Security

ImageShack Hacked, Security Groups Threatened

revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."
This discussion has been archived. No new comments can be posted.

  • Astalavista (Score:5, Informative)

    by Spyware23 ( 1260322 ) on Saturday July 11, 2009 @11:30AM (#28660357) Homepage

    For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).

  • by Pyrion ( 525584 ) * on Saturday July 11, 2009 @11:44AM (#28660507) Homepage

    Except they haven't replaced all of the images. I just looked in my account and only one of my images (a horribly outdated tf2 screenshot, of all things) was replaced.

  • by binkzz ( 779594 ) on Saturday July 11, 2009 @12:17PM (#28660827) Journal
    1) I think that's a good thing
    2) They don't want the world to not know about the exploits, they just don't want the world to know how to use those exploits
    3) These exploits would still be in the hands of the security companies so that they could prepare protection against them

    I'm not sure how you came to your conclusions, I don't believe they are correct.
  • Some observations (Score:3, Informative)

    by rs79 ( 71822 ) <hostmaster@open-rsc.org> on Saturday July 11, 2009 @12:18PM (#28660843) Homepage

    1) The text was syntactically and grammatically near perfect. You don't often see that in these sorts of things.

    2) The cadence and style was sort of familiar. I was always able on usenet to identify forgeries not by the path, but by the way they were written. Any idiot can put words where they're not supposed to be, but very few people can write like somebody else.

    3) I posit that if they weren't good intentioned they'd have hacked DHS.

    It would not surprise me if this turned out to be a bunch of CS/security professors or the like, or their minions doing their work.

    From the message, I'm absolutely certain they're in America, and had either a very rigorous or British schooling.

  • by aristotle-dude ( 626586 ) on Saturday July 11, 2009 @12:56PM (#28661195)

    They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.

    Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".

    Wow. I don't think you understand what full disclosure is and what they are allegedly advocating. It seems like they are not advocating to not disclose the vulnerability to the vendor but rather to not disclose not only the existence of vulnerability but also an example exploit to the world. This full disclosure is precisely what results in "script kiddies" getting their toys because they don't have to be part of any particular hacking group or have significant "skillz". It creates a mad rush for the vendor to get the patch out there before it can be exploited by lamerz using a script they either downloaded off a website or a script that they copied from the disclosure with some minor changes.

    Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.

  • by afxgrin ( 208686 ) on Saturday July 11, 2009 @01:54PM (#28661637)

    A friend of mine had her machine infected with one of the imageshack exploits. It was basically a double extension EXE, labelled like Aphoto.jpg__________________.exe

    She wasn't paying much attention and had hit OK when prompted to run the program. So her computer had started sending me MSN links to similar images hosted on ImageShack.

    Here's the EXE that I got sent. [rapidshare.de]

    Someone I was chatting with in a technology IRC chatroom had run the virus in a VM, and it apparently has code to detect the presence of a VM, rapes your registry, spreads itself to multiple EXEs across your system, and a bunch of other weird things. The code is apparently run through one of those code masher programs to prevent decompilers.
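
A filename check for the double-extension pattern afxgrin describes above (an image extension, a run of padding characters, then `.exe`), added here as an example and not part of the original comment. The extension lists and function names are assumptions chosen for illustration, and the sample names are constructed.

```python
import re

# Assumed lists for illustration; extend both for real mail or chat filtering.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "txt"}

# stem . decoy-ext  padding  . real-ext
# The padding (underscores or whitespace) pushes the real extension out of
# view in a narrow chat window or "Run this program?" dialog.
_PATTERN = re.compile(
    r"^(?P<stem>.+)\.(?P<decoy>[A-Za-z0-9]{2,5})(?P<pad>[_\s]*)"
    r"\.(?P<real>[A-Za-z0-9]{2,4})$"
)


def check_filename(name):
    """Return details of a decoy-extension masquerade, or None if clean."""
    # Windows drops trailing dots and spaces when it opens a file,
    # so "x.jpg.exe." still runs as an executable.
    m = _PATTERN.match(name.rstrip(". "))
    if not m:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    if real not in EXECUTABLE_EXTS or decoy not in DECOY_EXTS:
        return None
    return {"decoy": decoy, "real": real, "padding": len(m.group("pad"))}


def scan(names):
    """Return only the names that hide an executable behind a decoy extension."""
    return [n for n in names if check_filename(n) is not None]


# Constructed sample names; the first follows the shape quoted in the comment.
SAMPLES = [
    "Aphoto.jpg" + "_" * 18 + ".exe",
    "holiday.jpg",
    "setup.exe",
    "archive.tar.gz",
    "invoice.PDF .scr",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(repr(hit), check_filename(hit))
```
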

  • Re:Some observations (Score:3, Informative)

    by TheRaven64 ( 641858 ) on Saturday July 11, 2009 @02:01PM (#28661685) Journal
    You have an odd definition of perfect grammar. Their writing style isn't bad, but they had run-on sentences and incorrect hyphenation in a few places early on and then it deteriorates completely towards the end into something barely coherent.
  • by Tycho ( 11893 ) on Saturday July 11, 2009 @02:06PM (#28661721)

    OT: your sig "I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas"

    I assume you aren't going to try to deny that you are also a citizen of the United States of America at this point. Other people, now in jail, have tried not to pay income taxes and other federal taxes by claiming that they had renounced their US citizenship and were now just a citizen of the State of X, but not a US citizen any longer. None of these individuals actually successfully argued in court that they were just a citizen of State X and not a US citizen, so they no longer had to pay income tax. Most idiots in this position would have found their lawyer unwilling to make that argument, or if acting as their own lawyer these idiots might have found themselves stopped as soon as they started and fined $5000 each time during trial for even trying. When one makes a frivolous argument that is not valid and that relates to income taxes in court, expect a bill. Obviously the lesson to take back in this argument and with others is to not parse words intentionally incorrectly, and that you will not find any valid loophole to avoid paying any income taxes. Just to suck it up and pay your income taxes like everyone else. If you are behind on filing a year or two, contact a tax lawyer and then negotiate with the IRS and do so before the IRS calls you, you will always end up better off that way.
