UN Leak Says Hack Did Not Get Staff Info But Right Defenders Be Damned Under Guterres
By Matthew Russell Lee, Exclusive
UN GATE, Feb 15 –
Amid the flurry of interest in
the UN covering up having been
hacked, Inner City Press
noted that the UN has in
the past not waited to cover
up a hack but instead straight
up gave information about
activists to China - and at
least one of the activists was
killed.
Then the retaliation
began, against the
whistleblower and against
Inner City Press which
reported on it. On
February 6, Inner City Press
exclusively reported a leak
by Cybersecurity chief Braun
about the hack, below, that
the UN internally says could
easily have been prevented. So
who will be held accountable?
It should be the king of
impunity, Antonio Guterres.
This is
especially true as the hack is
said by staff to have put the
UN Pension Fund at risk. Now
there, from Vienna: "Dear
UNOV/UNODC
colleagues, You
may have seen recent press
reports about a cybersecurity
incident in August 2019, in
which an external attacker
gained access to servers run
by UNOV, UNOG and OHCHR.
At UNOV/UNODC, the attacker
gained entry via a server via
an unpatched software
vulnerability, then used that
access to traverse other
servers in Vienna as a path to
Geneva-based networks.
The attacked server was
removed from service
immediately, and other
potentially involved services
and accounts were
suspended. The analysis
of firewalls, logs, and other
evidence did not indicate that
any UNOV / UNODC data was
stolen or
“exfiltrated”.
Subsequent
analysis indicated that UNOV /
UNODC data was not the target
of the external attacker.
Nevertheless it was clear that
a vulnerable server here was
the entry point. This was
unacceptable, and resulted in
a significant review of server
patching and overall
cybersecurity preparation,
including independent testing
to identify any other
vulnerabilities or risks on
internet-facing
services. A follow-up
action recommended by experts
required all HQ staff to
re-set their passwords; as you
may recall, that instruction
was sent, noting that the
password action was “needed to
eliminate some security
vulnerabilities”.
We take such
incidents very
seriously. During the
August 2019 incident, the IT
team at UNOV/UNODC was
in direct and frequent
communication with affected
business partners, OICT in New
York, and our colleagues at
the other UN entities.
We assessed the risks and
effects of the incident in
determining who was affected
and who should be
notified. We are
confident that no staff
personal information was
taken. Unfortunately this
attack is unlikely to be the
last attempt on our
cybersecurity, but I assure
you that we remain committed
to keeping you informed and
your information
protected.
Best regards,
Dennis Thatchaichawalit
Deputy Director-General of UNOV and Director, Division for Management
United Nations Office at Vienna and United Nations Office on Drugs and Crime."
Here is the first
UN leak to Inner City Press,
more forthcoming:
"From: Thomas Braun braunt [at] un [dot] org
Sent: Wednesday, February 5, 2020 10:34:19 PM
Subject: Reported cybersecurity incident [to all ICT Managers, Information Security Focal Points and BRMs/TSAs]
Dear
colleagues, I
assume that you are all aware
of last week’s press reports
about a cybersecurity incident
affecting UNOV, UNOG and
OHCHR. The response to
the incident was managed by the
affected offices, with UNOG /
RTC-Europe taking a
coordination role, but I want
to provide a very brief
summary and share some key
lessons.
The incident
began with the compromise of a
server in UNODC that was
missing a critical security
update. From there the
attackers gained access to,
and compromised further
servers and infrastructure
components of the network in
both UNOV/UNODC and
UNOG. The compromise was
detected several weeks later
at OHCHR. Containment,
and other incident response
measures were initiated
immediately after the incident
was
detected.
As soon as it
became apparent that accounts
from the UNOV were implicated,
OICT was informed as well, and
we provided support with the
forensic analysis and detailed
instructions for the required
recovery steps. While
the exact extent of the damage
is unknown, with respect to
UNOG and UNOV the incident was
determined serious, and the
recovery required the
rebuilding of core
infrastructure components and
resetting of
passwords.
As publicly
reported, the initially
compromised server was a
SharePoint on-premises
server. However, the
reason it was compromised was a
procedural failure to install
a critical security update,
there is no inherent security
weakness or issue specific to
that technology.
With respect to key lessons,
the incident highlights the
importance of compliance with
established information
security and ICT operational
policies:
1. The initial compromise could
have been easily prevented if
the relevant security update
had been applied.
Microsoft publishes security
updates on the second Tuesday
of every month and the OICT
Cybersecurity Service releases
advisories for these and other
security updates. These
advisories are distributed by
email, and are also published
in the CyberSec Advisory
channel in Teams. The Teams
channel is accessible to all
users in the UN Secretariat,
please let me know if you want
to be added to the email
group.
2. The initial compromise could
have been contained, if it had
been detected and responded to
in a more timely manner. An
intrusion detection system has
been deployed in some
locations, and it is essential
that all alerts are followed
up on as soon as they are
received. In addition, logs of
critical systems should be
reviewed to detect anomalous
or suspicious activity. Once
an incident has been detected
or reported the OICT
Cybersecurity Service can
provide assistance and
instructions to ensure a
timely containment and
mitigation of underlying
risks.
3. The spread of the intrusion
both within and between
locations could have been
mitigated if adequate network
segmentation had been
implemented. The need to
segment the historically
“flat” network architecture
had been included in the
ten-point action plan (2013),
and the lack of network
segmentation is a common root
cause in the large scale
incidents that affected the
Secretariat in recent
years.
Unfortunately, attacks like
the one that led to this
incident are very common, and
we will continue to see such
breaches unless we
significantly improve
compliance in these
areas. I hope this
incident serves as a wake-up
call.
Best,
Thomas P. Braun
Chief, Cybersecurity Section
Office of Information and
Communications Technology
United Nations
UNHQ FF-0776 Phone: +1.917 367
2671 | Mobile: +1.917 324
1047"
In 2018,
just before being ousted from
the UN by Guterres and UN Lt
Ronald E. Dobbins, Stephane
Dujarric and now Melissa
Fleming, Inner City Press
published this,
and later in 2019 from the UN
Gate, this
and this.
The quoted David
Kaye - after wanly raising to
the UN questions about its
ouster of Inner City Press,
what follow up did he
do?
The explanation
of all of this shameful
lassitude is that those few
who want to cover and enter
the UN will do anything for
access, and when they see that
a vindictive access controller
like Antonio Guterres will not
change position, they just let
the issues go.
Profiles in
Cowardice, and the continuing
decline of the UN. We'll have
more on this.
Copyright 2006-2020 Inner City Press, Inc.