I Could’ve Got Arrested By The UN By Reporting A Hack

Posted on March 4, 2021April 13, 2021Categories UncategorizedTags , , ,

How the right thing in cyber security could’ve ended with me disappearing…

Written by Planet Zuda Staff

We are starting a new series here, documenting our experiences while helping others and how things can go a bit crazy. Especially when you figure out something concerning one of the biggest societies in the world.

So how did I almost get arrested by the UN? It all started on a sunny day when I searched for a certain hack and the United Nations website came up. As you might know the United Nations has their own legal jurisdiction and operates outside of the normal legal system, which wasn’t really something I wanted to experience from the inside…

I spent the next few months looking for a friend who works for RAND. When he popped back up at weekly bowling, I knew it was the perfect occasion: I told him what I was up to now and asked him how he thought I should report to the UN. He clearly stated the risks and I asked him if he would be willing to bail me out if something went wrong. He chuckled at first, but finally decided to get on board with my plan as he still had contacts in the UN if things went south.

Even though it was really risky I knew reporting this was the right thing to do… So, I called up the United Nations and spoke to, I believe an ambassador of sometype, who was a very smooth talker. The following is the closest we could bring to your eyes about what happened during that phone call…

Me: “Hi, I am calling to tell the UN has been hacked.”

UN:” Well then action will be taken against the person who hacked us and you will be detained”

“Me: I didn’t hack you”

UN:” Well, who did?”

Me: “I don’t know!”

UN:” Then what do you want from me!!!”

Me:” I want to talk to your cyber security department”

UN: “We have an IT guy”

transfers to the IT guy

“Hi, the UN has been hacked”

At this point I was able to use my tech skills and explain how new pages were added to the united nations site and how their old version of Joomla was exploited. The dude was still freaking out, but in an appreciative way by the end of the call.

There is plenty of documentation about their compromises from 2008-2018 and also our other reports in 2018

www.un.org hacked. Notified by Agd_Scorp (zone-h.org)

www.un.org hacked. Notified by Turkz.org (zone-h.org)

www.un.org hacked. Notified by eno7 (zone-h.org)

We hope you enjoy these honest and transparent articles, on what we do and how things actually go, so you can get a glimpse behind the scenes.

Since we strongly believe in good journalism, we are noting that GuardianCosmos refutes what happened claiming he was employed at the United Nations and that is public information. After reviewing his employment status for over the last decade, and not finding any mention of him with the United nations, we have no reason to believe his claims are factual. If they were factual, it would not change what we noted above or what any of our witnesses can attest too.

We find it important due to the refuting of our experience with the U.N that the United Nations has a public record of trying to keep hacks underwraps .

United Nations & Lack Of Cyber Security

Posted on March 7, 2018March 8, 2018Categories cyber security, information securityTags , , , , , ,

Today we will be covering the United Nations hacks that haven’t gotten the level of publicity that they deserve both in this article and on our podcast. In recent years we reported a compromise in the United Nations site and we can say per our experience that calling the United Nations to report their site has been hacked is no pleasant task. Per our experience their initial response was a polite way of saying you may be arrested, but once they realized we didn’t hack them, we just spotted that the site had been hacked we were transferred to the IT guy who seemed to be in a panic. Like any organization, the United Nations should implement  proper cyber security vetting for the code they use. This includes having the code that they currently have in use go through a third party audit and have the security updated. They should also have all their programmers learn secure development practices, and audit all third party code that they use on their website.

So is the United Nations using proper cyber security measures? It doesn’t seem to be the case, since the United Nations hasn’t been hacked just once this year, the most recent known United Nations hack was Feburary 4th, 2018. The United Nations was also hacked several times in January, 2018 as as shown here on January 28th, January 16th, January 15th, January 14th and six times in 2017 just on Open Bug Bounty alone.

These aren’t the only times the United Nations has been hacked and was publicly documented. Zone-h, a site for archiving defaced websites has two archived instances of the United Nations being hacked in 2008 and in 2006.

While the United Nations has been hacked more than anyone would want, it is important to take into consideration the gigantic size of the United Nations site with multiple sub domains. It certainly does not appear that there has been a review of all their code in years. The best solution would be for them to have a full security audit, get rid of old sub-domains they no longer need, and make their code easier to maintain through multiple tools that are available.

Unfortunately, our conclusion based on the public information about the United Nations site right now, is that they are not a safe website per our companies policies of what are acceptable risks. Being hacked for the last 12 years with no significant appearance that we can see of improved cyber security certainly does not seem like a safe website to us, but it is ultimately up to the user to decide the risk level they want to take when using a website.