They say an image is worth a thousand words, and surely that means it's worth spending a few words protecting. While most data security policies and practices today focus on primarily text- or document-based asset hardening and protection, visual assets (e.g. photographs) are often left vulnerable to adversarial data collection--to use a simple yet damaging example, can you imagine posting a photo of a location-sensitive data center only to forget to remove GPS coordinates from the image's metadata? What about a student ID number seen on an Instagram feed, which when coupled with photos of the same target's birthday party can be used to obtain their university credentials?
Our talk will discuss various counter-forensic measures against both existent and emergent threats targeting image-centric intelligence gathering which adversaries may use to leverage target exploitation attacks.
Specifically, the problem is as follows: visual assets can inadvertently leak valuable information which should be kept private. The target may either not realize that the particular information is being leaked, or may realize that it is being leaked but may not consider the fact that the leaked information should be kept private in th first place. Our presentation will explore the myriad ways that images may be mined for said information, and in turn offer counter-forensic techniques of preventing said data leakage by focusing on obfuscation, removal, and altercation of the leaked information.
We have also written a detailed breakdown of the topics that will be discussed:
In detail, we will discuss the following six concentrated topics outlining both attack vectors and in turn presenting pertinent defense measures in the form of counter-forensic image sanitation techniques. The numbering is not directly representative of the number of accompanying slides, merely of the number of main focal points covered (e.g. point 3 may have 4 separate slides, etc.).
Introduction to Visual Data Extraction --A seemingly innocuous photograph will be displayed, and the audience will be asked to jot down a list of all potentially-identifiable information they can visually extract just by looking at the image. The same image will be returned to at the end of the talk and the same question will be asked.
The Risks of Latent Embedded Image Metadata --Prior to discussing overt (or readily visible) image data, we will undertake a discussion of latent (or not readily visible) image metadata, which is to say metadata. Various particularly sensitive Exif and PNG metadata fields will be explored (e.g. GPS coordinates, owner information such as name and serial numbers, time and timezone settings, and so on). Following the showing of how metadata can be viewed (via software such as Exiftool and browse extensions such as Exif Viewer), the talk will further discuss counter-forensic best practices of not merely wiping, but altering metadata.
Beyond GPS: Exploring Secondary Location Leaks --'OK, so you've removed GPS metadata from your photos, think you're safe?' Going beyond metadata, the discussion will now turn to overt visual cues which may alert adversaries as to the location and conditions an image was taken in. These techniques are explored and counter-measures presented to obfuscate the true location of sensitive images (for instance, by replacing the outlet plug covers in a data center prior to taking publicity photos to mask its actual geographic location; or leaving a Turkish newspaper on a table prior to taking a photo in an Australian hotel).
Proper Redaction Protocol --Now that we have identified some potentially-compromising visual information in images, what are the best practices for redacting or altering this information? Various novelty blurring filters afforded by high-end photo editing software may be reverse-engineered to reveal data thought to be redacted; for instance, blurred credit card numbers may potentially be reversed with high degrees of certainty if one can replicate the same font and font color. Thus, proper sanitation of critical image components is crucial. Here, we will discuss various redaction strategies, from avoiding blur and other novelty effects to falsifying the apparent scope of the redacted area.
Image-Based Privilege Escalation --So-called 'fusking' attack techniques and countermeasures are discussed, as image location enumeration may often lead to further sensitive images being discovered. Fusking attacks are predicated on standard camera vendor filename conventions and incremental numbering. The critical importance of filenaming and directory structuring when storing images is addressed.
Reverse Image Searching --Reverse image search engines are next discussed, with an eye towards non-obvious uses. For instance, if one does a preemptive reverse image search on an image before placing it online to make sure it doesn't lead to a sensitive personal website and the search comes up with no hits, is it safe? What about if the image is cropped to remove extraneous data so that, for instance, it is now just a target's face? What if still frames from a video are fed into a reverse image search?
Social Media Mining --Ostensibly anonymous images may be traced back to the source and lead to enumeration of sensitive assets (e.g. deducing which location or position the subject of a photograph holds and who, in turn, belongs to their particular social network). Preemptive counter-forensic methods of foiling image-based social-media analysis are discussed such as tag obfuscation and avoidance. A hypothetical case study will be presenting of the amount of personally-identifiable information that may be extracted from following someone's social media feeds for a month (such as date of birth, ID numbers, social network, as well as past, present, and future locations).
Conclusion --Returning now to the image presented at the outset of the talk, we ask the audience to come up with a new list of information they could now potentially extract from the image, and compare it to the preliminary list they made.