"Exploiting The Potential Of Wikis" Workshop
Risk Management Page For Web Site


About This Page

This page provides details of risk assessment of the technologies used on this Web site. The page will also document the experiences gained.

Risk Assessment

The Web site makes use of the following third party services:

Experiences

10 Oct 2006
On 21 October 2006 information about the discussion groups held on this Web site was copied to the Wetpaint Wiki. Problems were encountered when trying to save the Wiki page. It was subsequently discovered that it was possible to save the page if ASCII text was copied to the Wiki, rather than formatted HTML. This seems to be a bug/feature of the Wetpaint software, which is not of critical importance. This bug should be reported to Wetpaint.
10 Oct 2006
At 15.26 on 10 October 2006 we received an email from a member of the Web management community informing UKOLN that the RSS to HTML conversion service had been hacked. The service was removed from the Web site and replaced by a message giving details on the problem. Later the same day the service was replaced by use of an in-house conversion service. It was also noted later the same day that the attack on the http://www.rss-info.com/ service appeared to have been fixed.

Discussion

The problem experienced on 10 October 2006 appeared to have been with the rss-info.com RSS include service (which is based on PHP). In order to clarify exactly what the problem was and to learn lessons for the future, further inquiries were made.

Further investigation revealed that the www.rss-info.com service Web site states that the service is "a project of the Austrian internet company Chromos Internet Solutions (website in german only). Chromos, based in the little town Neumarkt near Salzburg, is specialised on realising complex, database-driven online applications based on PHP and mySQL."

An email enquiry was sent to the company at 11.03 on 11 October 2006. At 14.00 on the same day the following response was received:

Hi,
thanks for your inquiry. The presumed hacker attack was in fact only a billing problem. The credit card used to pay for this webhost passed its validity date. Unfortunately the mail address related with this service is normally read by an employee who is on vacation now and the provider suspended the service after sending two "past due" mails.
The downtime lasted a few hours and we paid hosting fees for 48 months upfront now to avoid similar accidents during the next years :)
FYI: rss-info.com serves about 100.000 feed impressions per day right now, raising monthly. There is a short message describing the problem in the news section on the front page.
Regards,
Adi Dax
www.rss-info.com

The company also provided an announcement about this incident on their home page.

Lessons

This incident has provided a useful opportunity to reflect on some of the potential problems which may be encountered in using third party services, and of ways of addressing such potential problems.

It should also be noted that this particular incident was due to an administrative and not a technical problem. The same problem could occur if there was a failure to renew a domain name for an in-house Web site. So this particular incident is not necessarily a result of use of a third-party service.

Avoiding The Specific Problem

Organisations should have quality assurance procedures in place which will ensure that invoices for domain names are paid promptly. For example UKOLN paid for the domain name registration for its Exploit Interactive and Cultivate Interactive services for a period of ten years, to avoid for that period the problems of failure to pay due to staff holidays, absences, etc.

Spotting This Specific Problem

As well as ensuring this particular problem doesn't occur within one's institution it is also desirable to seek to minimise the chances that this problem will occur with use of third party services.

Useful Tools

One approach would be to make use of tools which can help give a picture of the third party service. For example the Whois service will provide information on domain name registration details (including details of payment dates) and the Netcraft service can provide information on the Web server software, uptime, etc. Examples of use of these services for the rss-info.com service are available below:
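As an added example (not one of the Whois or Netcraft outputs referred to above, and not UKOLN's own tooling), the following Python script shows how the registration expiry date in Whois output can be checked automatically so that a third-party service's domain lapsing for administrative reasons is spotted in advance. The Whois records are constructed sample text under reserved .test names; in practice the text would come from `whois <domain>`.

```python
"""Flag third-party service domains whose Whois expiry date is near.

Added example for this page; the Whois records below are constructed
samples (reserved .test names), not real registry output.
"""
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Registries label the expiry field differently, so try the common spellings.
EXPIRY_PATTERNS = [
    r"Registry Expiry Date:\s*(\S+)",
    r"Registrar Registration Expiration Date:\s*(\S+)",
    r"Expir(?:y|ation) Date:\s*(\S+)",
    r"paid-till:\s*(\S+)",
]
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

def parse_expiry(whois_text: str) -> Optional[datetime]:
    """Return the expiry date as an aware UTC datetime, or None if not found."""
    for pattern in EXPIRY_PATTERNS:
        match = re.search(pattern, whois_text, re.IGNORECASE)
        if not match:
            continue
        raw = match.group(1).rstrip("Z")
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None

def days_until_expiry(whois_text: str, now: datetime) -> Optional[int]:
    expiry = parse_expiry(whois_text)
    return None if expiry is None else (expiry - now).days

def check_domains(records: Dict[str, str], now: datetime,
                  warn_days: int = 60) -> Dict[str, str]:
    """Classify each domain as ok, expiring, expired or unknown (no date parsed)."""
    status = {}
    for domain, text in records.items():
        days = days_until_expiry(text, now)
        if days is None:
            status[domain] = "unknown"
        elif days < 0:
            status[domain] = "expired"
        elif days <= warn_days:
            status[domain] = "expiring"
        else:
            status[domain] = "ok"
    return status

# Constructed sample Whois output in three registry styles, plus one with no date.
SAMPLE_WHOIS = {
    "feed-service.test": "Domain Name: FEED-SERVICE.TEST\nRegistry Expiry Date: 2006-11-05T00:00:00Z\n",
    "wiki-host.test": "domain: WIKI-HOST.TEST\npaid-till: 2008-02-01\n",
    "lapsed-site.test": "Expiration Date: 15-Sep-2006\n",
    "opaque.test": "Domain Name: OPAQUE.TEST\nStatus: ok\n",
}

if __name__ == "__main__":
    # Check as of 11 October 2006, the day the enquiry on this page was sent.
    for name, state in check_domains(SAMPLE_WHOIS, datetime(2006, 10, 11, tzinfo=timezone.utc)).items():
        print(f"{name}: {state}")
```

A domain reported as "unknown" still needs a manual look, since a registry that withholds the expiry date gives no warning at all.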

Non-Technical Approaches

Non-technical approaches to minimising the chances of problems occurring with use of third party services include emailing the company to gain a better understanding of the company or organisation and finding out more from their Web sites or other Web sites, mailing lists, etc.

Engagement with and support from the community can also be useful. In this particular case, a member of the UK Web community promptly informed us when this problem was spotted.

The risks can also be minimised by making use of a valuable third party service only when the service is needed and switching off the service afterwards.

Another approach to minimising such risks is to pay for use of a third party service. In such cases there will be a contractual agreement with the company and, if problems do occur, it may be possible to take the company to court. Related to this approach would be to make use of third party services from well-established companies such as Yahoo! and Google. Such companies may be more likely to have internal procedures in place to avoid problems such as the one described above.

The risks can be avoided by avoiding use of third party services completely. This approach has its own risks: there are resource costs of needing to develop or deploy services in-house, the risks of failing to provide useful services to the user community, etc.

Conclusions

In the longer term there will be a need for a more formal approach to minimising risks in the use of external services (e.g. digital signatures for servers, etc.). In the interim a lighter-weight approach along the lines described above may prove useful.