South East Asia is well known as a hotbed of political hacking. This latest attack is covered in the linked article.
A ring of Indonesian hackers on Monday claimed to have attacked a list of more than 120 Web sites as retribution for Malaysia’s alleged theft of Indonesian cultural items and abuse of migrant workers.
A statement was posted on a Blogspot blog titled “Terselubung” saying that a number of Malaysian Web sites had been hacked and defaced to “celebrate” Malaysia’s Independence Day, which fell on Monday August 31.
“Today, August 31, 2009, an uncreative country, a country who likes to steal Indonesian culture, a country whose citizen is the mastermind of bombings in Indonesia, a country who has tortured many of our sisters — the migrant workers who worked there, a country who abused our national anthem, a country who harassed Indonesia on the Internet, a country that has stolen Sipadan and Ligitan islands, a country which has trespassed our water illegally, a country which received their independence from Britain, is celebrating its anniversary,” the Web site stated.
Indonesian Hackers Launch Independence Day Attack on Malaysian Web Sites
In August 2007 the UN.org website was hacked by activists. It turns out that after 2 years the website is still vulnerable. This is unfortunate; as far as we know the only damage in the previous hack was a defacement: the page was changed and a message was placed on the site by the hackers.
The fact that UN.org has not deemed it important enough to fix shows little understanding of the need for good security. This is not an elite hack: the vulnerability is a simple SQL injection that could lead to far more than a defacement.
Attackers could potentially use this to take control of the server and then capture logins. As is often the case, logins are reused, so the potential is there for capturing login information to more important systems within the UN system.
The page could be defaced with injected malware. This would put thousands of visitors to un.org at risk of their own systems being compromised. The database server that houses the website may also hold other databases containing logins, personal details and other sensitive information.
Dear UN.org,
Please fix your web site; it would not cost much. Then have your security reviewed for further problems. Our partner site HackerTarget.com would be willing to do a full assessment for free.
Regards,
Peter
IronCove.net
Update: I have just tested the simple injection test, putting an extra quote at the end of the URL mentioned in the linked article, and the problem appears to have been fixed. Let's hope they go to the trouble of a full security review.
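The trailing-quote check from the update, as an added example that is not code from this post or from the UN site: a hypothetical page lookup in Python with sqlite3, written once with the URL parameter pasted into the SQL string and once parameterised, plus the self-check a site owner can run against their own lookup. The table, slugs and body text are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny 'pages' table keyed by URL slug."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("about", "About this site"), ("news", "Latest news")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """Hypothetical weak lookup: the untrusted URL parameter is glued into the SQL.

    A quote in the parameter changes the query's structure, so appending one
    produces a database syntax error instead of a plain 'not found'.
    """
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, slug):
    """Hardened lookup: the parameter is bound, so a quote is just data."""
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


def trailing_quote_check(lookup, conn, slug):
    """The test described in the update, run against your own code.

    Returns True when adding a quote turns a normal request into a database
    error, the classic symptom that the parameter reaches SQL unescaped.
    """
    try:
        lookup(conn, slug + "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup errors on trailing quote:", trailing_quote_check(lookup_vulnerable, db, "about"))
    print("safe lookup errors on trailing quote:", trailing_quote_check(lookup_safe, db, "about"))
```

The same idea applies to any database driver: if a request with a trailing quote returns a server error where a request for a non-existent value returns a clean "not found", the parameter is reaching the query unbound and the fix is the bound form shown in lookup_safe.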
UN.org still vulnerable
We have pointed out the great work of Tactical Technology Collective and Frontline Defenders (NGO-in-a-box) in the past; either way, this article is a great reminder and provides some good links to the excellent work being done by these guys.
It is a post which could just as easily be titled “how to try and keep the Sudanese Government (or insert other oppressive regime) from reading everything on your computer,” which they are sometimes wont to do, especially when expelling large numbers of NGOs.
An anonymous aid worker who was recently expelled from Sudan described the following:
“Government officials quickly arrived at the office, confiscating all our assets – our phones and computers to start with…At the airport, National Security were waiting for us. They searched through all of our bags. They took – stole – all kinds of personal items: cameras, iPods, our own computers with hundreds of photos of our lives and friends in Darfur.”
http://security.ngoinabox.org/
Securing Sensitive Information and Communications in the Field
The International Development Research Centre (IDRC) hosted a meeting at which Rafal Rohozinski highlighted the need for information security within NGOs and nonprofit organisations.
State-sponsored attacks that block websites and shut down mobile phone networks are increasingly being used to “disrupt the work of civil society at times when their input could be critical to political or social processes,” Rafal Rohozinski told a public meeting at the International Development Research Centre (IDRC).
Well-meaning groups working in the developing world also risk endangering the very individuals and communities they seek to help if they fail to get up to speed on information security in the digital era, he says.
At first glance, electronic spying might appear to be a cloak and dagger realm of little relevance to groups working in the field of international development. “Yet cyber security and cyber espionage have far-reaching implications for our work,” Rohozinski says.
In the past, traditional “signals intelligence” focused on intercepting communications — whether sent by telex, fax, phone, or mail — as they were in transit to their intended recipients. But the Internet has changed all that. Information can now be retrieved at source before it moves anywhere, and the cost of collecting it — using low-tech tools available to anyone — is minimal. It is now easy and cheap to vacuum up information, Rohozinski says — “and NGOs are more of a target than they were 15 years ago.”
Groups that collect data on vulnerable communities risk putting them in greater danger if the information is stolen, he says. Even seemingly benign documents, such as lists of meeting participants, could have strategic importance in the wrong hands.
“It’s important to recognize that as NGOs, particularly those that work with communities at risk, you are collecting information of a personal nature, which can be put to uses that are very different — in fact, antithetical — to the reasons you collect it,” Rohozinski says.
“There has to be discipline about what information you collect and how you hold and communicate it. But most NGOs and research organizations are poorly versed in information security — the level of awareness is abysmally low. Commercial off-the-shelf software won’t thwart this kind of attack.”
Oneworld Linked article – Civil Society Must Get Up to Speed on Cyber Security