Feeds

MI5 website vuln builds mountain out of molehill

Team Elite: Mission Implausible

Intelligent flash storage arrays

Hackers have uncovered information security shortcomings involving MI5's website, even though the problem is nowhere near as severe as one tabloid paper claims.

A breathless Daily Express "exclusive" on Thursday claimed the breach created a possible means for hackers to attack the computers of surfers visiting the security service's website and steal information. It's highly unlikely that confidential data held by the security service itself was exposed by the attack, even the Daily Express concedes.

In any case the flaw has now been resolved, so visitors are no longer at risk.

The Daily Express claims the MI5 attack was carried out by a hacking crew called "Team Elite", who are also reportedly responsible for attacks against the World Health Organisation’s website (as earlier reported by SoftPedia in greater depth here).

Team Elite, which notified MI5 about the problem, explains that MI5's search engine is vulnerable to XSS (cross-site scripting) and iFrame Injection attacks. Screenshots produced by the group suggest hackers could have used the now-patched flaw to present content under their control in frames that would appear (on cursory inspection, at least) to originate from MI5 itself.

The problem, such as it was, arose because the search form on MI5's website allowed code to pass as a search string, creating a code injection risk. XSSed, which maintains an archive of cross-site scripting bugs, reposts similar flaws also involved the search engine of the security service's website but dating from September 2007.

Team Elite published its advisory more than a week ago, on 21 July. Some of the more excitable coverage on Thursday sparked off but far from limited to the Daily Express, suggested the MI5's website was hacked into and that the nation's cybersecurity or perhaps even national security was imperiled as a result.

The truth is far more mundane.

Graham Cluley, senior technology consultant at Sophos, said it was "implausible" for MI5 to hold any sensitive data on systems connected to a public facing website, still less that confidential information would be unencrypted. Although the vulnerability on MI5's website is "highly unlikely to have compromised classified information", it still ought to serve as a wake-up call for sys admins - as Sophos notes, the majority of web-based malware attacks are these days launched from legitimate websites. ®

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.