This discussion has been archived. No new comments can be posted.

Attackers Leak UN Usernames and Passwords

  • by suso (153703) * on Wednesday November 30, 2011 @02:12PM (#38216676) Homepage Journal

    1000+, I don't think so:

    grep Password united_nations_hacked_by_trick_-_teamp0ison.txt | grep -v 000 | wc -l
    584

    I'm excluding the 000 passwords as being their actual passwords.

    grep Password united_nations_hacked_by_trick_-_teamp0ison.txt | grep -v 000 | awk '{ if (length($4) < 6) { print $4; } }' | wc -l
    131

    That's 131 of the passwords that are less than 6 characters. I'm guessing these passwords are very old, before better security measures were put in place.

  • by Anonymous Coward on Wednesday November 30, 2011 @02:22PM (#38216836)

    http://pastebin.com/FEcE9WzJ [pastebin.com]

    Looks plaintext to me, but also looks old.

  • by MacGyver2210 (1053110) on Wednesday November 30, 2011 @02:53PM (#38217208)

    Google "UN Internal Use Only" and "UN Confidential" and you will probably find at least a few documents that you shouldn't.

  • heart of the beast (Score:5, Informative)

    by xeno (2667) on Wednesday November 30, 2011 @03:00PM (#38217302)

    I used to work for a UN agency and spent a year specifically working on governance reform for IT. The idea that "the" UN has email systems is kind of funny. While some agencies have well-designed, well-run, consolidated communications & IT systems, those are more the exception than the rule. By and large, each agency has multiple divisions or programmes that run their own IT systems with little to no effective oversight. Disparate systems and dependence on abandonware are prevalent. Governance & policies are (*ahem*) lacking in most cases, and enforcement is by and large nonexistent. Tell a Deputy Director that he has to have a password of more than four characters or change it more than once a year? Good luck with that.
    There is simply no framework or middle ground for getting an agency or multiple agencies to adopt best practices when their reality vacillates wildly between disasters/getting shot at/real work one day, and political fights/internal corruption/not having enough money to run simple services on the next. While seeing this on pastebin is disappointing, it's not the least bit surprising. It falls more in the category of "someone noticed the door was hanging open and put some mild effort into it" rather than "1337 h@xx0r broke into a fortress."
    The sad part is that the likely outcome of this event is a long series of dreary Euro-proper weekly meetings at UNDP and other agencies, eventually resulting in a task force of a dozen people at the Secretariat charged with defining what "fix" means, followed by a slew of small teams at each affected agency to work on the perceived ICT policy, operation, and configuration problems. But no authority will be given to those teams to mandate changes to their respective ICT Chiefs. In 6-9 months a series of changes to security controls will be recommended, but they'll be overridden, redirected, and mangled by their respective IT orgs; in all probability the money & effort will be unrecognizable and the effects negligible. It's like The Office without the slightest hint of humor.
