hackademix.net

I’ve been attaching some updates to my United Nations VS SQL Injections article, but this story deserves another clarification post, now.

A few hours ago I’ve been contacted by Ronda Hauben (Telepolis/OMNI), asking if I had any news about the vulnerability and how the agency was handling it.
I answered her just like I answered the inquiry I received from Anne Broache (CNET/News.com) yesterday:

I can confirm the vulnerability is still there.
The U.N. staff just deployed a cosmetic patch to hide the bug from the most obvious tests, but this measure cannot prevent an attack.
I reported this problem to U.N. on Monday morning (8.06 AM UTC), offering cooperation to evaluate and fix it under the provisions of the RFPolicy.

They did not come back to communicate with me yet, but on the other hand the aforementioned policy grants them 5 days to do it.
As I said the site is still vulnerable, but I won’t disclose any other technical detail until this “grace time” is expired.

Shortly after I sent Ronda my reply (around 22.00 UTC), I was about to hit my bed when I decided to check again…
To my surprise, all my U.N. bookmarks landed on 404 (not found) pages, and when I tried the www.un.org home page itself I was welcomed by this message:
(more…)

The United Nations web site [1] has been defaced this morning. (screenshot)

The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war
screenshot

While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don’t.
There’s a technical reason for the missing apostrophe, though, because messing with this very character (’) is part of the technique apparently used by the attackers.
(more…)