UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants' fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public. That is the extraordinary claim of The New Humanitarian, which until a few …
Sadly this type of thing is exactly what significant numbers of organisations and companies of all sizes are also doing:
No priority given to IT security, and just try to keep quiet and keep going when something bad happens - fingers crossed it doesn't end too badly.
Legislation tends to be my suggestion to fix this (rather like an MOT on a car, you're not allowed to operate computer systems if they're not regularly checked for safety), but I have no idea how that would work with an organisation like the UN!
We were taking about businesses and organisations, but:
Your home PC can be turned into a dangerous cyber weapon if it's connected to the internet but your IT security management is rubbish. (Most people's is shockingly bad, I suspect you don't do half the stuff NCSC recommends for good business IT security on your home tech).
Ok, one infected device isn't too bad, but a botnet is made up of lots of infected devices and can do a huge amount of damage.
This is what happens now. You'll have read about it.
How do you propose to fix it if not by some kind of health check (with penalties applied)?
The MOT keeps dangerous vehicles off the road, and this prevents accidents. The government does not do the MOT themselves so I'm not sure why you think they'd want the hassle of checking this either?
Perhaps ISPs should be required to detect malicious traffic and block connections where they detect it?
Perhaps if you run their host health checker agent you get a discount (for being less likely to eat up their bandwidth with malicious traffic, with the nice side effect that your devices are not going to be attacking other people's stuff).
NCSC have already suggested blocking certain ports by default. Taking this further, most people don't need their internet connection to allow externally initiated inbound connections at all. Most people don't need much more than a fairly small set of outbound ports. Yet most ISP connections allow any-any. Is that sensible? The evidence overwhelmingly says no.
That penultimate paragraph? Is this just something required by ElReg editorial rules? It wouldn't necessarily be notable once or twice in a moon, but the continual drumbeat here of CIA / NSA / Google coulda done it is demeaning for you and your readers. Or is this the vulture's Tourettes that we're just supposed to overlook?
I mean, TFA says "it could be anyone", so why the penultimate paragraph? Really, why?
They named a list countries known to have highly advanced cyber warfare programmes, it's also known that our Ally act with impunity when it suits them.
What's politics got to do with stating known state actors?
(also strictly speaking the UN office in New York would be fair game since its withing 100 miles of the border.... Just sayin')
Big brother because everyone's watching each other.
Too bad for you. But right now, most of the media keeps amplifying the evidence-free US drumbeat about Huawei. I find it rather relevant to have a reminder that it's the US which is the global leader on spying, on its friends and foes alike, and without any interest in anything close to human rights, not even moral values.
You've got to think more BOFH!
When whoever told you to wait is found in the data centre, with forensics saying the only explanation is he must have been taking a leak against the main bus bar, you've now got plenty of time to patch things as you are bringing all the servers back up.
"blame the users for not doing their security training"
Where's it say they did that? The reference to the lack of security training was from a 2018 audit, before the hack, and is a perfectly legitimate point for a security audit to make, among a number of others.
"Why am I not surprised?"
Because you didn't read what was said or didn't follow it.
You are assuming the UN were paying for a managed service that included patching etc. From my experience with sections of them, they will do everything on the cheap, refuse to take anything but the most basic package, and then complain continually that they're getting exactly what they're paying for and not all the discarded options.
To be honest, I've never had much luck getting SharePoint to share anything in a reasonable, sane manner.
I've not had much luck finding the point in it, either.
(Just look at the links it generates. It's like Microsoft looked at the web and said, "hey, how can we screw this up?")
Massive organisation likely on the target list of pretty much every nation state with cyber capability as well as every terrorist organisation as well as a great number of less moral commercial businesses cannot be bother to patch it's fucking stuff.
Come on FFS.
You've got the most basic threat profile ever-
Who is going to attack us? Absolutely fucking everyone
How good are they? Absolutely the best
Was the decision just to make it easy since they'd get in anyway?
The way most organisations I've had dealings with use SharePoint, you don't need hackers. Access assignment by group, with many users as a result in multiple groups and an open admin account of someone in marketing in several groups so they can work from home. From one unsecured account you can often simply walk through the entire setup. And businesses commonly store sensitive stuff such as network diagrams and pen test reports in that mess.
Incredibly, the organization decided to cover it up without informing those affected nor the public.
It appears less incredible when you recall that the UN;s essentially an organisation of diplomats, many of whom have a long-established culture of disinterest in pettyfogging local bureaucracy and laws about, say, which side of the road you should drive on.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
