Slashdot Mirror
MI5 Website Breached By Hacker
Jack Spine writes "UK intelligence agency MI5 has admitted that its website security was breached by hacker group Team Elite. A member of the hacker forum posted details of the hack last week, which took advantage of a cross-site scripting vulnerability in the site's Google embedded search. MI5 admitted the breach on Wednesday, but said that the flaw had not been exploited maliciously."
No doubt we'll find out on uk.misc later.
"Absorbing your worst..."
MI5 allows websurfing on critical computers.
Seriously. How else would you get hit by CSS?
It's a sort of script-injection vulnerability where you'd have to click on someone else's link to the MI5 site. I suppose it could steal cookies from someone stupid enough to click on a long link from an unknown person, but it's not like the site itself was hacked or anything, which is what "website breached by hacker" strongly implies.
If a whole bunch of fake Iraq WMD reports start showing up on the net in the next few days, then we'll know if they were really exploited or not...
How many time will MI5 take to kill the guy that made this? ihih
I propose the MI5 website team should be known as the "Mostly Incompetent 5" team !?
Take Nobody's Word For It.
I see this and think the word "Hacked" gets thrown around a bit too easily. This is an example of non-persistent (also referred to as reflected) cross site scripting. This means that in order to take advantage of it, they have to convince a target to visit their specially crafted link. To me, "Hacked" sort of implies "They got in!" or "Data was breached!" or other such bad things and that simply isn't the case here.
So what does this type of XSS do? Mostly embarass people because defacement examples are posted to "look what I can do" forums (which is basically what happened). Think about the attack vector here, they have to get a victim to visit their specific url that includes their attack. How is that done? Malicious email, posting the link to some website or forum and hoping they find it and visit, embedding the link in other sites that have been hacked or something like a banner ad, or whatever. All of these involve the target going out of their way to visit this maliciously crafted url. When you consider that they could still do all these things without XSS and simply host malicious code themselves, all this reflected XSS is doing is making it a bit harder for an end user to spot that this is something non-standard and dangerous.
Think of it this way, "With reflected XSS, I can send them a link, and if they visit it, I can do bad things to their computer!" but then again, you can do that without XSS too, it just isn't quite as effective. How many users are taking the time to carefully look at a link before clicking on it, checking to make sure it contains the domain name they expect and not just an IP address, or a domain name that is similar, but not quite right, etc. A user who is doing this sort of thing will more likely fall victim to this XSS attack, but most users, who don't scrutinize things at that level, were just as susceptible to a classic phishing/malicious linking attack anyways.
I'm not sure I'd call exploiting an XSS vulnerability penetrating. Sure, it can be used with a hybridized CSRF attack to penetrate into otherwise restricted areas of a website (although I don't know of such areas on MI5's website), but XSS, in and of itself, is more akin to graffiti than anything else.
And, btw, I don't consider the social engineering element of XSS to be a particularly bonafide threat. If someone's going to provide all their personal info because the MI5 website, through XSS, asked for it, what's to stop them from doing it for some MI5 look-alike domain? <sarcasm>mi5verify.co.uk is asking for my info? Only MI5 could have MI5 in their domain!!!
People tend to confuse hacking with cracking quite often, thanks to the mass media.
[ irc.p2p-network.net -> #zomgwtfbbq ][ http://zomgwtfbbq.info ]
HOLY SHIT Neo finally got his ass off the matrix-plug and joined Team Elite to "hack" websites by adding scripts to the URL!
Seriously, I would NEVER call anything XSS unless the script was actually inserted into the page so others don't have to follow maliciously crafted gay links. How could they ever abuse this "hack" anyway? "Hey man check the MI5 website by following my link here, it's a really cool governmental agency really. Please click!"
Also congrats to them for learning HTML 3 for building the Team Elite forum.
The Mythbusters crew know Jamie hates getting hacked more than he hates people leaving the lights on.
any "l33t hax0r" in the house brave enought to try this shit on the NSA ?
considering that i never heard of any snafu from those guys, either their pretty good at sevuring their stuff, or incredibly efficient at snuffing anyone who tries it before news get to public.
sincerely, i don't know which one is the scariest scenario.
What ? Me, worry ?
If you run anything but a trivial, static page web site, you need to expect to be hacked and have measures in-place to quickly recover the site and any data on it. A complex web site may appear to be secure for today or for years, but eventually, a backdoor/crack WILL be found. The board of directors at our company has been briefed that this is expected and planned for as part of our security.
My company runs a Joomla web site. We expect to be hacked in the future. We perform JFS snapshots every 15 minutes and currently maintain nightly off-site backups for the last 90 days. These are not JFS-send replication backups. WHEN we are hacked - and it is WHEN - we'll be able to recover anywhere very quickly with just a redirected DNS (24 hour updates).
Are your company external sites protected to that level? Is there an expectation in your C-Suites that this will be the recovery plan and being down for 24 hours is expected?
BTW, it doesn't matter if you run Solaris, Windows, Linux, NetBSD, FreeBSD, or some embedded OS - you will be hacked. If you run a web server on a Mac - well, you've already been hacked and lost all your data like these geniuses http://tech.slashdot.org/article.pl?sid=09/02/20/1543208
Send in the new Bond after them, hackers might think twice after seeing these guys get a few bullets in the back of their heads!
... apparently the hackers used jailbroken iPhones ;-)
http://apple.slashdot.org/story/09/07/29/1440233/Apple-Says-iPhone-Jailbreaking-Could-Hurt-Cell-Towers
Roberto
Fort Knox announced today that someone broke in and took a dump on the Gold ... nothing was stolen though.
News of hacked public websites of powerful public agencies is titillating but technically insignificant. These sites are usually maintained by the lowest bidder on the cheapest servers with the most scant security. And they generally have no useful information. Boring! On the other hand, cyber warfare is constant and both government and industry networks with valuable information assets are under constant attack. I know this first hand from having had oversight of network security in a major scientific lab several years ago. Little or nothing is reported either in the way of successful penetrations and damage or attacks thwarted. That is the frontier people, where there is not only action with major consequences but hard computer and network science happening every day.
There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann
I believe his number is 1337.
Winkey shortcut mapping for 64bit windows. WinKeyPlus
Man.. James Bond villains are getting a lot nerdier.
Somebody beat you to this conclusion.
And this is why, as a comic once said, "you can't fix stupid". Do people honestly believe honeypots don't exist anymore, that there are no consequences. Nothing is anonymous. Most of the slashdotters out there are too young to understand that just because authorities don't arrest you an the first sign of cracking doesn't mean they aren't watching you. You see that how they build a case. Do you honestly believe it's only traffic cops sitting behind a computer? Understand this, once you are legally labeled a terrorist you have no rights.
A hacker's apartment in London was invaded by a gang of unknowns. Nothing was stolen, but his computer was smashed, his books urinated on, and the victim suffered a broken leg, torn elbow tendon, and a few cracked ribs after reportedly being waterboarded in his own kitchen.
This is my sig.
This is not a hack. TE is soft yo!
What is the difference between MI5 "frustrate" and CIA "combat" ?
Please forgive me if I've misinterpreted these statements. But the "About us" section of MI5 states the main "corporate aim" is to
"frustrate terrorism..."
http://www.mi5.gov.uk/output/about-us.html
Yes I understand counterintelligence is primarily based in "frustrating" your enemy. Anyone could succeed with that directive. And it also comes across has a bit shallow. Shouldn't they have a legal and protective goal of stopping terrorism?
this is just an off the cuff remark and I might not understand the significance of such a MI5 goal. please enlighten me. Im not an expert on intelligence work. But these kind of goals drive the whole organization, and what the organization is expected to achieve.
Since I'm curious kind of person I looked for a similar USA goal to compare. (I'm American so I quickly searched to see what the CIA "aims" are.)
The CIA website had this answer:
" 8. What is the CIA's role in combating international terrorism?
The CIA supports the overall US government effort to combat international terrorism by collecting, analyzing, and disseminating intelligence on foreign terrorist groups and individuals. The CIA also works with friendly foreign governments and shares pertinent information with them. "
"...combat ... terrorism..." seems like a substantial goal with depth. Obviously there is a strong meaning for combat. - actively fight against - and that leads us into preemptive attacks.
Some social thinkers would say we need to work with terrorism elements by injecting love to replace the hate.(I agree) But there are times we must combat terrorism as they steadfastly reject love. That seems like the appropriate time for preemptive action, as they have already killed and we must defend ourselves.
Of course we are not perfect, and some will take advantage of the logical conclusions mentioned above to justify other evil interests and agendas to preemptively attack those that stand in the way of USA goals. Thats why we need good men and women in government to stop greedy interest and support justice and liberty for all.
True Christians have the perfect foundation of grace, mercy, justice and liberty for all to help that lofty goal of being a good neighbor. That is the kind of heart needed to stop unwarranted preemptive attacks. I do believe defense includes elements of preemptive attacks. But this must must not be our ideological goal for success.
I'm a Christian and hope the Christian foundations of the United States of America is honored for the contribution of integrity and love that helps the world embrace truth fighting for liberty of all faiths. Many argue whether the USA really has liberty. Compare the liberty many world societies have produced. Then compare the real life liberty the UK and USA have achieved.
Why is it we forget fascist, nazi, communist etc societies filled with cruel bondage and lies. (not to mention hate filled terrorism based societies that have little freedom) Because we don't understand history, or we haven't had the opportunity to learn history.
another interesting word study. Twenty five years ago they changed many Jr. High school "History" classes into "Social studies". Lessening the focus on teaching history.
There was (and still is) a diminished focus on historical teachings in U.S. education systems. Is it a surprise new adults of this generation have little understanding of the past.
Gabriel