The Register® — Biting the hand that feeds IT

Feeds

MI5 website vuln builds mountain out of molehill

Team Elite: Mission Implausible

By John Leyden, 30th July 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Hackers have uncovered information security shortcomings involving MI5's website, even though the problem is nowhere near as severe as one tabloid paper claims.

A breathless Daily Express "exclusive" on Thursday claimed the breach created a possible means for hackers to attack the computers of surfers visiting the security service's website and steal information. It's highly unlikely that confidential data held by the security service itself was exposed by the attack, even the Daily Express concedes.

In any case the flaw has now been resolved, so visitors are no longer at risk.

The Daily Express claims the MI5 attack was carried out by a hacking crew called "Team Elite", who are also reportedly responsible for attacks against the World Health Organisation’s website (as earlier reported by SoftPedia in greater depth here).

Team Elite, which notified MI5 about the problem, explains that MI5's search engine is vulnerable to XSS (cross-site scripting) and iFrame Injection attacks. Screenshots produced by the group suggest hackers could have used the now-patched flaw to present content under their control in frames that would appear (on cursory inspection, at least) to originate from MI5 itself.

The problem, such as it was, arose because the search form on MI5's website allowed code to pass as a search string, creating a code injection risk. XSSed, which maintains an archive of cross-site scripting bugs, reposts similar flaws also involved the search engine of the security service's website but dating from September 2007.

Team Elite published its advisory more than a week ago, on 21 July. Some of the more excitable coverage on Thursday sparked off but far from limited to the Daily Express, suggested the MI5's website was hacked into and that the nation's cybersecurity or perhaps even national security was imperiled as a result.

The truth is far more mundane.

Graham Cluley, senior technology consultant at Sophos, said it was "implausible" for MI5 to hold any sensitive data on systems connected to a public facing website, still less that confidential information would be unencrypted. Although the vulnerability on MI5's website is "highly unlikely to have compromised classified information", it still ought to serve as a wake-up call for sys admins - as Sophos notes, the majority of web-based malware attacks are these days launched from legitimate websites. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (8)
Latest Comments
amanfromMars 1

What do we think Intelligence Services should be doing for Us All?

"Sorry, I read that and immediately wondered why, if that were so, terrorists would bother hacking in. To check their names were spelled correctly? To update their details for a change of address? To find a few like-minded mates for a trip to the pub?" ..... By TeeCee Posted Friday 31st July 2009 11:09 GMT

TeeCee,

What the Northern Ireland "Troubles" have Proven without a Shadow of Doubt, is that the Quantum Leap from Terrorism to New Model Statesmanship is a Rapid and Humbling One, but well within the Capacity of Common Sense Mankind. It is Novel though and therefore one can always Expect Unexpected Surprises/Pleasant Presents for Future Perfect Use.

It is always a Folly to Misunderestimate Paddy and Highlander Celts for they Possess Ancient Wisdoms passed down through the Genes .... and just a Few Simple Significant Shared Facts Trigger that Deep Searching Flow of Greater Knowledge.

And you may like to Ponder on what Spooky Intelligence Service Provides Us with that Knowledge/Shared Information?

0
0
TeeCee

@iNPUt

Sorry, I read that and immediately wondered why, if that were so, terrorists would bother hacking in. To check their names were spelled correctly? To update their details for a change of address? To find a few like-minded mates for a trip to the pub?

0
0
Anonymous Coward

Fake info sent from MI5 website?

Oh no, does that mean the pictures of a nekkid Miss Moneypenny I purchased the other day weren't real?

(Damn, better not use those plans for the Secret SuperWeapon of Never-Ending Power in my Plans for Global Domination then... now, where was that "Evil Overlord website again?)

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
124
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
57
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13