http://www.zdnet.com.au/news/security/soa/Howard-hacker-pleads-innocence/0,130061744,339282729,00.htm By Liam Tung ZDNet Australia 11 October 2007 The so-called "Howard hacker" told ZDNet Australia that he is innocent of defacing the Liberal Party Web site. Brett Soric, a local security and computer enthusiast, was reported to the Australian Federal Police after he created a script that exploited a common flaw in Labor and Liberal's official Web sites. Soric claimed he hasn't done anything wrong. "So far I've been assuming that the police will understand what's happened before trying to find me," Soric, the so-called "hacker" told ZDNet Australia in an e-mail interview today. ZDNet Australia on Tuesday reported that cross-site scripting (XSS) vulnerabilities found in the Web sites of both major political parties allowed the public, via a Web site created by Soric, to insert comments that appear to be generated by the Liberal and Labor parties. Soric said he only posted the example referred to in the ZDNet Australia story, which showed John Howard saying: "I want to suck your blood", as an example. By Wednesday, other media outlets had incorrectly reported that the Liberal's official Web site had been "hacked", after receiving a separate link which displayed a page from liberal.org.au that read: "John Howard says: I like to suck dick". "Someone else posted the 'I like to suck dick' [comment]," Soric said. The script that allowed people to insert their own comments on the Liberal's Web site has now been removed and replaced with the message: "This website does not, nor did it ever, 'hack' either party's site. Get a clue before you run around screaming HACKER. Happy now? Go talk to a security expert, and ask them about XSS exploits." A Liberal spokesperson said the media outlets that reported the "John Howard says" quote were the victims of a "hoax", while an ALP spokesperson told the press the security flaw exploited in its site was a "reflected XSS" vulnerability -- that is, one which did not affect the ALP's servers. ALP chief information officer, Dennis Potter, told ZDNet Australia that only a user who clicks on a specially crafted link would see the result, and the issue does not constitute a hack. AFP agent Nigel Phair -- who earlier this week said Australian organisations tend to "sweep security breaches under the carpet" -- defined hacking as "gaining unauthorised access to a computer or computer network". Soric explained: "It is not a 'hack' because the script did not break into their servers [and] did not modify any pages on their site. The only way to have seen any of the results was to click a [crafted] link." Soric, who claims to have developed the script "just to see if I could write the Javascript to do it", said he was motivated after reading about the government's NetAlert filter. "News of the NetAlert filter was what motivated me to look through the Liberal's site in the first place, as I feel very strongly about Internet censorship, even if at the moment it's only being used to stop children looking up porn and terrorism sites," said Soric. __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Wed Oct 10 2007 - 22:50:18 PDT