The dark side of aggregating tags

An infographic on Flickr recounts the cautionary tale of the Conservative Party’s experiment in social media. They aggregated the #cashgordon tag, so that messages from Twitter with this tag would appear on their own site. The disaster that resulted was made possible by three technical errors:

  1. They didn’t filter content: anyone could use Twitter and the hashtag to write whatever text they wanted on the Conservative site.
  2. They didn’t filter out markup: users could style the content of messages how they wanted, e.g. 48 point high and they could embed images of their choice (including spoofs of the Conservative poster campaign).
  3. They didn’t filter out JavaScript commands: users could insert a command redirecting the whole site to Labour, Rickroll or porn, which they promptly did.

Code injection is something any developer should consider when building one of these services, and surely most do, but it’s nice to have a periodic reminder of what can go wrong when you miss out the necessary one or two lines of code.
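The three errors above map onto two missing steps: an admission check on what gets shown at all, and escaping of what does get shown. The following is an added example (not code from the original post or from the site it describes) that puts the naive "drop the tweet text into the page" pattern next to a filtered, escaped version; the sample messages, the required tag and the length cap are constructed assumptions for the demonstration.

```python
import html
import re

# Constructed sample messages standing in for aggregated tweets; none are real posts.
SAMPLE_TWEETS = [
    "Great turnout at the rally today #cashgordon",
    '<font size="7">SHOUTING IN 48pt</font> #cashgordon',
    '<img src="https://example.invalid/spoof-poster.png"> #cashgordon',
    "<script>window.location='https://example.invalid/'</script> #cashgordon",
    "Off-topic message with no hashtag at all",
]

REQUIRED_TAG = "#cashgordon"   # assumed: the tag the feed aggregates
MAX_LEN = 140                  # assumed: reject anything longer than a tweet


def naive_render(tweets):
    """The pattern the post warns about: tweet text dropped straight into the page."""
    return "<ul>" + "".join(f"<li>{t}</li>" for t in tweets) + "</ul>"


def accept_message(text):
    """Error 1 (no content filter): a minimal admission check before anything is shown.
    A real deployment would add moderation; this only enforces the tag and a length cap."""
    return REQUIRED_TAG in text.lower() and len(text) <= MAX_LEN


def escape_message(text):
    """Errors 2 and 3 (markup and script): escape every HTML metacharacter so the
    browser shows <font>, <img> and <script> as literal text instead of acting on them."""
    return html.escape(text, quote=True)


def safe_render(tweets):
    """Filter, then escape, then wrap in markup that only the site itself emits."""
    items = [f"<li>{escape_message(t)}</li>" for t in tweets if accept_message(t)]
    return "<ul>" + "".join(items) + "</ul>"


def contains_live_markup(rendered):
    """Demo check: does any user-supplied tag survive as real HTML?
    The <ul>/<li> wrapper written by safe_render/naive_render is the only markup expected."""
    stripped = re.sub(r"</?(ul|li)>", "", rendered)
    return bool(re.search(r"<[a-zA-Z/!]", stripped))


if __name__ == "__main__":
    print("naive output carries live markup:", contains_live_markup(naive_render(SAMPLE_TWEETS)))
    print("safe output carries live markup: ", contains_live_markup(safe_render(SAMPLE_TWEETS)))
    print(safe_render(SAMPLE_TWEETS))
```

Escaping is preferred here over a tag-stripping regex because it leaves no parser ambiguity for the browser: every `<`, `>`, `&` and quote from the user is rendered as text, whatever the user wrote, while the site keeps the styling decisions (font size, images, scripts) to itself.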


Protecting against DDoS attacks

With Distributed Denial of Service attacks very much in the news, I’m very glad to be hosting this guest article by someone who for now wishes to remain anonymous – Martin.

Until a few months ago I had never seen a DDoS attack and I had no idea what can be done about it, if anything at all. Not because I wasn’t interested; I was. But most of the papers on the net that deal with the subject are academically abstract and hardly useful in a concrete “I’m in deep shit, WTF do I do now?” situation. So here’s a very basic list of what you can reasonably do before you get attacked, assuming that you have no reason to expect an attack:

The Holy Grail of Infosecurity

Monty Python and The Holy Grail is, besides being one of the finest comedy films of all time, also rich in security management concepts and scenarios from which any ITSec team can learn, apparently.

A recent article on the British Computer Society website takes a closer look at some of these situations, and how the lessons can help corporate IT teams to address common security issues and smooth security management.

http://www.bcs.org/server.php?show=ConWebDoc.15573