Hacked U.N. Web site still at risk?

If you happened to visit the official Web site for United Nations Secretary-General Ban Ki-moon during the weekend, you may have found its signature list of news releases swapped for an antiwar message in red capital letters.

"Hacked By kerem125 M0sted and Gsy That is CyberProtest Hey Ysrail and Usa dont kill children and other people Peace for ever No war" was the line repeating itself over and over on the affected pages, according to published reports and screenshots taken by bloggers. The perpetrators appear to have used a well-known and highly preventable technique called SQL injection, which takes advantage of flawed database programming to activate malicious lines of code.

Hackers apparently exploited security holes in the SQL code at the U.N. secretary-general's main Web site over the weekend.

(Credit: Giorgio Maone, hackademix.net)

The defacements, which affected the front page of the secretary-general's site and pages containing statements by the secretary-general and press conference summaries, occurred sometime early Sunday morning, UN spokesman Alex Cerniglia told CNET News.com on Monday. The sites were "cleaned up" by about 9 a.m. PST on Sunday, he said.

But if you tune into a discussion among security experts at the blog Hackademix, you'll find that the fixes the U.N. has made so far may be little more than window dressing.

In an e-mail message to News.com on Monday morning, Giorgio Maone, an Italian software developer who runs the site, confirmed that "the U.N. staff just deployed a cosmetic patch, which hides it from the most obvious tests, but it cannot prevent an attack."

Maone said he couldn't go into more details than that, out of fear of tipping off the "script kiddies" out there. He said he has alerted the U.N.'s information security department to the continued problems and offered his assistance.

It wasn't immediately clear as of press time how U.N. officials would respond. "We definitely are upgrading security, and we'll continue to look at ways to prevent this from happening," Cerniglia said, adding that the agency welcomes input from security specialists like Maone.

The U.N. is also continuing to investigate the source of the attacks, Cerniglia said. A quick Internet search of the names present in the messages indicates a team of hackers, who appear to have at least some Turkish members and call themselves the "Byond Crew Hack Team," is taking responsibility for the activity.

At the Web site M0sted.org, there's a list of sites that have allegedly been hacked by the group before in the name of "cyberprotest," including Harvard and other universities, Norfolk and Norwich University Hospital in the United Kingdom, and some international Web outposts of Michelin, Toyota and Nestle.

A subset of the U.N.'s environmental arm also appears to be infected even now, though the main Web site shows no signs of distress.