The mainstream media like the Mail on Sunday, and The Sun, quoting the Conservative party spokesman and former military officer Patrick Mercer MP, have pointed out the embarrassing spelling mistakes made on the Secret Intelligence Service MI6 website
Frank, a security officer, might have been expected to know there aren't three Ls in patrollling while, elsewhere, drivers taken on for chauffering duties (as opposed to chauffeuring) will be carrying out saftely checks and graduates can expect to have a great carees after joinging the service.
Other spelling mistakes include apppointed, negotations and crtical.
But the most shocking mistake comes in the introduction, where MI6 cannot even get 'instability' right, listing 'regional instablity'
Very embarassing, but surely this is less serious than the reported MI5 Security Service website which had a Cross Site Scripting vulnerability last week ?
MI5 and WHO Websites Compromised
Vulnerable to cross-site scripting attacks
By Lucian Constantin, Web News Editor
22nd of July 2009, 11:33 GMT
Websites belonging to UK's national security agency, the MI5 (Military Intelligence, Section 5) and the World Health Organization (WHO) have been found vulnerable to cross-site scripting attacks. The weaknesses allow attackers to inject rogue IFrames, prompt JavaScript alerts or redirect visitors to other potentially malicious Web pages.
The cross-site scripting flaws were reported by a member of a group of programmers and security enthusiasts calling themselves Team Elite. Going by the online handle of [-TE-]-Neo, the grey hat hacker posted screenshots of several proof-of-concept XSS attacks against the two websites.
Cross-site scripting, or XSS, is a type of vulnerability that facilitates injecting rogue code into otherwise legit Web pages. Such flaws generally result from failure to properly validate user input into forms and can have different levels of impact, with persistent or Type 2 XSS being the most severe.
It is worth noting that, in the case of the MI5 and WHO websites, the cross-site weaknesses are non-persistent, or Type 1, and can only be exploited by opening malformed URLs. However, this does not mean that they are not dangerous.
Non-persistent XSS vulnerabilities can be used to significantly increase the credibility of phishing or malware-distribution campaigns. Instead of having to trick a user into visiting a fake page hosted on a dubious domain, the attacker can link to a vulnerable page on the legit domain directly.
The weakness in the MI5 website is located in the search form, which allows passing code as a search string. This can be used to inject a rogue IFrame into the page, which can, in turn, load more malicious code from a third-party domain via its src= attribute.
[...]
According to the hacker, the administrators of both websites have been notified, but, at the time of writing this article, the MI5 site was still vulnerable.
Why is this lack of a quick response from MI5 not a surprise ?
The stupid "shoot the messenger" attitude to those who try to report vulnerabilities, so prevalent in Whitehall, must have contributed to this unprofessional mistake, which very seriously damages the Security Service's brand credibility, as supposed "cyber terror / cyber warfare" defence trusted advisors.
Will the Intelligence and Security Committee or the new Office of Cyber Security bother to look into this incident, which reveals that proper website security management procedures, are still not being followed, even after the MI5 website notification email debacle ?
We doubt it.
Two daily newspapers have misreported this story. and they seem to have dragged out an innappropriate quote from Patrick Mercer MP, the Conservative Opposition spokesman on Terrorism etc.
The Daily Express:
and also The Daily Telegraph
Both of thse reports are innaccurate, in that what was demonstrated last week was a Cross Site Scripting vulnerability in the MI5 website search script, which might have posed a risk to website visitors, not a breach of the actual website, nor of any internal MI5 systems.
The comments made by various computer security company spokesmen are correct - this vulnerability should have easily been picked up during regular website security vulnerability auditing - something which is obviously not working.
This is a management failure by the senior civil servants who are supposed to be managing their sub-contractors properly.
Blaming the "hackers" who discovered that this website was potentially vulnerable, and who posted harmless "proof of concept" web code publicaly, and who tried to inform the website administrators, is the wrong "shoot the messenger" response, both from Whitehall, and from the tabloid and broadsheet newspaper media.
Dismissing the incident as "minor", even if that is true, is also not a good enough response from MI5 the Security Service, given their role as trusted advisors regarding "cyber terror / cyber warfare" defence and the Critical National Infrastructure etc.