By Liam Tung
11 October 2007
The so-called "Howard hacker" told ZDNet Australia that he is innocent
of defacing the Liberal Party Web site.
Brett Soric, a local security and computer enthusiast, was reported to
the Australian Federal Police after he created a script that exploited a
common flaw in Labor and Liberal's official Web sites. Soric claimed he
hasn't done anything wrong.
"So far I've been assuming that the police will understand what's
happened before trying to find me," Soric, the so-called "hacker" told
ZDNet Australia in an e-mail interview today.
ZDNet Australia on Tuesday reported that cross-site scripting (XSS)
vulnerabilities found in the Web sites of both major political parties
allowed the public, via a Web site created by Soric, to insert comments
that appear to be generated by the Liberal and Labor parties.
Soric said he only posted the example referred to in the ZDNet Australia
story, which showed John Howard saying: "I want to suck your blood", as
By Wednesday, other media outlets had incorrectly reported that the
Liberal's official Web site had been "hacked", after receiving a
separate link which displayed a page from liberal.org.au that read:
"John Howard says: I like to suck dick".
"Someone else posted the 'I like to suck dick' [comment]," Soric said.
The script that allowed people to insert their own comments on the
Liberal's Web site has now been removed and replaced with the message:
"This website does not, nor did it ever, 'hack' either party's site. Get
a clue before you run around screaming HACKER. Happy now? Go talk to a
security expert, and ask them about XSS exploits."
A Liberal spokesperson said the media outlets that reported the "John
Howard says" quote were the victims of a "hoax", while an ALP
spokesperson told the press the security flaw exploited in its site was
a "reflected XSS" vulnerability -- that is, one which did not affect the
ALP chief information officer, Dennis Potter, told ZDNet Australia that
only a user who clicks on a specially crafted link would see the result,
and the issue does not constitute a hack.
AFP agent Nigel Phair -- who earlier this week said Australian
organisations tend to "sweep security breaches under the carpet" --
defined hacking as "gaining unauthorised access to a computer or
Soric explained: "It is not a 'hack' because the script did not break
into their servers [and] did not modify any pages on their site. The
only way to have seen any of the results was to click a [crafted] link."
Soric, who claims to have developed the script "just to see if I could
about the government's NetAlert filter.
"News of the NetAlert filter was what motivated me to look through the
Liberal's site in the first place, as I feel very strongly about
Internet censorship, even if at the moment it's only being used to stop
children looking up porn and terrorism sites," said Soric.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com