Hack the Planet Zine Highlights Compromises at ImageShack and Symantec

A hacker zine has posted details that expose some questionable security practices maintained by image hosting service ImageShack, in addition to source code used by the service. The zine also singled out Symantec and exposed the personal details (dox) for several Anonymous supporters.

When AntiSec (no relation to Anonymous’ incarnation) attacked ImageShack in 2009, the image service said that security was tightened and that user data was secure. In the fourth installment of HTP, the authors tested that claim, three years later. According to the zine, what they discovered is less than flattering when it comes to an information security program.

[...]

Here’s a list of criteria we found that evidenced the hardened security on all of ImageShack's equipment:

- Run all MySQL instances as root

- Ensure all kernels are 2008 or earlier

- Routers compromisable via /level/16/exec/-/show/run

- Hardcode database passwords into as many files as possible (though we do give them credit, the root MySQL pass 'mutaborius' was never cracked by Hashcat.)

- Implement a firewall that allows outgoing backconnects

- Add tasks to root's crontab that regularly run files owned by the www user

- Run outdated Nginx

- Enable register_globals

- Use one $1 shadow hash for everything

Protip, if your security sucks this much, your incoming firewall rules and your keyauth won't save you.

[...]

“That being said, ImageShack has been completely owned, from the ground up. We have had root and physical control of every server and router they own. For years,” the zine’s authors wrote.
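The zine's list above reads as a catalogue of host misconfigurations a reviewer could check for. The following is an added Python example, not code from the zine or from SecurityWeek, that audits a host for several of them (mysqld running as root, register_globals turned on, root cron jobs that execute files owned by an unprivileged user, MD5-crypt and reused shadow hashes, and password literals in source files). It runs over constructed sample data so it works offline; the process list, php.ini fragment, crontab, ownership map, shadow entries and file contents are all assumptions made for illustration, and in practice would be replaced by the output of `ps`, the real php.ini, root's crontab, `stat` results and /etc/shadow from the host under review.

```python
"""Audit checks for misconfigurations of the kind listed in the HTP excerpt.

Added example with constructed inputs; nothing here is data from the breach.
"""
import re
from collections import defaultdict

# --- constructed sample inputs (illustrative only) ---
SAMPLE_PROCESSES = [                       # (effective user, command line)
    ("root", "/usr/sbin/mysqld --datadir=/var/lib/mysql"),
    ("mysql", "/usr/sbin/mysqld --port=3307"),
    ("www-data", "nginx: worker process"),
]
SAMPLE_PHP_INI = "; constructed fragment\nregister_globals = On\ndisplay_errors = Off\n"
SAMPLE_ROOT_CRONTAB = (
    "MAILTO=root\n"
    "*/5 * * * * /var/www/scripts/rotate.sh >/dev/null 2>&1\n"
    "0 3 * * * /usr/local/sbin/backup.sh\n"
)
SAMPLE_FILE_OWNERS = {                     # path -> owning user (assumed)
    "/var/www/scripts/rotate.sh": "www",
    "/usr/local/sbin/backup.sh": "root",
}
SAMPLE_SHADOW = (
    "root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::\n"
    "deploy:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::\n"
    "backup:$6$longsalt$BBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::\n"
    "nobody:*:19000:0:99999:7:::\n"
)
SAMPLE_SOURCE_FILES = {                    # constructed file contents
    "config.php": "<?php\n$db_pass = 'example-secret';\n",
    "util.php": "<?php\nfunction f() { return 1; }\n",
}


def mysql_instances_as_root(processes):
    """Return command lines of mysqld processes whose effective user is root."""
    return [cmd for user, cmd in processes
            if user == "root" and cmd.split()[0].rsplit("/", 1)[-1] == "mysqld"]


def register_globals_enabled(ini_text):
    """True if php.ini turns register_globals on (PHP accepts On/1/True/Yes)."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()           # drop ';' comments
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower() == "register_globals":
            return value.strip('"').lower() in ("on", "1", "true", "yes")
    return False


def root_cron_running_unprivileged_files(crontab_text, owners):
    """Root crontab entries whose program is a file not owned by root.

    Whoever can write that file gets code execution as root on the next run.
    """
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                                   # blank, comment or env var
        fields = line.split(None, 5)                   # 5 schedule fields + command
        if len(fields) < 6:
            continue
        program = fields[5].split()[0]
        owner = owners.get(program)
        if owner is not None and owner != "root":
            findings.append((program, owner))
    return findings


def shadow_hash_findings(shadow_text):
    """Accounts using MD5-crypt ($1$) and hashes shared by more than one account."""
    md5_users, by_hash = [], defaultdict(list)
    for line in shadow_text.splitlines():
        user, hashed = line.split(":", 2)[:2]
        if hashed.startswith("$1$"):
            md5_users.append(user)
        if hashed.startswith("$"):                     # skip locked (*, !) entries
            by_hash[hashed].append(user)
    reused = [users for users in by_hash.values() if len(users) > 1]
    return md5_users, reused


def files_with_hardcoded_passwords(files):
    """Paths whose contents assign a string literal to a password-like variable."""
    pattern = re.compile(r"(pass(word|wd)?|secret)\s*=\s*['\"][^'\"]+['\"]", re.I)
    return sorted(path for path, text in files.items() if pattern.search(text))


if __name__ == "__main__":
    print("mysqld as root:", mysql_instances_as_root(SAMPLE_PROCESSES))
    print("register_globals:", register_globals_enabled(SAMPLE_PHP_INI))
    print("root cron -> non-root files:",
          root_cron_running_unprivileged_files(SAMPLE_ROOT_CRONTAB, SAMPLE_FILE_OWNERS))
    print("shadow:", shadow_hash_findings(SAMPLE_SHADOW))
    print("hardcoded passwords:", files_with_hardcoded_passwords(SAMPLE_SOURCE_FILES))
```

Each check returns its findings rather than printing them so the functions can be wired into an existing configuration review; the crontab check is the one most often missed, since the crontab itself looks harmless until file ownership is cross-referenced.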

The ImageShack section of HTP includes details that could have only come from access to the server itself, including internal and external IP assignments, SSH logs, source code and hardcoded passwords.

HTP also discloses details taken from Symantec, but unlike the ImageShack section, Symantec’s section only includes database schemas, along with what looks to be a massive marketing and CMS database dump (usernames, passwords, and corporate email) as proof of access.

“Saved by your WAF? You wish. All the other major AV corps are owned too, yours just pissed us off the most. Oh, and if you think we're listing everything here, take the blue pill...and nice JBoss on VeriSign, by the way. We've always been entertained by Symantec partnerships. (especially Huawei...),” the zine’s authors said.

Along with the lax security, the zine attributes the server breaches to four zero-days, including shell breakouts and local root escalations. The zine goes on to publish dox and other logs targeting various supporters of Anonymous. This includes court rulings and personal information on several people, in addition to more than a dozen NSFW images taken by a 22-year-old female Anon.

“Symantec is aware of the claims being made online,” a Symantec spokesperson told SecurityWeek. “We take each and every claim very seriously and have a process in place for investigating each incident. Our first priority is to make sure that any customer information remains protected. We are investigating these claims and have no further information to provide at this time.”

SecurityWeek has also contacted ImageShack and will provide an update if a response is received.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.