[ISN] Howard 'hacker' pleads innocence

From: InfoSec News (alerts@private)
Date: Wed Oct 10 2007 - 22:16:15 PDT


http://www.zdnet.com.au/news/security/soa/Howard-hacker-pleads-innocence/0,130061744,339282729,00.htm

By Liam Tung
ZDNet Australia
11 October 2007

The so-called "Howard hacker" told ZDNet Australia that he is innocent 
of defacing the Liberal Party Web site.

Brett Soric, a local security and computer enthusiast, was reported to 
the Australian Federal Police after he created a script that exploited a 
common flaw in Labor and Liberal's official Web sites. Soric claimed he 
hasn't done anything wrong.

"So far I've been assuming that the police will understand what's 
happened before trying to find me," Soric, the so-called "hacker" told 
ZDNet Australia in an e-mail interview today.

ZDNet Australia on Tuesday reported that cross-site scripting (XSS) 
vulnerabilities found in the Web sites of both major political parties 
allowed the public, via a Web site created by Soric, to insert comments 
that appear to be generated by the Liberal and Labor parties.

Soric said the only comment he posted was the example quoted in the 
ZDNet Australia story, which showed John Howard saying: "I want to suck 
your blood".

By Wednesday, other media outlets had incorrectly reported that the 
Liberal's official Web site had been "hacked", after receiving a 
separate link which displayed a page from liberal.org.au that read: 
"John Howard says: I like to suck dick".

"Someone else posted the 'I like to suck dick' [comment]," Soric said.

The script that allowed people to insert their own comments on the 
Liberal's Web site has now been removed and replaced with the message: 
"This website does not, nor did it ever, 'hack' either party's site. Get 
a clue before you run around screaming HACKER. Happy now? Go talk to a 
security expert, and ask them about XSS exploits."

A Liberal spokesperson said the media outlets that reported the "John 
Howard says" quote were the victims of a "hoax", while an ALP 
spokesperson told the press the security flaw exploited in its site was 
a "reflected XSS" vulnerability -- that is, one which did not affect the 
ALP's servers.

ALP chief information officer, Dennis Potter, told ZDNet Australia that 
only a user who clicks on a specially crafted link would see the result, 
and the issue does not constitute a hack.

AFP agent Nigel Phair -- who earlier this week said Australian 
organisations tend to "sweep security breaches under the carpet" -- 
defined hacking as "gaining unauthorised access to a computer or 
computer network".

Soric explained: "It is not a 'hack' because the script did not break 
into their servers [and] did not modify any pages on their site. The 
only way to have seen any of the results was to click a [crafted] link."
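The distinction drawn by the ALP's CIO and by Soric above (a reflected XSS flaw shows injected content only to the user who follows a crafted link, and changes nothing on the server) can be seen in a small added example that is not code from the article or from either party's site. It assumes a page that echoes a `say` query parameter; the `renderPage*` functions, the stored page body and the sample link are constructed for illustration.

```javascript
// Added illustration of reflected XSS (not code from the article or either party's site).
// A "say" query parameter is reflected into the page; names and layout are assumptions.

// The page content actually held on the server. A reflected request never changes it.
const STORED_PAGE_BODY = "<p>Welcome to the party's site.</p>";

// Minimal HTML escaping for text that is placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read the "say" parameter from the request URL (the crafted link's payload).
function sayParam(url) {
  return new URL(url).searchParams.get("say") || "";
}

// VULNERABLE: the parameter is copied into the HTML verbatim, so markup in the
// link becomes markup in the response seen by whoever clicked it.
function renderPageVulnerable(url) {
  return `<html><body>${STORED_PAGE_BODY}<p>Leader says: ${sayParam(url)}</p></body></html>`;
}

// HARDENED: the same page, with the parameter escaped before it enters the markup.
function renderPageHardened(url) {
  return `<html><body>${STORED_PAGE_BODY}<p>Leader says: ${escapeHtml(sayParam(url))}</p></body></html>`;
}

// Detection check: does the rendered response carry a raw script element?
// (The stored page body contains none, so any hit came from the request.)
function hasRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed crafted link of the kind the article describes (example.invalid is a
// reserved, non-resolving name); the payload is the standard harmless XSS probe.
const CRAFTED_LINK =
  "https://www.example.invalid/news?say=" + encodeURIComponent("<script>alert(1)</script>");

console.log("vulnerable page carries script:", hasRawScriptTag(renderPageVulnerable(CRAFTED_LINK))); // true
console.log("hardened page carries script:  ", hasRawScriptTag(renderPageHardened(CRAFTED_LINK)));  // false
```

Because `STORED_PAGE_BODY` is never written to, a visitor who opens the plain URL without the parameter sees the unchanged page, which is what separates this from a defacement.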

Soric, who claims to have developed the script "just to see if I could 
write the Javascript to do it", said he was motivated after reading 
about the government's NetAlert filter.

"News of the NetAlert filter was what motivated me to look through the 
Liberal's site in the first place, as I feel very strongly about 
Internet censorship, even if at the moment it's only being used to stop 
children looking up porn and terrorism sites," said Soric.




