08.14.07


UN Site Is Hacked

By Dan Morrill

The United Nations web site was hacked over the weekend, and hacked thoroughly, by a group that used a common SQL injection technique, the ' escape character in unsanitized input, to post anti-war messages across the site.

The interesting part is what the News.com article here reports:

But if you tune into a discussion among security experts at the blog Hackademix, you'll find that the fixes the U.N. has made so far may be little more than window dressing. In an e-mail message to News.com on Monday morning, Giorgio Maone, an Italian software developer who runs the site, confirmed that "the U.N. staff just deployed a cosmetic patch, which hides it from the most obvious tests, but it cannot prevent an attack." Source: News.com

Realistically, the UN needs a better information security group if all it can do is apply a cosmetic patch. It needs even more help if it does not know how to fix this kind of problem, because this attack has been around for a very long time.
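To make the distinction between a cosmetic patch and a real fix concrete, here is an added example (not code from the UN site or the article) using Python's built-in sqlite3 module and a constructed in-memory articles table. It shows a query built by string concatenation, where a ' in the input breaks the SQL; a "cosmetic" version that strips the quote so the obvious probe stops erroring but still concatenates and now mangles legitimate data; and the parameterized version that keeps input as data.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for a news site's article table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO articles (title) VALUES (?)",
        [("Security Council meets",), ("O'Brien appointed",)],
    )
    return conn


def search_vulnerable(conn, term):
    # Concatenation: a ' in the input ends the SQL string literal early,
    # so the rest of the input is parsed as SQL rather than data.
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_cosmetic(conn, term):
    # "Cosmetic patch": remove the ' so the obvious single-quote probe no
    # longer errors. The query is still assembled from user input, and any
    # legitimate title containing an apostrophe can no longer be found.
    sql = "SELECT title FROM articles WHERE title = '" + term.replace("'", "") + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # Real fix: the driver binds the value separately from the SQL text,
    # so a ' in the input is always data, never syntax.
    sql = "SELECT title FROM articles WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def demo(term="O'Brien appointed"):
    # Run all three against the same legitimate input containing a quote.
    conn = build_db()
    out = {
        "parameterized": search_parameterized(conn, term),
        "cosmetic": search_cosmetic(conn, term),
    }
    try:
        out["vulnerable"] = search_vulnerable(conn, term)
    except sqlite3.Error as exc:
        out["vulnerable"] = "SQL error: %s" % exc
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-13s -> %r" % (name, result))
```

Only the parameterized query both survives the quote and returns the right row; the cosmetic version is quiet but wrong, which is exactly what "hides it from the most obvious tests" means.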

The approach that organizations take to verifying that their code withstands attack is very important, and it is regrettable that the United Nations, a body responsible for a great many things, does not have enough money to go through and validate its web site code, or the underlying SQL behind that code.


There are very simple tests that can be run, and there is very inexpensive software that will run those tests for you. Most larger companies that want to make sure their web sites are not hacked run these kinds of tests. It is unrealistic to think that the UN cannot afford 30K for the software and 120K a year (including benefits, taxes, and training) for an employee to run those tests across the UN web infrastructure and work with the developers to fix the issues.

While interesting, the incident shows a lack of a security approach at the UN that, while regrettable, is common everywhere. Security is not a core competency at many organizations, but there are some really good vendors out there that do great work and will stand behind it. Maybe someone at the UN needs to start shopping for help with their information security.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.

-- ITGovNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2007 iEntry, Inc. All Rights Reserved.