The ALP's Federal Campaign 2007
"As always, victory finds a hundred fathers but defeat is an orphan."
Since there were around 100 people in the ALP's Federal Campaign Headquarters
(CHQ), and Dr Dennis Perry was among them, he'll claim his small part in the victory.
While the above quotation was popularised by President Kennedy (after the Bay of Pigs
incident), it appears in the writings of Count Gian Galeazzo Ciano, Mussolini's son-in-law, and Tacitus (56-117 AD) expressed a similar
sentiment: inquissima haec bellorum condicio est: prospera omnes sibi indicant, aduersa uni imputantur. "It is the singularly unfair peculiarity of
war that the credit of success is claimed by all, while a
disaster is attributed to one alone." Since these are both translations, who
knows what was really said? However, you get the drift: there
is a martial theme, and election campaigns can be bruising and exhausting
encounters.
At CHQ, Dennis had responsibility for building the Information and
Communications Technology (ICT) infrastructure, which took much of 2007, as well as responsibility for the ALP's Internet Services Centre (ISC). The ISC
hosted the Kevin07, ALP.ORG.AU and Howardfacts websites, and they
all played their part in the overall web strategy. There's a lot to tell about
the ICT and ISC, but that's for another time and another place.
One amusing incident was the security theatre that played out in the early days
of Campaign07. Liam Tung, a ZDNet journalist, and Mahesh Sharma, a journalist from The Australian, both publicised the fact that the
campaign websites of the Liberals, the ALP and, for that matter, the Democrats had been defaced, and each had an image to show the hacked sites.
Well ... the vulnerability was a reflected cross-site scripting (XSS) security
issue. For more information, see:
http://www.owasp.org/index.php/Top_10_2007-A1
In a nutshell, the injected script is reflected straight back to whoever submitted it, so only the person
"defacing" the site, through that script insertion, can see the defacement.
Mahesh was particularly concerned, and sent a message to the ALP Web Editor:
"My name's Mahesh Sharma, I'm a reporter for The Australian. How are you?
I’ve discovered a website that lets anyone post messages on the official ALP
site, and wanted to ask you a couple of questions about it.
The site http://bur.st/~bsoric/ allows visitors to post messages that “deface”
the ALP’s websites.
Are you aware of this website?
In these forums, http://sla.ckers.org/forum/read.php?3,14515
the author of the site said that both parties closed the vulnerability, but they
fixed it so the “defacer” could still allow messages to be posted. What was the
vulnerability on your site and how was it fixed?
Is this symptomatic of a larger security issue for the ALP website?
What are the chances of this happening again?
How did this happen in the first place?
What are you doing to prevent this from happening again in the future?"
And guess who also had the same security issue?
That's right: ZDNet and The
Australian, as the screenshots in the image gallery below
illustrate. Both Liam and Mahesh were notified, but not before Dennis had
"defaced" their sites.
In an interesting twist, the publicity from the articles on ZDNet and the
Australian caused IBM to come calling. IBM had just purchased
Watchfire and were keen to promote the product.
Dennis thanked them for their offer of help, and said that while the ALP had
addressed the issue, IBM should perhaps approach ZDNet and the
Australian, who were much bigger companies in need of security assistance.
Security is not an issue to be taken lightly, and XSS should be protected
against. A CISSP is the last person who should make light of the issue.
Input data should be checked and validated, and there is no excuse for not
taking care in this area. However, people living in glass houses ...
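To make the point concrete, here is an added Python example (not code from the campaign sites or from the original page) showing the reflected pattern beside its fix: the search handler and page template are constructed for illustration, and the check at the end uses a harmless bold tag as the probe rather than a script. The practical caveat it illustrates is that validating input is not enough on its own; the reflected value has to be encoded for the context it lands in.

```python
import html
from urllib.parse import parse_qs

# Constructed sample page: a search box that echoes the query term back into
# the HTML body, the reflected-XSS pattern the campaign sites suffered from.
PAGE_TEMPLATE = "<html><body><h1>Search results for: {term}</h1></body></html>"


def get_term(query_string: str) -> str:
    """Pull the 'q' parameter out of a raw query string (empty if absent)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the parameter verbatim: any markup in it becomes live markup."""
    return PAGE_TEMPLATE.format(term=get_term(query_string))


def render_hardened(query_string: str) -> str:
    """Encodes the parameter for the HTML body context before reflecting it.

    Validation alone is not enough: a legitimate search term may contain
    '<', '&' or quotes, so the fix is to encode at the point of output.
    """
    safe_term = html.escape(get_term(query_string), quote=True)
    return PAGE_TEMPLATE.format(term=safe_term)


def reflects_unencoded(page_html: str, probe: str) -> bool:
    """The check a tester or scanner runs: does a harmless markup probe come
    back as live HTML rather than as encoded text?"""
    return probe in page_html


if __name__ == "__main__":
    probe = "<b>probe</b>"  # harmless, constructed marker
    qs = "q=" + probe
    print("vulnerable reflects markup:", reflects_unencoded(render_vulnerable(qs), probe))
    print("hardened reflects markup:  ", reflects_unencoded(render_hardened(qs), probe))
```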
The Coalition Government at the time added to the theatre by threatening dire
consequences for hackers defacing political websites.
http://www.news.com.au/story/0,23599,22561539-5012863,00.html
And so it goes ...
Note: The bur.st site was taken down, but the sla.ckers forum still carries the relevant posts.