Mark Amory | 27 June 2013
How to exfiltrate data from your network with sites like Flickr
It's been a while since my last offering, but I read something
recently that made me think that I needed to tell a wider
Whilst researching material for a new QA authored course, I stumbled across an interesting article about Flickr and the new 1Tb of storage space it now gives to all members.
So what's this got to do with security & doxxing you may ask?
So what's doxxing you may be asking first?
Doxxing is the term given to the exfiltration of sensitive data from a network - a haul of stolen documents.
OK, so now we know what doxxing is, how does this involve Flickr? (unless the stolen documents are pictures of the new, Top-Secret Mega-laser you're working on)
Well it's like this....
When a file is uploaded to Flickr, it inspects the data to check that the file really is an image (gif, jpg, etc.). If it is, the upload is allowed; if it isn't, it's rejected - Simple!
Well, it's not actually as simple as that. Real image data does need to be present in the file, otherwise you could simply rename any file as a .gif or .jpg and upload it. What you need to do instead is combine an existing image with an archive file (.zip or .rar) and produce a single file with an image extension such as .gif or .jpg.
Okay - so I still don't get what this has to do with security?
Well, imagine if someone wanted to spirit away a number of sensitive files from your network....
You've blocked access to removable media, you've instituted random bag searches, you scan all emails leaving the company, you block things like FTP....
But you still let people surf the web...
Here's where it all comes together. Someone could create an archive file (.zip or .rar) of the files they intend to steal, combine this with an image and then upload said "image" to Flickr.
Cool - so how do you do this wizardry?
Easy - like this:
- Get your desired files and create an archive (winzip, or WinRAR will do the trick) - e.g. "stolen.rar"
- Get your image file (.gif or .jpg are fine, but gifs tend to be smaller) - e.g. "piccy.gif"
- Open a cmd prompt
- type copy /B piccy.gif+stolen.rar upload.gif (where upload.gif is the name of the output file you are creating)
- Go to Flickr and upload your new "upload.gif" image
To retrieve the stolen data, simply download the file from Flickr, rename the file extension to .zip or .rar, and use the archive tool to open and extract the data.
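The reason the upload passes Flickr's check is that the image is genuinely intact: the archive is simply appended after the image's own end-of-file marker (the 0x3B trailer in a GIF, the FFD9 EOI marker in a JPEG). That is also what a defender can look for. The script below is an added example for this post, not code from the original article or from Flickr or QA: it walks the GIF or JPEG structure to find where the real image ends, reports how many bytes follow, and checks whether those bytes begin with a ZIP, RAR or 7z signature, which is exactly the shape a copy /B concatenation produces. The sample files in it are constructed by hand (a 1x1 GIF and a structurally valid, non-decodable JPEG skeleton) so it runs offline.

```python
import struct

GIF_HEADERS = (b"GIF87a", b"GIF89a")
# Magic bytes an archive appended by "copy /B" would start with.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def _skip_sub_blocks(data, pos):
    """Skip a chain of GIF data sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: sub-blocks run past end of file")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_end_offset(data):
    """Return the offset just past the GIF trailer byte (0x3B)."""
    if data[:6] not in GIF_HEADERS or len(data) < 13:
        raise ValueError("not a GIF")
    flags = data[10]                      # logical screen descriptor packed field
    pos = 13
    if flags & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((flags & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("truncated GIF: no trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                 # trailer: real end of the image
            return pos
        if block == 0x21:                 # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:               # image descriptor (9 bytes after the 0x2C)
            if pos + 9 > len(data):
                raise ValueError("truncated GIF: image descriptor")
            lflags = data[pos + 8]
            pos += 9
            if lflags & 0x80:             # local colour table present
                pos += 3 * (2 ** ((lflags & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
        else:
            raise ValueError(f"unknown GIF block 0x{block:02x} at offset {pos - 1}")


def jpeg_end_offset(data):
    """Return the offset just past the EOI marker (FF D9) of the top-level JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte
            pos += 1
            continue
        if marker == 0xD9:                # EOI reached outside a scan
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            pos += 2
            continue
        # Length-prefixed segment; skipping by length also skips EXIF thumbnails (own EOI).
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                # SOS: entropy-coded data follows
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("truncated JPEG: no EOI")
                nxt = data[idx + 1]
                if nxt == 0xD9:
                    return idx + 2
                if nxt == 0x00 or nxt == 0xFF or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 1         # stuffed byte, fill or restart marker: still scan data
                    continue
                pos = idx                 # another real marker (progressive JPEG): parse it
                break


def inspect_image(data):
    """Report where the image ends and what, if anything, is appended after it."""
    if data[:6] in GIF_HEADERS:
        kind, end = "gif", gif_end_offset(data)
    elif data[:2] == b"\xff\xd8":
        kind, end = "jpeg", jpeg_end_offset(data)
    else:
        raise ValueError("unsupported image format")
    trailing = data[end:]
    archive = next((n for sig, n in ARCHIVE_SIGNATURES.items() if trailing.startswith(sig)), None)
    return {"format": kind, "image_end": end, "trailing_bytes": len(trailing), "archive": archive}


# Constructed samples (not real uploads): a 35-byte 1x1 GIF and a 37-byte JPEG skeleton.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02" + b"\x02\x44\x01\x00" + b"\x3b")
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
FAKE_ZIP = b"PK\x03\x04\x14\x00" + b"constructed zip payload"     # constructed, not a valid archive
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"constructed rar payload"   # constructed, not a valid archive

if __name__ == "__main__":
    for name, blob in [("piccy.gif", CLEAN_GIF), ("upload.gif", CLEAN_GIF + FAKE_ZIP),
                       ("photo.jpg", CLEAN_JPEG), ("upload.jpg", CLEAN_JPEG + FAKE_RAR)]:
        print(name, inspect_image(blob))
```

Run it and the two "upload" files report an archive signature immediately after the image end while the clean ones report zero trailing bytes. Treat a non-zero trailing count as a reason to inspect rather than proof of wrongdoing (some cameras and editors leave junk after EOI), and note the check only covers data appended after the image; it says nothing about the content of the image segments themselves.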
It's a simple, yet effective way to transport data without being detected.
It looks like an image, it tastes like an image, it smells like an image - it MUST be an image - right?
Now, time to go tighten up on that list of blocked URLs - eh?