Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

United Nations vs SQL Injections

CmdrTaco posted more than 7 years ago | from the virtual-security-is-hard-too dept.

Security 144

Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message. This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."

Sorry! There are no comments related to the filter you selected.

Hackers vs The General Assembly (0, Flamebait)

MrNaz (730548) | more than 7 years ago | (#20203639)

Given that Israel is the most flagrant violator of UN resolutions [zmag.org] , perhaps they'll listen to this. Oh crap, this isn't a political site, is it? *Runs away from the pitchfork weilding mods*

And Jews violated more laws under the Nazis, too (0, Insightful)

Anonymous Coward | more than 7 years ago | (#20203921)

Since when was a UN resolution worth more than the paper it was written on?

And let me guess. You supported a coalition of over 30 countries banding together and overthrowing a corrupt despot who not just violated but utterly ignored almost 20 UN resolutions over a period of a decade or so.

Riiiight. Suuure you did.

So, the UN is only important to you when it comes to supporting the genocide of Israel?

Ignorant jackass.

Re:And Jews violated more laws under the Nazis, to (1)

MrNaz (730548) | more than 7 years ago | (#20204115)

Err... chill dude...

Re:And Jews violated more laws under the Nazis, to (2, Insightful)

Dunbal (464142) | more than 7 years ago | (#20204133)

Since when was a UN resolution worth more than the paper it was written on?

      Since no one (cough America) listens to the UN anymore. This is hardly the UN's fault. Just like the league of nations, it has no power to enforce its mandates. Blame the countries that refused to empower the UN.

Re:And Jews violated more laws under the Nazis, to (2, Interesting)

c6gunner (950153) | more than 7 years ago | (#20204813)

Any organization which elects Libya to chair it's "Human Rights Council" automatically loses any right to be taken seriously.

Seriously, is it possible any more to even pretend that the UN is anything but a forum for tinpot dictators and other nameless losers to bitch, complain, and blame the west for all of Earth's problems?

Come to think of it ..... it kinda reminds me of Slashdot, actually ;)

Re:Hackers vs The General Assembly (3, Insightful)

Anonymous Coward | more than 7 years ago | (#20204547)

Shame on you, let me explain why: INFO: As a matter of fact Israel is the only real democracy of the area and is sorrounded by enemy nations for religious matters. The last one is Lebanon (a muppet-state with apparently no powers on its own territory). In lebanon there is a "official" army hitting Palestians refugees and another Islamic army (Hezbolla) which is financed by other nations and likes to advocate the death of israelis and send casual ballistic missiles on "enemy" cities. Palestinians like to detonate on public transport, discos and markets, of course even they have a array of missiles. They are thorn between islamic extremism and extreme terrorism. Iranians one day and the next one are treatening the distruction of Israel. They had a workshop on the allerged Sionist control of the world and are opening working on a Atomic Bomb design with the blessing of the idiotic pacifists of half the world. In this context there you go blaming them for disrespecting all those resolutions that basically say "for the sake of peace let the islamics kill you". So i take that applying the same logic no-one can criticise the USA preventive war on terror which basically is "for the sake of peace we kill them first". Also people tend to forget that with Congo and Sudan it is clear that the ONU it's not doing its job. For your consideration: http://www.youtube.com/watch?v=uhWgZu6tcZU [youtube.com]

Re:Hackers vs The General Assembly (0)

Anonymous Coward | more than 7 years ago | (#20204829)

Yes the Palestinians are way out of line attacking a country that has been killing there people and stealing there land for over 40 years.

I do not agree with attacking civilians. But sometimes its required, in south Africa during the a partied the 'terrorist' organization that Mandela was part of attacked civilians as well as military targets.

Israel is one of the main reasons we have a unstable middle east. although that can be highly debated. If you think what Israel does is in defense you are misinformed and my guess is you are either American or an Israelite. The Palestinians do not just attack 'neighborhoods' they attack jewish settlements on Palestinian land as well and as far as I'm aware people under occupation have a right to fight back.

Israel is not a real democracy its a military nationalist democracy.

That is only jewish people get a say.
The military call a lot of the shots.

I do not agree with a jewish state. I think the idea that jewish people can steal other peoples land because 'god gave it to them' is insane. I would much prefer a secular state.

Re:Hackers vs The General Assembly (2, Insightful)

Hitto (913085) | more than 7 years ago | (#20205357)

I'll bite, anon.
You may have noticed that in all of Israel's neighbors, you would be hard-pressed to find ONE secular state, or even a functioning democracy.
Whereas in Israel, fundamentalist nutjobs do get fined or jailed whenever they stir up trouble. They don't get to evade the law when they excise their daughters, slay victims of rape in "honor killings", lapidate adulterers, etc, etc, etc.

Re:Hackers vs The General Assembly (1, Offtopic)

CannonballHead (842625) | more than 7 years ago | (#20205553)

How familiar are you with middle eastern history? The land that Israel is in now is smaller than the land they had 3500 years ago. They took the land from races that no longer exist. Saying that Israel is "stealing" Palestinian land... well, they aren't; the Palestinians are trying to take Israel's land.

To the point, I might add, that at the moment, Muslims have control of the temple mount... the Hebrew/Jewish temple mount. And they put a mosque on it. They have done numerous things specifically to insult the Jews... for religious reasons. Now, are you going to argue that the Islamic religion is older than the Jewish religion? He lived in the 6th century, AD; Moses lived quite a bit earlier than that. Even secular skeptics will agree that the Old Testament was written before the 6th century AD... I mean, the Jews were persecuted by the Romans, attacked by the Persians, Babylonians, Assyrians... this is ancient history, not 5th century history.

With that in mind, then, and knowing that the Jewish temple was in place long, long before the Islamic religion existed, how is it that Israel is stealing Palestinian lands... when an Islamic mosque sits on top of the Jews' temple mount itself?

To argue that Israel is "stealing" Palestinian land... well, if I squatted on your land and kicked you off, I'm not sure you'd think you were stealing it if you decided to try to take it back.

And again, with that in mind, the way the Islamic countries are fighting Israel is far from humane. Bombings, random missles... well, a previous post summed it up nicely.

But, strangely enough, as previously mentioned... paper from the UN doesn't really seem to affect the Islamic religious militaries. They don't seem to care. I wonder why? Perhaps it's like a mother who just tells his child over and over that "you're gonna get it if you do that again!" ... but the child very quickly learns that he never DOES get it.

Re:Hackers vs The General Assembly (1, Insightful)

Anonymous Coward | more than 7 years ago | (#20205693)

I do not deny that the jews was in that area of land before Islam even existed.

But if the jewish people have the god given right to take the land now owned by someone else because they was there first. A lot of people will have to move out of there own country.

The 3 main ones off the top of my head -

America - native Americans
England - celts
Australia - aborigines.

why ain't we giving them back the land? 2 of the 3 mentioned was within the last 300 to 100 years and even in the last century.

To say they have the right to destroy the government that was in place is insane. They should of done what _any_ civilized society would of done with the situation, immigrated and merged with the current society that was in place.

Re:Hackers vs The General Assembly (1)

CannonballHead (842625) | more than 7 years ago | (#20206269)

But if the jewish people have the god given right to take the land now owned by someone else because they was there first. A lot of people will have to move out of there own country. I believe I entirely left God out of the picture. Partially because you would likely complain that my religion was getting in the way of my politics, or something like that... so I left my religion entirely out of it, and never mentioned God.

why ain't we giving them back the land? 2 of the 3 mentioned was within the last 300 to 100 years and even in the last century. Indeed.. rise and fall of nations apparently is entirely ... well, mostly based on force. Romans, Greeks, Babylonians, Persians, Medes, Turks, English, American...

To say they have the right to destroy the government that was in place is insane. They should of done what _any_ civilized society would of done with the situation, immigrated and merged with the current society that was in place. If I remember correctly, they were given the land of Israel by, in fact, the United Nations in 1948... or, well, they approved at least. I guess Britain technically "owned" it.

So, now that Israel IS in place, can we justify Palestine for continuing to attack them, claiming Israel is on their land?

Basically, both Jews and Muslims claim the "holy land" as their own. So, who do we support, then, or do we just let them blow themselves to bits?

Seems to me that, if the issue IS a religious one, if the issue IS whose holy land it is, we should go with the historically accurate one... and I would argue that, to be historically accurate, we would have to say it belongs to the Jews. They took the land quite a long time ago from races that no longer exist, really.

Re:Hackers vs The General Assembly (1)

shaitand (626655) | more than 7 years ago | (#20206631)

'If I remember correctly, they were given the land of Israel by, in fact, the United Nations in 1948... or, well, they approved at least. I guess Britain technically "owned" it.'

If you ask the British or I'm sure the Jews. If you ask anyone else in the middle east I think you would hear a different story.

'Indeed.. rise and fall of nations apparently is entirely ... well, mostly based on force. Romans, Greeks, Babylonians, Persians, Medes, Turks, English, American...'

No question about it and that only makes sense. After all, a 'nation' is a body that imposes its will upon the peoples of as large an area as possible by threatening to harm them in some way if they don't obey it.

'Basically, both Jews and Muslims claim the "holy land" as their own. So, who do we support, then, or do we just let them blow themselves to bits?'

Sounds like a fairly reasonable choice to me. If a bunch of idiots want to classify themselves based upon some ridiculous mythology they have chosen to believe and further want to attack others who believe in different invisible men then I say let them have at it. I for one am rather annoyed that one of these invisible man worshiping idiots rigged an election and proceeded to embroil my nation into this nonsense.

'Seems to me that, if the issue IS a religious one, if the issue IS whose holy land it is, we should go with the historically accurate one... and I would argue that, to be historically accurate, we would have to say it belongs to the Jews.'

Seems to me that we have clearly established the issue is NOT a religious one and has nothing to do with holy lands. We have established rather soundly that the issue is one of nations and that nations are an issue of force. I say we fail to recognize any government in the middle east until it stabilizes (no matter how many thousands of years that might be), trade with anyone who has money and sell weapons to anyone who has money. As for the invisible men granting holy lands, lets just leave them to the nuts shall we?

Re:Hackers vs The General Assembly (0)

Anonymous Coward | more than 7 years ago | (#20206659)

At the end of the day I do not think 1 type of people is entitled to the 'holy land' Everyone is including Muslims,Christians, Jews and every other on this big blue ball.

Re:Hackers vs The General Assembly (0)

Anonymous Coward | more than 7 years ago | (#20205927)

The Israel apologists dress up the language sometimes, good to see at least one of you is honest in your statement that "might makes right".

Re:Hackers vs The General Assembly (0)

Anonymous Coward | more than 7 years ago | (#20206031)

No islamic country has been fighting against Israel for a long long time. Individuals an extremist groups try to fight Israel, that's a huge difference.

Re:Hackers vs The General Assembly (1)

CannonballHead (842625) | more than 7 years ago | (#20206359)

Only extremist groups? Hm. Was Germany an extermist group? I know, they weren't Islamic. But that wasn't really just an extremist group... admittedly, an "extremist group" ended up in control of the country, but there didn't appear to be a huge outcry by the general populace, either. Maybe there was and I'm not aware of it, of course.

According to Wikipedia [wikipedia.org] , immediately after Israel was independent, the following nations declared war on Israel: Egypt, Lebanon, Syria, Transjordan, and Iraq. After Israel won, ceasefires were signed.

Regarding the Suez canal and the Sinai Peninsula... Israel didn't allow UN people to be on their side. Egypt did. But, not very soon after, wikipedia says.. "On May 19, 1967, Egypt expelled UNEF observers,[17] and deployed 100,000 soldiers in the Sinai Peninsula.[18] It then closed the straits of Tiran to Israeli shipping,[19][20] catapulting the region back to the pre-1956 status quo. On May 30, 1967, Jordan entered into the mutual defense pact between Egypt and Syria. President Nasser declared: "Our basic objective is the destruction of Israel. The Arab people want to fight."[21]"

So, basically, Egypt kicks the UN observers out, deploys soldiers, cancels Israeli shipping, basically starting a war. Jordan and Syria and Egypt combine with this. Nasser says that his nation wants the destruction of Israel. President Nasser, not the president of Jamas or some extremist group.. the president of the nation of Egypt. Israel responded with a preemptive strike, the Six Days' War, and totally beat the Egyptian air force; then they attacked Jordanian, Syrian... AND Iraqi air forces. So, Iraq again. Air force... not extremist groups. This is the air force.

Furthermore, regarding Iraq: "In June, 1981, Israel successfully attacked and destroyed newly built Iraqi nuclear facilities in Operation Opera.
During the Gulf War, Iraq fired 39 missiles into Israel, in the hopes of uniting the Arab world against the coalition which sought to liberate Kuwait. At the behest of the United States, Israel did not respond to this attack in order to prevent a greater outbreak of war.[27]"

Now, technically, it seems mostly terrorist groups. The question is ... how condoning and sympathetic the nations of Syria, Lebanon, Iran, etc, are of groups like Al Quaeda and Hezbollah. Just as people tend to argue that if an American company is openly doing some form of "evil" somewhere in the world and the American government does nothing about it... well, imagine if America had a large terrorist group dedicated to destroying Mexico, and the government didn't seem to care.

What? (3, Funny)

Junior J. Junior III (192702) | more than 7 years ago | (#20203647)

The UN was ineffective due to half-assedly fucking up a security detail? That's un-possible!

Re:What? (2, Funny)

MrNaz (730548) | more than 7 years ago | (#20203659)

Haha UN-possible. *giggles uncontrollably* OK I'm done.

Re:What? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#20204353)

From the article:

If only prepared SQL statements were used properly, this embarrassing incident would have been easily prevented.
And yes, prepared statements are available even in the very obsolete ASP "Classic" + ADODB Microsoft setup they're using. (screenshot)

The UN was ineffective because it relied on Microsoft. Microsoft, btw, is a US company.

Re:What? (3, Insightful)

Atlantis-Rising (857278) | more than 7 years ago | (#20204653)

The exact quote you presented supports the opposite view- it was a failure of administration, not a failure of technology.

Security is hard (1, Interesting)

Anonymous Coward | more than 7 years ago | (#20204695)

In the world of developing high volume web sites in a secure fashion, it is very easy to say "proactive," but very hard to do.

I have worked with many web developers who thought they knew a lot about making web sites secure, and who didn't even know what a SQL Injection vulnerability was. Why didn't they know? Because they had never run across it before. It had not been taught in their school, nor in any of the "how to use Microsoft Visual Studio" training they had.

The "well nobody told me" problem is hard to surmount, and it can have dire consequences. A friend of mine worked at a place where the senior architect explicitly forbade parameterizing SQL queries because he thought it was needless code complexity and a waste of time! I have also seen developers struggle with the .NET event-driven model for web page development, writing very insecure code because they really didn't have their heads around the timing of code execution or the mechanisms behind view state.

One thing that got me a while back was an exploit reported by Microsoft involving a means by which extra information about the web site could be teased out of the http header under some circumstances. Our client followed Microsoft's instructions for tweaking IIS to prevent the attack, and several of our pages started trying to redirect to invalid URLs. Problems like that bug me because of how difficult it is to be aware of them in advance. One has to invest a lot of time in keeping up with the latest news on a wide variety of web-related technologies (just to learn about the problems), and even more time in re-writing your code based on the new knowledge. What was secure yesterday isn't secure today, and designing sites that will remain secure tomorrow requires a very great deal of money, time, and effort to be spent in activities that don't always seem to have a measurable benefit at the time.

So...I can sympathize.

Re:Security is hard (0)

Anonymous Coward | more than 7 years ago | (#20206717)

I agree that in some cases binding query APIs to SQL queries do tend to increase code complexity and are a waste of time.

There is no reason this need be a requirement to construct secure queries in an interpreted web environment.

What we need are **simple** systems that understand some basic context and do the right thing without being explicitly asked to. Its not hard or rocket science.

select * from accounts where login='$form.login'

(Web application): Gee maybe I should check/escape the login form field before executing the query.

Re:What? (1)

Kroc (925275) | more than 7 years ago | (#20205367)

This is the EU, no silly Americanism's here.
It's "De-possible!" :P

Who's next? (0)

Anonymous Coward | more than 7 years ago | (#20205887)

Ten to one, we hear next week that some large repository of Student papers is vulnerable too.

What a lie (0)

Anonymous Coward | more than 7 years ago | (#20203683)

Apparently the UN website is down due to "scheduled maintenance"... A flagrant lie from the most important worldwide organization, a bit shocking really, but surprising?

Re:What a lie (2, Insightful)

sholden (12227) | more than 7 years ago | (#20203739)

Or the standard page when the web monkey flips the "maintenance mode" switch...

Plus I'm sure they scheduled the downtime (for right now) after they noticed the crack.

Nonono! (2, Funny)

Funkcikle (630170) | more than 7 years ago | (#20203687)

It wasn't hacked! Their website clearly states it is down for scheduled maintenance. Honestly, some people need to stop spreading these fake stories!

Re:Nonono! (2, Informative)

Edzor (744072) | more than 7 years ago | (#20203763)

you do realise that the UN website is up? The submitter has just used their default "yeah the website is borked" page http://www.un.org/sg/ [un.org] ?

Re:Nonono! (0)

Anonymous Coward | more than 7 years ago | (#20203783)

....... And there were weapons of mass destruction.

Re:Nonono! (2, Informative)

rvw (755107) | more than 7 years ago | (#20204273)

This one is up: www.un.org [un.org] !

Surprising? (1)

richdun (672214) | more than 7 years ago | (#20203695)

both quite surprising to find in such a high profile site

Are we really that surprised? I thought it was pretty standard that most of the "high profile sites" out there are the ones least likely to understand the importance of keeping their software up to date. It seems like the larger the company/organization/multi-national quasi-governmental agency, the more likely they are to simply buy in to whatever is being promoted by (insert your favorite vendor here), and won't upgrade unless something breaks or they can afford to buy whatever (insert your favorite vendor here) is selling in the quantities and packages they are selling it.

High profile guarantees nothing (0)

Anonymous Coward | more than 7 years ago | (#20203747)

Sometimes they have very stupid policies and habits which lead to errors.

Re:Surprising? (3, Insightful)

LurkerXXX (667952) | more than 7 years ago | (#20203821)

Did you not read the article at all? This had nothing to do with patching the system. It had to do with them hiring someone who never bothered to learn about SQL and security. It had nothing to do with the tools/system used. It had to do with incompetence of the person hired to set it up.

Re:Surprising? (1, Redundant)

John Jorsett (171560) | more than 7 years ago | (#20203955)

What, cronyism, featherbedding, and incompetence at the UN? That's unpossible!

Re:Surprising? (1)

hachete (473378) | more than 7 years ago | (#20205069)

They learnt their lesson well from the US

Re:Surprising? (4, Informative)

drspliff (652992) | more than 7 years ago | (#20203969)

This is pretty much standard for a lot of government organisations, or atleast I've seen it many times myself.

I don't know how to explain it, but a lot of the people I've seen create websites for government or local authority branches are business types lacking on the technical side. Basically the person who the project manager likes most, regardless of reviewing their technical ability on previous sites other than quickly browsing through one or two and going "ohh, thats nice isnt it!".

On one occasion I've seen a company win the contract simply because the paper they sent to the project manager sparkled slightly in the light and was followed up by a long phone call. Their websites were utter trash, but they were very good at making money.

I suspect the same happened here :)

Re:Surprising? (2, Insightful)

LurkerXXX (667952) | more than 7 years ago | (#20204047)

I've seen exactly the same in many many companies where I've been called in to clean up the mess. Hiring of incompetent staff is by no means limited to government.

Re:Surprising? (1)

JW.Axelsen.Sr. (986276) | more than 7 years ago | (#20204687)

I don't know how to explain it
government-type jobs usually go to the lowest bidder, (usually) no matter how much they suck at whatever tasks they're supposed to perform

Re:Surprising? (1)

drspliff (652992) | more than 7 years ago | (#20204751)

Personally I'd say it's more about perception of value, I've seen several contracts approved by management because they check all the boxes and are closer to what the expected budget is, instead of being technically competant and providing what they actually need. Sadly most of the companies that won these contracts were Microsoft shops.

Re:Surprising? (1)

Virgil Tibbs (999791) | more than 7 years ago | (#20204503)

Did you not read the article at all?
You must be new here! ;)

Re:Surprising? (0)

Anonymous Coward | more than 7 years ago | (#20204693)

It had nothing to do with the tools/system used.

Dude, you're on slashdot, don't be reasonable when it's Microsoft technology involved. Obviously it's Microsoft's fault; and they should have updated a working system to run Linux regardless.

Re:Surprising? (0)

Anonymous Coward | more than 7 years ago | (#20205343)

Like pointer arithmetic / manual memory management: Good developers are safe. Fact is: if you allow it, developers will make mistakes: Buffer overflow. Boom! Java doesn't allow pointer arithmetic / manual memory management. Java is safe.

SQL injection is similar: Once you allow embedding user input in SQL statements, some developers will make mistakes. SQL injection. Boom! How to solve it? Don't allow embedding user input. Enforce the use of parameters. Then you are safe. The Java database H2 database engine [h2database.com] supports a feature to enforce using parameters.

Re:Surprising? (1)

FireFlie (850716) | more than 7 years ago | (#20205523)

"SQL injection is similar: Once you allow embedding user input in SQL statements, some developers will make mistakes. SQL injection. Boom! How to solve it? Don't allow embedding user input."
I really hate web programming so I am not very knowledgeable in this particular area, but it was my understanding that most programming languages have libraries which allow a programmer to sanitize user input that will be used in an SQL statement, such as php's mysql_real_escape_string. I'm not saying that this is all that needs to be done, but it seems that a problem like this could be eliminated with a few extra lines. Am I just way off base here?

Re:Surprising? (0)

Anonymous Coward | more than 7 years ago | (#20205939)

And you are aware I'm sure that mysql_real_escape_string is the *3rd* try at a php library that would actually be safe? Php is a horrible example of a language who's writers could get things written safely themselves.

Am I just way off base here?

Yes. Just as are many that depend on unsafe libraries, or others who try to reinvent the wheel again and write their own sanitizing code (which they often also screw up).

Use stored procedures.

Re:Surprising? (1)

TheRaven64 (641858) | more than 7 years ago | (#20206281)

Using something like mysql_real_escape_string is a very bad idea (not least because it means you're using MySQL, but that's another story). If you use it properly, it can work, but like reading input directly into a buffer on the stack, it is incredibly easy to use incorrectly.

Most database APIs have some analogue of printf specifically designed for producing escaped SQL strings. These allow SQL statements to be constructed in a completely safe way. Always use these instead of manually constructing SQL statements, and you will find it very hard to write an SQL injection vulnerability (it's possible, but it takes real anti-skill).

Re:Surprising? (0)

Anonymous Coward | more than 7 years ago | (#20206275)

Oh no! A non-php site was attacked through SQL injection! The horror!!!

Awwwwwwwww.....Sigh. Hear that? It's the collective disappointment of thousands of Slashdot/perl sycophants and php haters missing the chance to irrationally dump on php! Such a pitiful sound. That's what you get for RTFS/A guys... next time just jump right in and start crapping on php, skip the summary and article. You know it will be so much more fun.

Re:Surprising? (1)

foobsr (693224) | more than 7 years ago | (#20203883)

I thought it was pretty standard that most of the "high profile sites" out there are the ones least likely to understand the importance of keeping their software up to date.

Probably also — my bias — because all the persons in charge are so qualified (along the lines: younger than ever, experience > age, always only A++ level grades, superb team-players with ultimate social and leadership capabilities) that they more care about quantum career leaps.

CC.

Is it really a big surprise? (5, Insightful)

background image (1001510) | more than 7 years ago | (#20203707)

This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site.

Maybe it's not such a surprise, considering that

  • they've used MS Word to make their 'down for maintenance' page
  • the code (not including the image) for that one sentence page is > 11k...

Re:Is it really a big surprise? (-1, Troll)

weicco (645927) | more than 7 years ago | (#20203773)

How does MS Word relates to SQL injection? Do you even know what SQL injection is, how one can be triggered and how it can be exploited? I sure do and it has nothing to do with Word or any other office application.

Re:Is it really a big surprise? (0)

Anonymous Coward | more than 7 years ago | (#20203823)

Because it shows that their webadmin is a complete and utter spastic.

Re:Is it really a big surprise? (1)

Nimey (114278) | more than 7 years ago | (#20203827)

If they're clueless enough to use Word to write Web pages, that's evidence that they may be clueless enough to not properly secure their web server.

Re:Is it really a big surprise? (1)

newell98 (539530) | more than 7 years ago | (#20203829)

Not the point. The parent poster was implying that if their web-master is using MS Word to generate an error page with >11k of code then chances are the rest of their technical staff aren't too bright either.

Re:Is it really a big surprise? (1)

background image (1001510) | more than 7 years ago | (#20203835)

Don't be dense. If they're incompetent enough to be building parts of their website with a tool like MS Word, it doesn't seem tremendously far-fetched to me to think that their abilities in other areas--security for example--may be less than stellar.

Re:Is it really a big surprise? (1)

rob1980 (941751) | more than 7 years ago | (#20204025)

Or maybe that page was a quickie that an intern put up until the real developer gets in on Monday.

(Of course, given that this happened in the first place, that isn't entirely likely. heh)

Re:Is it really a big surprise? (3, Insightful)

SplatMan_DK (1035528) | more than 7 years ago | (#20203843)

weicco, I think his point is that an IT organization that uses 11 Kb of rubbish-style HTML code generated in MS Word to write "Down for scheduled maintenance" on a web page is likely to treat their server security issues with the same "professionalism". :-)

- Jesper

Re:Is it really a big surprise? (1)

gad_zuki! (70830) | more than 7 years ago | (#20206069)

Exactly. The UN is acting like many boneheaded companies that have some administrative assistant doing "the webpage" instead of hiring a professional. I'm sure the server was setup by someone's kid too. The real shame here is that there are lots of talented tech workers looking for work. Lowballing only hurts the cheapskates in the end.

A website is hacked. So? (0)

Anonymous Coward | more than 7 years ago | (#20203715)

Why is this shocking or surprising? I've seen countless terrible implementations where some leet web hacker has made terrible security and general data integrity problems because they have no idea how a database should be set up or secured. They apparently don't teach databases well enough in school, and the folks who teach themselves rarely seem to bother trying to learn it right.

U.N.Constitutional (0)

AnyThingButWindows (939158) | more than 7 years ago | (#20203807)

How hard is it, I mean really, to spell U.N.Constitutional? Why is it that people think that the U.N. is some kind of authority over American citizens?

Re:U.N.Constitutional (0, Offtopic)

Anonymous Coward | more than 7 years ago | (#20203919)

I think it's kind of funny how the U.S. is brown-nosing the U.N., now that things aren't going too well in Iraq. "Ohhhhhh.. we broke it, can you fix it, please!"

Our agreements? The struggling Parliament of Man (5, Insightful)

Etherwalk (681268) | more than 7 years ago | (#20204165)

As a nation, the US has made numerous commitments to the UN, and that includes agreements to follow things like the Universal Declaration of Human Rights. When we *agree* to follow International Law, we ought to, don't you think? Especially when we're heavily involved in creating that law in the first place?

The fact is that the UN, while it does have a lot of problems, is also far more effective and dare-I-say-it even important than most people in the US ever give it credit for. It's far from a perfect system, but it's still the best we have. We're one of the rich kids on the playground, and one of the strong kids on the playground, and we don't always enjoy what the student government wants to do--so we turn away from it sometimes. But that doesn't mean that it isn't important, or helpful, or that it doesn't, sometimes, do what's right. And that doesn't mean we shouldn't work with it, sometimes, and give it more credit for what it does and tries to do.

Instead, we tend to discount it. Because sometimes we don't like what it says about us or others in the playground, and because it's politically convenient (and salable) for our leaders to emphasize our strength and autonomy, all of our accomplishments and our not-inconsiderable military and economic muscle, and all of our pride. Some degree of Nationalism isn't a terrible thing, and we do have a lot to be proud of--but we also still have a lot to do, and to accomplish, as a nation and as members of larger world, and pretending the other children on the playground are irrelevant doesn't help us to do those things.

Also, don't you want the Universal Declaration of Human Rights to apply to US Citizens in a US Court or on the streets? The Bill of Rights is getting stretched more thinly every day, and the anti-terrorist effort (though directed in part by well-meaning people) is cutting swaths in our Constitution.

--Me

The subtlest change in New York is something that people don't speak much about but that is in everyone's mind. The city, for the first time in its history, is destructible. A single flight of planes no bigger than a wedge of geese can quickly end this island fantasy, burn the towers, crumble the bridges, turn the underground passages into lethal chambers, cremate the millions. The intimation of mortality is part of New York now: in the sound of jets overhead, in the black headlines of the latest edition.

All dwellers in cities must live with the stubborn fact of annihilation; in New York the fact is somewhat more concentrated because of the concentration of the city itself, and because, of all targets, New York has a certain clear priority. In the mind of whatever perverted dreamer who might loose the lightning, New York must hold a steady, irresistible charm.

It used to be that the Statue of Liberty was the signpost that proclaimed New York and translated it for all the world. Today Liberty shares the role with Death. Along the East River, from the razed slaughterhouses of Turtle Bay, as though in a race with the spectral flight of planes, men are carving out the permanent headquarters of the United Nations -- the greatest housing project of them all. In its stride, New York takes on one more interior city, to shelter, this time, all governments, and to clear the slum called war. ...

This race -- this race between the destroying planes and the struggling Parliament of Man -- it sticks in all our heads. The city at last perfectly illustrates both the universal dilemma and the general solution, this riddle in steel and stone is at once the perfect target and the perfect demonstration of nonviolence, of racial brotherhood, this lofty target scraping the skies and meeting the destroying planes halfway, home of all people and all nations, capital of everything, housing the deliberations by which the planes are to be stayed and their errand forestalled.

-- E.B. White, from "Here Is New York," 1948

Re:Our agreements? The struggling Parliament of Ma (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#20204587)

Well, no. The UN isn't good for anything. The "Universal Declaration of Human Rights" is full of things that aren't in any sense "rights" and can't be provided without destroying rights -- while failing to recognize any of the really important ones. The very existence of the UN is a step in the wrong direction for the freedom and safety of mankind. And the more they're taken seriously, the more fucked we are.

Re:Our agreements? The struggling Parliament of Ma (3, Insightful)

MvD_Moscow (738107) | more than 7 years ago | (#20205881)

You really need to lay off the theory and try living in the real world.

Now let's pretend for a minute that 'positive liberty' is all BS. Let's pretend that the libertarian ideology on liberty is the most moral one. Let's say UN implements your Libertarian Declaration of Human Rights.

Now how will that be a step in the right direction for the freedom and safety of mankind (pretty big words for statement devoid of any arguments)? Do realize that no one will even care about this document, let alone even paying lip service to it's requirements. The vast majority of the earth couldn't give a flying fuck about your rants on positive and negative liberty. Fuck, most of them are so poor that they can't really have a debate on this issue.

Try explaining the dangers of positive liberty to an illiterate African kid. Try telling him that the government should not be building school or hospitals because that means richer people will have to pay more taxes and it increases government involvement in the individual's life. Most people don't care about your Ivory tower rants. People want education and healthcare. People don't want to see their kids dying from something stupid like malaria. People want at least baseline prosperity.

Don't get me wrong, I am not really arguing against libertarian ideology. I am just pointing out that libertarian views on positive liberty issues is a extreme view than is not shared by the majority of the population of our planet. And it doesn't matter whether they are right or wrong.

Okay, forget positive liberty issues. Let's look at social liberalism, you would think there would be more consensus on this one, right? So how are you planning to force all nations on the planet to ratify a document that would essentially legalize the vast majority of illegal drugs (if not all, I guess it depends how hardcore you are about such things, I don't know, I don't really see the point in recreational use of heroin)? Hell, we have troubles legally enforcing the current declaration because many muslim nations like making exceptions (I am beating your wife is right, no? What kind of barbarian would want to ban something like that?), I am not even talking about practical implementation of the current declaration.

The UN isn't about world peace and prosperity and promoting rights. It's about comprising and trying to find a mutually acceptable solution while at the same time trying to advance freedom/prosperity.

I don't even know why I wrote this. You're just a naive little American, with no understanding of the world around him. Your one size fits all attitude is just laughable. It's because of people like you that I don't like libertarians. Libertarians are kind of like communists in a way, flip side of the same coin.

Re:Our agreements? The struggling Parliament of Ma (0)

Anonymous Coward | more than 7 years ago | (#20206293)

I'm not a libertarian and I'm not the GP but, I seriously think we should legalize most illegal drugs.

Why? Because the vast majority of the domestic harms ascribed to illegal drug use actually result from the illegality of drug use. But worse than that, the illegality creates far greater harms in the rest of the world. For example, sick people throughout the world are dying in terrible pain because the most effective, natural analgesic, morphine, is effectively prohibited by anti-drug treaties. (Yes, the richest six countries have adequate supplies; everyone else is fucked. It is ridiculous that we're spending billions to eradicate the poppy growing in Afghanistan when there's such a desperate shortage of morphine. And yes, other countries aren't required to accept the anti-drug treaties, but their trade depends on it.) Or look at the cocaine-related violence in South America. Again, entirely a result of the illegality of drugs and our demand for them. We have ineffective laws intended to protect a few foolish westerners from self-inflicted harm inflicting far greater harm on the rest of the world. I don't see any positive argument for these laws.

I do see the point of recreational heroin use although I've never tried it. But I don't see the point of fucking-over undeveloped countries.

Re:Our agreements? The struggling Parliament of Ma (2, Insightful)

MrSteveSD (801820) | more than 7 years ago | (#20206225)

It's far from a perfect system, but it's still the best we have.


The UN is really a complete affront to democracy. It's effectively a five country dictatorship. You have 5 countries which can veto the will of all the world's countries and they can never be removed from their position on the Security Council. They can also veto the appointment of a UN Secretary General, even if the rest of the world wants that person for the role. It's amazing really that the media do not direct their attention at the UN's completely undemocratic structure rather than just its operational failures (which often stem from that structure).

I mean, what's more outrageous. That some UN officials have been corrupt in the past or that the organisation is itself a dictatorship?

Re:Our agreements? The struggling Parliament of Ma (2, Informative)

HappyUserPerson (954699) | more than 7 years ago | (#20206375)

Also, don't you want the Universal Declaration of Human Rights to apply to US Citizens in a US Court or on the streets?

No way! Our Constitution and Bill of Rights are designed to protect us and our rights! Somehow, I don't think the safety, security, and interests of Americans is high on the priority list of the UN. I would prefer that our courts stick with the Constitution and Bill of Rights that make America's interests top priority.

Re:Our agreements? The struggling Parliament of Ma (2, Informative)

Citizen of Earth (569446) | more than 7 years ago | (#20206769)

is also far more effective and dare-I-say-it even important than most people in the US ever give it credit for

What are the things that you are claiming that the UN is effective at? As far as I can tell, there are only two things: (1) giving hand-outs to the desperately poor, and (2) keeping tinpot dictators in power. One could argue that these together are self-perpetuating.

Waste of an exploit (5, Funny)

JosefAssad (1138611) | more than 7 years ago | (#20203831)

What a waste of an exploit.

I personally would have sneaked in and invented a new UN agency with its own inscrutable and almost-pronounceable acronym, and then sat back and watched.

Just imagine if, halfway down this page [un.org] , you get an entry like this:

UNCRP: Works in field missions to improve standards in accordance with self-determined metrics. Composed of members elected to permanent positions based on a variety of factors subservient to aforementioned goals, assuming goals have been determined prior to agency initiation. Primary work areas include inter-agency provision of UNCRP-related efforts, with the ultimate objective of improving standards, mainly in the field.

One quick email to follow up:

To: secgen@un.org
From: Agency Coordination and Initiation Subcommittee to the Secretariat
Subject: Need traction on UNCRP agency kickstart

Dear sir:

With respect to the newly established UNCRP agency, we respectfully request formal approval of resources. We expect to be operational within 5 years and will submit the initial statement of work within 3 years from approval.

Thank you for providing the momentum to this newly founded agency; we have dedicated much effort to the realization of the UNCRP, as it is conducive to the eradication of, several things in the UN charter.


Regards,


Rolf Wittigersen

And that should be it. Make yourself some popcorn, and watch the headless wonder of a new UN agency being created. At least with the UNCRP, it would be purposeless by design rather than through the diligent work of its employees.

Re:Waste of an exploit (0)

Anonymous Coward | more than 7 years ago | (#20204945)

I think you would be a good 'Yes man' http://en.wikipedia.org/wiki/The_Yes_Men [wikipedia.org]

Re:Waste of an exploit (2, Funny)

eggoeater (704775) | more than 7 years ago | (#20204973)

...missions to improve standards in accordance with self-determined metrics...
....based on a variety of factors subservient to aforementioned goals...
...work areas include inter-agency provision...
...with the ultimate objective of improving standards...
Hey!
I recognize that writing....
You're the CTO/CIO for my company, aren't you??

Re:Waste of an exploit (1)

Jugalator (259273) | more than 7 years ago | (#20205961)

Agreed. Seriously, what's wrong with hackers not even able to type properly? If you saw the thumbnail-sized photo of the defaced site in the article link, you'd know what I'm talking of. It looks like absolute crap. My mom is a better web designer. A 10 year old has better grammar. I don't get it. After going through the work of planning and attacking a site, why are they making sure it looks like an obvious attack? Isn't the point then lost?

Re:Waste of commas (1)

StrahdVZ (1027852) | more than 7 years ago | (#20206145)

Beside the overly zealous use of commas, that would, with all due respect, convince the Secretary General, if he is the recipient, that the email was, in fact, sent by William Shatner, its a great idea!

flash fudvert alert .. (-1, Offtopic)

rs232 (849320) | more than 7 years ago | (#20203905)

In a flash advert immediatly below the story:



STATE GOVERNMENT
SAYS LINUX WAS TOO BIG A RISK


-------

"We can't take big risks with our technology," said
Paul Campbell, former Director of the Illinois
Department of Central Management Services, "State
government needs trusted, tested technology that's
reliable and predictable
,"

FUD + ADVERT == FudVERT ..

Taco, have you no shame .. :)

Must have taken a while to notice ... (-1, Flamebait)

John Jorsett (171560) | more than 7 years ago | (#20203997)

... since accusing the US and Israel of killing children and other people is pretty much the usual UN message.

/ Yes, this says something you disagree with! Mod it down!

Re:Must have taken a while to notice ... (1)

Bottlemaster (449635) | more than 7 years ago | (#20204141)

... since accusing the US and Israel of killing children and other people is pretty much the usual UN message.
Didn't RTFA, huh? The message clearly said that the US and Israel "dont (sic) kill children and other people".

pacifists are such losers (-1, Troll)

tfiedler (732589) | more than 7 years ago | (#20204005)

pacifist are such losers. I hate pacifists, too cowardly to take a stand to save their own skins, too cowardly to speak out against truly evil behavior lest they be required to stand up for their fellow humans. pacifism is intrinsically the domain of the self righteous, soft headed moron never exposed to the reality that life takes work and sacrifice.

that being said, the united nations is a bunch of cowering inept fools.

Re:pacifists are such losers (1, Funny)

Anonymous Coward | more than 7 years ago | (#20204197)

Yeah! And koalas are little bitches! [textfiles.com]

Re:pacifists are such losers (1)

Anonymous Coward | more than 7 years ago | (#20204255)

pacifist are such losers. I hate pacifists, too cowardly to take a stand

Looking through your posting history and finding such gems as, "I say beat the shit out of the jerks, maybe they'll think twice before doing it again," I guess I'd be safe to classify you as a trollish, impotent, angry young man.

But you're right, let's get rid of the "opposition to war or violence as a means for resolving disputes" (American Heritage) that pacifism entails, close down our embassies, withdraw our diplomats, and resolve our differences - without exception - with a good old-fashioned wrestle. My wife volunteers; does yours?

that being said, the united nations is a bunch of cowering inept fools.

Lest you be accused of being "too cowardly to take a stand", should you not be planning a military coup of the UN or something, rather than posting on Slashdot? Only the "soft headed moron" would use words when he has his almighty fists. Onward into battle, tfiddler, for the freedom of our glorious nation rests on your shoulders!

Re:pacifists are such losers (0)

Anonymous Coward | more than 7 years ago | (#20205091)

Wish I had mod points :(

+5 Funny

UN - just another acronym for impotence. (-1, Redundant)

roman_mir (125474) | more than 7 years ago | (#20204019)

Impotent even on such small scale, incompetent management to the max. Should be renamed into United Impotents.

Oh, and any kind of a problem on a project like this is management problem, certainly the hired developers sucked big one, but who hired them and allowed a process in place that never considered these kinds of problems? Managers.

The hole is still open, though... (3, Interesting)

caferace (442) | more than 7 years ago | (#20204035)

Re:The hole is still open, though... (2, Informative)

Jugalator (259273) | more than 7 years ago | (#20205977)

Interesting... And if you're a confused moderator, note that the ending apostrophe is to be part of the URL, but wasn't here due to Slashdot's auto-link generation.

You'll get

ADODB.Recordset.1 error '80004005'

SQLState: 37000
Native Error Code: 8180
SQLState: 37000
Native Error Code: 105
[MERANT][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
[MERANT][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared. /apps/news/infocus/sgspeeches/statments_full.asp, line 26

Unsurprising (1)

freyyr890 (1019088) | more than 7 years ago | (#20204065)

This is not unlike an issue I discovered a little while back. An online application suite for schools designed for easy manipulation of databases containing student records was subject to SQL injection using the web interface. The web interface was designed for parents to get an up to date progress report for their child, or for students to select courses without resorting to paperwork.

Well, passing along the escape character (') to the login page returned the following message:
java.sql.SQLException: ORA-01756: quoted string not properly terminated

I played with this a little while, and eventually was able to mine my friend's student number. Figuring I should probably notify someone, I talked to my high school's technical department.

They put me on the line to the staff at the provincial team. I tell them about the problem and suggest that they contact the company that built the software to begin with.

They close the web interface, and contact the developer. Now, four months later, the issue STILL isn't patched on the thousands of other installs across North America. I tried directly contacting the developer, AAL Solutions. No reply. I finally dug up an email for the Independent School implementation of eSIS. It seems that the developer is still working on it. Slowly.

Site is (1)

Dunbal (464142) | more than 7 years ago | (#20204079)

Unavailable due to scheduled maintenance. Heheheh. Also, why is lying always the first reaction? Scheduled my ass. I'm getting fed up of this. Lies everywhere.

Re:Site is (1)

FireFlie (850716) | more than 7 years ago | (#20205683)

Of course it is also a possibility that this is a generic "this page is down" placeholder, and someone just hit a button to remove the offending page as quickly as possible while they contacted someone that could actually do something about it.

Some jive honkeys. (1)

Sitnalta (1051230) | more than 7 years ago | (#20204161)

At first reading, I thought that the UN was defaced by some white people, and the author was just being racist.

Then I imagined that the UN as a society of pimps. This is where I live now. In my mind.

$Fuck3r (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#20204233)

For a m0ment and large Z- keep your Came as a complete that they can hold

Surprising? Not at all.. (1)

madsheep (984404) | more than 7 years ago | (#20204389)

So it coincidence the site is down for scheduled maintenance right now? I suppose this maintenance was scheduled immediately following their defacement?

SQL injection in a high-profile site is not surprising or uncommon. When you work with back end databases, your protection from such an attack is only all the programmers that make up the DB interfaces on your website. This happens often due to laziness, lack of knowledge, or simple mistakes. It's pretty frequent when you have people collaborate on a project as well. One person might be the best security programmer in the world and do 95% of the website. That "other" guy that did 5% of it could eb the reason you just got hacked. Web attacks are becoming more and more common and will continue to rise with Web 2.0 features. Surprising? Not at all... we see this stuff all the time and on more popular sites than un.org (is that really saying much?).

still vulnerable (0)

Anonymous Coward | more than 7 years ago | (#20204489)

FTFA:

As you can easily verify by opening this URL [un.org] , the site is vulnerable to an attack called SQL Injection. This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site.
The statements_full.asp page is STILL injectable and STILL available. I wonder what other pages are also injectable on that domain. I also wonder how fast it will take for someone to makes a javascript form that posts your very own words to the UN site via SQL-injected URLs. -- Anonymous

but is it susceptible to... (0)

Anonymous Coward | more than 7 years ago | (#20204493)

the good ol' hot beef injection?

Re:but is it susceptible to... (0)

Anonymous Coward | more than 7 years ago | (#20206683)

Nah, they weren't rooted, its just a website defacement. :(

United Nations can't catch a break? (0)

Anonymous Coward | more than 7 years ago | (#20204581)

It's bad enough they are known as an ineffective organization. The idea of world government is a great idea but no one is ready for it. I guess it'll take an Extinction Level Event Asteroid Injection to get the nations to get them to cooperate.

USA and Israel (0, Troll)

kwoff (516741) | more than 7 years ago | (#20204783)

That's precious that they're asking USA and Israel "dont kill children and other people". Does it not count if you blow yourself up while doing it? Or do you just have to be muslim to be excluded?

Hardly a surprise (5, Interesting)

Opportunist (166417) | more than 7 years ago | (#20204823)

You'll notice that webpages of governments, political parties and other highly bureaucratic systems are usually quite vulnerable. This is due to a few factors.

First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.

Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.

And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.

Re:Hardly a surprise (2, Insightful)

rtaylor (70602) | more than 7 years ago | (#20204955)

And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.
You often get what you pay for. The population demands low paid government workers then wonders why they get low quality government work completed.

The easiest non-intrusive way (2, Interesting)

michaelhood (667393) | more than 7 years ago | (#20204909)

to check for SQL injection like this on a website is to do something like this:

http://www.un.org/apps/news/infocus/sgspeeches/sta tments_full.asp?statID=105%20OR%201=1

If they're not using parameter binding and/or properly sanitizing user input, this should return a different record (article in this case) than the original URL. - http://www.un.org/apps/news/infocus/sgspeeches/sta tments_full.asp?statID=105

Still vulnerable (2, Informative)

Ysangkok (913107) | more than 7 years ago | (#20204963)

Still vulnerable: SQL error [un.org]

Amateurs In the UK they physically take the Server (0)

Anonymous Coward | more than 7 years ago | (#20205823)

The article starts off:-

"A major security alert has been sparked after the theft of a computer database containing thousands of top secret telephone records from police investigations into terrorism and organised crime."

So you think someone hacked the computer and nicked the database.

further down the article:-

"The raid at the high-security head office of Forensic Telecommunication Services Ltd (FTS) at Sevenoaks, Kent, raised fears that vital evidence from undercover investigations may have been lost or have fallen into the wrong hands."

"The stolen computer server - a metal box the size of a large DVD player - contained details of who made calls on mobiles, their exact location and precisely when the calls were made."

FTS said in a statement to The Mail on Sunday last night: "We can confirm that the company was recently the victim of a break-in at one of our premises in Kent.

"As a result, some IT equipment, including a server, were stolen".

"The server, which is security protected, contained administrative data and details of some case files in relation to FTS's forensic work."

http://www.dailymail.co.uk/pages/live/articles/new s/news.html?in_article_id=474788&in_page_id=1770 [dailymail.co.uk]
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?