ImageShack hit by hacking group who call for an end to full-disclosure
Rik Ferguson, senior security advisor at Trend Micro, wrote on the Countermeasures blog that a group calling itself Anti-Sec exploited the site with a declaration posted to the full-disclosure mailing list.
Ferguson said: “The effect of the attack was to replace many of the hosted images with a single (amusingly titled) image containing the Anti-Sec manifesto. ImageShack was a particularly effective site to target as so many third-party sites use images that are actually hosted on ImageShack.”
The declaration claimed that Anti-Sec is a ‘movement dedicated to the eradication of full-disclosure' and it wanted to give everyone an image of what it was about.
The statement read: “Full-disclosure is the disclosure of exploits publicly - anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services.
“It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.”
ImageShack responded by acknowledging that it was compromised by a hacking group. A statement on the site said: “On July 10th, at approximately 8 pm PST, ImageShack's services were compromised by a hacking group. Within a minute, our security systems had identified suspicious activity. We learned that the group had gained control of how images were being displayed. Before 9 pm PST, normal functionality had been restored to user images. No user data or content was damaged or lost.”
It claimed that only a fraction of the servers were affected, so it was able to isolate and remove the issue very quickly. It also claimed to be actively conducting a full audit of its security measures and was hardening its systems.
“It is Anti-Sec's belief, it seems, that the security industry supports full-disclosure (of things like vulnerabilities that lead to zero-day exploits, for example) because it allows the industry in general to develop scare tactics aimed at generating profits," said Ferguson.
“No mention then of the security industry designing proactive protection mechanisms to help people and businesses avoid serious financial and personal damage? No mention of full-disclosure allowing security organisations to mitigate against attacks before they are exploited in the wild? No mention of organised crime profiting from undisclosed vulnerabilities?
"Even though I'm usually a sucker for a manifesto, this just made me think of the wacky end of the survivalist spectrum, heading for the hills with their tins of beans and their AK-47s (and now SQLi).”