The mainstream media like the Mail on Sunday, and The Sun, quoting the Conservative party spokesman and former military officer Patrick Mercer MP, have pointed out the embarrassing spelling mistakes made on the Secret Intelligence Service MI6 website
Frank, a security officer, might have been expected to know there aren't three Ls in patrollling while, elsewhere, drivers taken on for chauffering duties (as opposed to chauffeuring) will be carrying out saftely checks and graduates can expect to have a great carees after joinging the service.
Other spelling mistakes include apppointed, negotations and crtical.
But the most shocking mistake comes in the introduction, where MI6 cannot even get 'instability' right, listing 'regional instablity'
Very embarassing, but surely this is less serious than the reported MI5 Security Service website which had a Cross Site Scripting vulnerability last week ?
Vulnerable to cross-site scripting attacks
By Lucian Constantin, Web News Editor
22nd of July 2009, 11:33 GMT
The cross-site scripting flaws were reported by a member of a group of programmers and security enthusiasts calling themselves Team Elite. Going by the online handle of [-TE-]-Neo, the grey hat hacker posted screenshots of several proof-of-concept XSS attacks against the two websites.
Cross-site scripting, or XSS, is a type of vulnerability that facilitates injecting rogue code into otherwise legit Web pages. Such flaws generally result from failure to properly validate user input into forms and can have different levels of impact, with persistent or Type 2 XSS being the most severe.
It is worth noting that, in the case of the MI5 and WHO websites, the cross-site weaknesses are non-persistent, or Type 1, and can only be exploited by opening malformed URLs. However, this does not mean that they are not dangerous.
Non-persistent XSS vulnerabilities can be used to significantly increase the credibility of phishing or malware-distribution campaigns. Instead of having to trick a user into visiting a fake page hosted on a dubious domain, the attacker can link to a vulnerable page on the legit domain directly.
The weakness in the MI5 website is located in the search form, which allows passing code as a search string. This can be used to inject a rogue IFrame into the page, which can, in turn, load more malicious code from a third-party domain via its src= attribute.
According to the hacker, the administrators of both websites have been notified, but, at the time of writing this article, the MI5 site was still vulnerable.
Why is this lack of a quick response from MI5 not a surprise ?
The stupid "shoot the messenger" attitude to those who try to report vulnerabilities, so prevalent in Whitehall, must have contributed to this unprofessional mistake, which very seriously damages the Security Service's brand credibility, as supposed "cyber terror / cyber warfare" defence trusted advisors.
Will the Intelligence and Security Committee or the new Office of Cyber Security bother to look into this incident, which reveals that proper website security management procedures, are still not being followed, even after the MI5 website notification email debacle ?
We doubt it.