Idealist hackers threaten the entire security industry

Jul 13, 2009 09:08 GMT

A group of cyber hacktivists, whose declared goal is to put an end to vulnerability full disclosure practices, hacked into servers belonging to the popular free image hosting service ImageShack. The perpetrators modified the settings in order to display their manifesto instead of the hosted images.

ImageShack is one of the largest providers of free media hosting and is used by hundreds of thousands of websites. The service runs on some 450 32-bit or 64-bit Linux servers, organized in a cluster. The website serves over 2.5 million images on a daily basis.

According to an official statement, multiple ImageShack servers were compromised during the evening of July 10 and the attack lasted for about an hour. "No user data or content was damaged or lost," the site's support team announces. The hackers did, however, mess with the image-serving application, which they modified to display their own message instead. "We learned that the group had gained control of how images were being displayed," it is specified.

"Anti-sec. We're a movement dedicated to eradication of full-disclosure," the hacktivists write in their manifesto. Furthermore, they go on to explain that full disclosure is unethically used by the entire security industry to scare companies into acquiring various products and services. The argument they use is that the full disclosure of vulnerabilities leads to script kiddies exploiting websites.

"It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform," the anti-sec group explains, before launching a warning stressing that, "If you own a security blog, exploit publication website or you distribute any exploits... you are a target and you will be rm'd [removed]. Only a matter of time."

Of course, things are never that simple and there are always two sides to a coin. Rik Ferguson, solutions architect at Trend Micro, outlines this very well. "No mention then of the security industry designing proactive protection mechanisms to help people and businesses avoid serious financial and personal damage? No mention of full-disclosure allowing security organisations to mitigate against attacks before they are exploited in the wild? No mention of organised crime profiting from undisclosed vulnerabilities?" he rhetorically asks.

It is not yet clear how the servers were compromised. However, it is worth mentioning that the "anti-sec" group is at the center of the recent rumors about an undisclosed 0-day OpenSSH vulnerability being exploited in some other similar attacks. Many of the rumors have been dismissed so far as FUD, and researchers from the SANS Internet Storm Center say that the attacks were most likely performed by brute-forcing SSH accounts, followed by jail escape through local privilege escalation.
