Hacker group declares war on the security industry
Anti-Sec, an ominous-sounding hacker group, has pulled another attention-grabbing stunt. In last week's hack of US image host ImageShack, the group dismissed full disclosure of vulnerabilities, an essential policy in the eyes of many security specialists, as playing into the hands of the security industry. The group believes that the security industry uses full disclosure and the publication of exploits only as "scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services."
Anti-Sec has been attracting attention over the last several weeks using website hacks. They redirected all images on ImageShack to their pamphlet. The group has openly attacked security-related websites such as astalavista.com, accusing the individuals running the site of charlatanism. The hacks have also led to rumours that the group is in possession of a zero day exploit for OpenSSH.
In their 'manifesto', published as an image on ImageShack, they claim that full disclosure helps only script kiddies, who use the exploits to raid vulnerable servers. "If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable" (at least for script kiddies). "As an added bonus, if publication wasn't enough, these exploits are mirrored and distributed widely across the Internet."
There is certainly something to be said for Anti-Sec's point of view. Most serious security specialists now adhere to a policy of responsible disclosure and either do not publish information on vulnerabilities and exploits at all, or only publish such information once the vendor has developed a patch to fix the vulnerability. A quick look at sites such as milw0rm, for example, which is now back in business after its recent voluntary closure, makes it clear that there is no shortage of exploits out there.
Anti-Sec's declared aim is the 'removal' of full disclosure. To achieve this, they plan to move against "all exploitive and detrimental communities, companies, and individuals" – they also talk of "elimination". Anyone running a security blog or an exploit website is said to be "a target".
No matter how seriously one takes these threats, they are sure to trigger a renewed and heated discussion of whether exploits should be published and whether doing so really makes the web a safer place.
- Milw0rm exploit portal resumes normal service, a report from The H.
- OpenSSH zero day exploit rumours not confirmed, a report from The H.
- Rumours of critical vulnerability in OpenSSH in Red Hat Enterprise Linux, a report from The H.