Today we will be covering the United Nations hacks that haven’t gotten the level of publicity that they deserve both in this article and on our podcast. In recent years we reported a compromise in the United Nations site and we can say per our experience that calling the United Nations to report their site has been hacked is no pleasant task. Per our experience their initial response was a polite way of saying you may be arrested, but once they realized we didn’t hack them, we just spotted that the site had been hacked we were transferred to the IT guy who seemed to be in a panic. Like any organization, the United Nations should implement proper cyber security vetting for the code they use. This includes having the code that they currently have in use go through a third party audit and have the security updated. They should also have all their programmers learn secure development practices, and audit all third party code that they use on their website.
So is the United Nations using proper cyber security measures? It doesn’t seem to be the case, since the United Nations hasn’t been hacked just once this year, the most recent known United Nations hack was Feburary 4th, 2018. The United Nations was also hacked several times in January, 2018 as as shown here on January 28th, January 16th, January 15th, January 14th and six times in 2017 just on Open Bug Bounty alone.
These aren’t the only times the United Nations has been hacked and was publicly documented. Zone-h, a site for archiving defaced websites has two archived instances of the United Nations being hacked in 2008 and in 2006.
While the United Nations has been hacked more than anyone would want, it is important to take into consideration the gigantic size of the United Nations site with multiple sub domains. It certainly does not appear that there has been a review of all their code in years. The best solution would be for them to have a full security audit, get rid of old sub-domains they no longer need, and make their code easier to maintain through multiple tools that are available.
Unfortunately, our conclusion based on the public information about the United Nations site right now, is that they are not a safe website per our companies policies of what are acceptable risks. Being hacked for the last 12 years with no significant appearance that we can see of improved cyber security certainly does not seem like a safe website to us, but it is ultimately up to the user to decide the risk level they want to take when using a website.