Mark Amory | 27 June 2013

How to exfiltrate data from your network with sites like Flickr

It's been a while since my last offering, but I read something recently that made me think that I needed to tell a wider audience.

Whilst researching material for a new QA-authored course, I stumbled across an interesting article about Flickr and the new 1Tb of storage space it now gives to all members.

So what's this got to do with security & doxxing, you may ask?

So what's doxxing, you may be asking first?

Doxxing is the term given to the exfiltration of sensitive data from a network: a stolen set of documents.

OK, so now we know what doxxing is, how does this involve Flickr? (unless the stolen documents are pictures of the new, Top-Secret Mega-laser you're working on)

Well it's like this....

When a file is uploaded to Flickr, it looks at the data type to ensure the file is an image (gif, jpg, etc.). If it is, the upload is allowed; if it's not, it isn't. Simple!

Well, it's not actually as simple as that. There does need to be image data in the file, else you could simply rename any file as a gif or jpg and upload it. What you need to do is combine an existing image with an archive file (.zip or .rar) and produce a file with an image extension such as .gif or .jpg.

Okay - so I still don't get what this has to do with security?

Well, imagine if someone wanted to spirit away a number of sensitive files from your network....

You've blocked access to removable media, you've instigated random bag searches, you scan all emails leaving the company, you block things like FTP....

But you still let people surf the web...

Here's where it all comes together. Someone could create an archive file (.zip or .rar) of the files they intend to steal, combine this with an image and then upload said "image" to Flickr.

Cool - so how do you do this wizardry?

Easy - like this:

  • Get your desired files and create an archive (WinZip or WinRAR will do the trick) - e.g. "stolen.rar"
  • Get your image file (.gif or .jpg are fine, but gifs tend to be smaller) - e.g. "piccy.gif"
  • Open a cmd prompt
  • Type copy /B piccy.gif+stolen.rar upload.gif (where upload.gif is the name of the output file you are creating)
  • Go to Flickr and upload your new "upload.gif" image

To retrieve the stolen data, simply download the file from Flickr and rename the file extension to .zip or .rar and use the archive tool to open and extract the data.

It's a simple, yet effective way to transport data without being detected.

It looks like an image, it tastes like an image, it smells like an image - it MUST be an image - right?
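A check a web proxy or DLP filter could run on outbound "images", shown here as an added example that is not part of the original post: it walks the GIF block structure to find where the image really ends, then reports any bytes that follow and whether they carry a .zip or .rar signature. The function names and the sample GIF are constructed for illustration, and only GIF is covered.

```python
# Added detection example: find bytes appended after a GIF's trailer.
ARCHIVE_MAGICS = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}  # public format signatures

# Constructed sample: a minimal valid 1x1 GIF89a (35 bytes), not taken from the page.
SAMPLE_GIF = bytes.fromhex(
    "474946383961 0100 0100 80 00 00 000000 ffffff"
    " 2c 0000 0000 0100 0100 00 02 02 4401 00 3b")

def _skip_sub_blocks(data, pos):
    """Skip GIF data sub-blocks (length byte + payload) up to the 0-length terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_logical_end(data):
    """Return the offset just past the GIF trailer byte (0x3B)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    flags = data[10]
    pos = 13  # 6-byte header + 7-byte logical screen descriptor
    if flags & 0x80:  # global colour table present
        pos += 3 * (2 << (flags & 0x07))
    while True:
        block = data[pos]
        if block == 0x3B:  # trailer: the image ends here
            return pos + 1
        if block == 0x21:  # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:  # image descriptor: 10 bytes including introducer
            local_flags = data[pos + 9]
            pos += 10
            if local_flags & 0x80:  # local colour table present
                pos += 3 * (2 << (local_flags & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")

def inspect_upload(data):
    """Return (trailing_byte_count, archive_type_or_None) for a file claiming to be a GIF."""
    try:
        end = gif_logical_end(data)
    except IndexError:
        raise ValueError("truncated GIF") from None
    tail = data[end:]
    kind = next((name for magic, name in ARCHIVE_MAGICS.items() if magic in tail), None)
    return len(tail), kind
```

Any non-zero trailing count is worth flagging even when no archive signature matches, since the appended data may be encrypted or in another format.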

Now, time to go tighten up on that list of blocked URLs - eh?

Mark Amory

Senior Learning Consultant

After leaving a career as a mechanical & electrical engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In line with his background as an engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics; a field he has remained in ever since. A natural progression of his career saw Mark start to explore the security aspect of his existing competencies, and since 2005 he has specialised in the cyber security domain. Mark has been the author of a number of QA cyber security courses, and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.