Do we really want to put the ITU in charge of cybersecurity?

By EDRi · November 28, 2012

Today, the German news site Golem published an article revealing that the ITU left the access to its newslog as good as unprotected. Is this really the institution that should be regulating the internet and be in charge of cybersecurity for the entire world?

The following text is a translation of an article on the website:

ITU failed to implement security on its blog

There are insecure passwords and those that offer even less protection: The International Telecommunication Union protected its blog with the username “admin” and “admin” as the password. Yesterday, a German blogger has brought this to the UN agency’s attention.


Username: admin Password: admin. Only the most inexperienced users do not change the default settings for the administrative access of a blog. A German blogger discovered that the International Telecommunication Union (ITU) used these insecure settings on its blog.

We tried it out and could theoretically have changed all the settings of the UN blog – including the visibility of blog posts, the deactivation of comments and e-mail address for notifications. Even the deletion of blog entries, complete takeover of the blog, posting links to malware sites or the installation of malicious code would have been possible.

The blogger has informed the UN via e-mail about its inadequate password. The password was changed by the ITU last night.

The International Telecommunication Union, based in Geneva, is a specialised agency of the UN. It is responsible for the planning and coordination of telecommunications networks and services worldwide.

Experts on password security from SplashData have analysed millions of passwords worldwide and published a list of the worst passwords a few weeks ago – “admin” was not in the list. The first prize was won by “password”, followed by “123456” and “12345678”.