Rik Ferguson, senior security advisor at Trend Micro, wrote on the Countermeasures blog that a group calling itself Anti-Sec exploited the site with a declaration posted to the full-disclosure mailing list.
Ferguson said: “The effect of the attack was to replace many of the hosted images with a single (amusingly titled) image containing the Anti-Sec manifesto. ImageShack was a particularly effective site to target as so many third-party sites use images that are actually hosted on ImageShack.”
The declaration claimed that Anti-Sec is a ‘movement dedicated to the eradication of full-disclosure' and it wanted to give everyone an image of what it was about.
The statement read: “Full-disclosure is the disclosure of exploits publicly - anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services.
“It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.”
ImageShack responded by acknowledging that it was compromised by a hacking group. A statement on the site said: “On July 10th, at approximately 8 pm PST, ImageShack's services were compromised by a hacking group. Within a minute, our security systems had identified suspicious activity. We learned that the group had gained control of how images were being displayed. Before 9 pm PST, normal functionality had been restored to user images. No user data or content was damaged or lost.”
It claimed that only a fraction of the servers were affected, so it was able to isolate and remove the issue very quickly. It also claimed to be actively conducting a full audit of its security measures and was hardening its systems.
“It is Anti-Sec's belief, it seems, that the security industry supports full-disclosure (of things like vulnerabilities that lead to zero-day exploits, for example) because it allows the industry in general to develop scare tactics aimed at generating profits," said Ferguson.
“No mention then of the security industry designing proactive protection mechanisms to help people and businesses avoid serious financial and personal damage? No mention of full-disclosure allowing security organisations to mitigate against attacks before they are exploited in the wild? No mention of organised crime profiting from undisclosed vulnerabilities?
"Even though I'm usually a sucker for a manifesto, this just made me think of the wacky end of the survivalist spectrum, heading for the hills with their tins of beans and their AK-47s (and now SQLi).”
See original article on scmagazineuk.com
ImageShack hit by hacking group
By
Dan Raywood
on Jul 14, 2009 10:22AM
The image-hosting site ImageShack was compromised over the weekend.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
Promoted Content
How UniSuper used BiZZdesign to accelerate its digital transformation
Promoted Content
IT’s control over digital infrastructure is slipping, reports The Economist Intelligence Unit
Promoted Content
Do you know where your data sleeps at night?
Promoted Content
Why IT spending should be transformational, not just transactional
Sponsored Whitepapers
Best security practices after rapid Digital Transformation
The CISO View 2021 Survey: Zero Trust and Privileged Access
How and why to backup your Office 365 tenant
ForgeRock for Australia’s Trusted Digital Identity Framework (TDIF)
How engineering has been operating in the dark and what to do about it
