Forgot your password?
typodupeerror
Security

MI5 Website Breached By Hacker 71

Posted by CmdrTaco
from the because-they-can dept.
Jack Spine writes "UK intelligence agency MI5 has admitted that its website security was breached by hacker group Team Elite. A member of the hacker forum posted details of the hack last week, which took advantage of a cross-site scripting vulnerability in the site's Google embedded search. MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously."
This discussion has been archived. No new comments can be posted.

MI5 Website Breached By Hacker

Comments Filter:
  • No doubt we'll find out on uk.misc later.
  • Better headline (Score:2, Informative)

    by BadAnalogyGuy (945258)

    MI5 allows websurfing on critical computers.

    Seriously. How else would you get hit by CSS?

  • meh (Score:5, Informative)

    by Anonymous Coward on Thursday July 30, 2009 @07:55AM (#28880587)
    It's a sort of script-injection vulnerability where you'd have to click on someone else's link to the MI5 site. I suppose it could steal cookies from someone stupid enough to click on a long link from an unknown person, but it's not like the site itself was hacked or anything, which is what "website breached by hacker" strongly implies.
  • simple test (Score:3, Funny)

    by martin-boundary (547041) on Thursday July 30, 2009 @07:56AM (#28880597)

    MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously.

    If a whole bunch of fake Iraq WMD reports start showing up on the net in the next few days, then we'll know if they were really exploited or not...

  • Competence (Score:3, Funny)

    by Wowsers (1151731) on Thursday July 30, 2009 @08:04AM (#28880663) Journal

    I propose the MI5 website team should be known as the "Mostly Incompetent 5" team !?

    • Re: (Score:3, Funny)

      by Iyonesco (1482555)

      It's hardly surprising since the pay at MI5 is abysmal. I requested an information pack during my last year of university but lost interest when I found MI5 was about the worst paying graduate recruiter and especially bad for central London. Given the pay I would imagine that anyone with competence would take a job in the private sector leaving them to scrape up the dregs.

      Still, it was worth requesting the information pack for the entertainment alone because in every one of the pictures all the people wer

      • Re: (Score:3, Funny)

        by SGDarkKnight (253157)

        Yes yes, but your forgetting one important detail, the information pack you requested is the one they show to the public, they dont want everyone to know about the "real" pay options you get that dont have any type of paper trails, just un-sequenced stacked bills handed to you in a brown paper bag that reads "lunch - extra lettuce".

        As for not looking at the camera, i guess thats just habit to them now... knowing when their picture is being taken and all :-)

      • Re:Competence (Score:5, Informative)

        by Shakrai (717556) on Thursday July 30, 2009 @09:15AM (#28881663) Journal

        It's hardly surprising since the pay at MI5 is abysmal. I requested an information pack during my last year of university but lost interest when I found MI5 was about the worst paying graduate recruiter and especially bad for central London

        That's not really that unusual for Governmental agencies. I would imagine that most people who go to work for MI5/CIA/Mossad/etc are not doing it for the money.

        • MI5 is internal security, MI6 is the one most like the CIA/Deuxieme Bureau/KGB.

          Having said that, there was an interesting article recently on the BBC quoting ex MI6 chiefs who mentioned the remarkable amount of help they received for symbolic or no compensation by ordinary people, Britons and foreigners alike, who carried out all sorts of difficult and sometimes dangerous activities voluntarily, sometimes for no more than "a bottle of wine at Christmas". It seems their main motivation was patriotism and/or

        • What makes you think that the incompetence is due to it being a government agency? I've worked at many companies that are so incompetent that I can't figure out how they stay in business. Bureaucracies have their own innate incompetence, whether it's government or not is pretty much irrelevant.
          • by Shakrai (717556)

            Where did I use the word 'incompetence'? I was referring to the disparity in pay that was noted by the GP. I didn't imply or suggest that they were incompetent.

  • A bit misleading ... (Score:5, Informative)

    by crowemojo (841007) on Thursday July 30, 2009 @08:08AM (#28880709)
    I see this and think the word "Hacked" gets thrown around a bit too easily. This is an example of non-persistent (also referred to as reflected) cross site scripting. This means that in order to take advantage of it, they have to convince a target to visit their specially crafted link. To me, "Hacked" sort of implies "They got in!" or "Data was breached!" or other such bad things and that simply isn't the case here.

    So what does this type of XSS do? Mostly embarass people because defacement examples are posted to "look what I can do" forums (which is basically what happened). Think about the attack vector here, they have to get a victim to visit their specific url that includes their attack. How is that done? Malicious email, posting the link to some website or forum and hoping they find it and visit, embedding the link in other sites that have been hacked or something like a banner ad, or whatever. All of these involve the target going out of their way to visit this maliciously crafted url. When you consider that they could still do all these things without XSS and simply host malicious code themselves, all this reflected XSS is doing is making it a bit harder for an end user to spot that this is something non-standard and dangerous.

    Think of it this way, "With reflected XSS, I can send them a link, and if they visit it, I can do bad things to their computer!" but then again, you can do that without XSS too, it just isn't quite as effective. How many users are taking the time to carefully look at a link before clicking on it, checking to make sure it contains the domain name they expect and not just an IP address, or a domain name that is similar, but not quite right, etc. A user who is doing this sort of thing will more likely fall victim to this XSS attack, but most users, who don't scrutinize things at that level, were just as susceptible to a classic phishing/malicious linking attack anyways.
    • by nurb432 (527695)

      I see this and think the word "Hacked" gets thrown around a bit too easily. .

      shhhh they need the ratings.

    • Agreed although a DNS hack could implement the XSS without anyone being any the wiser. However if you can hack DNS who's going to waste their time on XSS anyway?
    • by trifish (826353)

      When you consider that they could still do all these things without XSS and simply host malicious code themselves

      Sure but people are still more likely to click on URL containing a domain name that ends with ".gov.uk".

      • Re: (Score:2, Informative)

        by maxwell demon (590494)

        You mean links like this? http://www.mi5.gov.uk/ [slashdot.org]

        • You mean links like this? http://www.mi5.gov.uk/ [mi5.gov.uk]

          Good thing I am on OSX running Safari.... Hovering the mouse over the rendered text of the link shows me the actual domain I'm going to be vectored to... Gosh wouldn't want to go there.... might be dangerous!

          • Do you mean the tooltip? Slashdot adds a title attribute containing the domain. The title tag exists exactly for the purpose of showing something when you hover. I'd expect any current browser to show the target domain on Slashdot when hovering the link.

            BTW, even if Safari normally shows the link target as tooltip, what does Safari show when you hover over a link with a title tag? The content of the title tag, or the actual linked domain? I can't give such a link, because Slashdot replaces the title tag wit

            • It shows it as a tooltip. So does the Mac OS Mail program. This works for all linked passive content displayed by WebKit.

              It shows more than the domain. It shows the actual domain and path that clicking on the hot-text will request. WebKit has done this since at least Mac OS X 1.2.X

              One place I's like to see it expanded in active content.... I have to watch my cursor very carefully on ad-rich pages to avoid getting whacked by active content. Not that it does anything worse than crash Safari browser

  • by Anonymous Coward

    I'm not sure I'd call exploiting an XSS vulnerability penetrating. Sure, it can be used with a hybridized CSRF attack to penetrate into otherwise restricted areas of a website (although I don't know of such areas on MI5's website), but XSS, in and of itself, is more akin to graffiti than anything else.

    And, btw, I don't consider the social engineering element of XSS to be a particularly bonafide threat. If someone's going to provide all their personal info because the MI5 website, through XSS, asked for it,

  • People tend to confuse hacking with cracking quite often, thanks to the mass media.
  • NSA anyone ? (Score:3, Interesting)

    by C0vardeAn0nim0 (232451) on Thursday July 30, 2009 @08:28AM (#28880941) Journal

    any "l33t hax0r" in the house brave enought to try this shit on the NSA ?

    considering that i never heard of any snafu from those guys, either their pretty good at sevuring their stuff, or incredibly efficient at snuffing anyone who tries it before news get to public.

    sincerely, i don't know which one is the scariest scenario.

    • Re: (Score:3, Informative)

      by gad_zuki! (70830)

      I doubt the NSA cares. Their public websites arent hosted or even maintained by the people who do their cracking. The probably have a hosting service and if the site gets defaced or goes down, its no big deal. Its not exactly sitting on some high security LAN.

      Websites are the low hanging fruit in the hacker community. Its like spray painting my garage. You can be a jerk if you want to, its just not worth it to obsess over protecting said garage.

    • by Memroid (898199)

      any "l33t hax0r" in the house brave enought to try this shit on the NSA ?

      Like 6ish years ago I sent the NSA an example of a similar cross-site bug like this, when they were using ColdFusion for their web server. I could pretty much display anything on their site to a user, given a long link, which is what others are describing this as.

      Unfortunately, now we have things like TinyURL and bit.ly which everyone uses for twitter, which could make them unknowingly spread fake information, or run scripts, which appear to be from trusted domains.

  • Send in the new Bond after them, hackers might think twice after seeing these guys get a few bullets in the back of their heads!

    • by Trouvist (958280)
      I find it difficult to think they will think once, let alone twice, after they each get a few bullets in the back of the head.
      • by Sulphur (1548251)
        In Soviet Russia, it only takes one bullet.
      • If you read my post carefully you would have seen that I thought of that and wrote
        to make sure I was not referring to the original hackers, but others looking unto these ones.

  • by meist3r (1061628) on Thursday July 30, 2009 @08:40AM (#28881133)
    Fort Knox announced today that someone broke in and took a dump on the Gold ... nothing was stolen though.
  • News of hacked public websites of powerful public agencies is titillating but technically insignificant. These sites are usually maintained by the lowest bidder on the cheapest servers with the most scant security. And they generally have no useful information. Boring! On the other hand, cyber warfare is constant and both government and industry networks with valuable information assets are under constant attack. I know this first hand from having had oversight of network security in a major scientific l
  • by tjstork (137384) <todd@bandrowsky.gmail@com> on Thursday July 30, 2009 @10:37AM (#28882917) Homepage Journal

    A hacker's apartment in London was invaded by a gang of unknowns. Nothing was stolen, but his computer was smashed, his books urinated on, and the victim suffered a broken leg, torn elbow tendon, and a few cracked ribs after reportedly being waterboarded in his own kitchen.

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...