Wednesday, August 12, 2009
UN's website still vulnerable after 2 years
Two years ago today, I blogged about a defacement of the UN.org website. I noted that while they removed the defaced webpages, they had not yet fixed the vulnerability.
I checked today, and they STILL haven’t fixed the SQL injection vulnerability that led to their defacement. Hackers can still deface their website at will. Just put a quote in the ASP parameter and off you go, such as http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=10'5.
There are a couple lessons here. The first is that no matter how simple the fix, organizations like the UN cannot do it. Despite the fact a high-school intern can fix the bug in 5-minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix the bug. A project manager needs to coordinate with external consultants. They need to plan the timeline of the change, and verify it works. They need to get agreement from various levels of management who don’t understand cybersecurity and are likely to veto the change.
The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack. The site only contains articles, it contains nothing else interesting (like private financial information). Even with such a simple and obvious vulnerability, they are unlikely to get hacked more than once or twice a year (indeed, it appears they haven’t gotten hacked for the last two years).
Together, both these things means that it’s cheaper for the UN to cleanup after each break-in rather than fix the vulnerability. At least, this is what their management feels.