Wednesday, August 12, 2009

UN's website still vulnerable after 2 years

Two years ago today, I blogged about a defacement of the website. I noted that while they removed the defaced webpages, they had not yet fixed the vulnerability.

I checked today, and they STILL haven’t fixed the SQL injection vulnerability that led to their defacement. Hackers can still deface their website at will. Just put a quote in the ASP parameter and off you go, such as'5.

There are a couple lessons here. The first is that no matter how simple the fix, organizations like the UN cannot do it. Despite the fact a high-school intern can fix the bug in 5-minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix the bug. A project manager needs to coordinate with external consultants. They need to plan the timeline of the change, and verify it works. They need to get agreement from various levels of management who don’t understand cybersecurity and are likely to veto the change.

The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack. The site only contains articles, it contains nothing else interesting (like private financial information). Even with such a simple and obvious vulnerability, they are unlikely to get hacked more than once or twice a year (indeed, it appears they haven’t gotten hacked for the last two years).

Together, both these things means that it’s cheaper for the UN to cleanup after each break-in rather than fix the vulnerability. At least, this is what their management feels.


raveendran nair said...

Security issues is unresolve matters but then the organisation should not be in dormant. More proactive strategy needed to counter the issues.

CG said...

meh, just throw a WAF in front of it. that solves all.

George said...

The UN won't do anything about it until someone uses the site to start hosting malware or they continuously deface the site. Until it becomes a major source of embarrassment for them, they won't do a thing to close it.