Experts Insight On UN’s Environmental Program Breach-100K+ Employee Records Leaked

A data breach has been discovered in the United Nations which exposed over 100k of UNEP’s staff records. Researchers with Sakura Samurai, an ethical hacking and research group, discovered the records were accessible through the UN’s Vulnerability Disclosure Program. The data accessible included administrator database credentials, employee ID’s, name’s, travel justifications, start and end dates, as well as their HR demographic data. 

Experts Comments

January 12, 2021
Martin Jartelius
CSO
Outpost24

Usually when you talk about hacking, you talk about vulnerabilities, which are flaws in software, and we talk about configurations or the human element. In this case, the flaws we see are all related to users configuring those servers leaving files exposed and software misconfigured. Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems. With access to some of the indicated

.....Read More

Usually when you talk about hacking, you talk about vulnerabilities, which are flaws in software, and we talk about configurations or the human element. In this case, the flaws we see are all related to users configuring those servers leaving files exposed and software misconfigured. Those are flaws in usage, not flaws in software. It is in parts further concerning as those systems were internet exposed, and in turn, held credentials for other systems. With access to some of the indicated information and the simplicity of the breach, attackers may well have access to this information. It is one of the basic controls any experienced analyst performs against a system they are auditing, yet it is still surprisingly often a rewarding path to take provided the attack surface is sufficiently large, such as a full organization.

  Read Less
January 12, 2021
Javvad Malik
Security Awareness Advocate
KnowBe4

It's easy for organisations, especially global ones, to have data spread out across various systems and platforms. Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key. 

 

While many technologies and processes exist to help secure organisations to prevent these kinds of issues, it is essential that organisations cultivate a culture of security so that everyone is aware

.....Read More

It's easy for organisations, especially global ones, to have data spread out across various systems and platforms. Keeping track of all these disparate systems can be challenging enough, and ensuring the right security settings are applied and that credentials are appropriately managed is key. 

 

While many technologies and processes exist to help secure organisations to prevent these kinds of issues, it is essential that organisations cultivate a culture of security so that everyone is aware of the role they have to play in securing the organisation as it's not something a security department can do on their own.

  Read Less
January 12, 2021
Jonathan Knudsen
Senior Security Strategist
Synopsys

Software is the critical infrastructure that supports organisations of all types. Cybersecurity is important for every organisation, whether they know it or not. 

 

The recent vulnerability found in the United Nations technology infrastructure shows just how easy it is to accidentally expose a large volume of sensitive data. Like any other organisation, the UN needs a top-down approach to cybersecurity, with defined policies for protecting assets and established processes for publishing

.....Read More

Software is the critical infrastructure that supports organisations of all types. Cybersecurity is important for every organisation, whether they know it or not. 

 

The recent vulnerability found in the United Nations technology infrastructure shows just how easy it is to accidentally expose a large volume of sensitive data. Like any other organisation, the UN needs a top-down approach to cybersecurity, with defined policies for protecting assets and established processes for publishing software. 

 

In this case, the United Nations’ Vulnerability Disclosure Program worked exactly as it should; security researchers located a dangerous vulnerability and the United Nations was able to fix it to prevent any further exploitation. This is a good outcome, but a better path forward would be a proactive approach, in which processes would be put in place to prevent such a vulnerability from ever being exposed in the first place. 

 

A proactive, positive approach to cybersecurity is the best way for organisations to reduce risk and protect their assets.

  Read Less
January 12, 2021
Chris Hauk
Consumer Privacy Champion
Pixel Privacy

As it appears likely that bad actors have likely accessed the UN data, UN staff will need to be aware that the bad guys will likely use the information gained in the breach to attempt to use a bit of social engineering to obtain more information or to launch attacks on UN servers. Bad actors may send emails or text messages leveraging the information they have, in order to appear to be legitimate communications from other employees or supervisors.”

January 12, 2021
Paul Bischoff
Privacy Advocate
Comparitech

Exposing credentials in public Github repositories is a common developer oversight, and cybercriminals routinely scan Github for exposed credentials to steal. Last year, our research team set up a honeypot Github repos containing access credentials to some dummy AWS servers. It took hackers just one minute to find the credentials and break into our honeypot servers. So it's very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for

.....Read More

Exposing credentials in public Github repositories is a common developer oversight, and cybercriminals routinely scan Github for exposed credentials to steal. Last year, our research team set up a honeypot Github repos containing access credentials to some dummy AWS servers. It took hackers just one minute to find the credentials and break into our honeypot servers. So it's very likely that cybercriminals accessed the UNEP data before researchers. Developers need to scan their code for credentials before committing it to Github. For additional security, they can avoid creating an access key for the root user, use temporary security credentials instead of long-term access keys, properly configure IAM users, rotate keys periodically, and remove unused keys.

 

UN staff should be on the lookout for targteted phishing and scam messages from fraudsters posing as UNEP employees or administrators. Always verify the sender of an email or other message before responding. Never click on links or attachments in unsolicited emails and messages.

  Read Less
January 12, 2021
Chloé Messdaghi
VP of Strategy
Point3 Security

Our applause to Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted.

 

Also, it wasn’t well known that the UN has a vulnerability disclosure policy, and that’s ironic as these types of organizations are the ones that need it the most. The process the researchers faced could

.....Read More

Our applause to Sakura Samurai’s team – what they did was worthy of it! This was successful because the UN’s vulnerability disclosure policy was transparent – that’s why they decided to look for the vulnerabilities. There was a sense of trust that they would be recognized, not persecuted.

 

Also, it wasn’t well known that the UN has a vulnerability disclosure policy, and that’s ironic as these types of organizations are the ones that need it the most. The process the researchers faced could have been a bit more transparent. When a researcher reports something, the organization’s contact person needs to know who to direct the information to in order to immediately get the ball rolling – otherwise it slows down the process. An automated ticketing process isn’t appropriate for vulnerability disclosure input.

 

But as soon as these researchers did get direct contact, they were met with people who probably didn’t understand the problem but did fully realized the importance of fixing it immediately. These researchers have enormous respect for those at the UN who handled this matter.   

 

Also, Sakura Samurai made sure NOT to disclose anything until the problem was patched, in order to sustain and support the UN’s compliance with GDPR regulations. 

 

This is a good example of how vulnerability disclosure policies work, and the value of working closely with independent researchers, i.e., hackers.

  Read Less
January 12, 2021
Saryu Nayyar
CEO
Gurucul

Ethical Hacking group Sakura Samurai's exposure of the United Nations Environment Program's git repositories is another classic example of the consequences of an unintentional misconfiguration.  Fortunately, the UN's IT team reacted quickly to close the hole, but it is likely that threat actors had already discovered the vulnerable data and acquired it themselves.

 

This shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration, and

.....Read More

Ethical Hacking group Sakura Samurai's exposure of the United Nations Environment Program's git repositories is another classic example of the consequences of an unintentional misconfiguration.  Fortunately, the UN's IT team reacted quickly to close the hole, but it is likely that threat actors had already discovered the vulnerable data and acquired it themselves.

 

This shows that even multinationals with mature cybersecurity practices are not immune to this kind of misconfiguration, and points out the need for regular configuration reviews along with a full security stack that includes security analytics to identify and remediate these vulnerabilities before threat actors can discover them.

  Read Less

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.