the UN's web security.
Inner City Press e-mailed questions to two UN spokesmen, who each to their credit responded. First:
Subj: Re: Press questions re apparent hacking of OSSG website
From: [Alex Cerniglia at] un.org
To: [Matthew Russell Lee at] Inner City Press
Date: 8/12/2007 3:52:16 PM Eastern Standard Time
Matthew, We are aware of the hacking that took place this morning. We are very concerned that this happened and are investigating. At this time, we do not have any comment on who is responsible for doing this.
This spokesman was later quoted by Agence France Presse.
Screenshot of the hack, see "Latest Speeches"
Then:
Subj: Re: Press questions re apparent hacking of OSSG website, thanks
From: [Associate Spokesman at] un.org
To: Inner City Press
Date: 8/12/2007 9:23:52 PM Eastern Standard Time
Yes, the site was hacked, but it was repaired over the course of Sunday morning, and we are reviewing to ensure that the security of our internet services will be improved. We have no information on who was responsible.
But online skeptics note that the same hack could be repeated tomorrow, and that the UN is using outdated protocols:
"you can still check the screenshot. Moreover, the hole seems not to be patched yet, thus the site could be defaced again at will: not the best order for fixing stuff, is it?
While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don't. There's a technical reason for the missing apostrophe, though, because messing with this very character (') is part of the technique apparently used by the attackers. As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection. This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site. If only prepared SQL statements were used properly, this embarrassing incident would have been easily prevented. And yes, prepared statements are available even in the very obsolete ASP "Classic" + ADODB Microsoft setup they're using."
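The point made in the quote above, shown as an added example that is not part of the original article or the quoted post: when input is pasted into the SQL text, an apostrophe ends the string literal early, while a prepared statement binds the same text as plain data. Python's sqlite3 stands in here for the ASP "Classic" + ADODB setup; the speeches table, the function names and the sample strings are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample inputs: the two spellings discussed in the quote.
WITH_APOSTROPHE = "don't kill children and other people"
WITHOUT_APOSTROPHE = "dont kill children and other people"


def new_db():
    """In-memory database with a hypothetical 'speeches' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE speeches (id INTEGER PRIMARY KEY, body TEXT)")
    return db


def save_concatenated(db, body):
    """Flawed pattern: the input is pasted into the SQL text itself."""
    sql = "INSERT INTO speeches (body) VALUES ('" + body + "')"
    try:
        db.execute(sql)
        return "stored"
    except sqlite3.OperationalError as exc:
        # The apostrophe ended the string literal early, so the rest of the
        # input was parsed as SQL syntax instead of being treated as data.
        return "sql error: " + str(exc)


def save_prepared(db, body):
    """Corrected pattern: fixed statement text, input bound as a parameter."""
    db.execute("INSERT INTO speeches (body) VALUES (?)", (body,))
    return "stored"


def stored_bodies(db):
    """Return every stored body in insertion order."""
    return [row[0] for row in db.execute("SELECT body FROM speeches ORDER BY id")]


if __name__ == "__main__":
    for save in (save_concatenated, save_prepared):
        db = new_db()
        for text in (WITH_APOSTROPHE, WITHOUT_APOSTROPHE):
            print(save.__name__, repr(text), "->", save(db, text))
        print("  rows:", stored_bodies(db))
```

An unexpected SQL syntax error triggered by a lone apostrophe in ordinary input is the signal to look for during code review or testing: it means the statement text is being assembled from user data.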
This is ironic, given that the UN Communications Group, at its June 21-22 meeting in Madrid, spoke at length about its desire to go high-tech -- while also discussing trying to exclude bloggers in the future, click here for that.
The solution should not be for the UN to become a fortress, but increase and improve its online presence and expertise, as well as its transparency. We'll see.
Feedback: Editorial [at] innercitypress.com
UN Office: S-453A, UN, NY 10017 USA Tel: 212-963-1439
Reporter's mobile (and weekends): 718-716-3540
Copyright 2006-07 Inner City Press, Inc. To request reprint or other permission, e-contact Editorial [at] innercitypress.com