View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 20, 2019updated 28 Jul 2022 6:09am

Are Stock Photos a Threat to Cybersecurity?

These terrible hacker stock images hold other secrets...

By CBR Staff Writer

The Rise of Steganography

The cyber-attacks that were once the arsenal of nation states and organised cyber gangs always descend down the supply chain into the hands of the modern criminal, writes Dr Simon Wiseman, CTO, Deep Secure. One devastating technique that is increasing in popularity amongst canny cybercriminals is steganography, where information is concealed in the pixels of images (for example, in the colour and transparency values) to hide threats.

From hiding attack code and the command and control channels necessary to execute it, to providing a vehicle to covertly exfiltrate valuable information once within a network, steganography provides an almost undetectable means of breaching networks and the data they hold; the naked eye could never tell when a picture has been tampered with.

For example, we stegged one of Computer Business Review’s most recent articles, “Over 50% of Firms Have 1,000+ Exposed Files, Ghost Users, Stale Passwords” into the image  above and you will see the photo doesn’t look disturbed in any way.

This is what makes steganography attacks so effective and ideal: images can be easily manipulated with scripting tools to conceal large amounts of information without affecting how they appear.

Beware: Big Cyberthreats can Come in Small Photos

With steganography, bad actors can store more information based on the size of the image. As the size of the picture goes up, there is more potential to hide a lot more information. You might be surprised to find that within the image above, we were able to encrypt all 272 pages of the famed Shakespeare Play, Macbeth – all within this 733KB photo – without distorting the image.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The New Wave of Credit Card Theft

While stegging the entire works of Shakespeare into pictures may seem trivial, what about credit card details?

That’s exactly what we did with the photo at left (well, these are actually 30 made-up credit card details) – but we have previously shown how we can fit as many as 300,000 credit card details in just 50 images)

To do this, the hacker simply needs access to the appropriate steg tool (freely available on the Web) or they could write their own using a scripting tool or Office macro. Add an innocuous looking image, the data they want to hide and a password to extract the secret at its destination. The data can then be smuggled out via anything from a Tweet in an image to a Web mail message or even a logo in an email signature, all without ringing any alarm bells.

Steganography: The Tool of Choice for Malicious Insiders?

But it’s not just used by attackers on the outside. Steganography is a perfect tool for the malicious insider, as they can easily pass information out of networks without alarming Data Loss Prevention software.

Over the past couple of years, there have been a number of incidents where steganography has been leveraged by internal employees looking to exfiltrate company information. Indeed, last year a Chinese engineer was able to exfiltrate sensitive information on turbine technology from General Electric on between 5-10 occasions by stegging it into images of sunsets. He was only discovered when GE Security officials became suspicious of him and started to monitor his office computer.

And to show you how easy it is, we stegged diagrams of a nuclear plant into the image above.

And the use of these tools is widespread. Our recent research into The Price of Loyalty exposed the extent of the risk’s insider threats pose, with eight percent of UK office workers reporting that they had used cyber tools (such as steganography or encryption) to steal company information. While 13 percent of these respondents were in the IT & Telecoms industry, where more technical skills might be expected, the HR and finance industry also reported comparably high use of cyber tools (15 percent and 12 percent respectively).

The Key to Steganography Prevention? Content

Businesses and their security teams should be worried by the prospect of steganography – both in the hands of malicious outsiders and insiders. But it doesn’t have to be a losing battle.

While it’s impossible to detect, there is a completely novel approach which is capable of preventing threats concealed in images using steganography from entering or leaving your network. Content threat removal uses a transformational approach to the problem that allows you to trust all the digital content passing through your network. All files – whether OfficeX documents, jpegs or even image caches – are intercepted at the boundary and prevented from proceeding. This content is then transformed, during which the useful information is extracted from the content and the original file is discarded. A new file, which is a visual replica of the original, is then created inside the company’s boundary.

Transforming images in this way destroys any threat concealed within them, but the end user experience of the image is not undermined and the resulting image is identical to the original to the human eye. If it’s impossible to detect whether an image is stegged, you need to be able to trust that it’s not.

The image above may look like all the rest – but believe me, this is the only digitally pure image in this article that you want to receive. And until you are able trust all the images passing through your network, you’re just going to have to take my word for it…

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.