back to article UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants' fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public. That is the extraordinary claim of The New Humanitarian, which until a few …

  1. Doctor Syntax Silver badge

    What's 4% of the UN's annual turnover?

    1. macjules Silver badge

      There will be extra chuggers out on London’s streets tonight begging you to donate to the UN.

  2. davenewman

    GDPR breach

    Did they report it to the Austrian data protection commissioner? As it affects EU citizens, even international organisations are subject to GDPR.

    1. kierenmccarthy

      Re: GDPR breach

      The UN has complete immunity. Special case.

    2. Anonymous Coward
      Anonymous Coward

      Re: GDPR breach

      When has the UN shown competence at anything?

  3. RobinCM

    Sadly this type of thing is exactly what significant numbers of organisations and companies of all sizes are also doing:

    No priority given to IT security, and just try to keep quiet and keep going when something bad happens - fingers crossed it doesn't end too badly.

    Legislation tends to be my suggestion to fix this (rather like an MOT on a car, you're not allowed to operate computer systems if they're not regularly checked for safety), but I have no idea how that would work with an organisation like the UN!

    1. veti Silver badge

      So, your suggestion is that I should be required to have an annual audit on my home PC? At my expense, presumably?

      Yeah, thanks, but no thanks.

      1. kmedcalf

        "Checklist Security" has been proven to be ineffective. You do not need to fill out a checklist, merely do a risk assessment and then mitigate that risk to acceptable levels.

        1. Tom Paine Silver badge

          Of course, there's no point telling people to do so unless there are consequences for flouting the rules, which necessarily means a national security audit organisation. Run by me... controlling thousands of Box Inspectors... ruling the nation with an iron fist... hey I like the sound of this!!

          Maybe a uniform along these lines? >> https://pbs.twimg.com/media/DmThM_bXoAEkWTm?format=jpg&name=240x240

      2. RobinCM

        We were taking about businesses and organisations, but:

        Your home PC can be turned into a dangerous cyber weapon if it's connected to the internet but your IT security management is rubbish. (Most people's is shockingly bad, I suspect you don't do half the stuff NCSC recommends for good business IT security on your home tech).

        Ok, one infected device isn't too bad, but a botnet is made up of lots of infected devices and can do a huge amount of damage.

        This is what happens now. You'll have read about it.

        How do you propose to fix it if not by some kind of health check (with penalties applied)?

        The MOT keeps dangerous vehicles off the road, and this prevents accidents. The government does not do the MOT themselves so I'm not sure why you think they'd want the hassle of checking this either?

        Perhaps ISPs should be required to detect malicious traffic and block connections where they detect it?

        Perhaps if you run their host health checker agent you get a discount (for being less likely to eat up their bandwidth with malicious traffic, with the nice side effect that your devices are not going to be attacking other people's stuff).

        NCSC have already suggested blocking certain ports by default. Taking this further, most people don't need their internet connection to allow externally initiated inbound connections at all. Most people don't need much more than a fairly small set of outbound ports. Yet most ISP connections allow any-any. Is that sensible? The evidence overwhelmingly says no.

    2. iron Silver badge

      No way any government approved moron is getting to install mandated spyware on check my computers for porn safety on a regular basis.

  4. elDog

    Legislations not a bad long-term, but it doesn't help when the jewels have already been heisted

    And legislators are painfully stupid. And lobbyists are horribly efficient at writing legislation.

    The crims will always be ahead of the cops. If you have jewels, take care of them yourself.

  5. sanmigueelbeer Silver badge

    In the meantime, over in the US ...

    A DOD contractor suffers ransomware infection

    1. Tom Paine Silver badge

      Re: In the meantime, over in the US ...

      "Just another day in the acid nation..."

  6. Anonymous Coward
    Anonymous Coward

    Rigidly de rigueur

    That penultimate paragraph? Is this just something required by ElReg editorial rules? It wouldn't necessarily be notable once or twice in a moon, but the continual drumbeat here of CIA / NSA / Google coulda done it is demeaning for you and your readers. Or is this the vulture's Tourettes that we're just supposed to overlook?

    I mean, TFA says "it could be anyone", so why the penultimate paragraph? Really, why?

    1. TheMeerkat

      Re: Rigidly de rigueur

      The authors of the text on this site are clearly not professional enough to realise that if you write about technology it is advisable to keep your politics to yourself.

      It just tells me their journalism skills are of low quality.

      1. Sgt_Oddball Silver badge
        Big Brother

        Re: Rigidly de rigueur

        They named a list countries known to have highly advanced cyber warfare programmes, it's also known that our Ally act with impunity when it suits them.

        What's politics got to do with stating known state actors?

        (also strictly speaking the UN office in New York would be fair game since its withing 100 miles of the border.... Just sayin')

        Big brother because everyone's watching each other.

        1. BebopWeBop Silver badge
          Headmaster

          Re: Rigidly de rigueur

          It is not as if Western counties have not been caught trying to bug UN comms in the past is it?

      2. Anonymous Coward
        Anonymous Coward

        Re: Rigidly de rigueur

        > It just tells me their journalism skills are of low quality.

        But their clickbait skills are right up there.

    2. Anonymous Coward
      Anonymous Coward

      Re: Rigidly de rigueur

      Too bad for you. But right now, most of the media keeps amplifying the evidence-free US drumbeat about Huawei. I find it rather relevant to have a reminder that it's the US which is the global leader on spying, on its friends and foes alike, and without any interest in anything close to human rights, not even moral values.

      1. Tom Paine Silver badge
        Flame

        Re: Rigidly de rigueur

        It's not evidence-free, though, is it? https://www.theregister.co.uk/Tag/huawei

        1. Alister Silver badge

          Re: Rigidly de rigueur

          Repeatedly shouting loudly does not constitute evidence.

    3. iron Silver badge

      Re: Rigidly de rigueur

      When the CIA / NSA / Google stop spying on everyone it can stop. Until then, if you don't like it you're welcome to go read Fox News and Bloomberg instead.

  7. mr_souter_Working

    so much fail

    obviously no proper auditing and monitoring, in addition to no proper patching of the environment.

    Probably due to a lack of staff that know what they are doing.

    this goes in the list of incidents I refer to whenever someone asks me why we need to patch every single month.

    1. phuzz Silver badge

      Re: so much fail

      Wait someone listens to you?

      In most of the jobs I've had, the response to "We need to patch this system" is "We can't afford downtime right now, that will have to wait".

      Unsurprisingly, nothing ever gets patched.

      1. druck Silver badge
        Facepalm

        Re: so much fail

        You've got to think more BOFH!

        When whoever told you to wait is found in the data centre, with forensics saying the only explanation is he must have been taking a leak against the main bus bar, you've now got plenty of time to patch things as you are bringing all the servers back up.

        1. phuzz Silver badge

          Re: so much fail

          I can neither confirm nor deny that I did that just the other days with a failing UPS...

  8. herman Silver badge
    Facepalm

    So, the IT Hacks put a SharePoint server on the public internet and then they are hacked off and blame the users for not doing their security training, when the SharePoint server suffers a remote exploit that had nothing to do with the users. Why am I not surprised?

    1. Just Enough Silver badge

      Not what happened

      "blame the users for not doing their security training"

      Where's it say they did that? The reference to the lack of security training was from a 2018 audit, before the hack, and is a perfectly legitimate point for a security audit to make, among a number of others.

      "Why am I not surprised?"

      Because you didn't read what was said or didn't follow it.

  9. Anonymous Coward
    Anonymous Coward

    "yet the UN had failed to apply it."

    Above, it says it was all outsourced. So it's not the UN which failed to apply it, it's their provider. Now, I'd very much like this provider to be named. Why is that still kept under cover?

    1. Anonymous Coward
      Anonymous Coward

      Re: "yet the UN had failed to apply it."

      You are assuming the UN were paying for a managed service that included patching etc. From my experience with sections of them, they will do everything on the cheap, refuse to take anything but the most basic package, and then complain continually that they're getting exactly what they're paying for and not all the discarded options.

    2. Anonymous Coward
      Anonymous Coward

      Re: "yet the UN had failed to apply it."

      Outsourcing services does not outsource responsibility....

      Even if the organisation pretends it does.

      1. Tom Paine Silver badge

        Re: "yet the UN had failed to apply it."

        That gap between management's perception and that of customers, shareholders, the press. general public etc is where a lot of people are sailing their boats through, loaded to the gunwales with vast piles of cash.

    3. Mike 137 Silver badge

      Re: "yet the UN had failed to apply it."

      Unfortunately, if you outsource you're still responsible for performance. The alternative - "fire and forget outsourcing" - although common (witness all the wide open AWS buckets), isn't fit for purpose.

  10. Anonymous Coward
    Anonymous Coward

    What part of ....

    ...."share" in SharePoint don't you understand!!!!!

    1. BebopWeBop Silver badge
      Facepalm

      Re: What part of ....

      The UN - committed to an 'Open Information' policy.....

    2. Michael Wojcik Silver badge

      Re: What part of ....

      To be honest, I've never had much luck getting SharePoint to share anything in a reasonable, sane manner.

      I've not had much luck finding the point in it, either.

      (Just look at the links it generates. It's like Microsoft looked at the web and said, "hey, how can we screw this up?")

  11. 2+2=5 Silver badge
    Happy

    TITSUP

    Total Inability To Secure UN's 'Puters?

  12. MrKrotos

    TITSUP

    Total Inability To Secure User's Privates?

  13. 0laf Silver badge
    Mushroom

    Massive organisation likely on the target list of pretty much every nation state with cyber capability as well as every terrorist organisation as well as a great number of less moral commercial businesses cannot be bother to patch it's fucking stuff.

    Come on FFS.

    You've got the most basic threat profile ever-

    Who is going to attack us? Absolutely fucking everyone

    How good are they? Absolutely the best

    Was the decision just to make it easy since they'd get in anyway?

  14. Anonymous Coward
    Anonymous Coward

    North Korea

    Process of elimination, all the other state actors are members of the UN and entitled to the information while North Korea is still at war with the UN.

  15. Mike 137 Silver badge

    SharePoint shafting

    The way most organisations I've had dealings with use SharePoint, you don't need hackers. Access assignment by group, with many users as a result in multiple groups and an open admin account of someone in marketing in several groups so they can work from home. From one unsecured account you can often simply walk through the entire setup. And businesses commonly store sensitive stuff such as network diagrams and pen test reports in that mess.

  16. adam payne Silver badge

    I don't know which is worse the security audits telling you to get your house in order or the cover up.

    1. Tom Paine Silver badge

      I can help here: the cover-up is worse, much much worse. Everyone has shitty audit reports listing dozens or hundreds of ways the org could be compromised, these days -- well everyone except orgs to small to bother spending money on sec audits or testing.

  17. Tom Paine Silver badge

    "Incredibly,..."

    Incredibly, the organization decided to cover it up without informing those affected nor the public.

    It appears less incredible when you recall that the UN;s essentially an organisation of diplomats, many of whom have a long-established culture of disinterest in pettyfogging local bureaucracy and laws about, say, which side of the road you should drive on.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020