Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don’t.
There’s a technical reason for the missing apostrophe, though, because messing with this very character (’) is part of the technique apparently used by the attackers.
As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection.
This is a very well-known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high-profile web site.
If only prepared SQL statements were used properly*, this embarrassing incident would have been easily prevented.
And yes, prepared statements are available even in the very obsolete ASP “Classic” + ADODB Microsoft setup they’ve got. (screenshot)
*properly means strictly constant statement strings and type checked bound parameters, see Roland Bouman’s comment and my answer below.
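The footnote's two conditions, as an added example that is not part of the original post: it uses Python with an in-memory SQLite database rather than the site's ASP/ADODB stack, and the table, columns, rows and function names are all constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema and rows are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE speeches (id INTEGER PRIMARY KEY, speaker TEXT, title TEXT)")
    db.executemany("INSERT INTO speeches VALUES (?, ?, ?)",
                   [(1, "O'Neill", "Opening remarks"), (2, "Smith", "Closing remarks")])
    return db

def by_speaker_concat(db, speaker):
    # Flawed: the statement text itself is assembled from user input,
    # so an apostrophe in the input ends the string literal early.
    sql = "SELECT title FROM speeches WHERE speaker = '" + speaker + "'"
    return [row[0] for row in db.execute(sql)]

def by_speaker_half_bound(db, speaker, order_by):
    # Still flawed: one value is bound, but the statement string is not
    # constant, which is the improper use the footnote warns about.
    sql = "SELECT title FROM speeches WHERE speaker = ? ORDER BY " + order_by
    return [row[0] for row in db.execute(sql, (speaker,))]

def by_speaker_bound(db, speaker):
    # Proper: constant statement string, input travels only as a bound value.
    sql = "SELECT title FROM speeches WHERE speaker = ?"
    return [row[0] for row in db.execute(sql, (speaker,))]

def by_id_bound(db, raw_id):
    # Proper: constant statement string plus a type check before binding.
    speech_id = int(raw_id)  # raises ValueError for anything but an integer
    sql = "SELECT title FROM speeches WHERE id = ?"
    return [row[0] for row in db.execute(sql, (speech_id,))]

def breaks_statement(query, *args):
    # True when the input changed the SQL text enough that the engine
    # could no longer parse it: the telltale sign of an injectable query.
    try:
        query(*args)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated, O'Neill breaks it:", breaks_statement(by_speaker_concat, db, "O'Neill"))
    print("half bound, ' breaks it:", breaks_statement(by_speaker_half_bound, db, "Smith", "'"))
    print("bound, O'Neill:", by_speaker_bound(db, "O'Neill"))
    print("bound by id, '1':", by_id_bound(db, "1"))
```

A legitimate name containing an apostrophe is enough to break the concatenated query, while the bound versions treat it as plain data.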
I will write some other time about prepared statements and database layer security.
In the meantime, if you’re a planetary organization and you’re planning to cut the budget for the security training of your web development staff, please dont… er… do not ;)
1. 12-AUG-2007, 15:20 UTC update:
The main link now says “temporarily unavailable due to scheduled(!) maintenance”, but the other ones should still work.
2. 12-AUG-2007, 17:20 UTC update:
The speeches have been restored as well, but you can still check this screenshot. Moreover, the hole seems not to be patched yet, thus the site could be defaced again at will: not the best order for fixing stuff, is it?
3. 13-AUG-2007, 6:00 UTC update:
U.N. staff put in a patch to hide the most obvious vulnerability (the one linked here), but the flaw is still there and could be easily exploited again.
I won’t post any other hint for script kiddies here, but I’m submitting a report to the U.N. IT security staff under the RFPolicy and will keep you posted.