ImageShack hacked by anti-full disclosure movement

Summary: During the weekend, ImageShack, one of the Web's top ten most popular free image hosting services, was compromised, with the millions of images hosted on it redirected to a single image explaining why the site was hacked. The anti-sec group responsible for the compromise describes itself as a "movement dedicated to the eradication of full-disclosure" and has also threatened web sites and communities that publish exploits in a full-disclosure fashion.


During the weekend, ImageShack, one of the Web's top ten most popular free image hosting services, was compromised, with the millions of images hosted on it redirected to a single image explaining why the site was hacked.

The anti-sec group responsible for the compromise describes itself as a "movement dedicated to the eradication of full-disclosure" and has also threatened web sites and communities that publish exploits in a full-disclosure fashion.

The message left in the form of an image reads:

"Full-disclosure is the disclosure of exploits publicly - anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.

Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable."

Whereas this radical -- and illegal -- approach of spreading a philosophy aims to put the spotlight on the full disclosure debate yet again, things have greatly changed during the past couple of years, potentially rendering their efforts pointless, at least from the perspective of using zero day exploits for committing cybercrime. The very notion that the well known exploit-repository web sites are the original point of publication for a particular exploit is naive. Case in point: the recent Video ActiveX Control flaw, thought to be a "zero day", had been reported to Microsoft over a year ago, yet it became an inseparable part of a Chinese-based malware campaign earlier this month.

Moreover, not only have vulnerability markets and market approaches to software vulnerability disclosure greatly improved, but the active OTC (over-the-counter) market for vulnerabilities has once again proved that what is a zero day flaw for some is last month's zero day, already used by a particular cybercriminal in targeted malware attacks.

The anti-sec group also makes a statement in respect to the "script kiddies who copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of." Shouldn't this also be the practice of the people responsible for the security of a particular web property, and if exploitation is possible, shouldn't a patch or an alternative mitigation strategy be applied as soon as possible? Who's to blame in this case: the lack of self-awareness on behalf of the affected sites that end up as the "low hanging fruit", or the site providing a service that inevitably improves the effectiveness of ethical penetration testing tools, if it is used in the first place?

Ironically, cybercriminals do not need zero day exploits in order to continue efficiently infecting users of compromised web sites, due to a simple fact: the end user's host is already running a multitude of outdated and easily exploitable applications, patches for which are available but haven't been applied. Take Conficker for instance: even though an out-of-band patch was released, a huge percentage of hosts remained unpatched for months to come. The web malware exploitation kits currently in circulation rely on anything but zero days in order to successfully infect end users, since their authors embraced a simple fact: diversifying the set of exploits for popular applications increases the probability of infection.

What do you think? Is this one of those black and white situations where full-disclosure should be replaced with responsible disclosure, or is full-disclosure in fact serving the community, especially considering that cybercriminals are efficiently infecting hosts by exploiting already patched, outdated flaws and do not necessarily need a zero day to do so?

Talkback.

Topics: Browser, Malware, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

19 comments
  • ImageShack should have used Linux

    as this would be a non-issue.
    GuidingLight
    • You should have.......

      made a real post, as this post is also a non issue.
      linux for me
      • You should have.......

        made a real response, as this response is also a non issue.
        Wintel BSOD
    • If that were true, the world would be using it

      But Linux is just as vulnerable as ANY other operating system. Google "Linux vulnerabilities" if you don't believe...
      "July 02, 2009 linux, linux-source-2.6.15 vulnerabilities CVE-2009-1072, CVE-2009-1184, CVE-2009-1192, CVE-2009-1242, CVE-2009-1265, CVE-2009-1336, CVE-2009-1337, CVE-2009-1338, CVE-2009-1360, CVE-2009-1385, CVE-2009-1439, CVE-2009-1630, CVE-2009-1633, CVE-2009-1914, CVE-2009-1961"
      "Some Linux fans are tired of reading reports and articles about viruses and attacks for the Linux operating system that would be as bad as malware for Windows if the open source OS was most popular."
      "A vulnerability has been identified in Linux Kernel, which could be exploited by malicious users to bypass security restrictions."
      http://secunia.com/advisories/product/2719/
      ...and so on, and so on, and so on. So guidinglight, before posting absolute rubbish, you may want to do a little research. You and your beloved Linux would look a lot less stupid!
      Lovs2look
      • Next time maybe you should do your research

        It's very deceptive to compare Linux and Windows exploits by merely claiming there are lots of exploits for Linux without first defining the various types of exploits and the risks associated with each type of exploit. Not all exploits pose the same risks and this is where Linux prevails, as most Linux exploits are very limited.

        Here are some facts you convincingly failed to mention.

        The fact is the vast majority of Linux exploits are what are known as "Local Exploits". Local Exploits actually require physical access to the computer to be executed. On the other hand the vast majority of Windows exploits are remote exploits and those only require internet access to the computer to be used.

        I will be the first to admit that no operating system is 100 percent free of remote exploits. BUT unlike Windows the few Linux remote exploits that do exist usually require a poorly configured computer and even if successful the damage is usually limited only to the account compromised not the entire computer as in Windows.
        blaze1024
    • ImageShack should have used Linux

      Well if you knew more about computers you would know that Linux can be hacked too. It's just not done as much due to most hackers using Linux and not wanting to hack themselves. That's the only reason they hack Microsoft. That and Microsoft can't build anything right.
      Wildfire365@...
  • There's no guarantee with share

    These sites just make it fun for people to enjoy the Internet.
    anonymous
  • RE: ImageShack hacked by anti-full disclosure movement

    I do not agree with AntiSec. I believe that it is the responsibility of organizations to stay abreast of current vulnerabilities and patch appropriately. What I have seen over the years is that (as correctly said above), today's 0-day is actually last month's 0-day. Just that the weaponization of last month's 0-day took a month and now - because of active exploitation - it is again a 0-day. I feel it is very important to watch the Bugtraq, @RISK, and US-CERT announcements every day and act accordingly. If we, the security community, do not have full disclosure, we do not know what vulnerabilities are out there - I do not believe in security through obscurity. I believe in taking responsibility for what you own and protecting it to the utmost best of your ability.
    cejennings_cr
  • the -actual- purpose

    http://romeo.copyandpaste.info/txt/movement.txt

    seriously, a lot of people don't seem to get it.

    read that please.
    jon due
    • It's a load of bullplop

      And always will be. Look at my other post in
      this thread to see why. Exploits, in my
      opinion, should ALWAYS be made public in order
      to coerce companies to fix the flaws in their
      software that people find.

      Now, should these companies be given a
      REASONABLE amount of time to fix the thing
      before it is made public? Yes..... but
      reasonable amount of time is only 4 weeks, i.e.
      a month!
      Lerianis10
    • A lame excuse... next time they will...

      A lame excuse for a script-kiddie job... next time they will deface a site in the name of love, puppies, gun control, the Republican party, or whatever.

      A silly script kiddy is a silly script kiddy, no matter his/her flag.

      Anti-full-disclosure... c'mon... that's l-a-m-eeee.

      Regards,

      MV
      MV_z
  • Full-disclosure is the best thing to be done

    The fact is that without making these attack vectors
    public (sooner or later), most companies would NEVER FIX
    THESE THINGS!

    That is why I have little to no respect for the anti-full
    disclosure people, they are living in a DREAM WORLD where
    companies will automatically 'do the right thing' just
    because a vulnerability is reported to them and fix the
    flaw in question.
    Lerianis10
    • Not just theory.

      More than a decade ago full disclosure was unthinkable and companies sat on fixes for months or never released them at all (Or worse: Bundled them into "upgrades" and charged for them - this was common practice)

      Full Disclosure has always been controversial, however it's proved to be an essential tool for making companies fix software in a timely manner AND to think about vulnerabilities in software they're writing.

      Ironically the anti-full-disclosure attack highlights the value not only of full disclosure, but also the importance of admins paying attention.

      Image Shack was likely backdoored via a well-known hole they neglected to patch. For that all I can say is "boo, sucks". For the users of Image Shack - given the hosting was free, how about asking for your money back.

      Uncle Stoat
  • The other side of the problem

    There are many articles about the programmers who would try to contact big companies just to give up the security info that they have discovered for free, but they were treated so badly that they would publish that thing... that's also true about MS and Apple...

    Another problem - every coder spends time to dig out that info and in the corner of their mind they think it would be nice to get some kind of compensation for the job, but again, big companies don't like to do this.

    What should a coder do? Usually they warn the company in advance and later sell the info to hackers, other security companies or whoever would pay for that info...

    A little bit of respect to coders, would fix at least 80% of this issue...
    Tomas M.
  • RE: ImageShack hacked by anti-full disclosure movement

    Responsible disclosure, don't post an exploit, post an advisory with a PoC maybe

    that is not perfect, but it will decrease the amount of skids running around with ./pwn, which will decrease the amount of botnets, amount of DDoS, amount of everything that those skids have been doing for the past years.

    A lot of people might be able to code an exploit from your PoC maybe, but those people should not publish an exploit either... if you make the exploit, keep it to your self, no need to publish that all over the net to get your name on milw0rm etc...

    Think of it this way, whats worse.. having little kids with ./xploits to run, or a company that did not patch after your advisory?
    jon due
  • RE: ImageShack hacked by anti-full disclosure movement

    This movement is not a good idea. The exposure of exploits is one of the driving factors that force the software companies to patch in a reasonable timeframe. Without the exposures publicly, do you think that Microsoft or other companies would spend even half the time and money fixing these security holes? This movement, if it were successful, would increase the need for anti-virus and other security software. A script kiddy getting their hands on a proof of concept is a LOT less dangerous than the groups that have the knowledge and ability to exploit zero day or unpatched machines. Take Vundo or NetSky for instance. These viruses are constantly being updated by groups with knowledge that does NOT just come from these public releases. These groups will continue. If they do continue and are faced by a Microsoft that decides that they don't need to patch as quickly due to the lack of exposure, they would own many more machines than they already do. This puts us in a much weaker position as users and forces us to put our trust in someone else for protection against exploits, thus costing us more money than we already paid for the operating system or applications we are using. And Linux users, we all know that your software is free, so who pays for the security patch teams to keep it up to date?
    Zarlof
  • What Are The Bullies Hiding?

    What is it exactly the anti-full disclosure bullies are wanting to hide? What is so important to them that they don't want light shone on companies, products or services so things will get fixed that otherwise would NEVER get fixed in this tech age we live in now? Why would they want everyone to keep quiet when something needs correcting? Their very actions bring suspicion as to their true hidden motives and new criminal activities. Where does their financial support come from? Are they the hidden ones promoting products with malware, crapware, spyware, etc.? As mentioned, times have changed. If it were not for concerned people disclosing the facts to get and keep things fixed, things would be in a lot worse scenario than they are now. Some things I agree do not need to be disclosed, or at least discretion should be used, but as a whole it is the only way some companies and governments will listen, if they do then. A potential loss of revenue for a flawed product or service that the public hears about usually wakes them up to correct it. Turning the light off does not make the dark security holes go away or fix the problems needing attention. Maybe they didn't get enough attention when they were little and realized they are still 'little'. lol
    eyecee
  • RE: ImageShack hacked by anti-full disclosure movement

    If you notice at the bottom of the page it said No images were harmed. It's not because the script kiddies involved could and didn't but simply because the exploit they used did not give them the ability.

    Now if you want to know who is really behind this group's actions simply follow the money trail. This group's philosophy benefits only certain "for profit" software companies.
    >>> Microsoft <<< for example

    When you think about it the only companies who benefit from not having exploits published publicly are those companies who have something to hide and don't want defects in their software made public.

    If you sell software knowing full well that defects exist that can cause the loss of data and you continue to sell said software without full and open disclosure of said defects, don't you open up the possibility of liability?

    Here is the bottom line: if you read the EULA of most paid-for software you know the company selling it takes no responsibility for your data or loss of data. Now if you can prove that they knew about a defect and refused to fix it and this resulted in the loss of data you might have a valid claim despite the EULA.

    Bottom line, this is Microsoft protecting its hide.

    blaze1024