Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Privacy Security IT Your Rights Online

Attackers Leak UN Usernames and Passwords 48

Posted by Unknown Lamer
from the senate-of-world-corruption dept.
Orome1 writes "A group of hackers that go by the name of 'Teamp0ison' has apparently compromised one (or more) of UN's servers and dumped over 1000 email addresses, usernames, and passwords of their staff." The BBC has a bit more, including a denial that anything of value was compromised.
This discussion has been archived. No new comments can be posted.

Attackers Leak UN Usernames and Passwords

Comments Filter:
  • by suso (153703) * on Wednesday November 30, 2011 @01:12PM (#38216676) Homepage Journal

    1000+, I don't think so:

    grep Password united_nations_hacked_by_trick_-_teamp0ison.txt | grep -v 000 | wc -l
    584

    I'm excluding the 000 passwords as being their actual passwords.

    grep Password united_nations_hacked_by_trick_-_teamp0ison.txt | grep -v 000 | awk '{ if (length($4) < 6) { print $4; }
    131

    That's 131 of the passwords are less than 6 characters. I'm guessing these passwords are very old, before better security measures were put in place.

  • As usual... (Score:4, Insightful)

    by ackthpt (218170) on Wednesday November 30, 2011 @01:12PM (#38216682) Homepage Journal

    It's more a story of bad security practices than brilliant exploits by 12 year olds.

    • It's more a story of bad security practices than brilliant exploits by 12 year olds.

      That _is_ the entire story. Nobody is saying that XYZ 1337 hacker group is evil and needs to be stopped. The security community is saying that it is about time that large organizations take security seriously.

      • It's more a story of bad security practices than brilliant exploits by 12 year olds.

        That _is_ the entire story. Nobody is saying that XYZ 1337 hacker group is evil and needs to be stopped. The security community is saying that it is about time that large organizations take security seriously.

        This is the UN we're talking about. They don't take anything seriously except themselves. And it's reciprocal for the rest of us.

  • by bengoerz (581218) on Wednesday November 30, 2011 @01:14PM (#38216730)
    Judging by some of it's past inactions, it is arguable that 1,000+ UN accounts do not comprise anything of value.
    • by ackthpt (218170)

      Judging by some of it's past inactions, it is arguable that 1,000+ UN accounts do not comprise anything of value.

      and while you're cleaning up the men's room on the east end of the 4th floor, see what you can do about that smell Ahmadinejad left behind - someone should warn him about eating street cooking.

      Ah, yes. Stuff of critical world import! This stuff is gold!

      • by forkfail (228161)

        Isn't inaction the whole point?

        It's action that's the problem. Action leads to escalation, which eventually, leads to nukes if left unchecked.

        Inaction - having a governor on things - may not always produce the world you want, but it keeps this one from death by atomic fire and nuclear winter.

        • by Baloroth (2370816)

          Inactions of dictators and governments, are usually a good thing. Not so for an organization that is supposed to hold dictators and governments back. Then it only makes things worse, because actions cease to have consequences, especially if the governments of the world rely on the UN to resolve the situation, which they often do. Well, except Israel, and the US for the past few years. Israel wouldn't exist anymore if it relied on the UN.

          • by forkfail (228161)

            I'd propose that they do hold the dictators and governments back by having their representatives sit around and talk and talk and talk and do nothing else.

            Sure, that means that the UN itself isn't taking action, but if that's the price we pay to not have a nuclear war, I'm absolutely good with paying it.

            • by Obfuscant (592200)

              I'd propose that they do hold the dictators and governments back by having their representatives sit around and talk and talk and talk and do nothing else.

              I'm not clear from the way you said this whether you are proposing that they do this in the future, or that you are proposing that the idea is they are doing this already.

              Either way, having representatives sit around and talk and talk and talk does absolutely nothing to stop a dictator or other government from doing anything. The representatives of dicatators only job is to sit around and talk and talk and talk trying to delay any action against the dictator, which frees the bad guys up to do what they wa

  • It's not clear whether the passwords are plaintext, un-salted hashes, or salted hashes. plaintext and un-salted would be pretty bad. If the passwords have a long random salt, they would resist rainbow-table attacks, I think?

    • by Smallpond (221300)

      Actually, it is pretty clear they are plaintext since the file is linked to the article.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      http://pastebin.com/FEcE9WzJ [pastebin.com]

      Look plaintext to me, but also look old.

      • by tqk (413719)

        Look plaintext to me, but also look old.

        And a whole lot of stupid:

        Email Address -: loh333@aemail4u.com
        Password -: loh333
        Username -: loh333

        Email Address -: c.inayatullah@undp.org
        Password -: inayat
        Username -: Inayat

        Email Address -: hamed.mobarek@undp.org
        Password -: hm
        Username -: Hamed 9

        Email Address -: seyhan.aydinligil@undp.org
        Password -: seyhan
        Username -: seyhan

        Email Address -: maryanne.kelly@ons.gov.uk
        Password -: 000
        Username -: Maryanne Kelly


        ... I could (probably) go on. It looks like they mostly assumed a UN login ID was pretty

  • by Hentes (2461350) on Wednesday November 30, 2011 @01:16PM (#38216758)

    Quick, someone log in with all of them, and announce World Peace!

    • by Anonymous Coward

      Riiight... cause that would change everything.

      Log in there and install as many backdoors as you possibly can! Loggers, rootkits, whatever you can!
      Let us watch those fuckers!
      Privacy is for private people. Governments must be open. Otherwise they are illegitimate. Never the other way around.

      (Or just give them CarrierIQ phones and at best also infiltrate CIQ.)

  • by demonbug (309515) on Wednesday November 30, 2011 @01:42PM (#38217076) Journal

    If there is one thing that will result in the UN stepping in to places like Darfur, Rwanda, and Yugoslavia, clearly it is having email accounts and login credentials spread around. If only T3amP01s0n had been around in the 1940s they could have... um... published UN mailing addresses and lock combinations to prevent the creation of Israel and the disposition of the Palestinian people (? - did they mean dispossession, or do they mean that the UN creating Israel is responsible for Palestinians' bad dispositions?). Thank god for groups like TEAmpoiSON who are working to make the world a better place through releasing such incriminating information on a truly evil organization - clearly a blow for freedom!

    I just don't understand the thinking behind actions like this, especially with respect to the groups stated reasons. The UN failed to step in to prevent genocide(s), so we are going to try to harm, embarrass, or destroy the institution... because then, there wouldn't be an institution failing to act in such circumstances, which is clearly a better alternative! And also, Israel!!

  • I can't honestly comprehend what the use of hacking the UN is. First, it can do little except what the majority of nations or the Security Council tells it to do, and of that, there is not much. Second, agree with it or not, it is what it is. Hacking it, shaming it, or protesting it doesn't do anything but make it even less effective.

    It's not as though they can change, as they have no real power to begin with. And it's not as though there is an alternative. For instance, we might think doing away with l

  • heart of the beast (Score:5, Informative)

    by xeno (2667) on Wednesday November 30, 2011 @02:00PM (#38217302)

    I used to work for a UN agency and spent a year specifically working on governance reform for IT. The idea that "the" UN has email systems is kind of funny. While some agencies have well-designed, well-run, consolidated communications & IT systems, those are more the exception than the rule. By and large, each agency has multiple divisions or programmes that run their own IT systems with little to no effective oversight. Disparate systems and dependence on abandonware are prevalent. Governance & policies are (*ahem*) lacking in most cases, and enforcement is by and large nonexistent. Tell a Deputy Director that he has to have a password of more than four characters or change it more than once a year? Good luck with that.
    There is simply no framework or middle ground for getting an agency or multiple agencies to adopt best practices when their reality vacillates wildly between disasters/getting shot at/real work one day, and political fights/internal corruption/not having enough money to run simple services on the next. While seeing this on pastebin is disappointing, it's not the least bit surprising. It falls more in the category of "someone noticed the door was hanging open and put some mild effort into it" rather than "1337 h@xx0r broke into a fortress."
    The sad part is that the likely outcome of this event is a long series of dreary Euro-proper weekly meetings at UNDP and other agencies, eventually resulting in a task force of a dozen people at the Secretariat charged with defining what "fix" means, followed by a slew of small teams at each affected agency to work on the perceived ICT policy, operation, and configuration problems. But no authority will be given to those teams to mandate changes to their respective ICT Chiefs. In 6-9 months a series of changes to security controls will be recommended, but they'll be overridden, redirected, and mangled by their respective IT orgs; in all probability the money & effort will be unrecognizable and the effects negligible. It's like The Office without the slightest hint of humor.

  • As this xkcd [xkcd.com] does a great job of explaining.
  • PWD: Change

  • Hiring lusers, with nepotism and cronyism being the dominant hiring criteria for IT staff in the US government as I'm sure is also the case with the UN! It's a miracle this doesn't happen more often.

    I have some direct knowledge of this.

Dennis Ritchie is twice as bright as Steve Jobs, and only half wrong. -- Jim Gettys

Working...