Saturday, July 11, 2009

ImageShack Hacked

I discovered today that several of the images I store in ImageShack were hacked. The images were replaced with a new image, bearing the following message:


Imageshack

Proudly presents...

Anti-Sec. We're a movement dedicated to the eradication of full-disclosure. We wanted to give everyone an image of what we're all about.

Full-disclosure is the disclosure of exploits publicly - anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.

Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable.

As an added bonus, if publication wasn't enough, these exploits are mirrored and distributed widely across the Internet with a nice little advertisement embedded in them for the crew or website which first exposed the vulnerability to the public.

It's about money. While the world is difficult to change, and money will certainly continue to be very important in the eyes of many, our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences.

It is our goal that, through mayhem and the destruction of all exploitative and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.

How do we plan to achieve this? Through the unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or distribute any exploits... "you are a target and you will be rm'd. Only a matter of time."

This isn't like before. This time everyone and everything is getting owned.

Signed: The Anti-Sec Movement

No images were harmed in the making of this... image.


Here's a screenshot I took of the Imageshack Hack Message.


It's still unclear who did this and why. There have been more and more reports of this across the web in the past several hours, but still no official statement from ImageShack. I'm also still not sure whether the hacked images are recoverable (in case ImageShack backs up their servers) or lost forever...

Did you happen to come across this issue? If so, post a comment.

Saturday, November 22, 2008

Outbrain Security Breach Solved

I just got an e-mail from Yaron Galai, CEO of Outbrain, regarding Outbrain's security breach I reported earlier in my blog. As expected, Outbrain reacted immediately to the issue and it was solved promptly. Yaron also commented on the issue in my blog.



As promised, I will write about the Outbrain rating widget, which I have found very useful, in one of my future posts in this blog.

Friday, November 21, 2008

Security Breach in Outbrain?

Recently, I installed the Outbrain rating widget on my blog. Outbrain is a great tool that enables readers to rate each of your posts, and suggests relevant posts to them depending on their rating history. I'll write more about Outbrain in one of my upcoming posts, as it is one of my favorite widgets. But as I discovered today, Outbrain still has its flaws - and today I think I found a serious one.


Earlier today, when I checked entrances to my blog using my FEEDJIT widget, I saw I got an entrance from a URL in the Outbrain domain (www.outbrain.com). When I clicked that URL (as I often do, curious to see who's referring to my blog), I saw that it was actually some kind of testing website of Outbrain, containing information about blogs that recently installed, updated, or uninstalled the Outbrain widget. Nothing extraordinary so far... However, on browsing the page further, I found out that the site also contains some personal information, like registered users' e-mail addresses, or statistics which I think should remain only with the registered user, like how many Outbrain clicks he got so far...


I won't expose the specific URL I'm talking about here, as I don't want to increase the potential damage from this security breach. I will however share a partial screenshot of the mentioned site (blacking out all personal data, of course).


On discovering this issue, I immediately contacted Outbrain's CEO and one of their support employees (with whom I'm familiar from previous support sessions). Past experience has shown me that Outbrain's response is usually prompt and efficient, and this was also the case now - after approx. two minutes I got a response from the CEO, saying they're looking into the matter ASAP. I'll update this blog once I get an official response from them.



Update: The issue described above was quickly solved after I reported it to Outbrain, and I got a reply from them confirming it. Please find more information in the following post.
