
Hackers target U.N., World Bank personnel

This story has been updated.

A new hacker group on Tuesday claimed to have leaked the email addresses and passwords of more than 100 individuals at the United Nations.

Referring to the U.N. as a "senate for global corruption," the so-called TeaMp0isoN hacktivists apparently were avenging what they view as inaction during the breakup of Yugoslavia, the displacement of Palestinians in allowing the creation of Israel, and other "atrocities" committed by the international body.

The data dump purportedly posted by the group alludes to weak security at the U.N., but stops short of detailing how the group infiltrated the organization's computers, saying, "We will let the so-called 'security experts' over at the U.N. figure that out."

The alleged breach is the latest in a string of government-related email exploits, including the unauthorized disclosure of online credentials belonging to personnel at the Justice Department, Arizona Department of Public Safety, Defense Department and government security firm HBGary.

Most of the email addresses listed in Tuesday's leak appeared to belong to staff at the United Nations Development Program. The data was housed in an older system and may be outdated, according to U.N. officials.

"UNDP is in the process of validating this claim," spokeswoman Sausan Ghosheh said. "Preliminary results indicate that our current server, including our undp.org website, has not been compromised. They have compromised an old server, which contains old data."

She added that the agency is working to close any vulnerabilities on its website. Later in the day, Ghosheh said the U.N. had located the compromised server -- a 2007 system -- and taken it offline. The server did not contain any active passwords for the accounts listed.

TeaMp0isoN's list also included some user accounts at the World Food Program, UNESCO (the U.N. Educational, Scientific and Cultural Organization), UNICEF, the U.N. Population Fund, and the World Health Organization.

A few individuals with email addresses at the World Bank, which is not part of the U.N., were targeted as well.

Aligning itself with the Occupy Wall Street movement, TeaMp0isoN recently threatened to join hacker group Anonymous in taking down the financial sector through a digital attack dubbed "Robin Hood." A message from TeaMp0isoN on Twitter stated Tuesday's penetration is unrelated to that operation, which "is yet to come."

Roger Cressey, a top cybersecurity and counterterrorism official during the Clinton and Bush administrations, said the incident points to human error on the part of individuals at the U.N.

"This has less to do with technology and more to do with people," said Cressey, who served as chief of staff for the President's Critical Infrastructure Protection Board after the Sept. 11 terrorist attacks. "Nine times out of ten, when there is identity theft the people to blame are those that did not practice proper security," by, for example, enforcing password policies.

Once outsiders sneak into a network, it is fairly easy to wreak havoc or extract data, he added. "Email theft and password theft is not that sophisticated but it's prevalent," said Cressey, now an executive at the consulting firm Booz Allen Hamilton. He should know. Earlier this year, Anonymous claimed responsibility for pilfering U.S. military email addresses from the company.
